magento
diff --git a/‎app/code/Magento/Backend/Block/Widget/Button.php
Lines changed: 1 addition & 1 deletion b/‎app/code/Magento/Backend/Block/Widget/Button.php
Lines changed: 1 addition & 1 deletion
diff --git a/‎app/code/Magento/Backend/Block/Widget/Button/SplitButton.php
Lines changed: 1 addition & 1 deletion b/‎app/code/Magento/Backend/Block/Widget/Button/SplitButton.php
Lines changed: 1 addition & 1 deletion
diff --git a/‎app/code/Magento/Backend/Block/Widget/Grid/Column/Renderer/Action.php
Lines changed: 3 additions & 1 deletion b/‎app/code/Magento/Backend/Block/Widget/Grid/Column/Renderer/Action.php
Lines changed: 3 additions & 1 deletion
diff --git a/‎app/code/Magento/Backend/Block/Widget/Grid/Massaction/AbstractMassaction.php
Lines changed: 1 addition & 1 deletion b/‎app/code/Magento/Backend/Block/Widget/Grid/Massaction/AbstractMassaction.php
Lines changed: 1 addition & 1 deletion
diff --git a/‎app/code/Magento/Backend/Block/Widget/Grid/Massaction/Extended.php
Lines changed: 1 addition & 1 deletion b/‎app/code/Magento/Backend/Block/Widget/Grid/Massaction/Extended.php
Lines changed: 1 addition & 1 deletion
diff --git a/‎app/code/Magento/Backend/view/adminhtml/templates/system/search.phtml
Lines changed: 1 addition & 1 deletion b/‎app/code/Magento/Backend/view/adminhtml/templates/system/search.phtml
Lines changed: 1 addition & 1 deletion
diff --git a/‎app/code/Magento/Backup/view/adminhtml/templates/backup/dialogs.phtml
Lines changed: 2 additions & 2 deletions b/‎app/code/Magento/Backup/view/adminhtml/templates/backup/dialogs.phtml
Lines changed: 2 additions & 2 deletions
diff --git a/‎app/code/Magento/Catalog/Block/Adminhtml/Product/Attribute/Set/Main.php
Lines changed: 1 addition & 1 deletion b/‎app/code/Magento/Catalog/Block/Adminhtml/Product/Attribute/Set/Main.php
Lines changed: 1 addition & 1 deletion
diff --git a/‎app/code/Magento/Catalog/view/adminhtml/templates/catalog/product/attribute/set/main.phtml
Lines changed: 4 additions & 4 deletions b/‎app/code/Magento/Catalog/view/adminhtml/templates/catalog/product/attribute/set/main.phtml
Lines changed: 4 additions & 4 deletions
diff --git a/‎app/code/Magento/Catalog/view/adminhtml/templates/catalog/product/composite/fieldset/options/type/date.phtml
Lines changed: 2 additions & 2 deletions b/‎app/code/Magento/Catalog/view/adminhtml/templates/catalog/product/composite/fieldset/options/type/date.phtml
Lines changed: 2 additions & 2 deletions
diff --git a/‎app/code/Magento/Catalog/view/adminhtml/templates/catalog/product/edit/price/tier.phtml
Lines changed: 2 additions & 2 deletions b/‎app/code/Magento/Catalog/view/adminhtml/templates/catalog/product/edit/price/tier.phtml
Lines changed: 2 additions & 2 deletions
diff --git a/‎app/code/Magento/ConfigurableProduct/view/adminhtml/templates/catalog/product/attribute/set/js.phtml
Lines changed: 3 additions & 3 deletions b/‎app/code/Magento/ConfigurableProduct/view/adminhtml/templates/catalog/product/attribute/set/js.phtml
