Merge pull request #4311 from magento-arcticfoxes/2.2-develop-pr

[arcticfoxes] PR

Author: Joan He

app/code/Magento/Backend/Test/Unit/Block/Widget/Grid/Column/Filter/TextTest.php

@@ -8,6 +8,9 @@
 
 use Magento\Framework\TestFramework\Unit\Helper\ObjectManager as ObjectManagerHelper;
 
+/**
+ * Unit test for \Magento\Backend\Block\Widget\Grid\Column\Filter\Text
+ */
 class TextTest extends \PHPUnit\Framework\TestCase
 {
     /** @var \Magento\Backend\Block\Widget\Grid\Column\Filter\Text*/
@@ -31,7 +34,10 @@ protected function setUp()
             ->setMethods(['getEscaper'])
             ->disableOriginalConstructor()
             ->getMock();
-        $this->escaper = $this->createPartialMock(\Magento\Framework\Escaper::class, ['escapeHtml']);
+        $this->escaper = $this->createPartialMock(
+            \Magento\Framework\Escaper::class,
+            ['escapeHtml', 'escapeHtmlAttr']
+        );
         $this->helper = $this->createMock(\Magento\Framework\DB\Helper::class);
 
         $this->context->expects($this->once())->method('getEscaper')->willReturn($this->escaper);
@@ -60,6 +66,13 @@ public function testGetHtml()
         $this->block->setColumn($column);
 
         $this->escaper->expects($this->any())->method('escapeHtml')->willReturn('escapedHtml');
+        $this->escaper->expects($this->once())
+            ->method('escapeHtmlAttr')
+            ->willReturnCallback(
+                function ($string) {
+                    return $string;
+                }
+            );
         $column->expects($this->any())->method('getId')->willReturn('id');
         $column->expects($this->once())->method('getHtmlId')->willReturn('htmlId');
 

app/code/Magento/Catalog/Block/Adminhtml/Product/Edit/AttributeSet.php

@@ -11,6 +11,9 @@
  */
 namespace Magento\Catalog\Block\Adminhtml\Product\Edit;
 
+/**
+ * Admin AttributeSet block
+ */
 class AttributeSet extends \Magento\Backend\Block\Widget\Form
 {
     /**
@@ -42,12 +45,14 @@ public function __construct(
     public function getSelectorOptions()
     {
         return [
-            'source' => $this->getUrl('catalog/product/suggestAttributeSets'),
+            'source' => $this->escapeUrl($this->getUrl('catalog/product/suggestAttributeSets')),
             'className' => 'category-select',
             'showRecent' => true,
             'storageKey' => 'product-template-key',
             'minLength' => 0,
-            'currentlySelected' => $this->_coreRegistry->registry('product')->getAttributeSetId()
+            'currentlySelected' => $this->escapeHtml(
+                $this->_coreRegistry->registry('product')->getAttributeSetId()
+            )
         ];
     }
 }

app/code/Magento/Catalog/Block/Adminhtml/Product/Edit/Tab/Attributes/Search.php

@@ -11,6 +11,9 @@
  */
 namespace Magento\Catalog\Block\Adminhtml\Product\Edit\Tab\Attributes;
 
+/**
+ * Admin product attribute search block
+ */
 class Search extends \Magento\Backend\Block\Widget
 {
     /**
@@ -62,13 +65,15 @@ protected function _construct()
     }
 
     /**
+     * Get selector options
+     *
      * @return array
      */
     public function getSelectorOptions()
     {
         $templateId = $this->_coreRegistry->registry('product')->getAttributeSetId();
         return [
-            'source' => $this->getUrl('catalog/product/suggestAttributes'),
+            'source' => $this->escapeUrl($this->getUrl('catalog/product/suggestAttributes')),
             'minLength' => 0,
             'ajaxOptions' => ['data' => ['template_id' => $templateId]],
             'template' => '[data-template-for="product-attribute-search-' . $this->getGroupId() . '"]',
@@ -82,6 +87,7 @@ public function getSelectorOptions()
      * @param string $labelPart
      * @param int $templateId
      * @return array
+     * @SuppressWarnings(PHPMD.RequestAwareBlockMethod)
      */
     public function getSuggestedAttributes($labelPart, $templateId = null)
     {
@@ -95,7 +101,9 @@ public function getSuggestedAttributes($labelPart, $templateId = null)
             ['like' => $escapedLabelPart]
         );
 
