
Magento_Payment: avoid using deprecated escape* methods from Abstract… #31694

Closed
wants to merge 1 commit into from
2 changes: 1 addition & 1 deletion app/code/Magento/Payment/Block/Form.php
Expand Up @@ -63,6 +63,6 @@ public function getMethodCode()
*/
public function getInfoData($field)
{
return $this->escapeHtml($this->getMethod()->getInfoInstance()->getData($field));
return $this->_escaper->escapeHtml($this->getMethod()->getInfoInstance()->getData($field));
}
}
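Review bot: The replacement reaches into `$this->_escaper`, an inherited protected property of AbstractBlock, so it trades a deprecated public method for an underscore-prefixed framework internal that this block never declares; the `getValueAsArray` hunk in Info.php does the same. Magento's usual way of retiring these calls is to inject `\Magento\Framework\Escaper` as a trailing optional constructor argument and keep it in a private property, which stays backward compatible for existing subclasses and makes the dependency visible to static analysis. getInfoData's body is entirely inside the hunk, but the class constructor is not, so whether an Escaper is already injected there cannot be confirmed from this view.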
2 changes: 1 addition & 1 deletion app/code/Magento/Payment/Block/Info.php
Expand Up @@ -107,7 +107,7 @@ public function getValueAsArray($value, $escapeHtml = false)
}
if ($escapeHtml) {
foreach ($value as $_key => $_val) {
$value[$_key] = $this->escapeHtml($_val);
$value[$_key] = $this->_escaper->escapeHtml($_val);
}
}
return $value;
27 changes: 14 additions & 13 deletions app/code/Magento/Payment/view/adminhtml/templates/form/cc.phtml
Expand Up @@ -6,62 +6,63 @@

/**
* @var \Magento\Payment\Block\Adminhtml\Transparent\Form $block
* @var \Magento\Framework\Escaper $escaper
* @var \Magento\Framework\View\Helper\SecureHtmlRenderer $secureRenderer
*/
$code = $block->escapeHtml($block->getMethodCode());
$code = $escaper->escapeHtml($block->getMethodCode());
$ccType = $block->getInfoData('cc_type');
$ccExpMonth = $block->getInfoData('cc_exp_month');
$ccExpYear = $block->getInfoData('cc_exp_year');
?>
<fieldset class="admin__fieldset payment-method" id="payment_form_<?= /* @noEscape */ $code ?>">
<div class="field-type admin__field _required">
<label class="admin__field-label" for="<?= /* @noEscape */ $code ?>_cc_type">
<span><?= $block->escapeHtml(__('Credit Card Type')) ?></span>
<span><?= $escaper->escapeHtml(__('Credit Card Type')) ?></span>
</label>
<div class="admin__field-control">
<select id="<?= /* @noEscape */ $code ?>_cc_type" name="payment[cc_type]"
class="required-entry validate-cc-type-select admin__control-select">
<option value=""></option>
<?php foreach ($block->getCcAvailableTypes() as $typeCode => $typeName): ?>
<option value="<?= $block->escapeHtml($typeCode) ?>"
<option value="<?= $escaper->escapeHtml($typeCode) ?>"
<?php if ($typeCode == $ccType): ?>selected="selected"<?php endif ?>>
<?= $block->escapeHtml($typeName) ?>
<?= $escaper->escapeHtml($typeName) ?>
</option>
<?php endforeach ?>
</select>
</div>
</div>
<div class="field-number admin__field _required">
<label class="admin__field-label" for="<?= /* @noEscape */ $code ?>_cc_number">
<span><?= $block->escapeHtml(__('Credit Card Number')) ?></span>
<span><?= $escaper->escapeHtml(__('Credit Card Number')) ?></span>
</label>
<div class="admin__field-control">
<input type="text" id="<?= /* @noEscape */ $code ?>_cc_number" name="payment[cc_number]"
title="<?= $block->escapeHtml(__('Credit Card Number')) ?>"
title="<?= $escaper->escapeHtml(__('Credit Card Number')) ?>"
class="admin__control-text validate-cc-number"
value="<?= /* @noEscape */ $block->getInfoData('cc_number') ?>"/>
</div>
</div>
<div class="field-date admin__field _required">
<label class="admin__field-label" for="<?= /* @noEscape */ $code ?>_expiration">
<span><?= $block->escapeHtml(__('Expiration Date')) ?></span>
<span><?= $escaper->escapeHtml(__('Expiration Date')) ?></span>
</label>
<div class="admin__field-control">
<select id="<?= /* @noEscape */ $code ?>_expiration" name="payment[cc_exp_month]"
class="admin__control-select admin__control-select-month validate-cc-exp required-entry">
<?php foreach ($block->getCcMonths() as $k => $v): ?>
<option value="<?= $block->escapeHtml($k) ?>"
<option value="<?= $escaper->escapeHtml($k) ?>"
<?php if ($k == $ccExpMonth): ?>selected="selected"<?php endif ?>>
<?= $block->escapeHtml($v) ?>
<?= $escaper->escapeHtml($v) ?>
</option>
<?php endforeach; ?>
</select>
<select id="<?= /* @noEscape */ $code ?>_expiration_yr" name="payment[cc_exp_year]"
class="admin__control-select admin__control-select-year required-entry">
<?php foreach ($block->getCcYears() as $k => $v): ?>
<option value="<?= /* @noEscape */ $k ? $block->escapeHtml($k) : '' ?>"
<option value="<?= /* @noEscape */ $k ? $escaper->escapeHtml($k) : '' ?>"
<?php if ($k == $ccExpYear): ?>selected="selected"<?php endif ?>>
<?= $block->escapeHtml($v) ?>
<?= $escaper->escapeHtml($v) ?>
</option>
<?php endforeach ?>
</select>
Expand All @@ -71,10 +72,10 @@ $ccExpYear = $block->getInfoData('cc_exp_year');
<?php if ($block->hasVerification()): ?>
<div class="field-number required admin__field _required">
<label class="admin__field-label" for="<?= /* @noEscape */ $code ?>_cc_cid">
<span><?= $block->escapeHtml(__('Card Verification Number')) ?></span>
<span><?= $escaper->escapeHtml(__('Card Verification Number')) ?></span>
</label>
<div class="admin__field-control">
<input type="text" title="<?= $block->escapeHtml(__('Card Verification Number')) ?>"
<input type="text" title="<?= $escaper->escapeHtml(__('Card Verification Number')) ?>"
class="required-entry validate-cc-cvn admin__control-cvn admin__control-text"
id="<?= /* @noEscape */ $code ?>_cc_cid"
name="payment[cc_cid]" value="<?= /* @noEscape */ $block->getInfoData('cc_cid') ?>"/>
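Review bot: Values rendered between attribute quotes keep `escapeHtml` after the rewrite — `value="<?= $escaper->escapeHtml($typeCode) ?>"` and `title="<?= $escaper->escapeHtml(__('Credit Card Number')) ?>"` — while the attribute-context method `escapeHtmlAttr`, which redirect.phtml in this same PR already uses, is the documented choice for that position. Because the quote characters are encoded either way this is a consistency point rather than an observed break, but every call in the file is being touched, so switching the attribute-position ones now avoids a second sweep; the same `value=` and `title=` attributes recur in transparent/form.phtml. The `/* @noEscape */ $code` interpolations into `id=` attributes rely on `$code` having been escaped once at the top of the template, which still holds after the change.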
Expand Up @@ -6,20 +6,21 @@

/**
* @var \Magento\Payment\Block\Info $block
* @var \Magento\Framework\Escaper $escaper
* @see \Magento\Payment\Block\Info
*/
$specificInfo = $block->getSpecificInformation();
$paymentTitle = $block->getMethod()->getConfigData('title', $block->getInfo()->getOrder()->getStoreId());
?>
<?= $block->escapeHtml($paymentTitle) ?>
<?= $escaper->escapeHtml($paymentTitle) ?>

<?php if ($specificInfo) : ?>
<table class="data-table admin__table-secondary">
<?php foreach ($specificInfo as $label => $value) : ?>
<tr>
<th><?= $block->escapeHtml($label) ?>:</th>
<th><?= $escaper->escapeHtml($label) ?>:</th>
<td>
<?= /* @noEscape */ nl2br($block->escapeHtml(implode("\n", $block->getValueAsArray($value, true)))) ?>
<?= /* @noEscape */ nl2br($escaper->escapeHtml(implode("\n", $block->getValueAsArray($value, true)))) ?>
</td>
</tr>
<?php endforeach; ?>
Expand Up @@ -6,15 +6,16 @@

/**
* @var \Magento\Payment\Block\Info $block
* @var \Magento\Framework\Escaper $escaper
* @see \Magento\Payment\Block\Info
*/
?>
<p><?= $block->escapeHtml($block->getMethod()->getTitle()) ?></p>
<p><?= $escaper->escapeHtml($block->getMethod()->getTitle()) ?></p>
<?php if ($block->getInstructions()) : ?>
<table>
<tbody>
<tr>
<td><?= /* @noEscape */ nl2br($block->escapeHtml($block->getInstructions())) ?></td>
<td><?= /* @noEscape */ nl2br($escaper->escapeHtml($block->getInstructions())) ?></td>
</tr>
</tbody>
</table>
Expand Up @@ -7,17 +7,18 @@
/**
* @see \Magento\Payment\Block\Info
* @var \Magento\Payment\Block\Info $block
* @var \Magento\Framework\Escaper $escaper
*/
$paymentTitle = $block->getMethod()->getConfigData('title', $block->getInfo()->getOrder()->getStoreId());
?>
<?= $block->escapeHtml($paymentTitle) ?>{{pdf_row_separator}}
<?= $escaper->escapeHtml($paymentTitle) ?>{{pdf_row_separator}}

<?php if ($specificInfo = $block->getSpecificInformation()) : ?>
<?php foreach ($specificInfo as $label => $value) : ?>
<?= $block->escapeHtml($label) ?>:
<?= $block->escapeHtml(implode(' ', $block->getValueAsArray($value))) ?>
<?= $escaper->escapeHtml($label) ?>:
<?= $escaper->escapeHtml(implode(' ', $block->getValueAsArray($value))) ?>
{{pdf_row_separator}}
<?php endforeach; ?>
<?php endif;?>

<?= $block->escapeHtml(implode('{{pdf_row_separator}}', $block->getChildPdfAsArray())) ?>
<?= $escaper->escapeHtml(implode('{{pdf_row_separator}}', $block->getChildPdfAsArray())) ?>
Expand Up @@ -6,11 +6,12 @@

/**
* @var \Magento\Payment\Block\Info $block
* @var \Magento\Framework\Escaper $escaper
*/
?>
<div>
<?= $block->getMethod()->getTitle()
? $block->escapeHtml($block->getMethod()->getTitle())
: $block->escapeHtml(__('Payment method')); ?>
<?= $block->escapeHtml(__(' is not available. You still can process offline actions.')) ?>
? $escaper->escapeHtml($block->getMethod()->getTitle())
: $escaper->escapeHtml(__('Payment method')); ?>
<?= $escaper->escapeHtml(__(' is not available. You still can process offline actions.')) ?>
</div>
Expand Up @@ -4,10 +4,13 @@
* See COPYING.txt for license details.
*/

/** @var \Magento\Payment\Block\Transparent\Form $block */
/**
* @var \Magento\Payment\Block\Transparent\Form $block
* @var \Magento\Framework\Escaper $escaper
*/
/** @var \Magento\Framework\View\Helper\SecureHtmlRenderer $secureRenderer */

$code = $block->escapeHtml($block->getMethodCode());
$code = $escaper->escapeHtml($block->getMethodCode());
$ccType = $block->getInfoData('cc_type');
$ccExpYear = $block->getInfoData('cc_exp_year');
$ccExpMonth = $block->getInfoData('cc_exp_month');
Expand All @@ -19,7 +22,7 @@ $ccExpMonth = $block->getInfoData('cc_exp_month');
allowtransparency="true"
frameborder="0"
name="iframeTransparent"
src="<?= $block->escapeUrl($block->getViewFileUrl('blank.html')) ?>"></iframe>
src="<?= $escaper->escapeUrl($block->getViewFileUrl('blank.html')) ?>"></iframe>
<?= /* @noEscape */ $secureRenderer->renderStyleAsTag(
"display: none; width: 100%; background-color: transparent;",
'iframe#' . /* @noEscape */ $code . '-transparent-iframe'
Expand All @@ -29,20 +32,20 @@ $ccExpMonth = $block->getInfoData('cc_exp_month');
class="admin__fieldset"
data-mage-init='{
"transparent":{
"controller":"<?= $block->escapeHtml($block->getRequest()->getControllerName()) ?>",
"controller":"<?= $escaper->escapeHtml($block->getRequest()->getControllerName()) ?>",
"gateway":"<?= /* @noEscape */ $code ?>",
"dateDelim":"<?= $block->escapeHtml($block->getDateDelim()) ?>",
"cardFieldsMap":<?= $block->escapeHtml($block->getCardFieldsMap()) ?>,
"orderSaveUrl":"<?= $block->escapeUrl($block->getOrderUrl()) ?>",
"cgiUrl":"<?= $block->escapeUrl($block->getCgiUrl()) ?>",
"expireYearLength":"<?= $block->escapeHtml($block->getMethodConfigData('cc_year_length')) ?>",
"nativeAction":"<?= $block->escapeUrl(
"dateDelim":"<?= $escaper->escapeHtml($block->getDateDelim()) ?>",
"cardFieldsMap":<?= $escaper->escapeHtml($block->getCardFieldsMap()) ?>,
"orderSaveUrl":"<?= $escaper->escapeUrl($block->getOrderUrl()) ?>",
"cgiUrl":"<?= $escaper->escapeUrl($block->getCgiUrl()) ?>",
"expireYearLength":"<?= $escaper->escapeHtml($block->getMethodConfigData('cc_year_length')) ?>",
"nativeAction":"<?= $escaper->escapeUrl(
$block->getUrl('*/*/save', ['_secure' => $block->getRequest()->isSecure()])
) ?>"
}, "validation":[]}'>
<div class="admin__field _required">
<label for="<?= /* @noEscape */ $code ?>_cc_type" class="admin__field-label">
<span><?= $block->escapeHtml(__('Credit Card Type')) ?></span>
<span><?= $escaper->escapeHtml(__('Credit Card Type')) ?></span>
</label>

<div class="admin__field-control">
Expand All @@ -51,12 +54,12 @@ $ccExpMonth = $block->getInfoData('cc_exp_month');
name="payment[cc_type]"
data-validate='{required:true, "validate-cc-type-select":"#<?= /* @noEscape */ $code ?>_cc_number"}'
class="admin__control-select">
<option value=""><?= $block->escapeHtml(__('Please Select')) ?></option>
<option value=""><?= $escaper->escapeHtml(__('Please Select')) ?></option>
<?php foreach ($block->getCcAvailableTypes() as $typeCode => $typeName): ?>
<option
value="<?= $block->escapeHtml($typeCode) ?>"
value="<?= $escaper->escapeHtml($typeCode) ?>"
<?php if ($typeCode == $ccType): ?> selected="selected"<?php endif ?>>
<?= $block->escapeHtml($typeName) ?>
<?= $escaper->escapeHtml($typeName) ?>
</option>
<?php endforeach ?>
</select>
Expand All @@ -65,13 +68,13 @@ $ccExpMonth = $block->getInfoData('cc_exp_month');

<div class="admin__field _required field-number">
<label for="<?= /* @noEscape */ $code ?>_cc_number" class="admin__field-label">
<span><?= $block->escapeHtml(__('Credit Card Number')) ?></span>
<span><?= $escaper->escapeHtml(__('Credit Card Number')) ?></span>
</label>

<div class="admin__field-control">
<input type="text" id="<?= /* @noEscape */ $code ?>_cc_number"
data-container="<?= /* @noEscape */ $code ?>-cc-number"
name="payment[cc_number]" title="<?= $block->escapeHtml(__('Credit Card Number')) ?>"
name="payment[cc_number]" title="<?= $escaper->escapeHtml(__('Credit Card Number')) ?>"
class="admin__control-text"
value=""
data-validate='{
Expand All @@ -85,7 +88,7 @@ $ccExpMonth = $block->getInfoData('cc_exp_month');

<div class="admin__field _required field-date" id="<?= /* @noEscape */ $code ?>_cc_type_exp_div">
<label for="<?= /* @noEscape */ $code ?>_expiration" class="admin__field-label">
<span><?= $block->escapeHtml(__('Expiration Date')) ?></span>
<span><?= $escaper->escapeHtml(__('Expiration Date')) ?></span>
</label>

<div class="admin__field-control">
Expand All @@ -95,9 +98,9 @@ $ccExpMonth = $block->getInfoData('cc_exp_month');
data-validate='{required:true, "validate-cc-exp":"#<?= /* @noEscape */ $code ?>_expiration_yr"}'>
<?php foreach ($block->getCcMonths() as $k => $v): ?>
<option
value="<?= /* @noEscape */ $k ? $block->escapeHtml($k) : '' ?>"
value="<?= /* @noEscape */ $k ? $escaper->escapeHtml($k) : '' ?>"
<?php if ($k == $ccExpMonth): ?> selected="selected"<?php endif; ?>>
<?= $block->escapeHtml($v) ?>
<?= $escaper->escapeHtml($v) ?>
</option>
<?php endforeach ?>
</select>
Expand All @@ -107,9 +110,9 @@ $ccExpMonth = $block->getInfoData('cc_exp_month');
data-container="<?= /* @noEscape */ $code ?>-cc-year" data-validate='{required:true}'>
<?php foreach ($block->getCcYears() as $k => $v): ?>
<option
value="<?= /* @noEscape */ $k ? $block->escapeHtml($k) : '' ?>"
value="<?= /* @noEscape */ $k ? $escaper->escapeHtml($k) : '' ?>"
<?php if ($k == $ccExpYear): ?> selected="selected"<?php endif ?>>
<?= $block->escapeHtml($v) ?>
<?= $escaper->escapeHtml($v) ?>
</option>
<?php endforeach ?>
</select>
Expand All @@ -118,11 +121,11 @@ $ccExpMonth = $block->getInfoData('cc_exp_month');
<?php if ($block->hasVerification()): ?>
<div class="admin__field _required field-cvv" id="<?= /* @noEscape */ $code ?>_cc_type_cvv_div">
<label for="<?= /* @noEscape */ $code ?>_cc_cid" class="admin__field-label">
<span><?= $block->escapeHtml(__('Card Verification Number')) ?></span>
<span><?= $escaper->escapeHtml(__('Card Verification Number')) ?></span>
</label>

<div class="admin__field-control">
<input type="text" title="<?= $block->escapeHtml(__('Card Verification Number')) ?>"
<input type="text" title="<?= $escaper->escapeHtml(__('Card Verification Number')) ?>"
data-container="<?= /* @noEscape */ $code ?>-cc-cvv"
class="admin__control-text cvv"
id="<?= /* @noEscape */ $code ?>_cc_cid" name="payment[cc_cid]"
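Review bot: The docblock at the top of the first hunk now declares `$block` and `$escaper` together but leaves `$secureRenderer` in a separate single-line docblock on the following context line, whereas the other templates in this PR (cc.phtml, iframe.phtml, transparent/info.phtml) list all three variables in one block. Adding `* @var \Magento\Framework\View\Helper\SecureHtmlRenderer $secureRenderer` as a third line of the new docblock and dropping the stray one keeps the file consistent with the rest of the change. Separately, `"cardFieldsMap":<?= $escaper->escapeHtml($block->getCardFieldsMap()) ?>` emits what is presumably a JSON string into the single-quoted `data-mage-init` attribute; `escapeHtmlAttr` is the method intended for that position, although with `'` encoded by either method the practical result is the same here.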
Expand Up @@ -6,6 +6,7 @@

/**
* @var \Magento\Payment\Block\Transparent\Iframe $block
* @var \Magento\Framework\Escaper $escaper
* @var \Magento\Framework\View\Helper\SecureHtmlRenderer $secureRenderer
*/
$params = $block->getParams();
Expand All @@ -18,12 +19,12 @@ $jsonHelper = $block->getData('jsonHelper');
<?php $scriptString = '' ?>
<?php if (isset($params['redirect'])): ?>
<?php $scriptString .= <<<script
window.location="{$block->escapeJs($params['redirect'])}";
window.location="{$escaper->escapeJs($params['redirect'])}";
script;
?>
<?php elseif (isset($params['redirect_parent'])): ?>
<?php $scriptString .= <<<script
window.top.location="{$block->escapeJs($params['redirect_parent'])}";
window.top.location="{$escaper->escapeJs($params['redirect_parent'])}";
script;
?>
<?php elseif (isset($params['error_msg'])): ?>
Expand All @@ -34,7 +35,7 @@ script;
?>
<?php elseif (isset($params['order_success'])): ?>
<?php $scriptString .= <<<script
window.top.location = "{$block->escapeJs($params['order_success'])}";
window.top.location = "{$escaper->escapeJs($params['order_success'])}";
script;
?>
<?php else: ?>
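Review bot: `escapeJs` on the rewritten `window.location="{$escaper->escapeJs($params['redirect'])}";` line — and on the `redirect_parent` and `order_success` lines below it — only keeps the value inside the JavaScript string literal; it says nothing about where the browser is then sent. If any of these params can carry a value that did not originate from the store's own configuration (the hunk only shows them coming from `$block->getParams()`, so this is inferred), the redirect target should be validated against the expected scheme and base URL before it is interpolated, and that check belongs in the block or controller rather than in the template. The surrounding `if`/`elseif` chain continues past the end of the hunk.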
Expand Up @@ -6,14 +6,15 @@

/**
* @var \Magento\Payment\Block\Transparent\Info $block
* @var \Magento\Framework\Escaper $escaper
* @var \Magento\Framework\View\Helper\SecureHtmlRenderer $secureRenderer
* @see \Magento\Payment\Block\Transparent\Info
*/
?>
<fieldset id="payment_form_<?= $block->escapeHtml($block->getMethodCode()) ?>" class="fieldset items redirect">
<div><?= $block->escapeHtml(__('We\'ll ask for your payment details before you place an order.')) ?></div>
<fieldset id="payment_form_<?= $escaper->escapeHtml($block->getMethodCode()) ?>" class="fieldset items redirect">
<div><?= $escaper->escapeHtml(__('We\'ll ask for your payment details before you place an order.')) ?></div>
</fieldset>
<?= /* @noEscape */ $secureRenderer->renderStyleAsTag(
"display:none",
'fieldset#payment_form_' . $block->escapeHtml($block->getMethodCode())
'fieldset#payment_form_' . $escaper->escapeHtml($block->getMethodCode())
) ?>
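Review bot: `$escaper->escapeHtml($block->getMethodCode())` is now evaluated twice in this short template, once for the `id=` attribute and once inside the CSS selector handed to `renderStyleAsTag`, where HTML escaping is arguably not the relevant context at all. Assigning it once at the top — `$code = $escaper->escapeHtml($block->getMethodCode());` — and interpolating `/* @noEscape */ $code` in both places mirrors what cc.phtml and transparent/form.phtml already do and makes the selector's provenance obvious to the next reader.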
Expand Up @@ -4,17 +4,20 @@
* See COPYING.txt for license details.
*/

/** @var \Magento\Payment\Block\Transparent\Redirect $block */
/**
* @var \Magento\Payment\Block\Transparent\Redirect $block
* @var \Magento\Framework\Escaper $escaper
*/
$params = $block->getPostParams();
$redirectUrl = $block->getRedirectUrl();
?>
<html>
<head></head>
<body onload="document.forms['proxy_form'].submit()">
<form id="proxy_form" action="<?= $block->escapeUrl($redirectUrl) ?>"
<form id="proxy_form" action="<?= $escaper->escapeUrl($redirectUrl) ?>"
method="POST" hidden enctype="application/x-www-form-urlencoded" class="no-display">
<?php foreach ($params as $name => $value):?>
<input value="<?= $block->escapeHtmlAttr($value) ?>" name="<?= $block->escapeHtmlAttr($name) ?>" type="hidden"/>
<input value="<?= $escaper->escapeHtmlAttr($value) ?>" name="<?= $escaper->escapeHtmlAttr($name) ?>" type="hidden"/>
<?php endforeach?>
</form>
</body>