Lines changed: 3 additions & 3 deletions
diff --git a/‎app/code/Magento/CurrencySymbol/view/adminhtml/templates/grid.phtml
Lines changed: 2 additions & 2 deletions b/‎app/code/Magento/CurrencySymbol/view/adminhtml/templates/grid.phtml
Lines changed: 2 additions & 2 deletions
diff --git a/‎app/code/Magento/Customer/view/adminhtml/templates/tab/cart.phtml
Lines changed: 2 additions & 2 deletions b/‎app/code/Magento/Customer/view/adminhtml/templates/tab/cart.phtml
Lines changed: 2 additions & 2 deletions
diff --git a/‎app/code/Magento/GoogleAnalytics/Block/Ga.php
Lines changed: 6 additions & 7 deletions b/‎app/code/Magento/GoogleAnalytics/Block/Ga.php
Lines changed: 6 additions & 7 deletions
diff --git a/‎app/code/Magento/Integration/Block/Adminhtml/Widget/Grid/Column/Renderer/Button.php
Lines changed: 5 additions & 1 deletion b/‎app/code/Magento/Integration/Block/Adminhtml/Widget/Grid/Column/Renderer/Button.php
Lines changed: 5 additions & 1 deletion
diff --git a/‎app/code/Magento/Integration/Block/Adminhtml/Widget/Grid/Column/Renderer/Link.php
Lines changed: 1 addition & 1 deletion b/‎app/code/Magento/Integration/Block/Adminhtml/Widget/Grid/Column/Renderer/Link.php
Lines changed: 1 addition & 1 deletion
diff --git a/‎app/code/Magento/Integration/Test/Unit/Block/Adminhtml/Widget/Grid/Column/Renderer/ButtonTest.php
Lines changed: 2 additions & 0 deletions b/‎app/code/Magento/Integration/Test/Unit/Block/Adminhtml/Widget/Grid/Column/Renderer/ButtonTest.php
Lines changed: 2 additions & 0 deletions
diff --git a/‎app/code/Magento/Integration/Test/Unit/Block/Adminhtml/Widget/Grid/Column/Renderer/LinkTest.php
Lines changed: 1 addition & 0 deletions b/‎app/code/Magento/Integration/Test/Unit/Block/Adminhtml/Widget/Grid/Column/Renderer/LinkTest.php
Lines changed: 1 addition & 0 deletions
diff --git a/‎app/code/Magento/Integration/view/adminhtml/templates/integration/popup_container.phtml
Lines changed: 3 additions & 3 deletions b/‎app/code/Magento/Integration/view/adminhtml/templates/integration/popup_container.phtml
Lines changed: 3 additions & 3 deletions
diff --git a/‎app/code/Magento/Payment/Test/Unit/Block/InfoTest.php
Lines changed: 1 addition & 1 deletion b/‎app/code/Magento/Payment/Test/Unit/Block/InfoTest.php
Lines changed: 1 addition & 1 deletion
diff --git a/‎app/code/Magento/Payment/view/frontend/templates/transparent/iframe.phtml
Lines changed: 3 additions & 3 deletions b/‎app/code/Magento/Payment/view/frontend/templates/transparent/iframe.phtml
Lines changed: 3 additions & 3 deletions
@@ -113,7 +113,7 @@ protected function _attributesToHtml($attributes)
             if ($attributeValue === null || $attributeValue == '') {
                 continue;
             }
-            $html .= $attributeKey . '="' . $this->escapeHtml($attributeValue) . '" ';
+            $html .= $attributeKey . '="' . $this->escapeHtmlAttr($attributeValue, false) . '" ';
         }
 
