Merge remote-tracking branch 'engcom/async-webapi-1' into async-webapi-2

Author: vrann

app/code/Magento/Catalog/Helper/Product/Configuration.php

@@ -6,6 +6,7 @@
 namespace Magento\Catalog\Helper\Product;
 
 use Magento\Framework\App\ObjectManager;
+use Magento\Framework\Escaper;
 use Magento\Framework\Serialize\Serializer\Json;
 use Magento\Catalog\Helper\Product\Configuration\ConfigurationInterface;
 use Magento\Framework\App\Helper\AbstractHelper;
@@ -43,6 +44,11 @@ class Configuration extends AbstractHelper implements ConfigurationInterface
      */
     private $serializer;
 
+    /**
+     * @var Escaper
+     */
+    private $escaper;
+
     /**
      * @param \Magento\Framework\App\Helper\Context $context
      * @param \Magento\Catalog\Model\Product\OptionFactory $productOptionFactory
@@ -55,12 +61,14 @@ public function __construct(
         \Magento\Catalog\Model\Product\OptionFactory $productOptionFactory,
         \Magento\Framework\Filter\FilterManager $filter,
         \Magento\Framework\Stdlib\StringUtils $string,
-        Json $serializer = null
+        Json $serializer = null,
+        Escaper $escaper = null
     ) {
         $this->_productOptionFactory = $productOptionFactory;
         $this->filter = $filter;
         $this->string = $string;
         $this->serializer = $serializer ?: ObjectManager::getInstance()->get(Json::class);
+        $this->escaper = $escaper ?: ObjectManager::getInstance()->get(Escaper::class);
         parent::__construct($context);
     }
 
@@ -175,7 +183,7 @@ public function getFormattedOptionValue($optionValue, $params = null)
             if (isset($optionValue['option_id'])) {
                 $optionInfo = $optionValue;
                 if (isset($optionInfo['value'])) {
-                    $optionValue = $optionInfo['value'];
+                    $optionValue = $this->escaper->escapeHtml($optionInfo['value']);
                 }
             } elseif (isset($optionValue['value'])) {
                 $optionValue = $optionValue['value'];

app/code/Magento/Checkout/view/frontend/web/template/minicart/item/default.html

@@ -45,7 +45,7 @@
                                 <span data-bind="html: option.value.join('<br>')"></span>
                             <!-- /ko -->
                             <!-- ko ifnot: Array.isArray(option.value) -->
-                                <span data-bind="html: option.value"></span>
+                                <span data-bind="text: option.value"></span>
                             <!-- /ko -->
                         </dd>
                         <!-- /ko -->

app/code/Magento/Checkout/view/frontend/web/template/summary/item/details.html

@@ -35,7 +35,7 @@
                     <dd class="values" data-bind="html: full_view"></dd>
                     <!-- /ko -->
                     <!-- ko ifnot: ($data.full_view)-->
-                    <dd class="values" data-bind="html: value"></dd>
+                    <dd class="values" data-bind="text: value"></dd>
                     <!-- /ko -->
                 <!-- /ko -->
             </dl>

app/code/Magento/ConfigurableProduct/Ui/DataProvider/Product/Form/Modifier/ConfigurablePanel.php

@@ -475,7 +475,10 @@ protected function getRows()
                                 [
                                     'required-entry' => true,
                                     'max_text_length' => Sku::SKU_MAX_LENGTH,
-                                ]
+                                ],
+                        ],
+                        [
+                            'elementTmpl' => 'Magento_ConfigurableProduct/components/cell-sku',
                         ]
                     ),
                     'price_container' => $this->getColumn(

app/code/Magento/ConfigurableProduct/Ui/DataProvider/Product/Form/Modifier/Data/AssociatedProducts.php

@@ -17,6 +17,8 @@
 use Magento\Framework\Json\Helper\Data as JsonHelper;
 use Magento\Framework\Locale\CurrencyInterface;
 use Magento\Framework\UrlInterface;
+use Magento\Framework\App\ObjectManager;
+use Magento\Framework\Escaper;
 
 /**
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
@@ -83,6 +85,11 @@ class AssociatedProducts
      */
     protected $imageHelper;
 
