diff --git a/app/code/Magento/Authorizenet/view/adminhtml/templates/directpost/info.phtml b/app/code/Magento/Authorizenet/view/adminhtml/templates/directpost/info.phtml index 6c02076b5a7dbe55d9a81b7114599221c6c9f14e..9251ad16e7258cfb7938591fe66c9a1a2d353f50 100644 --- a/app/code/Magento/Authorizenet/view/adminhtml/templates/directpost/info.phtml +++ b/app/code/Magento/Authorizenet/view/adminhtml/templates/directpost/info.phtml @@ -9,7 +9,7 @@ * @var \Magento\Authorizenet\Block\Transparent\Iframe $block * @see \Magento\Authorizenet\Block\Transparent\Iframe */ -$code = $block->getMethodCode(); +$code = $block->escapeHtml($block->getMethodCode()); $method = $block->getMethod(); $controller = $block->escapeHtml($block->getRequest()->getControllerName()); $orderUrl = $block->escapeUrl($this->helper('Magento\Authorizenet\Helper\Backend\Data')->getPlaceOrderAdminUrl()); @@ -20,12 +20,12 @@ $ccExpYear = $block->getInfoData('cc_exp_year'); <!-- IFRAME for request to our server --> <iframe id="order-directpost-iframe" allowtransparency="true" frameborder="0" name="iframeSubmitOrder" style="display:none;width:100%;background-color:transparent" - src="<?php /* @noEscape */ echo $block->getViewFileUrl('blank.html'); ?>"> + src="<?php echo $block->escapeUrl($block->getViewFileUrl('blank.html')); ?>"> </iframe> <!-- IFRAME for request to Authorize.net --> <iframe id="directpost-iframe" allowtransparency="true" frameborder="0" name="iframeDirectPost" style="display:none;width:100%;background-color:transparent" - src="<?php /* @noEscape */ echo $block->getViewFileUrl('blank.html'); ?>"> + src="<?php echo $block->escapeUrl($block->getViewFileUrl('blank.html')); ?>"> </iframe> <fieldset class="admin__fieldset payment-method" id="payment_form_<?php /* @noEscape */ echo $code; ?>" style="display:none;"> 
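Review bot: In the `@@ -9,7 +9,7 @@` hunk `$code` is HTML-escaped once at assignment and then echoed under `/* @noEscape */` markers further down (the `payment_form_` id in the second hunk), so the marker no longer tells a reader which output context the value was escaped for. This is safe as long as every later echo of `$code` stays in an HTML text or attribute context, which the visible uses do, but it fails silently if a later edit drops `$code` into a JavaScript string or a URL. A one-line comment at the assignment would make the contract explicit: `// HTML-escaped here; every later echo of $code must stay in an HTML text/attribute context`. The same pre-escaped-variable pattern is introduced in the Braintree adminhtml and frontend `form.phtml` hunks, the Payment `form/cc.phtml` and `transparent/form.phtml` hunks, the Paypal billing-agreement form hunks, and the Ups `carrier_config.phtml` hunk, and the comment belongs at each of those assignments too.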
@@ -124,9 +124,9 @@ $ccExpYear = $block->getInfoData('cc_exp_year'); '<?php /* @noEscape */ echo $controller; ?>', '<?php /* @noEscape */ echo $orderUrl; ?>', '<?php echo $block->escapeUrl($method->getCgiUrl()); ?>', - '<?php /* @noEscape */ echo $block->getUrl('*/*/save', [ + '<?php echo $block->escapeUrl($block->getUrl('*/*/save', [ '_secure' => $block->getRequest()->isSecure() - ]);?>'); + ]));?>'); <?php if (!$block->isAjaxRequest()): ?> }); diff --git a/app/code/Magento/Braintree/view/adminhtml/templates/form.phtml b/app/code/Magento/Braintree/view/adminhtml/templates/form.phtml index 5610e082e1715e36dcecc8f7cc241bf1aeee2798..508313a25527a942d6c55cea7fd64873528e91a6 100644 --- a/app/code/Magento/Braintree/view/adminhtml/templates/form.phtml +++ b/app/code/Magento/Braintree/view/adminhtml/templates/form.phtml @@ -7,7 +7,7 @@ // @codingStandardsIgnoreFile /** @var \Magento\Braintree\Block\Form $block */ -$code = $block->getMethodCode(); +$code = $block->escapeHtml($block->getMethodCode()); $storedCards = $this->helper('\Magento\Braintree\Helper\Createorder')->getLoggedInCustomerCards(); $useVault = $block->useVault(); $useCvv = $block->useCvv(); diff --git a/app/code/Magento/Braintree/view/frontend/templates/PayPal/shortcut.phtml b/app/code/Magento/Braintree/view/frontend/templates/PayPal/shortcut.phtml index 267a6fede0644551bf2e45c5027bf2aebc9effe4..6edb66bd04c8f1c5858104007035a9b83c14fad9 100644 --- a/app/code/Magento/Braintree/view/frontend/templates/PayPal/shortcut.phtml +++ b/app/code/Magento/Braintree/view/frontend/templates/PayPal/shortcut.phtml @@ -42,7 +42,7 @@ $config = [ class="paypal checkout <?php echo $block->escapeHtml($block->getShowOrPosition()) ?> paypal-logo" > <fieldset class="fieldset paypal items"> - <div id="<?php /* @noEscape */ echo $containerId ?>" + <div id="<?php echo $block->escapeHtml($containerId); ?>" data-mage-init='<?php /* @noEscape */ echo json_encode($config); ?>'></div> </fieldset> </div> 
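Review bot: The `@@ -124,9 +124,9 @@` hunk wraps the `*/*/save` URL in `escapeUrl` while the value is written into a single-quoted JavaScript string literal (the surrounding `});` and the other quoted arguments indicate a script call); `escapeUrl` is an HTML-entity escaper in this framework, and entities are not decoded inside a `<script>` block, so a URL whose query string contains `&` reaches the script as `&amp;`, while an apostrophe or backslash is still not neutralised for the JS string context. The pre-existing `$orderUrl` and `getCgiUrl()` arguments on the context lines have the same mismatch. The escaper that fits this context is `escapeJsQuote`, already used elsewhere in this commit: `'<?php /* @noEscape */ echo $block->escapeJsQuote($block->getUrl('*/*/save', ['_secure' => $block->getRequest()->isSecure()])); ?>'`. If these lines are inside a `<script>` block as inferred, the enclosing JavaScript statement begins above the hunk.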
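Review bot: In the Braintree `PayPal/shortcut.phtml` hunk the `id` attribute now goes through `escapeHtml`, but the adjacent `data-mage-init='<?php /* @noEscape */ echo json_encode($config); ?>'` on the next context line still writes raw `json_encode` output into a single-quoted HTML attribute; `json_encode` does not escape `'`, so a `$config` value containing an apostrophe would terminate the attribute early. `$config` is assembled above the hunk, so whether such a value can occur is not visible here. The consistent fix is to escape for the attribute context, `data-mage-init='<?php echo $block->escapeHtml(json_encode($config)); ?>'`, or to pass `JSON_HEX_APOS | JSON_HEX_QUOT` to `json_encode`.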
diff --git a/app/code/Magento/Braintree/view/frontend/templates/creditcard/edit.phtml b/app/code/Magento/Braintree/view/frontend/templates/creditcard/edit.phtml index 6fcac2eae9c411929472c7b79ef1038836646183..44dc85b5404a1b51b2b3e508cbaa6b575788215e 100644 --- a/app/code/Magento/Braintree/view/frontend/templates/creditcard/edit.phtml +++ b/app/code/Magento/Braintree/view/frontend/templates/creditcard/edit.phtml @@ -164,7 +164,7 @@ $serializedFormData = $this->helper('Magento\Framework\Json\Helper\Data')->jsonE class="year required-entry" data-validate="{required:true}"> <?php foreach ($block->getCcYears() as $k => $v): ?> - <option value="<?php /* @noEscape */ echo $k ? $k : ''; ?>" + <option value="<?php /* @noEscape */ echo $k ? $block->escapeHtml($k) : ''; ?>" <?php if ($k == $defaultExpYear): ?> selected="selected"<?php endif; ?>> <?php echo $block->escapeHtml($v); ?> </option> diff --git a/app/code/Magento/Braintree/view/frontend/templates/form.phtml b/app/code/Magento/Braintree/view/frontend/templates/form.phtml index 459a61568cff7fa67f19d3146b1a2f7e0fb5ff5d..41029526cc388a58d93dc9c8ef119d99a1ccafd4 100644 --- a/app/code/Magento/Braintree/view/frontend/templates/form.phtml +++ b/app/code/Magento/Braintree/view/frontend/templates/form.phtml @@ -7,7 +7,7 @@ // @codingStandardsIgnoreFile /** @var \Magento\Braintree\Block\Form $block */ -$code = $block->getMethodCode(); +$code = $block->escapeHtml($block->getMethodCode()); $loggedIn = $block->isCustomerLoggedIn(); $storedCards = $block->getStoredCards(); $useVault = $loggedIn && $block->useVault() && count($storedCards); diff --git a/app/code/Magento/Multishipping/view/frontend/templates/checkout/success.phtml b/app/code/Magento/Multishipping/view/frontend/templates/checkout/success.phtml index dc0c669468da9a1aaae43fc83bfa32cc22776044..21b83793d7d27f94ea511f1e7a6cde2ab0a8384f 100644 --- a/app/code/Magento/Multishipping/view/frontend/templates/checkout/success.phtml 
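Review bot: The new line in the `creditcard/edit.phtml` hunk keeps the `/* @noEscape */` marker while it now calls `$block->escapeHtml($k)`, so the marker contradicts the code and a later reader, or a marker-based sniff, will treat an escaped output as a deliberately unescaped one. Dropping the marker is enough: `<option value="<?php echo $k ? $block->escapeHtml($k) : ''; ?>"`. The Payment `transparent/form.phtml` `@@ -102,7 +102,7 @@` hunk carries the same leftover marker on its new line. The enclosing `foreach` opens on a context line above and its `endforeach` lies below the hunk.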
+++ b/app/code/Magento/Multishipping/view/frontend/templates/checkout/success.phtml @@ -8,16 +8,16 @@ ?> <div class="multicheckout success"> - <h2 class="subtitle"><?php /* @noEscape */ echo __('Thank you for your purchase!') ?></h2> - <p><?php /* @escapeNotVerified */ echo __('Thanks for your order. We\'ll email you order details and tracking information.') ?></p> + <h2 class="subtitle"><?php echo $block->escapeHtml(__('Thank you for your purchase!')) ?></h2> + <p><?php echo $block->escapeHtml(__('Thanks for your order. We\'ll email you order details and tracking information.')) ?></p> <?php if ($_orderIds = $block->getOrderIds()): ?> <p class="order-number"> <?php $flag = false ?> <span> <?php if (count($_orderIds) > 1): ?> - <?php /* @noEscape */ echo __('Your order numbers are: ') ?> + <?php echo $block->escapeHtml(__('Your order numbers are: ')) ?> <?php else : ?> - <?php /* @noEscape */ echo __('Your order number is: ') ?> + <?php echo $block->escapeHtml(__('Your order number is: ')) ?> <?php endif; ?> </span> <?php foreach ($_orderIds as $orderId => $incrementId): ?><?php if ($flag): ?><?php echo ', ' ?><?php endif; ?><?php $flag = true ?><a href="<?php /* @escapeNotVerified */ echo $block->getViewOrderUrl($orderId) ?>"><?php /* @escapeNotVerified */ echo $incrementId ?></a><?php endforeach; ?> @@ -25,6 +25,6 @@ <?php endif; ?> <?php echo $block->getChildHtml() ?> <div class="actions"> - <a class="action continue" title="<?php /* @noEscape */ echo __('Continue Shopping') ?>" href="<?php /* @escapeNotVerified */ echo $block->getContinueUrl() ?>"><span><?php /* @noEscape */ echo __('Continue Shopping') ?></span></a> + <a class="action continue" title="<?php echo $block->escapeHtml(__('Continue Shopping')) ?>" href="<?php /* @escapeNotVerified */ echo $block->getContinueUrl() ?>"><span><?php echo $block->escapeHtml(__('Continue Shopping')) ?></span></a> </div> </div> 
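Review bot: The `success.phtml` hunk escapes the fixed, translator-controlled phrases but leaves the order loop's dynamic values on the `@escapeNotVerified` context line untouched: `$block->getViewOrderUrl($orderId)` goes into an `href` and `$incrementId` into the link text with no escaper, and the `@@ -25,6 +25,6 @@` hunk leaves `$block->getContinueUrl()` in the same state. These are the values that carry data from outside the template, so they deserve the treatment the phrases received: `href="<?php echo $block->escapeUrl($block->getViewOrderUrl($orderId)) ?>"><?php echo $block->escapeHtml($incrementId) ?></a>` and `href="<?php echo $block->escapeUrl($block->getContinueUrl()) ?>"`. The `@escapeNotVerified` markers on those lines can then be removed.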
diff --git a/app/code/Magento/Payment/view/adminhtml/templates/form/cc.phtml b/app/code/Magento/Payment/view/adminhtml/templates/form/cc.phtml index ab38d3752a679f68d8a0371d087c126268707a99..f1109afb7974ef65ee42d01d18162dc121c428ab 100644 --- a/app/code/Magento/Payment/view/adminhtml/templates/form/cc.phtml +++ b/app/code/Magento/Payment/view/adminhtml/templates/form/cc.phtml @@ -8,7 +8,7 @@ /** * @var \Magento\Payment\Block\Adminhtml\Transparent\Form $block */ -$code = $block->getMethodCode(); +$code = $block->escapeHtml($block->getMethodCode()); $ccType = $block->getInfoData('cc_type'); $ccExpMonth = $block->getInfoData('cc_exp_month'); $ccExpYear = $block->getInfoData('cc_exp_year'); diff --git a/app/code/Magento/Payment/view/adminhtml/templates/transparent/form.phtml b/app/code/Magento/Payment/view/adminhtml/templates/transparent/form.phtml index 1bb248e6fd5662bced43e2f7ee9d4c5a942a1f69..0d28d33caea9cadcfce22c7fb68e2da557c7935b 100644 --- a/app/code/Magento/Payment/view/adminhtml/templates/transparent/form.phtml +++ b/app/code/Magento/Payment/view/adminhtml/templates/transparent/form.phtml @@ -7,7 +7,7 @@ // @codingStandardsIgnoreFile /** @var \Magento\Payment\Block\Transparent\Form $block */ -$code = $block->getMethodCode(); +$code = $block->escapeHtml($block->getMethodCode()); $ccType = $block->getInfoData('cc_type'); $ccExpYear = $block->getInfoData('cc_exp_year'); $ccExpMonth = $block->getInfoData('cc_exp_month'); 
@@ -29,7 +29,7 @@ $ccExpMonth = $block->getInfoData('cc_exp_month'); "controller":"<?php echo $block->escapeHtml($block->getRequest()->getControllerName()); ?>", "gateway":"<?php /* @noEscape */ echo $code; ?>", "dateDelim":"<?php echo $block->escapeHtml($block->getDateDelim()); ?>", - "cardFieldsMap":<?php /* @noEscape */ echo $block->getCardFieldsMap(); ?>, + "cardFieldsMap":<?php echo $block->escapeHtml($block->getCardFieldsMap()); ?>, "orderSaveUrl":"<?php echo $block->escapeUrl($block->getOrderUrl()); ?>", "cgiUrl":"<?php echo $block->escapeUrl($block->getCgiUrl()); ?>", "expireYearLength":"<?php echo $block->escapeHtml($block->getMethodConfigData('cc_year_length')); ?>", @@ -102,7 +102,7 @@ $ccExpMonth = $block->getInfoData('cc_exp_month'); data-container="<?php /* @noEscape */ echo $code; ?>-cc-year" data-validate='{required:true}'> <?php foreach ($block->getCcYears() as $k => $v): ?> <option - value="<?php /* @noEscape */ echo $k ? $k : '' ?>" + value="<?php /* @noEscape */ echo $k ? $block->escapeHtml($k) : '' ?>" <?php if ($k == $ccExpYear): ?> selected="selected"<?php endif ?>> <?php echo $block->escapeHtml($v); ?> </option> diff --git a/app/code/Magento/Payment/view/adminhtml/templates/transparent/info.phtml b/app/code/Magento/Payment/view/adminhtml/templates/transparent/info.phtml index 8deddb094d1799a1f1459a6be34e7fdbf5a054f0..8b20f64b5a60109508916e2a2ed2b07d36fa586f 100644 --- a/app/code/Magento/Payment/view/adminhtml/templates/transparent/info.phtml +++ b/app/code/Magento/Payment/view/adminhtml/templates/transparent/info.phtml 
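Review bot: In the `@@ -29,7 +29,7 @@` hunk `cardFieldsMap` is a bare JSON value inside the single-quoted `data-mage-init` attribute, and moving it from `@noEscape` to `escapeHtml` turns every `"` into `&quot;`; that is correct for this context, because the HTML parser decodes the entities before the attribute value reaches the JSON parser, but to a reader it looks like a JSON-breaking change. A short comment would prevent a well-meant revert: `<?php /* entity-encoded for the attribute; the browser decodes it before the JSON is parsed */ ?>`. This assumes `getCardFieldsMap()` returns a JSON string, which its unquoted placement implies but which is not visible here. The frontend `transparent/form.phtml` `@@ -28,7 +28,7 @@` hunk makes the identical change and would take the same comment.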
@@ -11,6 +11,6 @@ * @see \Magento\Payment\Block\Transparent\Info */ ?> -<fieldset id="payment_form_<?php /* @noEscape */ echo $block->getMethodCode(); ?>" style="display:none" class="fieldset items redirect"> +<fieldset id="payment_form_<?php echo $block->escapeHtml($block->getMethodCode()); ?>" style="display:none" class="fieldset items redirect"> <div><?php echo $block->escapeHtml(__('We\'ll ask for your payment details before you place an order.')); ?></div> </fieldset> diff --git a/app/code/Magento/Payment/view/frontend/templates/form/cc.phtml b/app/code/Magento/Payment/view/frontend/templates/form/cc.phtml index 05d8d3c02c82cdfc54c16a9d77a6863422e7ecbd..a02de6dbaff84f73d2f9d7fa48dcc23c2b482f1d 100644 --- a/app/code/Magento/Payment/view/frontend/templates/form/cc.phtml +++ b/app/code/Magento/Payment/view/frontend/templates/form/cc.phtml @@ -8,7 +8,7 @@ /** * @var \Magento\Payment\Block\Transparent\Form $block */ -$code = $block->getMethodCode(); +$code = $block->escapeHtml($block->getMethodCode()); $ccType = $block->getInfoData('cc_type'); $ccExpMonth = $block->getInfoData('cc_exp_month'); $ccExpYear = $block->getInfoData('cc_exp_year'); diff --git a/app/code/Magento/Payment/view/frontend/templates/transparent/form.phtml b/app/code/Magento/Payment/view/frontend/templates/transparent/form.phtml index 64ea503996cd280d8b29dc154b4dc20e9e47f69d..a589900d6233ae186fbef507484d2334a64c1db6 100644 --- a/app/code/Magento/Payment/view/frontend/templates/transparent/form.phtml +++ b/app/code/Magento/Payment/view/frontend/templates/transparent/form.phtml @@ -7,7 +7,7 @@ // @codingStandardsIgnoreFile /** @var \Magento\Payment\Block\Transparent\Form $block */ -$code = $block->getMethodCode(); +$code = $block->escapeHtml($block->getMethodCode()); $ccExpMonth = $block->getInfoData('cc_exp_month'); $ccExpYear = $block->getInfoData('cc_exp_year'); $ccType = $block->getInfoData('cc_type'); 
@@ -20,7 +20,7 @@ $content = '<img src=\"' . $block->getViewFileUrl('Magento_Checkout::cvv.png') . <iframe width="0" height="0" id="<?php /* @noescape */ echo $code; ?>-transparent-iframe" data-container="<?php /* @noEscape */ echo $code; ?>-transparent-iframe" allowtransparency="true" frameborder="0" name="iframeTransparent" style="display:none;width:100%;background-color:transparent" - src="<?php /* @noEscape */ echo $block->getViewFileUrl('blank.html') ?>"></iframe> + src="<?php echo $block->escapeUrl($block->getViewFileUrl('blank.html')) ?>"></iframe> <form class="form" id="co-transparent-form" action="#" method="post" data-mage-init='{ "transparent":{ "controller":"<?php echo $block->escapeHtml($block->getRequest()->getControllerName()); ?>", @@ -28,7 +28,7 @@ $content = '<img src=\"' . $block->getViewFileUrl('Magento_Checkout::cvv.png') . "orderSaveUrl":"<?php echo $block->escapeUrl($block->getOrderUrl()); ?>", "cgiUrl":"<?php echo $block->escapeUrl($block->getCgiUrl()); ?>", "dateDelim":"<?php echo $block->escapeHtml($block->getDateDelim()); ?>", - "cardFieldsMap":<?php /* @noEscape */ echo $block->getCardFieldsMap(); ?>, + "cardFieldsMap":<?php echo $block->escapeHtml($block->getCardFieldsMap()); ?>, "nativeAction":"<?php echo $block->escapeUrl($block->getUrl('checkout/onepage/saveOrder', ['_secure' => $block->getRequest()->isSecure()])); ?>" }, "validation":[]}'> <fieldset class="fieldset ccard <?php /* @noEscape */ echo $code; ?>" id="payment_form_<?php /* @noEscape */ echo $code; ?>"> diff --git a/app/code/Magento/Payment/view/frontend/templates/transparent/info.phtml b/app/code/Magento/Payment/view/frontend/templates/transparent/info.phtml index c3ce1e5dbb7029ed65db079fcbf0230839373a3b..84cd69f6e4f698ff8731f76c5367e1b8244e0dae 100644 --- a/app/code/Magento/Payment/view/frontend/templates/transparent/info.phtml +++ b/app/code/Magento/Payment/view/frontend/templates/transparent/info.phtml 
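Review bot: The `@@ -20,7 +20,7 @@` hunk leaves `/* @noescape */` (lower-case e) on the iframe `id` context line while the `data-container` attribute on the next line spells it `/* @noEscape */`; if the project's escaping sniff matches the marker case-sensitively the `id` echo is handled differently from its neighbour, and either way two spellings make the template harder to audit. Normalise it to the spelling used everywhere else in this diff: `id="<?php /* @noEscape */ echo $code; ?>-transparent-iframe"`. The `<iframe>` element opens on the first hunk line, and the `<form>` element begun at the end of the hunk runs past it.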
@@ -11,7 +11,7 @@ * @see \Magento\Payment\Block\Transparent\Info */ ?> -<fieldset id="payment_form_<?php /* @noEscape */ echo $block->getMethodCode(); ?>" style="display:none" class="fieldset items redirect"> +<fieldset id="payment_form_<?php echo $block->escapeHtml($block->getMethodCode()); ?>" style="display:none" class="fieldset items redirect"> <div> <?php echo $block->escapeHtml(__('We\'ll ask for your payment details before you place an order.')); ?> </div> diff --git a/app/code/Magento/Paypal/view/adminhtml/templates/billing/agreement/form.phtml b/app/code/Magento/Paypal/view/adminhtml/templates/billing/agreement/form.phtml index 0d933a861b54182146e34358253ac033072f4c28..e1f6c1ac9655bcaa39a0e78efcf0023c1564b6ae 100644 --- a/app/code/Magento/Paypal/view/adminhtml/templates/billing/agreement/form.phtml +++ b/app/code/Magento/Paypal/view/adminhtml/templates/billing/agreement/form.phtml @@ -7,7 +7,7 @@ // @codingStandardsIgnoreFile /** @var \Magento\Paypal\Block\Adminhtml\Billing\Agreement\View\Form $block */ ?> -<?php $code = $block->getMethodCode() ?> +<?php $code = $block->escapeHtml($block->getMethodCode()) ?> <fieldset class="form-list" id="payment_form_<?php /* @noEscape */ echo $code; ?>" style="display:none;"> <div class="admin__field _required"> <label for="<?php /* @noEscape */ echo $code; ?>_ba_agreement_id" class="admin__field-label"> diff --git a/app/code/Magento/Paypal/view/adminhtml/templates/payment/form/billing/agreement.phtml b/app/code/Magento/Paypal/view/adminhtml/templates/payment/form/billing/agreement.phtml index d3a6bab129806819191d864a6dde2c60c952703f..66c2184c31012317eaa1cd704b3a3ba3ec0f5385 100644 --- a/app/code/Magento/Paypal/view/adminhtml/templates/payment/form/billing/agreement.phtml +++ b/app/code/Magento/Paypal/view/adminhtml/templates/payment/form/billing/agreement.phtml 
@@ -7,7 +7,7 @@ // @codingStandardsIgnoreFile /* @var $block \Magento\Paypal\Block\Payment\Form\Billing\Agreement */ ?> -<?php $code = $block->getMethodCode() ?> +<?php $code = $block->escapeHtml($block->getMethodCode()) ?> <fieldset class="admin__fieldset payment-method form-list" id="payment_form_<?php /* @noEscape */ echo $code; ?>" style="display:none;"> <div class="admin__field _required"> diff --git a/app/code/Magento/Paypal/view/frontend/templates/express/review.phtml b/app/code/Magento/Paypal/view/frontend/templates/express/review.phtml index 892e8771da7dce8e89e43717a2cf0fbfd5f626da..9146130881cabf5d0bd40352950db4b897b58b4a 100644 --- a/app/code/Magento/Paypal/view/frontend/templates/express/review.phtml +++ b/app/code/Magento/Paypal/view/frontend/templates/express/review.phtml @@ -84,7 +84,7 @@ </strong> <div class="box-content"> <address> - <?php /* @noEscape */ echo $block->renderAddress($block->getShippingAddress()); ?> + <?php echo $block->escapeHtml($block->renderAddress($block->getShippingAddress())); ?> </address> </div> <?php if ($block->getCanEditShippingAddress()): ?> diff --git a/app/code/Magento/Paypal/view/frontend/templates/express/shortcut.phtml b/app/code/Magento/Paypal/view/frontend/templates/express/shortcut.phtml index fa9afa80e5fa8abd356ed6ccfe3d54e80e3638a4..5858917ed8964d3c56b696e78d787f33f411819b 100644 --- a/app/code/Magento/Paypal/view/frontend/templates/express/shortcut.phtml +++ b/app/code/Magento/Paypal/view/frontend/templates/express/shortcut.phtml 
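Review bot: The `express/review.phtml` hunk wraps `$block->renderAddress(...)` in `escapeHtml` with no allowed-tag list; the output sits inside an `<address>` element and the method name suggests it returns a formatted address containing line-break markup, in which case the tags will now appear as literal text instead of being rendered. The `@noEscape` marker the hunk removes indicates the author regarded this value as pre-rendered HTML. If the renderer does emit markup, pass the tags it produces as the second argument, e.g. `$block->escapeHtml($block->renderAddress($block->getShippingAddress()), ['br'])`, after confirming the renderer's actual output against its format template, which is not visible here.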
@@ -43,9 +43,7 @@ if ($block->getConfirmationUrl() || $block->getIsInCatalogProduct()) { { ".paypal-logo.<?php /* @noEscape */ echo $shortcutHtmlId; ?>": { "paypalCheckout": { - "confirmMessage": "<?php /* @noEscape */ echo $block->escapeJsQuote( - $block->getConfirmationMessage() - ); ?>", + "confirmMessage": "<?php /* @noEscape */ echo $block->escapeJsQuote($block->getConfirmationMessage()); ?>", "confirmUrl": "<?php /* @noEscape */ echo !empty($confirmationUrl) ? $confirmationUrl : false; ?>", "isCatalogProduct": "<?php /* @noEscape */ echo !empty($isInCatalogProduct) ? (bool)$isInCatalogProduct : false; diff --git a/app/code/Magento/Paypal/view/frontend/templates/hss/info.phtml b/app/code/Magento/Paypal/view/frontend/templates/hss/info.phtml index 69bf40f9314e3efe35056fa5b0b1bc1915f61c33..c29f82418f83748e61f17632a13f6c891276bf38 100644 --- a/app/code/Magento/Paypal/view/frontend/templates/hss/info.phtml +++ b/app/code/Magento/Paypal/view/frontend/templates/hss/info.phtml @@ -11,7 +11,8 @@ * @see \Magento\Paypal\Block\Payflow\Link\Info */ ?> -<div id="payment_form_<?php /* @noEscape */ echo $block->getMethodCode(); ?>" style="display:none" class="hss items"> +<div id="payment_form_<?php echo $block->escapeHtml($block->getMethodCode()); ?>" + style="display:none" class="hss items"> <?php echo $block->escapeHtml(__( 'You will be required to enter your payment details after you place an order.' )); ?> diff --git a/app/code/Magento/Paypal/view/frontend/templates/payflowadvanced/info.phtml b/app/code/Magento/Paypal/view/frontend/templates/payflowadvanced/info.phtml index a11a3786c2c2d9f40e13dddb8b5546c6d546016c..252622af0f40880c76412aa4a06e29d066275e05 100644 --- a/app/code/Magento/Paypal/view/frontend/templates/payflowadvanced/info.phtml +++ b/app/code/Magento/Paypal/view/frontend/templates/payflowadvanced/info.phtml 
@@ -9,7 +9,7 @@ * @var \Magento\Paypal\Block\Payflow\Advanced\Form $block */ ?> -<fieldset id="payment_form_<?php /* @noEscape */ echo $block->getMethodCode(); ?>" style="display:none" +<fieldset id="payment_form_<?php echo $block->escapeHtml($block->getMethodCode()); ?>" style="display:none" class="fieldset payflowadvanced items redirect"> <div> <?php echo $block->escapeHtml(__('You will be required to enter your payment details after you place an order.')); ?> diff --git a/app/code/Magento/Paypal/view/frontend/templates/payflowlink/info.phtml b/app/code/Magento/Paypal/view/frontend/templates/payflowlink/info.phtml index 629141539e2aacd9865c42e85ec04396fc77a999..7296aaabccf4ea15d86f1be1ef07fcf62950b08d 100644 --- a/app/code/Magento/Paypal/view/frontend/templates/payflowlink/info.phtml +++ b/app/code/Magento/Paypal/view/frontend/templates/payflowlink/info.phtml @@ -8,7 +8,7 @@ * @var \Magento\Paypal\Block\Payflow\Link\Form $block */ ?> -<div class="payflowlink items" id="payment_form_<?php /* @noEscape */ echo $block->getMethodCode(); ?>" +<div class="payflowlink items" id="payment_form_<?php echo $block->escapeHtml($block->getMethodCode()); ?>" style="display:none"> <?php echo $block->escapeHtml(__('You will be required to enter your payment details after you place an order.'));?> </div> diff --git a/app/code/Magento/Paypal/view/frontend/templates/payment/form/billing/agreement.phtml b/app/code/Magento/Paypal/view/frontend/templates/payment/form/billing/agreement.phtml index 834a623d65b3f0b59a37ae59e2cab5e67e3e0695..7eb9423ce3be47a5d0528d786e59d898e0eb5aa3 100644 --- a/app/code/Magento/Paypal/view/frontend/templates/payment/form/billing/agreement.phtml +++ b/app/code/Magento/Paypal/view/frontend/templates/payment/form/billing/agreement.phtml 
@@ -8,7 +8,7 @@ /** * @var \Magento\Paypal\Block\Payment\Form\Billing\Agreement $block */ -$code = $block->getMethodCode(); +$code = $block->escapeHtml($block->getMethodCode()); ?> <div class="field items required" id="payment_form_<?php /* @noEscape */ echo $code; ?>" style="display:none;"> <label for="<?php /* @noEscape */ echo $code; ?>_ba_agreement_id" class="label"> diff --git a/app/code/Magento/Paypal/view/frontend/templates/payment/redirect.phtml b/app/code/Magento/Paypal/view/frontend/templates/payment/redirect.phtml index 5397d9aba46151905be8f46ee6da030f2567c5eb..b10e2f975964f649791f9c5788d57b76819beb17 100644 --- a/app/code/Magento/Paypal/view/frontend/templates/payment/redirect.phtml +++ b/app/code/Magento/Paypal/view/frontend/templates/payment/redirect.phtml @@ -12,7 +12,7 @@ $code = $block->escapeHtml($block->getBillingAgreementCode()); ?> <fieldset class="fieldset paypal items redirect" style="display:none;" - id="payment_form_<?php /* @noEscape */ echo $block->getMethodCode(); ?>"> + id="payment_form_<?php echo $block->escapeHtml($block->getMethodCode()); ?>"> <div><?php echo $block->escapeHtml($block->getRedirectMessage()); ?></div> <?php ?> <?php if ($code): ?> diff --git a/app/code/Magento/Ups/view/adminhtml/templates/system/shipping/carrier_config.phtml b/app/code/Magento/Ups/view/adminhtml/templates/system/shipping/carrier_config.phtml index c3ca415c7c2869ffad51232487b894c7599a2f9f..7cffb845b9387b55dbb5d51eb89e8d332ee9b3bb 100644 --- a/app/code/Magento/Ups/view/adminhtml/templates/system/shipping/carrier_config.phtml +++ b/app/code/Magento/Ups/view/adminhtml/templates/system/shipping/carrier_config.phtml 
@@ -20,19 +20,19 @@ if (!$storeCode && $websiteCode) { /** @var $web \Magento\Store\Model\Website */ $web = $block->getWebsiteModel()->load($websiteCode); $storedAllowedMethods = explode(',', $web->getConfig('carriers/ups/allowed_methods')); - $storedOriginShipment = $web->getConfig('carriers/ups/origin_shipment'); - $storedFreeShipment = $web->getConfig('carriers/ups/free_method'); - $storedUpsType = $web->getConfig('carriers/ups/type'); + $storedOriginShipment = $block->escapeHtml($web->getConfig('carriers/ups/origin_shipment')); + $storedFreeShipment = $block->escapeHtml($web->getConfig('carriers/ups/free_method')); + $storedUpsType = $block->escapeHtml($web->getConfig('carriers/ups/type')); } elseif ($storeCode) { $storedAllowedMethods = explode(',', $block->getConfig('carriers/ups/allowed_methods', $storeCode)); - $storedOriginShipment = $block->getConfig('carriers/ups/origin_shipment', $storeCode); - $storedFreeShipment = $block->getConfig('carriers/ups/free_method', $storeCode); - $storedUpsType = $block->getConfig('carriers/ups/type', $storeCode); + $storedOriginShipment = $block->escapeHtml($block->getConfig('carriers/ups/origin_shipment', $storeCode)); + $storedFreeShipment = $block->escapeHtml($block->getConfig('carriers/ups/free_method', $storeCode)); + $storedUpsType = $block->escapeHtml($block->getConfig('carriers/ups/type', $storeCode)); } else { $storedAllowedMethods = explode(',', $block->getConfig('carriers/ups/allowed_methods')); - $storedOriginShipment = $block->getConfig('carriers/ups/origin_shipment'); - $storedFreeShipment = $block->getConfig('carriers/ups/free_method'); - $storedUpsType = $block->getConfig('carriers/ups/type'); + $storedOriginShipment = $block->escapeHtml($block->getConfig('carriers/ups/origin_shipment')); + $storedFreeShipment = $block->escapeHtml($block->getConfig('carriers/ups/free_method')); + $storedUpsType = $block->escapeHtml($block->getConfig('carriers/ups/type')); } ?> <script>
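Review bot: The `carrier_config.phtml` hunk escapes `$storedOriginShipment`, `$storedFreeShipment` and `$storedUpsType` for HTML at assignment in all three branches, yet these values appear to be consumed by the `<script>` block that opens on the last hunk line; inside a script element HTML entities are not decoded, so `escapeHtml` neither protects a JavaScript string there nor leaves the value intact (an `&` or `'` in a config value arrives as `&amp;` or `&#039;`). Where the values are emitted is outside the hunk, so this is inferred from the surrounding structure; if they do land in JS string literals, `escapeJsQuote` at the point of output is the matching escaper. Separately, `$storedAllowedMethods` is the only one of the four config reads left unescaped in every branch, and the three branches now repeat identical escaping that could be applied once after the conditional, e.g. `$storedOriginShipment = $block->escapeHtml($storedOriginShipment);` and likewise for the other two. The `if` that opens this branch chain is on the line above the hunk.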