         return $html;
 
@@ -229,7 +229,7 @@ protected function _getAttributesString($attributes)
             if ($attributeValue === null || $attributeValue == '') {
                 continue;
             }
-            $html[] = $attributeKey . '="' . $this->escapeHtml($attributeValue) . '"';
+            $html[] = $attributeKey . '="' . $this->escapeHtmlAttr($attributeValue, false) . '"';
         }
         return join(' ', $html);
     }
 
@@ -82,7 +82,9 @@ protected function _toOptionHtml($action, \Magento\Framework\DataObject $row)
         $actionCaption = '';
         $this->_transformActionData($action, $actionCaption, $row);
 
-        $htmlAttributes = ['value' => $this->escapeHtml($this->_jsonEncoder->encode($action))];
+        $htmlAttributes = [
+            'value' => $this->escapeHtmlAttr($this->_jsonEncoder->encode($action), false)
+        ];
         $actionAttributes->setData($htmlAttributes);
         return '<option ' . $actionAttributes->serialize() . '>' . $actionCaption . '</option>';
     }
 
@@ -54,7 +54,7 @@ protected function _construct()
     {
         parent::_construct();
 
-        $this->setErrorText($this->escapeJsQuote(__('Please select items.')));
+        $this->setErrorText($this->escapeHtml(__('Please select items.')));
 
         if (null !== $this->getOptions()) {
             foreach ($this->getOptions() as $optionId => $option) {
 
@@ -66,7 +66,7 @@ public function __construct(
     public function _construct()
     {
         parent::_construct();
-        $this->setErrorText($this->escapeJsQuote(__('Please select items.')));
+        $this->setErrorText($this->escapeHtml(__('Please select items.')));
     }
 
     /**
 
@@ -17,7 +17,7 @@
                     class="search-global-input"
                     id="search-global"
                     name="query"
-                    data-mage-init='<?php echo $block->escapeHtml($this->helper('Magento\Framework\Json\Helper\Data')->jsonEncode($block->getWidgetInitOptions()))?>'>
+                    data-mage-init='<?php /* @noEscape */ echo $this->helper('Magento\Framework\Json\Helper\Data')->jsonEncode($block->getWidgetInitOptions()) ?>'>
             <button
                 type="submit"
                 class="search-global-action"
 
@@ -147,8 +147,8 @@ require([
 
 //<![CDATA[
     backup = new AdminBackup();
-    backup.rollbackUrl = '<?php /* @escapeNotVerified */ echo $block->escapeJsQuote($rollbackUrl);?>';
-    backup.backupUrl = '<?php /* @escapeNotVerified */ echo $block->escapeJsQuote($backupUrl);?>';
+    backup.rollbackUrl = '<?php echo $block->escapeUrl($rollbackUrl); ?>';
+    backup.backupUrl = '<?php echo $block->escapeUrl($backupUrl); ?>';
 //]]>
 
 });
 
@@ -127,7 +127,7 @@ protected function _prepareLayout()
                 'Magento\Backend\Block\Widget\Button',
                 [
                     'label' => __('Delete'),
-                    'onclick' => 'deleteConfirm(\'' . $this->escapeJsQuote(
+                    'onclick' => 'deleteConfirm(\'' . $this->escapeJs(
                         __(
                             'You are about to delete all products in this attribute set. '
                             . 'Are you sure you want to do that?'
 
@@ -214,7 +214,7 @@
 
                             if( editSet.SystemNodesExists(editSet.currentNode) ) {
                                 alert({
-                                    content: '<?php /* @escapeNotVerified */ echo $block->escapeJsQuote(__('This group contains system attributes. Please move system attributes to another group and try again.')) ?>'
+                                    content: '<?php echo $block->escapeJs(__('This group contains system attributes. Please move system attributes to another group and try again.')) ?>'
                                 });
                                 return;
                             }
@@ -343,7 +343,7 @@
 
                         failure : function(o) {
                             alert({
-                                content: '<?php /* @escapeNotVerified */ echo $block->escapeJsQuote(__('Sorry, we\'re unable to complete this request.')) ?>'
+                                content: '<?php echo $block->escapeJs(__('Sorry, we\'re unable to complete this request.')) ?>'
                             });
                         },
 
@@ -360,7 +360,7 @@
                         rightBeforeAppend : function(tree, nodeThis, node, newParent) {
                             if (node.attributes.is_user_defined == 0) {
                                 alert({
-                                    content: '<?php /* @escapeNotVerified */ echo $block->escapeJsQuote(__('You can\'t remove attributes from this attribute set.')) ?>'
+                                    content: '<?php echo $block->escapeJs(__('You can\'t remove attributes from this attribute set.')) ?>'
                                 });
                                 return false;
                             } else {
@@ -376,7 +376,7 @@
 
                             if (node.attributes.is_unassignable == 0) {
                                 alert({
-                                    content: '<?php /* @escapeNotVerified */ echo $block->escapeJsQuote(__('You can\'t remove attributes from this attribute set.')) ?>'
+                                    content: '<?php echo $block->escapeJs(__('You can\'t remove attributes from this attribute set.')) ?>'
                                 });
                                 return false;
                             } else {
 