+    /**
+     * @var Escaper
+     */
+    private $escaper;
+
     /**
      * @param LocatorInterface $locator
      * @param UrlInterface $urlBuilder
@@ -93,6 +100,8 @@ class AssociatedProducts
      * @param CurrencyInterface $localeCurrency
      * @param JsonHelper $jsonHelper
      * @param ImageHelper $imageHelper
+     * @param Escaper|null $escaper
+     * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
     public function __construct(
         LocatorInterface $locator,
@@ -103,7 +112,8 @@ public function __construct(
         VariationMatrix $variationMatrix,
         CurrencyInterface $localeCurrency,
         JsonHelper $jsonHelper,
-        ImageHelper $imageHelper
+        ImageHelper $imageHelper,
+        Escaper $escaper = null
     ) {
         $this->locator = $locator;
         $this->urlBuilder = $urlBuilder;
@@ -114,6 +124,7 @@ public function __construct(
         $this->localeCurrency = $localeCurrency;
         $this->jsonHelper = $jsonHelper;
         $this->imageHelper = $imageHelper;
+        $this->escaper = $escaper ?: ObjectManager::getInstance()->get(Escaper::class);
     }
 
     /**
@@ -280,9 +291,9 @@ protected function prepareVariations()
                         'product_link' => '<a href="' . $this->urlBuilder->getUrl(
                             'catalog/product/edit',
                             ['id' => $product->getId()]
-                        ) . '" target="_blank">' . $product->getName() . '</a>',
+                        ) . '" target="_blank">' . $this->escaper->escapeHtml($product->getName()) . '</a>',
                         'sku' => $product->getSku(),
-                        'name' => $product->getName(),
+                        'name' => $this->escaper->escapeHtml($product->getName()),
                         'qty' => $this->getProductStockQty($product),
                         'price' => $price,
                         'price_string' => $currency->toCurrency(sprintf("%f", $price)),

app/code/Magento/ConfigurableProduct/view/adminhtml/web/template/components/cell-sku.html

@@ -0,0 +1,13 @@
+<!--
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+-->
+<div class="control-table-text">
+    <span attr="'data-index': index" data-bind="
+        text: value,
+        css: {_disabled: disabled}
+    ">
+    </span>
+</div>

app/code/Magento/Sales/view/adminhtml/templates/items/column/name.phtml

@@ -32,7 +32,7 @@
                         <?= /* @escapeNotVerified */ $block->getCustomizedOptionValue($_option) ?>
                     <?php else: ?>
                         <?php $_option = $block->getFormattedOption($_option['value']); ?>
-                        <?= /* @escapeNotVerified */ $_option['value'] ?><?php if (isset($_option['remainder']) && $_option['remainder']): ?><span id="<?= /* @escapeNotVerified */ $_dots = 'dots' . uniqid() ?>"> ...</span><span id="<?= /* @escapeNotVerified */ $_id = 'id' . uniqid() ?>"><?= /* @escapeNotVerified */ $_option['remainder'] ?></span>
+                        <?= $block->escapeHtml($_option['value']) ?><?php if (isset($_option['remainder']) && $_option['remainder']): ?><span id="<?= /* @escapeNotVerified */ $_dots = 'dots' . uniqid() ?>"> ...</span><span id="<?= /* @escapeNotVerified */ $_id = 'id' . uniqid() ?>"><?= /* @escapeNotVerified */ $_option['remainder'] ?></span>
                             <script>
                                 require(['prototype'], function() {
                                     $('<?= /* @escapeNotVerified */ $_id ?>').hide();

app/code/Magento/Sales/view/frontend/templates/order/creditmemo/items/renderer/default.phtml

@@ -20,12 +20,12 @@
             <?php if (!$block->getPrintStatus()): ?>
                 <?php $_formatedOptionValue = $block->getFormatedOptionValue($_option) ?>
                 <dd<?php if (isset($_formatedOptionValue['full_view'])): ?> class="tooltip wrapper"<?php endif; ?>>
-                    <?= /* @escapeNotVerified */ $_formatedOptionValue['value'] ?>
+                    <?= $block->escapeHtml($_formatedOptionValue['value']) ?>
                     <?php if (isset($_formatedOptionValue['full_view'])): ?>
                     <div class="tooltip content">
                         <dl class="item options">
                             <dt><?= $block->escapeHtml($_option['label']) ?></dt>
-                            <dd><?= /* @escapeNotVerified */ $_formatedOptionValue['full_view'] ?></dd>
+                            <dd><?= $block->escapeHtml($_formatedOptionValue['full_view']) ?></dd>
                         </dl>
                     </div>
                     <?php endif; ?>

app/code/Magento/Sales/view/frontend/templates/order/invoice/items/renderer/default.phtml

