MC-16608: Use escaper methods

 - clean up code

Author: cspruiell

app/code/Magento/AdminNotification/view/adminhtml/templates/notification/window.phtml

@@ -15,7 +15,7 @@
             "autoOpen": true,
             "buttons": false,
             "modalClass": "modal-system-messages",
-            "title": "<?= $block->escapeHtml($block->getHeaderText()) ?>"
+            "title": "<?= $block->escapeHtmlAttr($block->getHeaderText()) ?>"
         }
     }'>
     <li class="message message-warning warning">

app/code/Magento/AdminNotification/view/adminhtml/templates/system/messages/popup.phtml

@@ -8,10 +8,10 @@
 ?>
 
 <div style="display:none" id="system_messages_list" data-role="system_messages_list"
-     title="<?= $block->escapeHtml($block->getPopupTitle()) ?>">
+     title="<?= $block->escapeHtmlAttr($block->getPopupTitle()) ?>">
     <ul class="message-system-list messages">
         <?php foreach ($block->getUnreadMessages() as $message) : ?>
-            <li class="message message-warning <?= $block->escapeHtml($block->getItemClass($message)) ?>">
+            <li class="message message-warning <?= $block->escapeHtmlAttr($block->getItemClass($message)) ?>">
                 <?= $block->escapeHtml($message->getText()) ?>
             </li>
         <?php endforeach;?>

app/code/Magento/AdminNotification/view/adminhtml/templates/toolbar_entry.phtml

@@ -12,16 +12,16 @@
 <div
     data-mage-init='{"toolbarEntry": {}}'
     class="notifications-wrapper admin__action-dropdown-wrap"
-    data-notification-count="<?= $block->escapeHtml($notificationCount) ?>">
+    data-notification-count="<?= (int)$notificationCount ?>">
     <?php if ($notificationCount > 0) : ?>
         <a
             href="<?= $block->escapeUrl($block->getUrl('adminhtml/notification/index')) ?>"
             class="notifications-action admin__action-dropdown"
             data-mage-init='{"dropdown":{}}'
-            title="<?= $block->escapeHtml(__('Notifications')) ?>"
+            title="<?= $block->escapeHtmlAttr(__('Notifications')) ?>"
             data-toggle="dropdown">
             <span class="notifications-counter">
-                <?= ($notificationCount > $notificationCounterMax) ? $block->escapeHtml($notificationCounterMax) . '+' : $block->escapeHtml($notificationCount) ?>
+                <?= /* @noEscape */ ($notificationCount > $notificationCounterMax) ? (int)$notificationCounterMax . '+' : (int)$notificationCount ?>
             </span>
         </a>
         <ul
@@ -30,7 +30,7 @@
             <?php foreach ($block->getLatestUnreadNotifications() as $notification) : ?>
                 <?php /** @var $notification \Magento\AdminNotification\Model\Inbox */ ?>
                 <li class="notifications-entry<?php if ($notification->getSeverity() == 1) : ?> notifications-critical<?php endif; ?>"
-                    data-notification-id="<?= $block->escapeHtml($notification->getId()) ?>"
+                    data-notification-id="<?= $block->escapeHtmlAttr($notification->getId()) ?>"
                     data-notification-severity="<?php if ($notification->getSeverity() == 1) : ?>1<?php endif; ?>">
                     <?php
                         $notificationDescription = $notification->getDescription();
@@ -59,23 +59,23 @@
                     <button
                         type="button"
                         class="notifications-close"
-                        title="<?= $block->escapeHtml(__('Close')) ?>"
+                        title="<?= $block->escapeHtmlAttr(__('Close')) ?>"
                         ></button>
                 </li>
             <?php endforeach; ?>
             <li class="notifications-entry notifications-entry-last">
                 <a
                     href="<?= $block->escapeUrl($block->getUrl('adminhtml/notification/index')) ?>"
                     class="action-tertiary action-more">
-                    <?= $block->escapeHtml(__('See All (')) ?><span class="notifications-counter"><?= $block->escapeHtml($notificationCount) ?></span><?= $block->escapeHtml(__(' unread)')) ?>
+                    <?= $block->escapeHtml(__('See All (')) ?><span class="notifications-counter"><?= (int)$notificationCount ?></span><?= $block->escapeHtml(__(' unread)')) ?>
                 </a>
             </li>
         </ul>
     <?php else : ?>
         <a
             class="notifications-action admin__action-dropdown"
             href="<?= $block->escapeUrl($block->getUrl('adminhtml/notification/index')) ?>"
-            title="<?= $block->escapeHtml(__('Notifications')) ?>">
+            title="<?= $block->escapeHtmlAttr(__('Notifications')) ?>">
         </a>
     <?php endif; ?>
 </div>

