Magento_Checkout: avoid using deprecated escape* methods from Abstrac… #31680
Expand Up @@ -117,7 +117,7 @@ protected function addQuoteMessages()
foreach ($this->cartHelper->getQuote()->getMessages() as $message) {
if ($message) {
// Escape HTML entities in quote message to prevent XSS
$message->setText($this->escapeHtml($message->getText()));
$message->setText($this->_escaper->escapeHtml($message->getText()));
$messages[] = $message;
}
}
10 changes: 7 additions & 3 deletions app/code/Magento/Checkout/view/frontend/templates/button.phtml
Expand Up @@ -3,15 +3,19 @@
* Copyright © Magento, Inc. All rights reserved.
* See COPYING.txt for license details.
*/

/**
* @var \Magento\Checkout\Block\Onepage\Success $block
* @var \Magento\Framework\Escaper $escaper
*/
?>
<?php /** @var $block \Magento\Checkout\Block\Onepage\Success */ ?>

<?php if ($block->getCanViewOrder() && $block->getCanPrintOrder()) :?>
<a href="<?= $block->escapeUrl($block->getPrintUrl()) ?>"
<a href="<?= $escaper->escapeUrl($block->getPrintUrl()) ?>"
class="action print"
target="_blank"
rel="noopener">
<?= $block->escapeHtml(__('Print receipt')) ?>
<?= $escaper->escapeHtml(__('Print receipt')) ?>
</a>
<?= $block->getChildHtml() ?>
<?php endif;?>
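Review bot: The href and the 'Print receipt' label now escape through `$escaper`, a variable this template does not define itself, so correct escaping here depends on the template engine injecting it for every rendering path; the `@var \Magento\Framework\Escaper $escaper` docblock documents the expectation but does not enforce it. If some path (a direct `toHtml()` call in a test, an alternative engine) does not supply it, PHP 8 fails with a call on null rather than emitting unescaped output, which is the safe direction, but it should be confirmed for this branch. The same dependency is introduced in the discount, cart form and product-update form sections below; one check of the engine's variable set covers all of them.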
Expand Up @@ -8,7 +8,7 @@
/**
* Shopping cart template
*
* @var $block \Magento\Checkout\Block\Cart
* @var \Magento\Checkout\Block\Cart $block
*/

if ($block->getItemsCount()) {
Expand Up @@ -8,7 +8,7 @@
<?php
/**
* Shopping cart additional info
* @var $block \Magento\Framework\View\Element\Template
* @var \Magento\Framework\View\Element\Template $block
*/
?>
<?php
Expand Up @@ -6,6 +6,7 @@

/**
* @var \Magento\Framework\View\Element\AbstractBlock $block
* @var \Magento\Framework\Escaper $escaper
*/

// We should use strlen function because coupon code could be "0", converted to bool will lead to false
Expand All @@ -16,11 +17,11 @@ $hasCouponCode = (bool) strlen($block->getCouponCode());
data-mage-init='{"collapsible":{"active": <?= $hasCouponCode ? 'true' : 'false' ?>, "openedState": "active", "saveState": false}}'
>
<div class="title" data-role="title">
<strong id="block-discount-heading" role="heading" aria-level="2"><?= $block->escapeHtml(__('Apply Discount Code')) ?></strong>
<strong id="block-discount-heading" role="heading" aria-level="2"><?= $escaper->escapeHtml(__('Apply Discount Code')) ?></strong>
</div>
<div class="content" data-role="content" aria-labelledby="block-discount-heading">
<form id="discount-coupon-form"
action="<?= $block->escapeUrl($block->getUrl('checkout/cart/couponPost')) ?>"
action="<?= $escaper->escapeUrl($block->getUrl('checkout/cart/couponPost')) ?>"
method="post"
data-mage-init='{"discountCode":{"couponCodeSelector": "#coupon_code",
"removeCouponSelector": "#remove-coupon",
Expand All @@ -29,14 +30,14 @@ $hasCouponCode = (bool) strlen($block->getCouponCode());
<div class="fieldset coupon<?= $hasCouponCode ? ' applied' : '' ?>">
<input type="hidden" name="remove" id="remove-coupon" value="0" />
<div class="field">
<label for="coupon_code" class="label"><span><?= $block->escapeHtml(__('Enter discount code')) ?></span></label>
<label for="coupon_code" class="label"><span><?= $escaper->escapeHtml(__('Enter discount code')) ?></span></label>
<div class="control">
<input type="text"
class="input-text"
id="coupon_code"
name="coupon_code"
value="<?= $block->escapeHtmlAttr($block->getCouponCode()) ?>"
placeholder="<?= $block->escapeHtmlAttr(__('Enter discount code')) ?>"
value="<?= $escaper->escapeHtmlAttr($block->getCouponCode()) ?>"
placeholder="<?= $escaper->escapeHtmlAttr(__('Enter discount code')) ?>"
<?php if ($hasCouponCode) :?>
disabled="disabled"
<?php endif; ?>
Expand All @@ -46,13 +47,13 @@ $hasCouponCode = (bool) strlen($block->getCouponCode());
<div class="actions-toolbar">
<?php if (!$hasCouponCode) :?>
<div class="primary">
<button class="action apply primary" type="button" value="<?= $block->escapeHtmlAttr(__('Apply Discount')) ?>">
<span><?= $block->escapeHtml(__('Apply Discount')) ?></span>
<button class="action apply primary" type="button" value="<?= $escaper->escapeHtmlAttr(__('Apply Discount')) ?>">
<span><?= $escaper->escapeHtml(__('Apply Discount')) ?></span>
</button>
</div>
<?php else :?>
<div class="primary">
<button type="button" class="action cancel primary" value="<?= $block->escapeHtmlAttr(__('Cancel Coupon')) ?>"><span><?= $block->escapeHtml(__('Cancel Coupon')) ?></span></button>
<button type="button" class="action cancel primary" value="<?= $escaper->escapeHtmlAttr(__('Cancel Coupon')) ?>"><span><?= $escaper->escapeHtml(__('Cancel Coupon')) ?></span></button>
</div>
<?php endif; ?>
</div>
33 changes: 18 additions & 15 deletions app/code/Magento/Checkout/view/frontend/templates/cart/form.phtml
Expand Up @@ -6,15 +6,18 @@

// phpcs:disable Magento2.Templates.ThisInTemplate

/** @var $block \Magento\Checkout\Block\Cart\Grid */
/**
* @var \Magento\Checkout\Block\Cart\Grid $block
* @var \Magento\Framework\Escaper $escaper
*/
?>
<?php $mergedCells = ($this->helper(Magento\Tax\Helper\Data::class)->displayCartBothPrices() ? 2 : 1); ?>
<?= $block->getChildHtml('form_before') ?>
<form action="<?= $block->escapeUrl($block->getUrl('checkout/cart/updatePost')) ?>"
<form action="<?= $escaper->escapeUrl($block->getUrl('checkout/cart/updatePost')) ?>"
method="post"
id="form-validate"
data-mage-init='{"Magento_Checkout/js/action/update-shopping-cart":
{"validationURL" : "<?= $block->escapeUrl($block->getUrl('checkout/cart/updateItemQty')) ?>",
{"validationURL" : "<?= $escaper->escapeUrl($block->getUrl('checkout/cart/updateItemQty')) ?>",
"updateCartActionContainer": "#update_cart_action_container"}
}'
class="form form-cart">
Expand All @@ -29,13 +32,13 @@
class="cart items data table"
data-mage-init='{"shoppingCart":{"emptyCartButton": ".action.clear",
"updateCartActionContainer": "#update_cart_action_container"}}'>
<caption class="table-caption"><?= $block->escapeHtml(__('Shopping Cart Items')) ?></caption>
<caption class="table-caption"><?= $escaper->escapeHtml(__('Shopping Cart Items')) ?></caption>
<thead>
<tr>
<th class="col item" scope="col"><span><?= $block->escapeHtml(__('Item')) ?></span></th>
<th class="col price" scope="col"><span><?= $block->escapeHtml(__('Price')) ?></span></th>
<th class="col qty" scope="col"><span><?= $block->escapeHtml(__('Qty')) ?></span></th>
<th class="col subtotal" scope="col"><span><?= $block->escapeHtml(__('Subtotal')) ?></span></th>
<th class="col item" scope="col"><span><?= $escaper->escapeHtml(__('Item')) ?></span></th>
<th class="col price" scope="col"><span><?= $escaper->escapeHtml(__('Price')) ?></span></th>
<th class="col qty" scope="col"><span><?= $escaper->escapeHtml(__('Qty')) ?></span></th>
<th class="col subtotal" scope="col"><span><?= $escaper->escapeHtml(__('Subtotal')) ?></span></th>
</tr>
</thead>
<?php foreach ($block->getItems() as $_item): ?>
Expand All @@ -51,28 +54,28 @@
<div class="cart main actions">
<?php if ($block->getContinueShoppingUrl()): ?>
<a class="action continue"
href="<?= $block->escapeUrl($block->getContinueShoppingUrl()) ?>"
title="<?= $block->escapeHtml(__('Continue Shopping')) ?>">
<span><?= $block->escapeHtml(__('Continue Shopping')) ?></span>
href="<?= $escaper->escapeUrl($block->getContinueShoppingUrl()) ?>"
title="<?= $escaper->escapeHtml(__('Continue Shopping')) ?>">
<span><?= $escaper->escapeHtml(__('Continue Shopping')) ?></span>
</a>
<?php endif; ?>
<?php if ($block->getViewModel()->isClearShoppingCartEnabled()): ?>
<button type="button"
name="update_cart_action"
data-cart-empty=""
value="empty_cart"
title="<?= $block->escapeHtml(__('Clear Shopping Cart')) ?>"
title="<?= $escaper->escapeHtml(__('Clear Shopping Cart')) ?>"
class="action clear" id="empty_cart_button">
<span><?= $block->escapeHtml(__('Clear Shopping Cart')) ?></span>
<span><?= $escaper->escapeHtml(__('Clear Shopping Cart')) ?></span>
</button>
<?php endif ?>
<button type="submit"
name="update_cart_action"
data-cart-item-update=""
value="update_qty"
title="<?= $block->escapeHtml(__('Update Shopping Cart')) ?>"
title="<?= $escaper->escapeHtml(__('Update Shopping Cart')) ?>"
class="action update">
<span><?= $block->escapeHtml(__('Update Shopping Cart')) ?></span>
<span><?= $escaper->escapeHtml(__('Update Shopping Cart')) ?></span>
</button>
<input type="hidden" value="" id="update_cart_action_container" data-cart-item-update=""/>
</div>
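Review bot: The `validationURL` value in the `data-mage-init` attribute is a URL placed inside a JSON string literal inside a single-quoted HTML attribute, and `escapeUrl` only covers the HTML-attribute layer, not the JSON string layer; a `"` in the URL would be emitted as `&quot;`, which the browser decodes back to a bare quote before the JSON is parsed. The value comes from `$block->getUrl()`, so it is store-generated and the practical risk is low, but since the migration touches this line it is a good moment to build the init config as a PHP array and emit it once with `$escaper->escapeHtmlAttr(json_encode($config))`, which handles both layers consistently. The form element opened here closes outside the hunk.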
Expand Up @@ -4,7 +4,10 @@
* See COPYING.txt for license details.
*/

/** @var $block \Magento\Catalog\Block\Product\View */
/**
* @var \Magento\Catalog\Block\Product\View $block
* @var \Magento\Framework\Escaper $escaper
*/
?>
<?php $_product = $block->getProduct(); ?>
<?php $buttonTitle = __('Update Cart'); ?>
Expand All @@ -13,25 +16,25 @@
<fieldset class="fieldset">
<?php if ($block->shouldRenderQuantity()) :?>
<div class="field qty">
<label class="label" for="qty"><span><?= $block->escapeHtml(__('Qty')) ?></span></label>
<label class="label" for="qty"><span><?= $escaper->escapeHtml(__('Qty')) ?></span></label>
<div class="control">
<input type="number"
name="qty"
id="qty"
min="0"
value=""
title="<?= $block->escapeHtmlAttr(__('Qty')) ?>"
title="<?= $escaper->escapeHtmlAttr(__('Qty')) ?>"
class="input-text qty"
data-validate="<?= $block->escapeHtml(json_encode($block->getQuantityValidators())) ?>"/>
data-validate="<?= $escaper->escapeHtml(json_encode($block->getQuantityValidators())) ?>"/>
</div>
</div>
<?php endif; ?>
<div class="actions">
<button type="submit"
title="<?= $block->escapeHtmlAttr($buttonTitle) ?>"
title="<?= $escaper->escapeHtmlAttr($buttonTitle) ?>"
class="action primary tocart"
id="product-updatecart-button">
<span><?= $block->escapeHtml($buttonTitle) ?></span>
<span><?= $escaper->escapeHtml($buttonTitle) ?></span>
</button>
<?= $block->getChildHtml('', true) ?>
</div>
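Review bot: The `data-validate` attribute still uses `escapeHtml` for an attribute value while the neighbouring `title` attributes in the same hunk use `escapeHtmlAttr`; the migration carries the context mismatch over unchanged. `escapeHtmlAttr` is the context-correct call for attribute values, so `data-validate="<?= $escaper->escapeHtmlAttr(json_encode($block->getQuantityValidators())) ?>"` keeps the element consistent with the rest of the template. Separately, a `json_encode` failure returns `false`, which escapes to an empty attribute and silently disables the quantity validators; if the validators can contain non-UTF-8 data, consider passing `JSON_THROW_ON_ERROR` so the failure is visible rather than swallowed.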