MC-29420: Remove event handlers from CE

Author: svitja

app/code/Magento/Backend/Block/Widget/Form/Container.php

@@ -5,6 +5,10 @@
  */
 namespace Magento\Backend\Block\Widget\Form;
 
+use Magento\Backend\Block\Widget\Context;
+use Magento\Framework\App\ObjectManager;
+use Magento\Framework\View\Helper\SecureHtmlRenderer;
+
 /**
  * Backend form container block
  *
@@ -39,7 +43,7 @@ class Container extends \Magento\Backend\Block\Widget\Container
      * @var string
      */
     protected $_blockGroup = 'Magento_Backend';
-    
+
     /**
      *  @var string
      */
@@ -55,6 +59,25 @@ class Container extends \Magento\Backend\Block\Widget\Container
      */
     protected $_template = 'Magento_Backend::widget/form/container.phtml';
 
+    /**
+     * @var SecureHtmlRenderer
+     */
+    private $secureRenderer;
+
+    /**
+     * @param Context $context
+     * @param array $data
+     * @param SecureHtmlRenderer|null $secureRenderer
+     */
+    public function __construct(
+        Context $context,
+        array $data = [],
+        ?SecureHtmlRenderer $secureRenderer = null
+    ) {
+        $this->secureRenderer = $secureRenderer ?? ObjectManager::getInstance()->get(SecureHtmlRenderer::class);
+        parent::__construct($context, $data);
+    }
+
     /**
      * Initialize form.
      *
@@ -205,8 +228,14 @@ public function getFormHtml()
     public function getFormInitScripts()
     {
         if (!empty($this->_formInitScripts) && is_array($this->_formInitScripts)) {
-            return '<script>' . implode("\n", $this->_formInitScripts) . '</script>';
+            return $this->secureRenderer->renderTag(
+                'script',
+                [],
+                implode("\n", $this->_formInitScripts),
+                false
+            );
         }
+
         return '';
     }
 
@@ -218,8 +247,14 @@ public function getFormInitScripts()
     public function getFormScripts()
     {
         if (!empty($this->_formScripts) && is_array($this->_formScripts)) {
-            return '<script>' . implode("\n", $this->_formScripts) . '</script>';
+            return $this->secureRenderer->renderTag(
+                'script',
+                [],
+                implode("\n", $this->_formScripts),
+                false
+            );
         }
+
         return '';
     }
 

app/code/Magento/Backend/view/adminhtml/templates/widget/form/container.phtml

@@ -29,6 +29,7 @@
     </div>
 <?php endif; ?>
 <?php $scriptString = <<<script
+
 require([
     'jquery',
     'mage/backend/form',
@@ -51,6 +52,7 @@ require([
         });
 
 });
+
 script;
 ?>
 <?= /* @noEscape */ $secureRenderer->renderTag('script', [], $scriptString, false) ?>

app/code/Magento/Backend/view/adminhtml/templates/widget/grid.phtml

@@ -3,6 +3,7 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+
 ?>
 <?php
 /**
@@ -230,10 +231,10 @@ require(deps, function('. ($block->getDependencyJsObject() ? 'registry' : '') .'
 
         if ($block->getChildBlock('grid.massaction') &&
             $block->getChildBlock('grid.massaction')->isAvailable()) {
-            $scriptString .= /* @noEscape */ $block->getChildBlock('grid.massaction')->getJavaScript();
+            $scriptString .= /* @noEscape */ $block->getChildBlock('grid.massaction')->getJavaScript() . PHP_EOL;
         }
 
-        $scriptString .= /* @noEscape */ $block->getAdditionalJavaScript();
+        $scriptString .= /* @noEscape */ $block->getAdditionalJavaScript() . PHP_EOL;
 
         if ($block->getDependencyJsObject()) {
             $scriptString .=  '});' . PHP_EOL;