@@ -58,7 +58,7 @@ require([
                 if (dateTimeParts[i].value == "") return false;
             }
             return true;
-        }, '<?php /* @escapeNotVerified */ echo $block->escapeJsQuote( __('This is a required option.') )?>');
+        }, '<?php echo $block->escapeJs(__('This is a required option.')) ?>');
 <?php else: ?>
         jQuery.validator.addMethod('validate-datetime-<?php /* @escapeNotVerified */ echo $_optionId ?>', function(v) {
             var dateTimeParts = jQuery('.datetime-picker[id^="options_<?php /* @escapeNotVerified */ echo $_optionId ?>"]');
@@ -74,7 +74,7 @@ require([
                 }
             }
             return hasWithValue ^ hasWithNoValue;
-        }, '<?php /* @escapeNotVerified */ echo $block->escapeJsQuote( __('The field isn\'t complete.') )?>');
+        }, '<?php echo $block->escapeJs(__('The field isn\'t complete.')) ?>');
 <?php endif; ?>
     //]]>
 
 
@@ -58,12 +58,12 @@ var tierPriceRowTemplate = '<tr>'
     + '<td class="col-websites"<?php if (!$_showWebsite): ?> style="display:none"<?php endif; ?>>'
     + '<select class="<?php /* @escapeNotVerified */ echo $_htmlClass ?> required-entry" name="<?php /* @escapeNotVerified */ echo $_htmlName ?>[<%- data.index %>][website_id]" id="tier_price_row_<%- data.index %>_website">'
     <?php foreach ($block->getWebsites() as $_websiteId => $_info): ?>
-    + '<option value="<?php /* @escapeNotVerified */ echo $_websiteId ?>"><?php /* @escapeNotVerified */ echo $block->escapeJsQuote($block->escapeHtml($_info['name'])) ?><?php if (!empty($_info['currency'])): ?> [<?php echo $block->escapeHtml($_info['currency']) ?>]<?php endif; ?></option>'
+    + '<option value="<?php /* @escapeNotVerified */ echo $_websiteId ?>"><?php echo $block->escapeJs($_info['name']) ?><?php if (!empty($_info['currency'])): ?> [<?php echo $block->escapeHtml($_info['currency']) ?>]<?php endif; ?></option>'
     <?php endforeach ?>
     + '</select></td>'
     + '<td class="col-customer-group"><select class="<?php /* @escapeNotVerified */ echo $_htmlClass ?> custgroup required-entry" name="<?php /* @escapeNotVerified */ echo $_htmlName ?>[<%- data.index %>][cust_group]" id="tier_price_row_<%- data.index %>_cust_group">'
     <?php foreach ($block->getCustomerGroups() as $_groupId => $_groupName): ?>
-    + '<option value="<?php /* @escapeNotVerified */ echo $_groupId ?>"><?php /* @escapeNotVerified */ echo $block->escapeJsQuote($block->escapeHtml($_groupName)) ?></option>'
+    + '<option value="<?php /* @escapeNotVerified */ echo $_groupId ?>"><?php echo $block->escapeJs($_groupName) ?></option>'
     <?php endforeach ?>
     + '</select></td>'
     + '<td class="col-qty">'
 
