Magento 2 @escapeNotVerified
I see a lot of occurrences of this comment /* @escapeNotVerified */ in the template files for Magento2.

Does it have a special meaning?

Is there any use for this?

Examples:

  • https://github.com/magento/magento2/blob/2.1/app/code/Magento/Catalog/view/frontend/templates/product/list.phtml#L23
  • https://github.com/magento/magento2/blob/2.1/app/code/Magento/Catalog/view/frontend/templates/product/image_with_borders.phtml#L10
  • https://github.com/magento/magento2/blob/2.1/app/code/Magento/Catalog/view/frontend/templates/product/gallery.phtml#L12
  • I could go on for a few pages here.
magento2 template
edited yesterday by Himanshu

asked Dec 8 '15 at 8:25 by Marius
  • Hey... Why the downvote? I'm not allowed to ask questions?
    – Marius
    Dec 8 '15 at 12:07
2 Answers
This tag is used by static tests. Any potentially unsafe output must be marked with either @escapeNotVerified or @noEscape to pass the tests; the latter means that this particular usage has been checked and is safe.

In future releases all occurrences of @escapeNotVerified will be verified and either marked with @noEscape or escaped with one of these methods:

  • Magento\Framework\View\Element\AbstractBlock::escapeHtml
  • Magento\Framework\View\Element\AbstractBlock::escapeUrl
  • Magento\Framework\View\Element\AbstractBlock::escapeXssInUrl
  • Magento\Framework\View\Element\AbstractBlock::escapeQuote

Also note that some output is considered safe and should not be marked with such annotations:

  • Enclosed in single quotes
  • Enclosed in double quotes but without variables
  • Type casting to bool, int
  • Method calls which contain 'html' in their names, like getTitleHtml, are also expected to output escaped HTML
answered Dec 8 '15 at 8:54 by Alex Paliarush
  • Great answer @Alex
    – Amit Bera
    Dec 8 '15 at 9:24

  • Good Ans +1 @Alex :)
    – Rama Chandran M
    Mar 9 '18 at 2:40

  • It helps +1 @Alex
    – Nikunj Vadariya
    Jul 13 '18 at 6:39
I found it in the devdocs of Magento 2:

Static Test

To improve security against XSS injections, a static test XssPhtmlTemplateTest.php is added to dev\tests\static\testsuite\Magento\Test\Php.

This static test finds all echo calls in PHTML templates and determines whether each one is properly escaped or not.

It covers the following cases:

  • /* @noEscape */ before output. Output doesn't require escaping. Test is green.
  • /* @escapeNotVerified */ before output. Output escaping is not checked and should be verified. Test is green.

Read the Magento Docs at 2.0 or 2.1
edited Mar 8 '17 at 2:31 by cyk

answered Dec 8 '15 at 8:50 by Bill
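Added example, written for this page and not taken from either answer or from Magento's own XssPhtmlTemplateTest: a Python approximation of the rule set the two answers describe. It scans a constructed PHTML snippet (modelled on the 2.1 product templates the question links) for every echo / <?= output and reports which ones the static test passes because of an annotation, which it recognises as escaped under the first answer's rules (the four escaper methods, quoted literals, int/bool casts, ...Html() calls), and which are unescaped. The escaper method names are the ones listed in the first answer; the sample template, the regexes and the function names (audit, summary, needs_attention) are assumptions made for this illustration. The practical point it makes visible: @escapeNotVerified keeps the test green without making the output safe, so needs_attention() lists those outputs alongside the genuinely unescaped ones.

```python
"""Approximation of the XssPhtmlTemplateTest rules described above (written
for this page, not Magento's code): find every output statement in a PHTML
template and say whether the static test would accept it, and why."""
import re
from collections import Counter

# Escaper methods on Magento\Framework\View\Element\AbstractBlock listed above.
ESCAPE_METHODS = ("escapeHtml", "escapeUrl", "escapeXssInUrl", "escapeQuote")
# `<?= ... ?>` or `<?php ... ?>` blocks, and the two annotations the test knows.
BLOCK_RE = re.compile(r"<\?(=|php(?=\s))(.*?)\?>", re.DOTALL)
ANN_PATTERN = r"/\*\s*@(?P<ann>noEscape|escapeNotVerified)\s*\*/\s*"
ANN_RE = re.compile(ANN_PATTERN)
ECHO_RE = re.compile(r"(?:" + ANN_PATTERN + r")?echo\s+(?P<body>[^;]*)")
# `$block->escapeHtml(...)` (any escaper) wrapping the whole expression, and a
# trailing `...Html(...)` call, which is expected to return escaped HTML.
ESCAPER_CALL_RE = re.compile(r"^\$\w+->(?:%s)\(.*\)$" % "|".join(ESCAPE_METHODS), re.DOTALL)
HTML_METHOD_RE = re.compile(r"->\w*html\w*\([^()]*\)$", re.IGNORECASE)
SINGLE_QUOTED_RE = re.compile(r"'(?:[^'\\]|\\.)*'", re.DOTALL)
DOUBLE_QUOTED_RE = re.compile(r'"(?:[^"\\]|\\.)*"', re.DOTALL)

def concat_parts(expr):
    """Split a PHP expression on top-level `.` concatenations, ignoring dots
    inside quotes or parentheses, so each operand can be judged on its own."""
    parts, buf, depth, quote, escaped = [], [], 0, None, False
    for ch in expr:
        if quote:                      # inside a string literal
            buf.append(ch)
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == quote:
                quote = None
            continue
        if ch in "'\"":
            quote = ch
        elif ch in "([":
            depth += 1
        elif ch in ")]":
            depth -= 1
        elif ch == "." and depth == 0:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return parts

def is_safe_part(part):
    """The forms the first answer lists as safe without any annotation."""
    return bool(
        SINGLE_QUOTED_RE.fullmatch(part)                           # 'literal'
        or (DOUBLE_QUOTED_RE.fullmatch(part) and "$" not in part)  # "literal", no variables
        or re.match(r"\((?:int|bool)\)", part)                     # (int) / (bool) cast
        or ESCAPER_CALL_RE.match(part)                             # wrapped in an escaper
        or HTML_METHOD_RE.search(part)                             # ...Html() method
    )

def classify(annotation, expr):
    """'noEscape' / 'escapeNotVerified': annotated, test is green.
    'safe': recognised as escaped, test is green.  'unescaped': test is red."""
    if annotation:
        return annotation
    return "safe" if all(is_safe_part(p) for p in concat_parts(expr)) else "unescaped"

def output_statements(template):
    """Yield (annotation, expression) for every echo / <?= in the template."""
    for opener, code in BLOCK_RE.findall(template):
        code = code.strip().rstrip(";").strip()
        if opener == "=":
            m = ANN_RE.match(code)
            yield (m.group("ann"), code[m.end():].strip()) if m else (None, code)
        else:
            for m in ECHO_RE.finditer(code):
                yield m.group("ann"), m.group("body").strip()

def audit(template):
    """[(status, expression), ...] in document order."""
    return [(classify(ann, expr), expr) for ann, expr in output_statements(template)]

def summary(template):
    return dict(Counter(status for status, _ in audit(template)))

def needs_attention(template):
    """What a reviewer still has to look at: red outputs, plus the
    @escapeNotVerified ones that are green only because of the annotation."""
    return [(s, e) for s, e in audit(template) if s in ("unescaped", "escapeNotVerified")]

# Constructed sample in the style of the 2.1 product templates the question links.
SAMPLE_TEMPLATE = r"""
<?php /* @escapeNotVerified */ echo $block->getToolbarHtml() ?>
<?= /* @noEscape */ $block->getAdditionalHtml() ?>
<?php echo $_product->getName() ?>
<?= $block->escapeHtml($_product->getName()) ?>
<a href="<?= $block->escapeUrl($_product->getProductUrl()) ?>">
<?= '<div class="product-item-info">' ?>
<?php echo "<div class=\"actions\">"; ?>
<?= (int) $_product->getId() ?>
<?= $block->getChildHtml('review') ?>
<?= '<li class="' . $block->escapeHtml($_product->getTypeId()) . '">' ?>
<?= $block->getTitle() . ' - ' . $block->escapeHtml($_product->getSku()) ?>
<?php $i = 0; foreach ($items as $_product): ?>
"""
```

To run it over a real theme, read each .phtml file and pass its text to audit(). Magento's own test recognises more helper forms than the five rules here, so treat this as a review aid for spotting @escapeNotVerified and bare echo output, not as a substitute for the static test.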