@@ -20,12 +20,12 @@
             <?php if (!$block->getPrintStatus()): ?>
                 <?php $_formatedOptionValue = $block->getFormatedOptionValue($_option) ?>
                 <dd<?php if (isset($_formatedOptionValue['full_view'])): ?> class="tooltip wrapper"<?php endif; ?>>
-                    <?= /* @escapeNotVerified */ $_formatedOptionValue['value'] ?>
+                    <?= $block->escapeHtml($_formatedOptionValue['value']) ?>
                     <?php if (isset($_formatedOptionValue['full_view'])): ?>
                     <div class="tooltip content">
                         <dl class="item options">
                             <dt><?= $block->escapeHtml($_option['label']) ?></dt>
-                            <dd><?= /* @escapeNotVerified */ $_formatedOptionValue['full_view'] ?></dd>
+                            <dd><?= $block->escapeHtml($_formatedOptionValue['full_view']) ?></dd>
                         </dl>
                     </div>
                     <?php endif; ?>

app/code/Magento/Sales/view/frontend/templates/order/items/renderer/default.phtml

@@ -20,9 +20,9 @@ $_item = $block->getItem();
                 <?php $_formatedOptionValue = $block->getFormatedOptionValue($_option) ?>
                 <dd>
                     <?php if (isset($_formatedOptionValue['full_view'])): ?>
-                        <?= /* @escapeNotVerified */ $_formatedOptionValue['full_view'] ?>
+                        <?= $block->escapeHtml($_formatedOptionValue['full_view']) ?>
                     <?php else: ?>
-                        <?= /* @escapeNotVerified */ $_formatedOptionValue['value'] ?>
+                        <?=$block->escapeHtml($_formatedOptionValue['value']) ?>
                     <?php endif; ?>
                 </dd>
             <?php else: ?>

app/code/Magento/Sales/view/frontend/templates/order/shipment/items/renderer/default.phtml

@@ -19,12 +19,12 @@
             <?php if (!$block->getPrintStatus()): ?>
                 <?php $_formatedOptionValue = $block->getFormatedOptionValue($_option) ?>
                 <dd<?php if (isset($_formatedOptionValue['full_view'])): ?> class="tooltip wrapper"<?php endif; ?>>
-                    <?= /* @escapeNotVerified */ $_formatedOptionValue['value'] ?>
+                    <?= $block->escapeHtml($_formatedOptionValue['value']) ?>
                     <?php if (isset($_formatedOptionValue['full_view'])): ?>
                     <div class="tooltip content">
                         <dl class="item options">
                             <dt><?= $block->escapeHtml($_option['label']) ?></dt>
-                            <dd><?= /* @escapeNotVerified */ $_formatedOptionValue['full_view'] ?></dd>
+                            <dd><?= $block->escapeHtml($_formatedOptionValue['full_view']) ?></dd>
                         </dl>
                     </div>
                     <?php endif; ?>

app/code/Magento/Ui/Controller/Adminhtml/Export/GridToCsv.php

@@ -9,6 +9,9 @@
 use Magento\Backend\App\Action\Context;
 use Magento\Ui\Model\Export\ConvertToCsv;
 use Magento\Framework\App\Response\Http\FileFactory;
+use Magento\Framework\App\ObjectManager;
+use Magento\Ui\Component\MassAction\Filter;
+use Psr\Log\LoggerInterface;
 
 /**
  * Class Render
@@ -25,19 +28,35 @@ class GridToCsv extends Action
      */
     protected $fileFactory;
 
