MAGETWO-55809: Eliminate @escapeNotVerified in Module Backend

Oleksandr Gorkun · Oleksandr Gorkun · commit 14c1b6a419f9 · 2019-06-06T14:49:39.000-05:00
diff --git a/app/code/Magento/Backend/view/adminhtml/templates/widget/form/element/gallery.phtml b/app/code/Magento/Backend/view/adminhtml/templates/widget/form/element/gallery.phtml
@@ -30,7 +30,7 @@
         <tr id="<?= $block->getElement()->getHtmlId() ?>_tr_<?= $block->escapeHtmlAttr($image->getValueId()) ?>" class="gallery">
         <?php foreach ($block->getValues()->getAttributeBackend()->getImageTypes() as $type) : ?>
             <td class="gallery" align="center" style="vertical-align:bottom;">
-            <a href="<?= $block->escapeUrl($image->setType($type)->getSourceUrl()) ?>" target="_blank" onclick="imagePreview('<?= $block->getElement()->getHtmlId() ?>_image_<?= $block->escapeHtmlAttr($type) ?>_<?= $block->escapeHtmlAttr($image->getValueId()) ?>');return false;">
+            <a href="<?= $block->escapeUrl($image->setType($type)->getSourceUrl()) ?>" target="_blank" onclick="imagePreview('<?= $block->getElement()->getHtmlId() ?>_image_<?= $block->escapeHtmlAttr($block->escapeJs($type)) ?>_<?= $block->escapeHtmlAttr($block->escapeJs($image->getValueId())) ?>');return false;">
             <img id="<?= $block->getElement()->getHtmlId() ?>_image_<?= $block->escapeHtmlAttr($type) ?>_<?= $block->escapeHtmlAttr($image->getValueId()) ?>" src="<?= $block->escapeUrl($image->setType($type)->getSourceUrl()) ?>?<?= /* @noEscape */ time() ?>" alt="<?= $block->escapeHtmlAttr($image->getValue()) ?>" title="<?= $block->escapeHtmlAttr($image->getValue()) ?>" height="25" class="small-image-preview v-middle"/></a><br/>
             <input type="file" name="<?= $block->escapeHtmlAttr($block->getElement()->getName()) ?>_<?= $block->escapeHtmlAttr($type) ?>[<?= $block->escapeHtmlAttr($image->getValueId()) ?>]" size="1"></td>
         <?php endforeach; ?>
diff --git a/app/code/Magento/Backend/view/adminhtml/templates/widget/grid/column_set.phtml b/app/code/Magento/Backend/view/adminhtml/templates/widget/grid/column_set.phtml
@@ -94,7 +94,7 @@ $numColumns = count($block->getColumns());
                             <td data-column="<?= $block->escapeHtmlAttr($_column->getId()) ?>"
                                 class="<?= $block->escapeHtmlAttr($_column->getCssProperty()) ?> <?= /* @noEscape */ $_column->getId() == 'massaction' ? 'data-grid-checkbox-cell': '' ?> <?= ++$i == $numColumns ? 'last' : '' ?>"
                             >
-                                <?= /* @noEscape */ $_column->hasSubtotalsLabel() ? $_column->getSubtotalsLabel() : $_column->getRowField($block->getSubTotals($_item)) ?>
+                                <?= /* @noEscape */ $_column->hasSubtotalsLabel() ? $block->escapeHtml($_column->getSubtotalsLabel()) : $_column->getRowField($block->getSubTotals($_item)) ?>
                             </td>
                         <?php endforeach; ?>
                     </tr>
@@ -138,7 +138,7 @@ $numColumns = count($block->getColumns());
                 <th data-column="<?= $block->escapeHtmlAttr($_column->getId()) ?>"
                     class="<?= $block->escapeHtmlAttr($_column->getCssProperty()) ?>"
                 >
-                    <?= /* @noEscape */ ($_column->hasTotalsLabel()) ? $_column->getTotalsLabel() : $_column->getRowField($block->getTotals()) ?>
+                    <?= /* @noEscape */ ($_column->hasTotalsLabel()) ? $block->escapeHtml($_column->getTotalsLabel()) : $_column->getRowField($block->getTotals()) ?>
                 </th>
