Merge branch '2.3-develop' into feature/271-Customer-Attributes-Validation
furseyev committed Jun 15, 2019
2 parents 3641627 + 6e534ad commit ef078b6
Showing 859 changed files with 41,489 additions and 6,456 deletions.
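--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,10 @@
+# Reporting Security Issues
+
+Magento values the contributions of the security research community, and we look forward to working with you to minimize risk to Magento merchants.
+
+## Where should I report security issues?
+
+We strongly encourage you to report all security issues privately via our [bug bounty program](https://hackerone.com/magento). Please provide us with relevant technical details and repro steps to expedite our investigation. If you prefer not to use HackerOne, email us directly at `[email protected]` with details and repro steps.
+
+## Learning More About Security
+To learn more about securing a Magento store, please visit the [Security Center](https://magento.com/security).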
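--- a/app/code/Magento/AdminNotification/Model/Feed.php
+++ b/app/code/Magento/AdminNotification/Model/Feed.php
@@ -25,6 +25,11 @@ class Feed extends \Magento\Framework\Model\AbstractModel
 
     const XML_LAST_UPDATE_PATH = 'system/adminnotification/last_update';
 
+    /**
+     * @var \Magento\Framework\Escaper
+     */
+    private $escaper;
+
     /**
      * Feed url
      *
@@ -77,6 +82,7 @@ class Feed extends \Magento\Framework\Model\AbstractModel
      * @param \Magento\Framework\Model\ResourceModel\AbstractResource $resource
      * @param \Magento\Framework\Data\Collection\AbstractDb $resourceCollection
      * @param array $data
+     * @param \Magento\Framework\Escaper|null $escaper
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
     public function __construct(
@@ -90,21 +96,26 @@ public function __construct(
         \Magento\Framework\UrlInterface $urlBuilder,
         \Magento\Framework\Model\ResourceModel\AbstractResource $resource = null,
         \Magento\Framework\Data\Collection\AbstractDb $resourceCollection = null,
-        array $data = []
+        array $data = [],
+        \Magento\Framework\Escaper $escaper = null
     ) {
         parent::__construct($context, $registry, $resource, $resourceCollection, $data);
-        $this->_backendConfig = $backendConfig;
-        $this->_inboxFactory = $inboxFactory;
-        $this->curlFactory = $curlFactory;
+        $this->_backendConfig = $backendConfig;
+        $this->_inboxFactory = $inboxFactory;
+        $this->curlFactory = $curlFactory;
         $this->_deploymentConfig = $deploymentConfig;
-        $this->productMetadata = $productMetadata;
-        $this->urlBuilder = $urlBuilder;
+        $this->productMetadata = $productMetadata;
+        $this->urlBuilder = $urlBuilder;
+        $this->escaper = $escaper ?? \Magento\Framework\App\ObjectManager::getInstance()->get(
+            \Magento\Framework\Escaper::class
+        );
     }
 
     /**
      * Init model
      *
      * @return void
+     * phpcs:disable Magento2.CodeAnalysis.EmptyBlock
      */
     protected function _construct()
     {
@@ -252,6 +263,6 @@ public function getFeedXml()
      */
     private function escapeString(\SimpleXMLElement $data)
     {
-        return htmlspecialchars((string)$data);
+        return $this->escaper->escapeHtml((string)$data);
     }
 }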
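Review bot: `escapeString()` now relies on `Escaper::escapeHtml()`, which in Magento's usual implementation wraps htmlspecialchars() with ENT_QUOTES|ENT_SUBSTITUTE and double_encode=false, whereas the removed `htmlspecialchars((string)$data)` used PHP's default flags and re-encoded entities already present in the feed text. That is a sensible direction for remotely fetched XML, but it is a behaviour change that the method's docblock, which ends just above the hunk, does not record; a line such as `Delegates to Escaper::escapeHtml(): quotes are escaped and entities already present in the feed text are left intact.` would make it explicit. If the escaper's flags differ from the above, the sentence should be adjusted to what `Escaper::escapeHtml()` actually does.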
Expand Up @@ -4,10 +4,6 @@
* See COPYING.txt for license details.
*/

// @codingStandardsIgnoreFile

?>
<?php
/**
* @see \Magento\AdminNotification\Block\Window
*/
Expand All @@ -19,11 +15,13 @@
"autoOpen": true,
"buttons": false,
"modalClass": "modal-system-messages",
"title": "<?= /* @escapeNotVerified */ $block->getHeaderText() ?>"
"title": "<?= $block->escapeHtmlAttr($block->getHeaderText()) ?>"
}
}'>
<li class="message message-warning warning">
<?= /* @escapeNotVerified */ $block->getNoticeMessageText() ?><br/>
<a href="<?= /* @escapeNotVerified */ $block->getNoticeMessageUrl() ?>"><?= /* @escapeNotVerified */ $block->getReadDetailsText() ?></a>
<?= $block->escapeHtml($block->getNoticeMessageText()) ?><br/>
<a href="<?= $block->escapeUrl($block->getNoticeMessageUrl()) ?>">
<?= $block->escapeHtml($block->getReadDetailsText()) ?>
</a>
</li>
</ul>
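Review bot: The `"title"` value inside the `data-mage-init` JSON is escaped with `escapeHtmlAttr()` only, but the browser decodes attribute entities before the JSON is parsed, so a `"` or `\` in the header text still terminates the JSON string and can alter the modal options. The header text presumably comes from a translated phrase rather than user input, so the impact is limited, but the robust form escapes for both layers: `"title": "<?= $block->escapeHtmlAttr($block->escapeJs($block->getHeaderText())) ?>"`. The same layering applies wherever a PHP value is emitted into a JSON literal held in an attribute.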
Expand Up @@ -4,41 +4,41 @@
* See COPYING.txt for license details.
*/

// @codingStandardsIgnoreFile

/** @var $block \Magento\AdminNotification\Block\System\Messages */
?>
<?php /** @var $block \Magento\AdminNotification\Block\System\Messages */ ?>

<?php $lastCritical = $block->getLastCritical();?>
<div id="system_messages" class="message-system<?php if ($lastCritical): ?> message-system-unread<?php endif; ?>">
<div id="system_messages"
class="message-system<?php if ($lastCritical) : ?>
message-system-unread<?php endif; ?>">
<div class="message-system-inner">
<?php if ($lastCritical): ?>
<?php if ($lastCritical) : ?>
<ul class="message-system-list">
<li class="message message-warning error">
<?= /* @escapeNotVerified */ $lastCritical->getText() ?>
<?= $block->escapeHtml($lastCritical->getText()) ?>
</li>
</ul>
<?php endif; ?>
<div class="message-system-short">
<span class="message-system-short-label">
<?= /* @escapeNotVerified */ __('System Messages:') ?>
<?= $block->escapeHtml(__('System Messages:')) ?>
</span>

<?php if ($block->getCriticalCount()): ?>
<?php if ($block->getCriticalCount()) : ?>
<div class="message message-warning error">
<a class="message-link" href="#" title="<?= $block->escapeHtml(__('Critical System Messages')) ?>">
<?= /* @escapeNotVerified */ $block->getCriticalCount() ?>
<?= (int) $block->getCriticalCount() ?>
</a>
</div>
<?php endif;?>
<?php endif; ?>

<?php if ($block->getMajorCount()): ?>
<?php if ($block->getMajorCount()) : ?>
<div class="message message-warning warning">
<a class="message-link" href="#" title="<?= $block->escapeHtml(__('Major System Messages')) ?>">
<?= /* @escapeNotVerified */ $block->getMajorCount() ?>
<?= (int) $block->getMajorCount() ?>
</a>
</div>
<?php endif;?>
<?php endif; ?>
</div>
<div id="message-system-all" title="<?= $block->escapeHtml(__('System messages')) ?>" data-mage-init='<?= $block->escapeHtml($block->getSystemMessageDialogJson()) ?>'></div>
</div>
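Review bot: `$block->escapeHtml($lastCritical->getText())` turns a previously raw output into fully escaped text, so any markup a system message deliberately carries (for example a link to the admin page that resolves it) will now be shown as literal tags; the same applies to `$block->escapeHtml($message->getText())` in the unread-message popup section below. If the message implementations do return markup, keep the escaping but pass the allow-list second argument of `escapeHtml()`, e.g. `$block->escapeHtml($lastCritical->getText(), ['a', 'strong'])` (sample tag list, to be adjusted to what the messages actually emit), rather than falling back to raw output. The concrete getText() implementations are not visible here, so this needs a check before merge.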
Expand Up @@ -4,16 +4,15 @@
* See COPYING.txt for license details.
*/

// @codingStandardsIgnoreFile

/** @var $block \Magento\AdminNotification\Block\System\Messages\UnreadMessagePopup */
?>
<?php /** @var $block \Magento\AdminNotification\Block\System\Messages\UnreadMessagePopup */ ?>

<div style="display:none" id="system_messages_list" data-role="system_messages_list" title="<?= $block->escapeHtml($block->getPopupTitle()) ?>">
<div style="display:none" id="system_messages_list" data-role="system_messages_list"
title="<?= $block->escapeHtmlAttr($block->getPopupTitle()) ?>">
<ul class="message-system-list messages">
<?php foreach ($block->getUnreadMessages() as $message): ?>
<li class="message message-warning <?= /* @escapeNotVerified */ $block->getItemClass($message) ?>">
<?= /* @escapeNotVerified */ $message->getText() ?>
<?php foreach ($block->getUnreadMessages() as $message) : ?>
<li class="message message-warning <?= $block->escapeHtmlAttr($block->getItemClass($message)) ?>">
<?= $block->escapeHtml($message->getText()) ?>
</li>
<?php endforeach;?>
</ul>
Expand Up @@ -4,81 +4,78 @@
* See COPYING.txt for license details.
*/

// @codingStandardsIgnoreFile
/** @var $this \Magento\AdminNotification\Block\ToolbarEntry */

?>
<?php /** @var $this \Magento\AdminNotification\Block\ToolbarEntry */ ?>
<?php
$notificationCount = $block->getUnreadNotificationCount();
$notificationCounterMax = $block->getNotificationCounterMax();
?>
<div
data-mage-init='{"toolbarEntry": {}}'
class="notifications-wrapper admin__action-dropdown-wrap"
data-notification-count="<?= /* @escapeNotVerified */ $notificationCount ?>">
data-notification-count="<?= (int)$notificationCount ?>">
<?php if ($notificationCount > 0) : ?>
<a
href="<?= /* @escapeNotVerified */ $block->getUrl('adminhtml/notification/index') ?>"
href="<?= $block->escapeUrl($block->getUrl('adminhtml/notification/index')) ?>"
class="notifications-action admin__action-dropdown"
data-mage-init='{"dropdown":{}}'
title="<?= /* @escapeNotVerified */ __('Notifications') ?>"
title="<?= $block->escapeHtmlAttr(__('Notifications')) ?>"
data-toggle="dropdown">
<span class="notifications-counter">
<?= /* @escapeNotVerified */ ($notificationCount > $notificationCounterMax) ? $notificationCounterMax . '+' : $notificationCount ?>
<?= /* @noEscape */ ($notificationCount > $notificationCounterMax) ? (int)$notificationCounterMax . '+' : (int)$notificationCount ?>
</span>
</a>
<ul
class="admin__action-dropdown-menu"
data-mark-as-read-url="<?= /* @escapeNotVerified */ $block->getUrl('adminhtml/notification/ajaxMarkAsRead') ?>">
data-mark-as-read-url="<?= $block->escapeUrl($block->getUrl('adminhtml/notification/ajaxMarkAsRead')) ?>">
<?php foreach ($block->getLatestUnreadNotifications() as $notification) : ?>
<?php /** @var $notification \Magento\AdminNotification\Model\Inbox*/ ?>
<li class="notifications-entry<?php if ($notification->getSeverity() == 1): ?> notifications-critical<?php endif; ?>"
data-notification-id="<?= /* @escapeNotVerified */ $notification->getId() ?>"
data-notification-severity="<?php if ($notification->getSeverity() == 1): ?>1<?php endif; ?>">
<?php
$notificationDescription = $block->escapeHtml($notification->getDescription());
$notificationDescriptionLength = $block->getNotificationDescriptionLength();
?>
<strong class="notifications-entry-title">
<?= $block->escapeHtml($notification->getTitle()) ?>
</strong>
<?php if (strlen($notificationDescription) > $notificationDescriptionLength) : ?>
<p class="notifications-entry-description _cutted">
<span class="notifications-entry-description-start">
<?= /* @escapeNotVerified */ substr($notificationDescription, 0, $notificationDescriptionLength) ?>
</span>
<span class="notifications-entry-description-end">
<?= /* @escapeNotVerified */ substr($notificationDescription, $notificationDescriptionLength) ?>
</span>
</p>
<?php else : ?>
<p class="notifications-entry-description">
<?= /* @escapeNotVerified */ $notificationDescription ?>
</p>
<?php endif; ?>
<time class="notifications-entry-time">
<?= /* @escapeNotVerified */ $block->formatNotificationDate($notification->getDateAdded()) ?>
</time>
<button
type="button"
class="notifications-close"
title="<?= /* @escapeNotVerified */ __('Close') ?>"
></button>
</li>
<?php /** @var $notification \Magento\AdminNotification\Model\Inbox */ ?>
<li class="notifications-entry<?php if ($notification->getSeverity() == 1) : ?> notifications-critical<?php endif; ?>"
data-notification-id="<?= $block->escapeHtmlAttr($notification->getId()) ?>"
data-notification-severity="<?php if ($notification->getSeverity() == 1) : ?>1<?php endif; ?>">
<?php
$notificationDescription = $notification->getDescription();
$notificationDescriptionLength = $block->getNotificationDescriptionLength();
?>
<strong class="notifications-entry-title">
<?= $block->escapeHtml($notification->getTitle()) ?>
</strong>
<?php if (strlen($notificationDescription) > $notificationDescriptionLength) : ?>
<p class="notifications-entry-description _cutted">
<span class="notifications-entry-description-start">
<?= $block->escapeHtml(substr($notificationDescription, 0, $notificationDescriptionLength)) ?>
</span>
<span class="notifications-entry-description-end">
<?= $block->escapeHtml(substr($notificationDescription, $notificationDescriptionLength)) ?>
</span>
</p>
<?php else : ?>
<p class="notifications-entry-description">
<?= $block->escapeHtml($notificationDescription) ?>
</p>
<?php endif; ?>
<time class="notifications-entry-time">
<?= $block->escapeHtml($block->formatNotificationDate($notification->getDateAdded())) ?>
</time>
<button
type="button"
class="notifications-close"
title="<?= $block->escapeHtmlAttr(__('Close')) ?>"
></button>
</li>
<?php endforeach; ?>
<li class="notifications-entry notifications-entry-last">
<a
href="<?= /* @escapeNotVerified */ $block->getUrl('adminhtml/notification/index') ?>"
href="<?= $block->escapeUrl($block->getUrl('adminhtml/notification/index')) ?>"
class="action-tertiary action-more">
<?= /* @escapeNotVerified */ __('See All (') ?><span class="notifications-counter"><?= /* @escapeNotVerified */ $notificationCount ?></span><?= /* @escapeNotVerified */ __(' unread)') ?>
<?= $block->escapeHtml(__('See All (')) ?><span class="notifications-counter"><?= (int)$notificationCount ?></span><?= $block->escapeHtml(__(' unread)')) ?>
</a>
</li>
</ul>
<?php else : ?>
<a
class="notifications-action admin__action-dropdown"
href="<?= /* @escapeNotVerified */ $block->getUrl('adminhtml/notification/index') ?>"
title="<?= /* @escapeNotVerified */ __('Notifications') ?>">
href="<?= $block->escapeUrl($block->getUrl('adminhtml/notification/index')) ?>"
title="<?= $block->escapeHtmlAttr(__('Notifications')) ?>">
</a>
<?php endif; ?>
</div>
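Review bot: The truncation at `strlen($notificationDescription) > $notificationDescriptionLength` and the two `substr()` calls below it now operate on the raw, unescaped description, so a byte offset can land inside a multibyte UTF-8 character; the surrounding escapeHtml() call will then either drop the broken sequence or emit a replacement character, depending on its flags. Switching to the multibyte variants keeps the cut readable: `<?php if (mb_strlen($notificationDescription) > $notificationDescriptionLength) : ?>`, with `mb_substr($notificationDescription, 0, $notificationDescriptionLength)` and `mb_substr($notificationDescription, $notificationDescriptionLength)` inside the two escapeHtml() calls. Taking the substring before escaping, rather than after as in the removed lines, is the right order, since it can no longer split an HTML entity.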