MAGE-1381 Apply JS escaping where necessary

Author: cammonro

view/adminhtml/templates/catalog/category/edit/merchandising.phtml

@@ -2,7 +2,6 @@
 
 /** @var \Algolia\AlgoliaSearch\Block\Adminhtml\Category\Merchandising $block */
 /** @var \Magento\Framework\Escaper $escaper */
-/** TODO:Reevaluate PHPCS ignores and enables/disables */
 
 $configHelper = $block->getConfigHelper();
 
@@ -197,7 +196,7 @@ $isConfig = [
 <script>
     requirejs(['algoliaAdminBundle'], function (algoliaAdminBundle) {
         algoliaAdminBundle.$(function ($) {
-            var config = <?= /** phpcs:ignore Magento2.Security.XssTemplate.FoundUnescaped */json_encode($isConfig); ?>;
+            var config = JSON.parse('<?= $escaper->escapeJs(json_encode($isConfig)) ?>');
 
             var search = algoliaAdminBundle.instantsearch(config);
 

view/adminhtml/templates/common.phtml

@@ -2,7 +2,6 @@
 /** @var \Magento\Backend\Block\Template $block */
 /** @var \Magento\Framework\Escaper $escaper */
 /** @var \Algolia\AlgoliaSearch\ViewModel\Adminhtml\Common $viewModel */
-/** TODO:Reevaluate PHPCS ignores and enables/disables */
 
 $viewModel = $block->getViewModel();
 
@@ -12,9 +11,9 @@ $ajaxCheckQuery = $block->getUrl('algolia_algoliasearch/query/checkQuery');
 $applicationId = $viewModel->getApplicationId();
 ?>
 <script>
-var applicationId = <?=/** phpcs:ignore Magento2.Security.XssTemplate.FoundUnescaped */ json_encode($applicationId); ?>;
-var ajaxCheckUrl = <?=/** phpcs:ignore Magento2.Security.XssTemplate.FoundUnescaped */ json_encode($ajaxCheckUrl); ?>;
-var ajaxCheckQuery = <?= /** phpcs:ignore Magento2.Security.XssTemplate.FoundUnescaped */json_encode($ajaxCheckQuery); ?>;
+var applicationId = "<?= $escaper->escapeJs($applicationId) ?>";
+var ajaxCheckUrl = "<?= $escaper->escapeJs($ajaxCheckUrl) ?>";
+var ajaxCheckQuery = "<?= $escaper->escapeJs($ajaxCheckQuery) ?>";
 document.addEventListener("DOMContentLoaded", function(event) {
   requirejs([
     'jquery',

view/adminhtml/templates/configuration.phtml

@@ -3,7 +3,6 @@
 /** @var \Magento\Backend\Block\Template $block */
 /** @var \Magento\Framework\Escaper $escaper */
 /** @var \Algolia\AlgoliaSearch\ViewModel\Adminhtml\Configuration $viewModel */
-/** TODO:Reevaluate PHPCS ignores and enables/disables */
 
 $viewModel = $block->getViewModel();
 
@@ -24,6 +23,7 @@ if (preg_match('/algoliasearch_/', $section)) {
 ?>
 
 <script>
+<?php // The following is internally generated trusted content and can be ignored by PHPCS ?>
 var isClickAnalyticsEnabled = <?= /** phpcs:ignore Magento2.Security.EscapeOutput.OutputNotEscaped */json_encode($isClickAnalyticsEnabled); ?>;
 var linksAndVideoTemplate = <?= /** phpcs:ignore Magento2.Security.EscapeOutput.OutputNotEscaped */json_encode($linksAndVideoTemplate); ?>;
 var personalizationStatus = <?= /** phpcs:ignore Magento2.Security.EscapeOutput.OutputNotEscaped */json_encode($personalizationStatus); ?>;