@@ -29,7 +29,7 @@ editSet.submit = editSet.submit.wrap(function(original) {
     if (editSet.currentNode){
         if (ConfigurableNodeExists(editSet.currentNode)) {
             alert({
-                content: '<?php /* @escapeNotVerified */ echo $block->escapeJsQuote(__('This group contains attributes used in configurable products. Please move these attributes to another group and try again.')) ?>'
+                content: '<?php echo $block->escapeJs(__('This group contains attributes used in configurable products. Please move these attributes to another group and try again.')) ?>'
             });
             return;
         }
@@ -40,7 +40,7 @@ editSet.submit = editSet.submit.wrap(function(original) {
 editSet.rightBeforeAppend = editSet.rightBeforeAppend.wrap(function(original, tree, nodeThis, node, newParent) {
     if (node.attributes.is_configurable == 1) {
         alert({
-            content: '<?php /* @escapeNotVerified */ echo $block->escapeJsQuote(__('This attribute is used in configurable products. You cannot remove it from the attribute set.')) ?>'
+            content: '<?php echo $block->escapeJs(__('This attribute is used in configurable products. You cannot remove it from the attribute set.')) ?>'
         });
         return false;
     }
@@ -50,7 +50,7 @@ editSet.rightBeforeAppend = editSet.rightBeforeAppend.wrap(function(original, tr
 editSet.rightBeforeInsert = editSet.rightBeforeInsert.wrap(function(original, tree, nodeThis, node, newParent) {
     if (node.attributes.is_configurable == 1) {
         alert({
-            content: '<?php /* @escapeNotVerified */ echo $block->escapeJsQuote(__('This attribute is used in configurable products. You cannot remove it from the attribute set.')) ?>'
+            content: '<?php echo $block->escapeJs(__('This attribute is used in configurable products. You cannot remove it from the attribute set.')) ?>'
         });
         return false;
     }
 
@@ -27,13 +27,13 @@
                 <input id="custom_currency_symbol<?php /* @escapeNotVerified */ echo $code; ?>"
                        class="required-entry admin__control-text"
                        type="text"
-                       value="<?php echo $block->escapeQuote($data['displaySymbol']); ?>"
+                       value="<?php echo $block->escapeHtmlAttr($data['displaySymbol']); ?>"
                        <?php echo $data['inherited'] ? ' disabled="disabled"' : '';?>
                        name="custom_currency_symbol[<?php /* @escapeNotVerified */ echo $code; ?>]">
                 <div class="admin__field admin__field-option">
                     <input id="custom_currency_symbol_inherit<?php /* @escapeNotVerified */ echo $code; ?>"
                            class="admin__control-checkbox" type="checkbox"
-                           onclick="toggleUseDefault(<?php /* @escapeNotVerified */ echo '\'' . $code . '\',\'' . $block->escapeQuote($data['parentSymbol'], true) . '\''; ?>)"
+                           onclick="toggleUseDefault(<?php /* @escapeNotVerified */ echo '\'' . $code . '\',\'' . $block->escapeJs($data['parentSymbol']) . '\''; ?>)"
                             <?php echo $data['inherited'] ? ' checked="checked"' : ''; ?>
                            value="1"
                            name="inherit_custom_currency_symbol[<?php /* @escapeNotVerified */ echo $code; ?>]">
 
@@ -57,14 +57,14 @@ require([
 
         if (!itemId) {
             alert({
-                content: '<?php /* @escapeNotVerified */ echo $block->escapeJsQuote(__('No item specified.')) ?>'
+                content: '<?php echo $block->escapeJs(__('No item specified.')) ?>'
             });
 
             return false;
         }
 
         confirm({
-            content: '<?php /* @escapeNotVerified */ echo $block->escapeJsQuote(__('Are you sure you want to remove this item?')) ?>',
+            content: '<?php echo $block->escapeJs(__('Are you sure you want to remove this item?')) ?>',
             actions: {
                 confirm: function(){
                     self.reload({'delete':itemId});
 
@@ -77,12 +77,11 @@ public function getPageTrackingCode($accountId)
         $pageName = trim($this->getPageName());
         $optPageURL = '';
         if ($pageName && substr($pageName, 0, 1) == '/' && strlen($pageName) > 1) {
-            $optPageURL = ", '{$this->escapeJsQuote($pageName)}'";
+            $optPageURL = ", '" . $this->escapeHtmlAttr($pageName, false) . "'";
         }
 
-        return "\nga('create', '{$this->escapeJsQuote(
-            $accountId
-        )}', 'auto');\nga('send', 'pageview'{$optPageURL});\n";
+        return "\nga('create', '" . $this->escapeHtmlAttr($accountId, false)
+            . ", 'auto');\nga('send', 'pageview'{$optPageURL});\n";
     }
 