app/code/Magento/Backup/view/adminhtml/templates/backup/dialogs.phtml

@@ -6,8 +6,7 @@
 ?>
 <!-- TODO: refactor form styles and js -->
 <script type="text/x-magento-template" id="rollback-warning-template">
-<p><?= $block->escapeHtml(__('You will lose any data created since the backup was made, including admin users, '
-    . 'customers and orders.')) ?></p>
+<p><?= $block->escapeHtml(__('You will lose any data created since the backup was made, including admin users, customers and orders.')) ?></p>
 <p><?= $block->escapeHtml(__('Are you sure you want to continue?')) ?></p>
 </script>
 <script type="text/x-magento-template" id="backup-options-template">

app/code/Magento/Config/view/adminhtml/templates/system/config/form/field/array.phtml

@@ -10,31 +10,30 @@ $_htmlId = $block->getHtmlId() ? $block->getHtmlId() : '_' . uniqid();
 $_colspan = $block->isAddAfter() ? 2 : 1;
 ?>
 
-<div class="design_theme_ua_regexp" id="grid<?= $block->escapeHtml($_htmlId) ?>">
+<div class="design_theme_ua_regexp" id="grid<?= $block->escapeHtmlAttr($_htmlId) ?>">
     <div class="admin__control-table-wrapper">
-        <table class="admin__control-table" id="<?= $block->escapeHtml($block->getElement()->getId()) ?>">
+        <table class="admin__control-table" id="<?= $block->escapeHtmlAttr($block->getElement()->getId()) ?>">
             <thead>
             <tr>
                 <?php foreach ($block->getColumns() as $columnName => $column) : ?>
                     <th><?= $block->escapeHtml($column['label']) ?></th>
                 <?php endforeach; ?>
-                <th class="col-actions" colspan="<?= $block->escapeHtml($_colspan) ?>"><?= $block->escapeHtml(__('Action')) ?></th>
+                <th class="col-actions" colspan="<?= (int)$_colspan ?>"><?= $block->escapeHtml(__('Action')) ?></th>
             </tr>
             </thead>
             <tfoot>
             <tr>
                 <td colspan="<?= count($block->getColumns())+$_colspan ?>" class="col-actions-add">
-                    <button id="addToEndBtn<?= $block->escapeHtml($_htmlId) ?>" class="action-add"
-                            title="<?= $block->escapeHtml(__('Add')) ?>" type="button">
+                    <button id="addToEndBtn<?= $block->escapeHtmlAttr($_htmlId) ?>" class="action-add" title="<?= $block->escapeHtmlAttr(__('Add')) ?>" type="button">
                         <span><?= $block->escapeHtml($block->getAddButtonLabel()) ?></span>
                     </button>
                 </td>
             </tr>
             </tfoot>
-            <tbody id="addRow<?= $block->escapeHtml($_htmlId) ?>"></tbody>
+            <tbody id="addRow<?= $block->escapeHtmlAttr($_htmlId) ?>"></tbody>
         </table>
     </div>
-    <input type="hidden" name="<?= $block->escapeHtml($block->getElement()->getName()) ?>[__empty]" value="" />
+    <input type="hidden" name="<?= $block->escapeHtmlAttr($block->getElement()->getName()) ?>[__empty]" value="" />
 
     <script>
         require([
@@ -55,14 +54,14 @@ $_colspan = $block->isAddAfter() ? 2 : 1;
 
                     <?php if ($block->isAddAfter()) : ?>
                         + '<td><button class="action-add" type="button" id="addAfterBtn<%- _id %>"><span>'
-                        + '<?= $block->escapeHtml(__('Add after')) ?>'
+                        + '<?= $block->escapeJs($block->escapeHtml(__('Add after'))) ?>'
                         + '<\/span><\/button><\/td>'
                     <?php endif; ?>
 
                     + '<td class="col-actions"><button '
                     + 'onclick="arrayRow<?= $block->escapeJs($_htmlId) ?>.del(\'<%- _id %>\')" '
                     + 'class="action-delete" type="button">'
-                    + '<span><?= $block->escapeHtml(__('Delete')) ?><\/span><\/button><\/td>'
+                    + '<span><?= $block->escapeJs($block->escapeHtml(__('Delete'))) ?><\/span><\/button><\/td>'
                     + '<\/tr>'
             ),
 