app/code/Magento/Backend/view/adminhtml/templates/widget/grid/extended.phtml

@@ -150,7 +150,7 @@ $numColumns = count($block->getColumns());
                                 'onclick',
                                 /* @noEscape */ $block->getJsObjectName() . '.setPage(\'' .
                                 /* @noEscape */ ($_curPage + 1) . '\');return false;',
-                                '. admin__data-grid-pager button.action-next'
+                                '.admin__data-grid-pager button.action-next'
                             ) ?>
                         <?php else: ?>
                             <button type="button" class="action-next disabled">
@@ -290,16 +290,19 @@ $numColumns = count($block->getColumns());
     $jsonHelper = $block->getData('jsonHelper');
     if ($block->canDisplayContainer()):
         $scriptString = <<<script
+
     var deps = [];
 script;
         if ($block->getDependencyJsObject()):
             $scriptString .= <<<script
+
     deps.push('uiRegistry');
 script;
         endif;
 
         if (strpos($block->getRowClickCallback(), 'order.') !== false):
             $scriptString .= <<<script
+
     deps.push('Magento_Sales/order/create/form')
 script;
         endif;
@@ -310,6 +313,7 @@ script;
         if (is_array($block->getRequireJsDependencies())):
             foreach ($block->getRequireJsDependencies() as $dependency):
                 $scriptString .= <<<script
+
             deps.push('{$block->escapeJs($dependency)}');
 script;
             endforeach;

app/code/Magento/Msrp/view/frontend/templates/render/item/price_msrp_item.phtml

@@ -49,6 +49,11 @@
                                          "cartForm": "#wishlist-view-form"}}'>
             <?= $block->escapeHtml(__('Click for price')) ?>
         </a>
+        <?= /* @noEscape */ $secureRenderer->renderEventListenerAsTag(
+            'onclick',
+            'e.preventDefault()',
+            'a#' . /* @noEscape */ ($popupId)
+        ) ?>
     <?php else: ?>
         <span class="msrp-message">
             <?= $block->escapeHtml($_catalogHelper->getMsrpPriceMessage($_product)) ?>
@@ -61,4 +66,9 @@
        class="link tip">
         <?= $block->escapeHtml(__("What's this?")) ?>
     </a>
+    <?= /* @noEscape */ $secureRenderer->renderEventListenerAsTag(
+        'onclick',
+        'e.preventDefault()',
+        'a#' . /* @noEscape */ ($helpLinkId)
+    ) ?>
 </div>

app/code/Magento/Multishipping/view/frontend/templates/checkout/billing.phtml

@@ -17,7 +17,7 @@
              alt="<?= $block->escapeHtml(__('Loading...')); ?>">
     </div>
 </div>
-<?= /* @noEscape */ $secureRenderer->renderStyleAsTag('position: absolute;', 'div#checkout-loader .loader image') ?>
+<?= /* @noEscape */ $secureRenderer->renderStyleAsTag('position: absolute;', 'div#checkout-loader .loader img') ?>
 <?php $checkoutConfig = /* @noEscape */ $block->getCheckoutData()->getSerializedCheckoutConfigs();
 $scriptString = <<<script
     window.checkoutConfig = {$checkoutConfig};
@@ -148,6 +148,7 @@ script;
 </form>
 <?php $quoteBaseGrandTotal = (float)$block->getQuoteBaseGrandTotal();
 $scriptString = <<<script
+
     require(['jquery', 'mage/mage'], function(jQuery) {
         var addtocartForm = jQuery('#multishipping-billing-form');
 
@@ -165,11 +166,13 @@ $scriptString = <<<script
             }
         });
     });
+
 script;
 ?>
 <?= /* @noEscape */ $secureRenderer->renderTag('script', [], $scriptString, false) ?>
 
 <?php $scriptString = <<<script
+
     //<![CDATA[
     require(
         [
@@ -198,6 +201,7 @@ $scriptString .= <<<script
             });
         });
     //]]>
+
 script;
 ?>
 <?= /* @noEscape */ $secureRenderer->renderTag('script', [], $scriptString, false) ?>

app/code/Magento/OfflinePayments/view/adminhtml/templates/form/checkmo.phtml

@@ -25,5 +25,5 @@
 </fieldset>
 <?= /* @noEscape */ $secureRenderer->renderStyleAsTag(
     "display:none",
-    'fieldset#payment_form_' . $block->escapeHtml($block->getMethodCode())
+    'fieldset#payment_form_' . $block->escapeJs($block->getMethodCode())
 ) ?>

app/code/Magento/OfflinePayments/view/adminhtml/templates/form/purchaseorder.phtml