+    /**
+     * @var Filter
+     */
+    private $filter;
+
+    /**
+     * @var LoggerInterface
+     */
+    private $logger;
+
     /**
      * @param Context $context
      * @param ConvertToCsv $converter
      * @param FileFactory $fileFactory
+     * @param Filter|null $filter
+     * @param LoggerInterface|null $logger
      */
     public function __construct(
         Context $context,
         ConvertToCsv $converter,
-        FileFactory $fileFactory
+        FileFactory $fileFactory,
+        Filter $filter = null,
+        LoggerInterface $logger = null
     ) {
         parent::__construct($context);
         $this->converter = $converter;
         $this->fileFactory = $fileFactory;
+        $this->filter = $filter ?: ObjectManager::getInstance()->get(Filter::class);
+        $this->logger = $logger ?: ObjectManager::getInstance()->get(LoggerInterface::class);
     }
 
     /**
@@ -50,4 +69,32 @@ public function execute()
     {
         return $this->fileFactory->create('export.csv', $this->converter->getCsvFile(), 'var');
     }
+
+    /**
+     * Checking if the user has access to requested component.
+     *
+     * @inheritDoc
+     */
+    protected function _isAllowed()
+    {
+        if ($this->_request->getParam('namespace')) {
+            try {
+                $component = $this->filter->getComponent();
+                $dataProviderConfig = $component->getContext()
+                    ->getDataProvider()
+                    ->getConfigData();
+                if (isset($dataProviderConfig['aclResource'])) {
+                    return $this->_authorization->isAllowed(
+                        $dataProviderConfig['aclResource']
+                    );
+                }
+            } catch (\Throwable $exception) {
+                $this->logger->critical($exception);
+
+                return false;
+            }
+        }
+
+        return true;
+    }
 }

app/code/Magento/Ui/Controller/Adminhtml/Export/GridToXml.php

@@ -9,6 +9,9 @@
 use Magento\Backend\App\Action\Context;
 use Magento\Ui\Model\Export\ConvertToXml;
 use Magento\Framework\App\Response\Http\FileFactory;
+use Magento\Framework\App\ObjectManager;
+use Magento\Ui\Component\MassAction\Filter;
+use Psr\Log\LoggerInterface;
 
 /**
  * Class Render
@@ -25,19 +28,35 @@ class GridToXml extends Action
      */
     protected $fileFactory;
 
+    /**
+     * @var Filter
+     */
+    private $filter;
+
+    /**
+     * @var LoggerInterface
+     */
+    private $logger;
+
     /**
      * @param Context $context
      * @param ConvertToXml $converter
      * @param FileFactory $fileFactory
+     * @param Filter|null $filter
+     * @param LoggerInterface|null $logger
      */
     public function __construct(
         Context $context,
         ConvertToXml $converter,
-        FileFactory $fileFactory
+        FileFactory $fileFactory,
+        Filter $filter = null,
+        LoggerInterface $logger = null
     ) {
         parent::__construct($context);
         $this->converter = $converter;
         $this->fileFactory = $fileFactory;
+        $this->filter = $filter ?: ObjectManager::getInstance()->get(Filter::class);
+        $this->logger = $logger ?: ObjectManager::getInstance()->get(LoggerInterface::class);
     }
 
     /**
@@ -50,4 +69,32 @@ public function execute()
     {
         return $this->fileFactory->create('export.xml', $this->converter->getXmlFile(), 'var');
     }
+
+    /**
+     * Checking if the user has access to requested component.
+     *
+     * @inheritDoc
+     */
+    protected function _isAllowed()
+    {
+        if ($this->_request->getParam('namespace')) {
+            try {
+                $component = $this->filter->getComponent();
+                $dataProviderConfig = $component->getContext()
+                    ->getDataProvider()
+                    ->getConfigData();
+                if (isset($dataProviderConfig['aclResource'])) {
+                    return $this->_authorization->isAllowed(
+                        $dataProviderConfig['aclResource']
+                    );
+                }
+            } catch (\Throwable $exception) {
+                $this->logger->critical($exception);
+
+                return false;
+            }
+        }
+
+        return true;
+    }
 }

app/code/Magento/Variable/Model/Variable.php

@@ -153,7 +153,7 @@ public function getVariablesOptionArray($withGroup = false)
         foreach ($collection->toOptionArray() as $variable) {
             $variables[] = [
                 'value' => '{{customVar code=' . $variable['value'] . '}}',
-                'label' => __('%1', $variable['label']),
+                'label' => __('%1', $this->_escaper->escapeHtml($variable['label'])),
             ];
         }
         if ($withGroup && $variables) {