view/adminhtml/templates/landingpage/search-configuration.phtml

@@ -1,7 +1,7 @@
 <?php
 /** @var \Magento\Framework\Escaper $escaper */
 /** @var \Algolia\AlgoliaSearch\Block\Adminhtml\LandingPage\SearchConfiguration $block */
-/** TODO:Reevaluate PHPCS ignores and enables/disables */
+
 $configHelper = $block->getConfigHelper();
 $merchIllustration = $block->getViewFileUrl('Algolia_AlgoliaSearch::images/illu-merchtool.svg');
 $starsIllustration = $block->getViewFileUrl('Algolia_AlgoliaSearch::images/icon-stars.svg');
@@ -117,9 +117,7 @@ $isConfig = [
                 {{/_highlightResult.sku.0}}
             </td>
             <td>{{{ _highlightResult.name.value }}}</td>
-            <!-- phpcs:disable Magento2.Security.XssTemplate.FoundUnescaped -->
-            <td>{{ price.<?= $configHelper->getCurrencyCode() ?>.default_formated }}</td>
-            <!-- phpcs:enable Magento2.Security.XssTemplate.FoundUnescaped -->
+            <td>{{ price.<?= $escaper->escapeHtml($configHelper->getCurrencyCode()) ?>.default_formated }}</td>
             <td class="actions">
                 <div class="pin_block">
                     <a class="arrow up" href="#">
@@ -184,9 +182,7 @@ $isConfig = [
                 {{/_highlightResult.sku.0}}
             </td>
             <td>{{{ _highlightResult.name.value }}}</td>
-            <!-- phpcs:disable Magento2.Security.XssTemplate.FoundUnescaped -->
-            <td>{{ price.<?= $configHelper->getCurrencyCode() ?>.default_formated }}</td>
-            <!-- phpcs:enable Magento2.Security.XssTemplate.FoundUnescaped -->
+            <td>{{ price.<?= $escaper->escapeHtml($configHelper->getCurrencyCode()) ?>.default_formated }}</td>
                 <td class="actions">
                     <div class="pin_block">
                         <a class="arrow up" href="#">
@@ -227,9 +223,7 @@ $isConfig = [
             {{/sku.0}}
         </td>
         <td>{{{ name }}}</td>
-        <!-- phpcs:disable Magento2.Security.XssTemplate.FoundUnescaped -->
-        <td>{{ price.<?= $configHelper->getCurrencyCode() ?>.default_formated }}</td>
-        <!-- phpcs:enable Magento2.Security.XssTemplate.FoundUnescaped -->
+        <td>{{ price.<?= $escaper->escapeHtml($configHelper->getCurrencyCode()) ?>.default_formated }}</td>
             <td class="actions">
                 <div class="pin_block">
                     <a class="arrow up" href="#">
@@ -256,9 +250,7 @@ $isConfig = [
         <div class="info">
             {{{ _highlightResult.name.value }}}
             <div class="price">
-                <!-- phpcs:disable Magento2.Security.XssTemplate.FoundUnescaped -->
-                {{ price.<?= $configHelper->getCurrencyCode() ?>.default_formated }}
-                <!-- phpcs:enable Magento2.Security.XssTemplate.FoundUnescaped -->
+                {{ price.<?= $escaper->escapeHtml($configHelper->getCurrencyCode()) ?>.default_formated }}
             </div>
         </div>
 
@@ -316,7 +308,7 @@ $isConfig = [
 
             algoliaAdminBundle.$(function ($) {
                 var storeId = $('select[name="store_id"]').val();
-                var config = <?=/** phpcs:ignore Magento2.Security.EscapeOutput.OutputNotEscaped */ json_encode($isConfig); ?>;
+                var config = JSON.parse('<?= $escaper->escapeJs(json_encode($isConfig)) ?>');
 
                 config.appId = config.indexDataByStoreIds[storeId].appId;
                 config.apiKey = config.indexDataByStoreIds[storeId].apiKey;

view/adminhtml/templates/query/edit/merchandising.phtml

@@ -2,7 +2,6 @@
 
 /** @var \Algolia\AlgoliaSearch\Block\Adminhtml\Query\Merchandising $block */
 /** @var \Magento\Framework\Escaper $escaper */
-/** TODO:Reevaluate PHPCS ignores and enables/disables */
 