@@ -24,5 +24,5 @@
 </fieldset>
 <?= /* @noEscape */ $secureRenderer->renderStyleAsTag(
     "display:none",
-    'fieldset#payment_form_' . $block->escapeHtml($block->getMethodCode())
+    'fieldset#payment_form_' . $block->escapeJs($block->getMethodCode())
 ) ?>

app/code/Magento/OfflinePayments/view/frontend/templates/form/checkmo.phtml

@@ -26,6 +26,6 @@
     </dl>
     <?= /* @noEscape */ $secureRenderer->renderStyleAsTag(
         "display:none",
-        'dl#payment_form_' . $block->escapeHtml($block->getMethodCode())
+        'dl#payment_form_' . $block->escapeJs($block->getMethodCode())
     ) ?>
 <?php endif; ?>

app/code/Magento/Paypal/view/frontend/templates/partner/logo.phtml

@@ -25,7 +25,7 @@
 <?= /* @noEscape */ $secureRenderer->renderEventListenerAsTag(
     'onclick',
     "javascript:window.open(
-               '" . $block->escapeUrl($block->getAboutPaypalPageUrl()) . "',
+               '" . $block->escapeJs($block->getAboutPaypalPageUrl()) . "',
                'paypal',
                'width=600,height=350,left=0,top=0,location=no,status=yes,scrollbars=yes,resizable=yes'
                ); return false;",

app/code/Magento/Paypal/view/frontend/templates/payflowlink/redirect.phtml

@@ -16,6 +16,7 @@
 </head>
 <body>
 <?php $scriptString= <<<script
+
     (function() {
         'use strict';
 
@@ -32,7 +33,7 @@
 
         var cartUrl = '{$block->escapeJs($block->getUrl('checkout/cart'))}',
             successUrl = '{$block->escapeJs($block->getUrl('checkout/onepage/success'))}',
-            goToSuccessPage = '{$block->escapeUrl($block->getGotoSuccessPage())}',
+            goToSuccessPage = '{$block->escapeJs($block->getGotoSuccessPage())}',
             require = window.top.require,
             windowContext = window,
             errorMessage = {
@@ -50,8 +51,8 @@
             })
         }
 
-
     })();
+
 script;
 ?>
 <?= /* @noEscape */ $secureRenderer->renderTag('script', [], $scriptString, false) ?>

app/code/Magento/Paypal/view/frontend/templates/payment/mark.phtml

@@ -25,7 +25,7 @@ $url = $block->escapeUrl($block->getPaymentAcceptanceMarkHref());
 <?= /* @noEscape */ $secureRenderer->renderEventListenerAsTag(
     'onclick',
     "javascript:window.open(
-           '" . /* @noEscape */ $url . "',
+           '" . /* @noEscape */ $block->escapeJs($block->getPaymentAcceptanceMarkHref()) . "',
            'olcwhatispaypal',
            'toolbar=no, location=no, directories=no, status=no, menubar=no, scrollbars=yes, resizable=yes, ,' +
            'left=0, top=0, width=400, height=350'

app/code/Magento/ProductVideo/view/adminhtml/templates/product/edit/slideout/form.phtml

@@ -8,7 +8,7 @@
  * @var \Magento\Framework\View\Helper\SecureHtmlRenderer $secureRenderer
  */
 ?>
-<div id="video_name_<?= $block->escapeHtmlAttr($block->getNameInLayout()) ?>"
+<div id="<?= $block->escapeHtmlAttr($block->getNameInLayout()) ?>"
     data-modal-info='<?= /* @noEscape */ $block->getWidgetOptions() ?>'
 >
     <?= $block->getFormHtml() ?>
@@ -28,7 +28,7 @@
         </div>
     </div>
 </div>
-<?= /* @noEscape */ $secureRenderer->renderTag(
+<?= /* @noEscape */ $secureRenderer->renderStyleAsTag(
     'display:none',
-    'div#video_name_' . $block->escapeHtmlAttr($block->getNameInLayout())
+    'div#' . $block->escapeJs($block->getNameInLayout())
 ) ?>