@@ -123,7 +122,7 @@ $_colspan = $block->isAddAfter() ? 2 : 1;
         // add existing rows
         <?php
         foreach ($block->getArrayRows() as $_rowId => $_row) {
-            echo /** noEscape */ "arrayRow{$block->escapeJs($_htmlId)}.add(" . /** noEscape */$_row->toJson() . ");\n";
+            echo /* @noEscape */ "arrayRow{$block->escapeJs($_htmlId)}.add(" . /* @noEscape */ $_row->toJson() . ");\n";
         }
         ?>
 

app/code/Magento/Config/view/adminhtml/templates/system/config/js.phtml

@@ -68,7 +68,7 @@ originModel.prototype = {
     {
         this.reload = false;
         this.loader = new varienLoader(true);
-        this.regionsUrl = "<?= $block->escapeUrl($block->getUrl('directory/json/countryRegion')) ?>";
+        this.regionsUrl = "<?= $block->escapeJs($block->escapeUrl($block->getUrl('directory/json/countryRegion'))) ?>";
 
         this.bindCountryRegionRelation();
     },

app/code/Magento/Config/view/adminhtml/templates/system/config/switcher.phtml

@@ -15,15 +15,15 @@
                 <?php if ($_option['is_close']) : ?>
                     </optgroup>
                 <?php else : ?>
-                    <optgroup label="<?= $block->escapeHtml($_option['label']) ?>"
-                              style="<?= $block->escapeHtml($_option['style']) ?>">
+                    <optgroup label="<?= $block->escapeHtmlAttr($_option['label']) ?>"
+                              style="<?= $block->escapeHtmlAttr($_option['style']) ?>">
                 <?php endif; ?>
                 <?php continue ?>
             <?php endif; ?>
-              <option value="<?= $block->escapeHtml($_value) ?>"
+              <option value="<?= $block->escapeHtmlAttr($_value) ?>"
                       url="<?= $block->escapeUrl($_option['url']) ?>"
                       <?= $_option['selected'] ? 'selected="selected"' : '' ?>
-                      style="<?= $block->escapeHtml($_option['style']) ?>">
+                      style="<?= $block->escapeHtmlAttr($_option['style']) ?>">
                   <?= $block->escapeHtml($_option['label']) ?>
               </option>
         <?php endforeach ?>

app/code/Magento/Config/view/adminhtml/templates/system/config/tabs.phtml

@@ -8,7 +8,7 @@
 ?>
 
 <?php if ($block->getTabs()) : ?>
-    <div id="<?= $block->escapeHtml($block->getId()) ?>" class="config-nav">
+    <div id="<?= $block->escapeHtmlAttr($block->getId()) ?>" class="config-nav">
         <?php
         /** @var $_tab \Magento\Config\Model\Config\Structure\Element\Tab */
         foreach ($block->getTabs() as $_tab) :
@@ -21,9 +21,9 @@
 
             <div class="config-nav-block admin__page-nav _collapsed
                 <?php if ($_tab->getClass()) : ?>
-                    <?= $block->escapeHtml($_tab->getClass()) ?>
+                    <?= $block->escapeHtmlAttr($_tab->getClass()) ?>
                 <?php endif ?>"
-                 data-mage-init='{"collapsible":{"active": "<?= $block->escapeHtml($activeCollapsible) ?>",
+                 data-mage-init='{"collapsible":{"active": "<?= $block->escapeHtmlAttr($activeCollapsible) ?>",
                  "openedState": "_show",
                  "closedState": "_hide",
                  "collapsible": true,