 $configHelper = $block->getConfigHelper();
 $indexName = $block->getCoreHelper()->getBaseIndexName();
@@ -83,9 +82,7 @@ $isConfig = [
                             {{/_highlightResult.sku.0}}
                         </td>
                         <td>{{{ _highlightResult.name.value }}}</td>
-                        <!-- phpcs:disable Magento2.Security.XssTemplate.FoundUnescaped -->
-                        <td>{{ price.<?= $currencyCode ?>.default_formated }}</td>
-                        <!-- phpcs:enable Magento2.Security.XssTemplate.FoundUnescaped -->
+                        <td>{{ price.<?= $escaper->escapeHtml($currencyCode) ?>.default_formated }}</td>
                         <td class="actions">
                             <div class="pin_block">
                                 <a class="arrow up" href="#">
@@ -135,9 +132,7 @@ $isConfig = [
             {{/sku.0}}
         </td>
         <td>{{{ name }}}</td>
-        <!-- phpcs:disable Magento2.Security.XssTemplate.FoundUnescaped -->
-        <td>{{ price.<?= $currencyCode ?>.default_formated }}</td>
-        <!-- phpcs:enable Magento2.Security.XssTemplate.FoundUnescaped -->
+        <td>{{ price.<?= $escaper->escapeHtml($currencyCode) ?>.default_formated }}</td>
         <td class="actions">
             <div class="pin_block">
                 <a class="arrow up" href="#">
@@ -164,9 +159,7 @@ $isConfig = [
         <div class="info">
             {{{ _highlightResult.name.value }}}
             <div class="price">
-                <!-- phpcs:disable Magento2.Security.XssTemplate.FoundUnescaped -->
-                {{ price.<?= $currencyCode ?>.default_formated }}
-                <!-- phpcs:enable Magento2.Security.XssTemplate.FoundUnescaped -->
+                {{ price.<?= $escaper->escapeHtml($currencyCode) ?>.default_formated }}
             </div>
         </div>
 
@@ -197,7 +190,7 @@ $isConfig = [
         var initInstantSearch = function() {
             algoliaAdminBundle.$(function ($) {
                 var storeId = $('select[name="store_id"]').val();
-                var config = <?= /** phpcs:ignore Magento2.Security.XssTemplate.FoundUnescaped */json_encode($isConfig); ?>;
+                var config = JSON.parse('<?= $escaper->escapeJs(json_encode($isConfig)) ?>');
 
                 config.appId = config.indexDataByStoreIds[storeId].appId;
                 config.apiKey = config.indexDataByStoreIds[storeId].apiKey;

view/adminhtml/templates/support/overview.phtml

@@ -2,7 +2,6 @@
 
 /** @var \Magento\Backend\Block\Template $block */
 /** @var \Magento\Framework\Escaper $escaper */
-/** TODO:Reevaluate PHPCS ignores and enables/disables */
 /** @var \Algolia\AlgoliaSearch\ViewModel\Adminhtml\Support\Overview $view */
 $view = $block->getViewModel();
 
@@ -32,11 +31,9 @@ $videoFeatures = $block->getViewFileUrl('Algolia_AlgoliaSearch::images/video-fea
 <div id="algolia_support_tab_content">
 
     <div class="algolia_support_panel" id="algolia-documentation-panel">
-        <!-- phpcs:disable Magento2.Security.EscapeOutput.OutputNotEscaped -->
         <script>
-            const noResultsIllustration = "<?= $noResultsIllustration; ?>"
+            const noResultsIllustration = "<?= $escaper->escapeUrl($noResultsIllustration) ?>"
         </script>
-        <!-- phpcs:enable Magento2.Security.EscapeOutput.OutputNotEscaped -->
 
         <div class="search-box-wrapper">
             <input type="text" name="q" id="search_box" />

view/frontend/templates/checkout/conversion.phtml

@@ -1,11 +1,8 @@
 <?php
 /** @var \Magento\Framework\Escaper $escaper */
-/** TODO:Reevaluate PHPCS ignores and enables/disables */
 /** @var \Algolia\AlgoliaSearch\Block\Checkout\Conversion $block */
 $orderItemsJson = $block->getOrderItemsConversionJson();
 ?>
-<!-- phpcs:disable Magento2.Security.EscapeOutput.OutputNotEscaped -->
 <script type="text/javascript">
-    var algoliaOrderConversionJson = <?= $orderItemsJson ?>;
+    var algoliaOrderConversionJson = JSON.parse('<?= $escaper->escapeJs($orderItemsJson) ?>');
 </script>
-<!-- phpcs:enable Magento2.Security.EscapeOutput.OutputNotEscaped -->

view/frontend/templates/instant/hit.phtml

@@ -52,14 +52,14 @@ $origFormatedVar = $escaper->escapeHtml('price' . $priceKey . '_original_formate
 