     /**
@@ -121,8 +120,8 @@ public function getOrdersTrackingCode()
                         'price': '%s',
                         'quantity': %s
                     });",
-                    $this->escapeJsQuote($item->getSku()),
-                    $this->escapeJsQuote($item->getName()),
+                    $this->escapeJs($item->getSku()),
+                    $this->escapeJs($item->getName()),
                     $item->getBasePrice(),
                     $item->getQtyOrdered()
                 );
@@ -137,7 +136,7 @@ public function getOrdersTrackingCode()
                     'shipping': '%s'
                 });",
                 $order->getIncrementId(),
-                $this->escapeJsQuote($this->_storeManager->getStore()->getFrontendName()),
+                $this->escapeJs($this->_storeManager->getStore()->getFrontendName()),
                 $order->getBaseGrandTotal(),
                 $order->getBaseTaxAmount(),
                 $order->getBaseShippingAmount()
 
@@ -85,7 +85,11 @@ protected function _prepareAttributes(DataObject $row)
             ) : $this->getColumn()->{$rowMethodName}();
 
             if ($attributeValue) {
-                $attributes[] = sprintf('%s="%s"', $attributeName, $this->escapeHtml($attributeValue));
+                $attributes[] = sprintf(
+                    '%s="%s"',
+                    $attributeName,
+                    $this->escapeHtmlAttr($attributeValue, false)
+                );
             }
         }
         return $attributes;
 
@@ -118,7 +118,7 @@ protected function _getAttributesHtml()
             if ($value === null || $value == '') {
                 continue;
             }
-            $html[] = sprintf('%s="%s"', $key, $this->escapeHtml($value));
+            $html[] = sprintf('%s="%s"', $key, $this->escapeHtmlAttr($value, false));
         }
 
         return join(' ', $html);
 
@@ -58,6 +58,8 @@ public function testRender()
         $column->expects($this->any())
             ->method('getId')
             ->willReturn('1');
+        $this->escaperMock->expects($this->at(0))->method('escapeHtmlAttr')->willReturn('1');
+        $this->escaperMock->expects($this->at(1))->method('escapeHtmlAttr')->willReturn('bigButton');
         $column->expects($this->any())
             ->method('getIndex')
             ->willReturn('name');
 
@@ -74,6 +74,7 @@ public function testRender()
         $column->expects($this->any())
             ->method('getId')
             ->willReturn('1');
+        $this->escaperMock->expects($this->at(0))->method('escapeHtmlAttr')->willReturn('Link Caption');
         $this->linkRenderer->setColumn($column);
         $object = new \Magento\Framework\DataObject(['id' => '1']);
         $actualResult = $this->linkRenderer->render($object);
 
@@ -19,9 +19,9 @@
     ], function ($, Confirm) {
 
         window.integration = new Integration(
-            '<?php /* @escapeNotVerified */ echo $block->getUrl('*/*/permissionsDialog', ['id' => ':id', 'reauthorize' => ':isReauthorize']); ?>',
-            '<?php /* @escapeNotVerified */ echo $block->getUrl('*/*/tokensDialog', ['id' => ':id', 'reauthorize' => ':isReauthorize']); ?>',
-            '<?php /* @escapeNotVerified */ echo $block->getUrl('*/*/tokensExchange', ['id' => ':id', 'reauthorize' => ':isReauthorize']); ?>',
+            '<?php /* @escapeNotVerified */ echo $block->getUrl('*/*/permissionsDialog', ['id' => ':id', 'reauthorize' => ':isReauthorize', '_escape_params' => false]); ?>',
+            '<?php /* @escapeNotVerified */ echo $block->getUrl('*/*/tokensDialog', ['id' => ':id', 'reauthorize' => ':isReauthorize', '_escape_params' => false]); ?>',
+            '<?php /* @escapeNotVerified */ echo $block->getUrl('*/*/tokensExchange', ['id' => ':id', 'reauthorize' => ':isReauthorize', '_escape_params' => false]); ?>',
             '<?php /* @escapeNotVerified */ echo $block->getUrl('*/*'); ?>',
             '<?php /* @escapeNotVerified */ echo $block->getUrl('*/*/loginSuccessCallback'); ?>'
         );
 