-        $collection->setExcludeSetFilter($templateId ?: $this->getRequest()->getParam('template_id'))->setPageSize(20);
+        $paramTemplateId = $this->getRequest()->getParam('template_id');
+        $paramTemplateId = is_int($paramTemplateId) ? $paramTemplateId : null;
+        $collection->setExcludeSetFilter($templateId ?: $paramTemplateId)->setPageSize(20);
 
         $result = [];
         foreach ($collection->getItems() as $attribute) {
@@ -110,6 +118,8 @@ public function getSuggestedAttributes($labelPart, $templateId = null)
     }
 
     /**
+     * Get add attribute url
+     *
      * @return string
      */
     public function getAddAttributeUrl()

app/code/Magento/Catalog/Block/Product/Gallery.php

@@ -16,6 +16,8 @@
 use Magento\Framework\Data\Collection;
 
 /**
+ * Product gallery block
+ *
  * @api
  * @since 100.0.2
  */
@@ -43,6 +45,8 @@ public function __construct(
     }
 
     /**
+     * Prepare layout
+     *
      * @return $this
      */
     protected function _prepareLayout()
@@ -52,6 +56,8 @@ protected function _prepareLayout()
     }
 
     /**
+     * Get product
+     *
      * @return Product
      */
     public function getProduct()
@@ -60,6 +66,8 @@ public function getProduct()
     }
 
     /**
+     * Get gallery collection
+     *
      * @return Collection
      */
     public function getGalleryCollection()
@@ -68,13 +76,16 @@ public function getGalleryCollection()
     }
 
     /**
+     * Get current image
+     *
      * @return Image|null
+     * @SuppressWarnings(PHPMD.RequestAwareBlockMethod)
      */
     public function getCurrentImage()
     {
         $imageId = $this->getRequest()->getParam('image');
         $image = null;
-        if ($imageId) {
+        if (is_int($imageId)) {
             $image = $this->getGalleryCollection()->getItemById($imageId);
         }
 
@@ -85,6 +96,8 @@ public function getCurrentImage()
     }
 
     /**
+     * Get image url
+     *
      * @return string
      */
     public function getImageUrl()
@@ -93,6 +106,8 @@ public function getImageUrl()
     }
 
     /**
+     * Get image file
+     *
      * @return mixed
      */
     public function getImageFile()
@@ -115,7 +130,7 @@ public function getImageWidth()
                 if ($size[0] > 600) {
                     return 600;
                 } else {
-                    return $size[0];
+                    return (int) $size[0];
                 }
             }
         }
@@ -124,6 +139,8 @@ public function getImageWidth()
     }
 
     /**
+     * Get previous image
+     *
      * @return Image|false
      */
     public function getPreviousImage()
@@ -143,6 +160,8 @@ public function getPreviousImage()
     }
 
     /**
+     * Get next image
+     *
      * @return Image|false
      */
     public function getNextImage()
@@ -166,6 +185,8 @@ public function getNextImage()
     }
 
     /**
+     * Get previous image url
+     *
      * @return false|string
      */
     public function getPreviousImageUrl()
@@ -178,6 +199,8 @@ public function getPreviousImageUrl()
     }
 