                                 {{^<?= $escaper->escapeHtml($maxVar) ?>}}
                                 <div itemprop="offers" itemscope itemtype="http://schema.org/Offer" class="price">
-                                    <meta itemprop="price" content="{{<?= $escaper->escapeHtml($baseVar); ?>}}" />
+                                    <meta itemprop="price" content="{{<?= $escaper->escapeHtmlAttr($baseVar); ?>}}" />
                                 {{/<?= $escaper->escapeHtml($maxVar); ?>}}
                                 {{#<?= $escaper->escapeHtml($maxVar); ?>}}
                                 <div itemprop="offers" itemscope itemtype="http://schema.org/AggregateOffer" class="price">
-                                    <meta itemprop="lowPrice" content="{{<?= $escaper->escapeHtml($baseVar); ?>}}" />
-                                    <meta itemprop="highPrice" content="{{<?= $escaper->escapeHtml($maxVar); ?>}}" />
+                                    <meta itemprop="lowPrice" content="{{<?= $escaper->escapeHtmlAttr($baseVar); ?>}}" />
+                                    <meta itemprop="highPrice" content="{{<?= $escaper->escapeHtmlAttr($maxVar); ?>}}" />
                                 {{/<?= $escaper->escapeHtml($maxVar); ?>}}
-                                    <meta itemprop="priceCurrency" content="<?= $escaper->escapeHtml($currencyCode); ?>" />
+                                    <meta itemprop="priceCurrency" content="<?= $escaper->escapeHtmlAttr($currencyCode); ?>" />
                                     <div class="price-wrapper">
                                         <div>
 

view/frontend/templates/layer/filter/js-default.phtml

@@ -1,16 +1,14 @@
 <?php
+/** @var \Magento\Backend\Block\Template $block */
 /** @var \Magento\Framework\Escaper $escaper */
-/** TODO:Reevaluate PHPCS ignores and enables/disables */
+
 $datascope = $block->getFilter()->getRequestVar() . 'Filter';
 ?>
 <?php if (!empty($filterItems)): ?>
-    <div data-bind="scope: '<?= /** phpcs:ignore Magento2.Security.XssTemplate.FoundUnescaped */$datascope; ?>'">
+    <div data-bind="scope: '<?= $escaper->escapeHtmlAttr($datascope) ?>'">
         <!-- ko template: getTemplate() --> <!-- /ko -->
     </div>
-    <!-- phpcs:disable Magento2.Security.EscapeOutput.OutputNotEscaped -->
     <script type="text/x-magento-init">
-    {"*" : {"Magento_Ui/js/core/app": {"components": {"<?= $datascope; ?>": <?= $block->getJsLayout(); ?>}}}}
+    {"*" : {"Magento_Ui/js/core/app": {"components": {"<?= $escaper->escapeJs($datascope) ?>": JSON.parse('<?= $escaper->escapeJs($block->getJsLayout()) ?>')}}}}
     </script>
-    <!-- phpcs:enable Magento2.Security.EscapeOutput.OutputNotEscaped -->
-
-<?php endif; ?>
+<?php endif; ?>

view/frontend/templates/recommend/cart/recommend_items.phtml

@@ -1,7 +1,6 @@
 <?php
 /** @var \Algolia\AlgoliaSearch\ViewModel\Recommend\Cart $block */
 /** @var \Magento\Framework\Escaper $escaper */
-/** TODO:Reevaluate PHPCS ignores and enables/disables */
 $viewModel = $block->getViewModel();
 $recommendConfig = $viewModel->getAlgoliaRecommendConfiguration();
 if (!empty($recommendConfig['enabledRelatedInCart']) || !empty($recommendConfig['enabledFBTInCart']) || !empty($recommendConfig['isTrendItemsEnabledInCartPage'])):
@@ -13,17 +12,15 @@ if (!empty($recommendConfig['enabledRelatedInCart']) || !empty($recommendConfig[
         <div id="trendItems" class="trendsItem recommend-component"></div>
         <div id="lookingSimilar" class="lookingSimilar recommend-component"></div>
     </div>
-    <!-- phpcs:disable Magento2.Security.EscapeOutput.OutputNotEscaped -->
     <script type="text/x-magento-init">
         {
             "*": {
                 "Algolia_AlgoliaSearch/js/recommend" : {
-                    "objectIDs" : <?= json_encode($cartItems) ?>
+                    "objectIDs" : JSON.parse('<?= $escaper->escapeJs(json_encode($cartItems)) ?>')
                 }
             }
         }
     </script>
-    <!-- phpcs:enable Magento2.Security.EscapeOutput.OutputNotEscaped -->
     <script type="text/x-magento-init">
         {
             "[data-role=tocart-form]": {