@@ -155,7 +155,7 @@ public function getValueAsArrayDataProvider()
             [[], false, []],
             ['string', true, [0 => 'string']],
             ['string', false, ['string']],
-            [['key' => 'v"a!@#%$%^^&&*(*/\'\]l'], true, ['key' => 'v&quot;a!@#%$%^^&amp;&amp;*(*/\'\]l']],
+            [['key' => 'v"a!@#%$%^^&&*(*/\'\]l'], true, ['key' => 'v&quot;a!@#%$%^^&amp;&amp;*(*/&#039;\]l']],
             [['key' => 'val'], false, ['key' => 'val']]
         ];
     }
 
@@ -14,7 +14,7 @@ $params = $block->getParams();
     <head>
         <script>
         <?php if (isset($params['redirect'])): ?>
-            window.location="<?php echo $block->escapeXssInUrl($params['redirect']); ?>";
+            window.location="<?php echo $block->escapeUrl($params['redirect']); ?>";
         <?php elseif (isset($params['redirect_parent'])): ?>
             var require = window.top.require;
             require(
@@ -24,7 +24,7 @@ $params = $block->getParams();
                 function($) {
                     var parent = window.top;
                     $(parent).trigger('clearTimeout');
-                    parent.location="<?php echo $block->escapeXssInUrl($params['redirect_parent']); ?>";
+                    parent.location="<?php echo $block->escapeUrl($params['redirect_parent']); ?>";
                 }
             );
         <?php elseif (isset($params['error_msg'])): ?>
@@ -44,7 +44,7 @@ $params = $block->getParams();
                 }
             );
         <?php elseif (isset($params['order_success'])): ?>
-            window.top.location = "<?php echo $block->escapeXssInUrl($params['order_success']); ?>";
+            window.top.location = "<?php echo $block->escapeUrl($params['order_success']); ?>";
         <?php else: ?>
             var require = window.top.require;
             require(
Original file line number	Diff line number	Diff line change
`@@ -113,7 +113,7 @@ protected function _attributesToHtml($attributes)`
`113`	`113`	`if ($attributeValue === null \|\| $attributeValue == '') {`
`114`	`114`	`continue;`
`115`	`115`	`}`
`116`		`- $html .= $attributeKey . '="' . $this->escapeHtml($attributeValue) . '" ';`
	`116`	`+ $html .= $attributeKey . '="' . $this->escapeHtmlAttr($attributeValue, false) . '" ';`
`117`	`117`	`}`
`118`	`118`
`119`	`119`	`return $html;`
Original file line number	Diff line number	Diff line change
`@@ -229,7 +229,7 @@ protected function _getAttributesString($attributes)`
`229`	`229`	`if ($attributeValue === null \|\| $attributeValue == '') {`
`230`	`230`	`continue;`
`231`	`231`	`}`
`232`		`- $html[] = $attributeKey . '="' . $this->escapeHtml($attributeValue) . '"';`
	`232`	`+ $html[] = $attributeKey . '="' . $this->escapeHtmlAttr($attributeValue, false) . '"';`
`233`	`233`	`}`
`234`	`234`	`return join(' ', $html);`
`235`	`235`	`}`
Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,7 @@ protected function _construct()`
`54`	`54`	`{`
`55`	`55`	`parent::_construct();`
`56`	`56`
`57`		`- $this->setErrorText($this->escapeJsQuote(__('Please select items.')));`
	`57`	`+ $this->setErrorText($this->escapeHtml(__('Please select items.')));`
`58`	`58`
`59`	`59`	`if (null !== $this->getOptions()) {`
`60`	`60`	`foreach ($this->getOptions() as $optionId => $option) {`
Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,7 @@ public function __construct(`