     /**
+     * Get next image url
+     *
      * @return false|string
      */
     public function getNextImageUrl()

app/code/Magento/Catalog/Block/Product/ListProduct.php

@@ -364,7 +364,7 @@ public function getAddToCartPostParams(Product $product)
         return [
             'action' => $url,
             'data' => [
-                'product' => $product->getEntityId(),
+                'product' => (int) $product->getEntityId(),
                 ActionInterface::PARAM_NAME_URL_ENCODED => $this->urlHelper->getEncodedUrl($url),
             ]
         ];

app/code/Magento/Catalog/Block/Product/View.php

@@ -187,24 +187,25 @@ public function getJsonConfig()
         }
 
         $tierPrices = [];
-        $tierPricesList = $product->getPriceInfo()->getPrice('tier_price')->getTierPriceList();
+        $priceInfo = $product->getPriceInfo();
+        $tierPricesList = $priceInfo->getPrice('tier_price')->getTierPriceList();
         foreach ($tierPricesList as $tierPrice) {
-            $tierPrices[] = $tierPrice['price']->getValue();
+            $tierPrices[] = $tierPrice['price']->getValue() * 1;
         }
         $config = [
-            'productId'   => $product->getId(),
+            'productId'   => (int)$product->getId(),
             'priceFormat' => $this->_localeFormat->getPriceFormat(),
             'prices'      => [
                 'oldPrice'   => [
-                    'amount'      => $product->getPriceInfo()->getPrice('regular_price')->getAmount()->getValue(),
+                    'amount'      => $priceInfo->getPrice('regular_price')->getAmount()->getValue() * 1,
                     'adjustments' => []
                 ],
                 'basePrice'  => [
-                    'amount'      => $product->getPriceInfo()->getPrice('final_price')->getAmount()->getBaseAmount(),
+                    'amount'      => $priceInfo->getPrice('final_price')->getAmount()->getBaseAmount() * 1,
                     'adjustments' => []
                 ],
                 'finalPrice' => [
-                    'amount'      => $product->getPriceInfo()->getPrice('final_price')->getAmount()->getValue(),
+                    'amount'      => $priceInfo->getPrice('final_price')->getAmount()->getValue() * 1,
                     'adjustments' => []
                 ]
             ],

app/code/Magento/Catalog/view/adminhtml/templates/catalog/category/checkboxes/tree.phtml

@@ -4,7 +4,6 @@
  * See COPYING.txt for license details.
  */
 
-// @codingStandardsIgnoreFile
 /**
  * @var $block \Magento\Catalog\Block\Adminhtml\Category\Tree
  */

app/code/Magento/Catalog/view/adminhtml/templates/catalog/category/edit.phtml

@@ -5,18 +5,18 @@
  */
 
 /**
- * Template for \Magento\Catalog\Block\Adminhtml\Category\Edit
+ * @var $block \Magento\Catalog\Block\Adminhtml\Category\Edit
  */
 ?>
 <div data-id="information-dialog-category" class="messages" style="display: none;">
     <div class="message message-notice">
-        <div><?= /* @escapeNotVerified */ __('This operation can take a long time') ?></div>
+        <div><?= $block->escapeHtml(__('This operation can take a long time')) ?></div>
     </div>
 </div>
 <script type="text/x-magento-init">
     {
         "*": {
-            "categoryForm": {"refreshUrl": "<?= /* @escapeNotVerified */ $block->getRefreshPathUrl() ?>"}
+            "categoryForm": {"refreshUrl": "<?= $block->escapeJs($block->escapeUrl($block->getRefreshPathUrl())) ?>"}
         }
     }
 </script>

app/code/Magento/Catalog/view/adminhtml/templates/catalog/category/edit/assign_products.phtml

@@ -16,8 +16,8 @@ $gridJsObjectName = $blockGrid->getJsObjectName();
     {
         "*": {
             "Magento_Catalog/catalog/category/assign-products": {
-                "selectedProducts": <?= /* @escapeNotVerified */ $block->getProductsJson() ?>,
-                "gridJsObjectName": <?= /* @escapeNotVerified */ '"' . $gridJsObjectName . '"' ?: '{}' ?>
+                "selectedProducts": <?= /* @noEscape */ $block->getProductsJson() ?>,
+                "gridJsObjectName": <?= /* @noEscape */ '"' . $gridJsObjectName . '"' ?: '{}' ?>
             }
         }
     }