app/code/Magento/CurrencySymbol/view/adminhtml/templates/grid.phtml

@@ -11,29 +11,28 @@
 ?>
 
 <form id="currency-symbols-form" action="<?= $block->escapeUrl($block->getFormActionUrl()) ?>" method="post">
-    <input name="form_key" type="hidden" value="<?= $block->escapeHtml($block->getFormKey()) ?>" />
+    <input name="form_key" type="hidden" value="<?= $block->escapeHtmlAttr($block->getFormKey()) ?>" />
     <fieldset class="admin__fieldset">
         <?php foreach ($block->getCurrencySymbolsData() as $code => $data) : ?>
         <div class="admin__field _required">
-            <label class="admin__field-label" for="custom_currency_symbol<?= $block->escapeHtml($code) ?>">
+            <label class="admin__field-label" for="custom_currency_symbol<?= $block->escapeHtmlAttr($code) ?>">
                 <span><?= $block->escapeHtml($code) ?> (<?= $block->escapeHtml($data['displayName']) ?>)</span>
             </label>
             <div class="admin__field-control">
-                <input id="custom_currency_symbol<?= $block->escapeHtml($code) ?>"
+                <input id="custom_currency_symbol<?= $block->escapeHtmlAttr($code) ?>"
                        class="required-entry admin__control-text <?= $data['inherited'] ? 'disabled' : '' ?>"
                        type="text"
                        value="<?= $block->escapeHtmlAttr($data['displaySymbol']) ?>"
-                       name="custom_currency_symbol[<?= $block->escapeHtml($code) ?>]">
+                       name="custom_currency_symbol[<?= $block->escapeHtmlAttr($code) ?>]">
                 <div class="admin__field admin__field-option">
-                    <input id="custom_currency_symbol_inherit<?= $block->escapeHtml($code) ?>"
+                    <input id="custom_currency_symbol_inherit<?= $block->escapeHtmlAttr($code) ?>"
                            class="admin__control-checkbox" type="checkbox"
-                           onclick="toggleUseDefault(<?= '\'' . $block->escapeHtml($code) . '\',\'' .
-                                $block->escapeJs($data['parentSymbol']) . '\'' ?>)"
+                           onclick="toggleUseDefault(<?= '\'' . $block->escapeJs($code) . '\',\'' . $block->escapeJs($data['parentSymbol']) . '\'' ?>)"
                             <?= $data['inherited'] ? ' checked="checked"' : '' ?>
                            value="1"
-                           name="inherit_custom_currency_symbol[<?= $block->escapeHtml($code) ?>]">
+                           name="inherit_custom_currency_symbol[<?= $block->escapeHtmlAttr($code) ?>]">
                     <label class="admin__field-label"
-                           for="custom_currency_symbol_inherit<?= $block->escapeHtml($code) ?>">
+                           for="custom_currency_symbol_inherit<?= $block->escapeHtmlAttr($code) ?>">
                         <span>
                             <?= $block->escapeHtml($block->getInheritText()) ?>
                         </span>

app/code/Magento/CurrencySymbol/view/adminhtml/templates/system/currency/rate/matrix.phtml

@@ -35,8 +35,8 @@ $_rates = ($_newRates) ? $_newRates : $_oldRates;
                                 <td><span class="admin__control-support-text"><?= $block->escapeHtml($_currencyCode) ?></span></td>
                                 <td>
                                     <input type="text"
-                                           name="rate[<?= $block->escapeHtml($_currencyCode) ?>][<?= $block->escapeHtml($_rate) ?>]"
-                                           value="<?= ($_currencyCode == $_rate) ? '1.0000' : ($_value>0 ? $block->escapeHtml($_value) : (isset($_oldRates[$_currencyCode][$_rate]) ? $block->escapeHtml($_oldRates[$_currencyCode][$_rate]) : '')) ?>"
+                                           name="rate[<?= $block->escapeHtmlAttr($_currencyCode) ?>][<?= $block->escapeHtmlAttr($_rate) ?>]"
+                                           value="<?= ($_currencyCode == $_rate) ? '1.0000' : ($_value>0 ? $block->escapeHtmlAttr($_value) : (isset($_oldRates[$_currencyCode][$_rate]) ? $block->escapeHtmlAttr($_oldRates[$_currencyCode][$_rate]) : '')) ?>"
                                            class="admin__control-text"
                                             <?= ($_currencyCode == $_rate) ? ' disabled' : '' ?> />
                                     <?php if (isset($_newRates) && $_currencyCode != $_rate && isset($_oldRates[$_currencyCode][$_rate])) : ?>
@@ -46,8 +46,8 @@ $_rates = ($_newRates) ? $_newRates : $_oldRates;
                             <?php else : ?>
                                 <td>
                                     <input type="text"
-                                           name="rate[<?= $block->escapeHtml($_currencyCode) ?>][<?= $block->escapeHtml($_rate) ?>]"
-                                           value="<?= ($_currencyCode == $_rate) ? '1.0000' : ($_value>0 ? $block->escapeHtml($_value) : (isset($_oldRates[$_currencyCode][$_rate]) ? $block->escapeHtml($_oldRates[$_currencyCode][$_rate]) : '')) ?>"
+                                           name="rate[<?= $block->escapeHtmlAttr($_currencyCode) ?>][<?= $block->escapeHtmlAttr($_rate) ?>]"
+                                           value="<?= ($_currencyCode == $_rate) ? '1.0000' : ($_value>0 ? $block->escapeHtmlAttr($_value) : (isset($_oldRates[$_currencyCode][$_rate]) ? $block->escapeHtmlAttr($_oldRates[$_currencyCode][$_rate]) : '')) ?>"
                                            class="admin__control-text"
                                            <?= ($_currencyCode == $_rate) ? ' disabled' : '' ?> />
                                     <?php if (isset($_newRates) && $_currencyCode != $_rate && isset($_oldRates[$_currencyCode][$_rate])) : ?>