`66`	`66`	`public function _construct()`
`67`	`67`	`{`
`68`	`68`	`parent::_construct();`
`69`		`- $this->setErrorText($this->escapeJsQuote(__('Please select items.')));`
	`69`	`+ $this->setErrorText($this->escapeHtml(__('Please select items.')));`
`70`	`70`	`}`
`71`	`71`
`72`	`72`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -127,7 +127,7 @@ protected function _prepareLayout()`
`127`	`127`	`'Magento\Backend\Block\Widget\Button',`
`128`	`128`	`[`
`129`	`129`	`'label' => __('Delete'),`
`130`		`- 'onclick' => 'deleteConfirm(\'' . $this->escapeJsQuote(`
	`130`	`+ 'onclick' => 'deleteConfirm(\'' . $this->escapeJs(`
`131`	`131`	`__(`
`132`	`132`	`'You are about to delete all products in this attribute set. '`
`133`	`133`	`. 'Are you sure you want to do that?'`
Original file line number	Diff line number	Diff line change
`@@ -58,7 +58,7 @@ require([`
`58`	`58`	`if (dateTimeParts[i].value == "") return false;`
`59`	`59`	`}`
`60`	`60`	`return true;`
`61`		`- }, '<?php /* @escapeNotVerified */ echo $block->escapeJsQuote( __('This is a required option.') )?>');`
	`61`	`+ }, '<?php echo $block->escapeJs(__('This is a required option.')) ?>');`
`62`	`62`	`<?php else: ?>`
`63`	`63`	`jQuery.validator.addMethod('validate-datetime-<?php /* @escapeNotVerified */ echo $_optionId ?>', function(v) {`
`64`	`64`	`var dateTimeParts = jQuery('.datetime-picker[id^="options_<?php /* @escapeNotVerified */ echo $_optionId ?>"]');`
`@@ -74,7 +74,7 @@ require([`
`74`	`74`	`}`
`75`	`75`	`}`
`76`	`76`	`return hasWithValue ^ hasWithNoValue;`
`77`		`- }, '<?php /* @escapeNotVerified */ echo $block->escapeJsQuote( __('The field isn\'t complete.') )?>');`
	`77`	`+ }, '<?php echo $block->escapeJs(__('The field isn\'t complete.')) ?>');`
`78`	`78`	`<?php endif; ?>`
`79`	`79`	`//]]>`
`80`	`80`
Original file line number	Diff line number	Diff line change
`@@ -85,7 +85,11 @@ protected function _prepareAttributes(DataObject $row)`
`85`	`85`	`) : $this->getColumn()->{$rowMethodName}();`
`86`	`86`
`87`	`87`	`if ($attributeValue) {`
`88`		`- $attributes[] = sprintf('%s="%s"', $attributeName, $this->escapeHtml($attributeValue));`
	`88`	`+ $attributes[] = sprintf(`
	`89`	`+ '%s="%s"',`
	`90`	`+ $attributeName,`
	`91`	`+ $this->escapeHtmlAttr($attributeValue, false)`
	`92`	`+ );`
`89`	`93`	`}`
`90`	`94`	`}`
`91`	`95`	`return $attributes;`
Original file line number	Diff line number	Diff line change
`@@ -118,7 +118,7 @@ protected function _getAttributesHtml()`
`118`	`118`	`if ($value === null \|\| $value == '') {`
`119`	`119`	`continue;`
`120`	`120`	`}`
`121`		`- $html[] = sprintf('%s="%s"', $key, $this->escapeHtml($value));`
	`121`	`+ $html[] = sprintf('%s="%s"', $key, $this->escapeHtmlAttr($value, false));`
`122`	`122`	`}`
`123`	`123`
`124`	`124`	`return join(' ', $html);`
Original file line number	Diff line number	Diff line change
`@@ -155,7 +155,7 @@ public function getValueAsArrayDataProvider()`
`155`	`155`	`[[], false, []],`
`156`	`156`	`['string', true, [0 => 'string']],`
`157`	`157`	`['string', false, ['string']],`
`158`		`- [['key' => 'v"a!@#%$%^^&&(/\'\]l'], true, ['key' => 'v"a!@#%$%^^&&(/\'\]l']],`
	`158`	`+ [['key' => 'v"a!@#%$%^^&&(/\'\]l'], true, ['key' => 'v"a!@#%$%^^&&(/'\]l']],`
`159`	`159`	`[['key' => 'val'], false, ['key' => 'val']]`
`160`	`160`	`];`
`161`	`161`	`}`