             <?php endforeach; ?>
         </tr>
diff --git a/app/code/Magento/Backend/view/adminhtml/templates/widget/grid/extended.phtml b/app/code/Magento/Backend/view/adminhtml/templates/widget/grid/extended.phtml
@@ -114,7 +114,7 @@ $numColumns = count($block->getColumns());
                         </label>
                         <?php if ($_curPage < $_lastPage) : ?>
                             <button type="button"
-                                    title="<?= $block->escapeHtml(__('Next page')) ?>"
+                                    title="<?= $block->escapeHtmlAttr(__('Next page')) ?>"
                                     class="action-next"
                                     onclick="<?= /* @noEscape */ $block->getJsObjectName() ?>.setPage('<?= /* @noEscape */ ($_curPage + 1) ?>');return false;">
                                 <span><?= $block->escapeHtml(__('Next page')) ?></span>
@@ -168,7 +168,7 @@ $numColumns = count($block->getColumns());
                 <tr class="totals">
                     <?php foreach ($block->getColumns() as $_column) : ?>
                         <th class="<?= $block->escapeHtmlAttr($_column->getCssProperty()) ?>">
-                            <?= /* @noEscape */ ($_column->hasTotalsLabel()) ? $_column->getTotalsLabel() : $_column->getRowField($_column->getGrid()->getTotals()) ?>
+                            <?= /* @noEscape */ ($_column->hasTotalsLabel()) ? $block->escapeHtml($_column->getTotalsLabel()) : $_column->getRowField($_column->getGrid()->getTotals()) ?>
                         </th>
                     <?php endforeach; ?>
                 </tr>
@@ -218,7 +218,7 @@ $numColumns = count($block->getColumns());
                             foreach ($block->getSubTotalColumns() as $_column) : ?>
                                 <td class="<?= $block->escapeHtmlAttr($_column->getCssProperty()) ?>
                                            <?= /* @noEscape */ $_column->getId() == 'massaction' ? 'data-grid-checkbox-cell': '' ?>">
-                                    <?= /* @noEscape */ $_column->hasSubtotalsLabel() ? $_column->getSubtotalsLabel() : $_column->getRowField($block->getSubTotalItem($_item)) ?>
+                                    <?= /* @noEscape */ $_column->hasSubtotalsLabel() ? $block->escapeHtml($_column->getSubtotalsLabel()) : $_column->getRowField($block->getSubTotalItem($_item)) ?>
                                 </td>
                             <?php endforeach; ?>
                         </tr>
diff --git a/app/code/Magento/Backend/view/adminhtml/templates/widget/grid/massaction.phtml b/app/code/Magento/Backend/view/adminhtml/templates/widget/grid/massaction.phtml
@@ -44,7 +44,7 @@
             class="action-select-multiselect _disabled"
             disabled="disabled"
             data-menu="grid-mass-select">
-            <optgroup label="<?= $block->escapeHtml(__('Mass Actions')) ?>">
+            <optgroup label="<?= $block->escapeHtmlAttr(__('Mass Actions')) ?>">
                 <option disabled selected></option>
                 <?php if ($block->getUseSelectAll()) :?>
                     <option value="selectAll">
@@ -93,7 +93,7 @@
         });
     });
     <?php if (!$block->getParentBlock()->canDisplayContainer()) : ?>
-        <?= $block->escapeJs($block->getJsObjectName()) ?>.setGridIds('<?= /* @noEscape */ $block->getGridIdsJson() ?>');
+        <?= $block->escapeJs($block->getJsObjectName()) ?>.setGridIds('<?= $block->escapeJs($block->getGridIdsJson()) ?>');
     <?php endif; ?>
 </script>
 </div>
