Magento 2 @escapeNotVerified












61














I see a lot of occurences of this comment /* @escapeNotVerified */ in the template files for Magento2.

Does it have a special meaning?

Is there any use for this?



Examples:




  • https://github.com/magento/magento2/blob/2.1/app/code/Magento/Catalog/view/frontend/templates/product/list.phtml#L23

  • https://github.com/magento/magento2/blob/2.1/app/code/Magento/Catalog/view/frontend/templates/product/image_with_borders.phtml#L10

  • https://github.com/magento/magento2/blob/2.1/app/code/Magento/Catalog/view/frontend/templates/product/gallery.phtml#L12


  • I could go on for a few pages here.











share|improve this question




















  • 21




    Hey...Why the downvote? I'm not allowed to ask questions?
    – Marius
    Dec 8 '15 at 12:07


















61














I see a lot of occurences of this comment /* @escapeNotVerified */ in the template files for Magento2.

Does it have a special meaning?

Is there any use for this?



Examples:




  • https://github.com/magento/magento2/blob/2.1/app/code/Magento/Catalog/view/frontend/templates/product/list.phtml#L23

  • https://github.com/magento/magento2/blob/2.1/app/code/Magento/Catalog/view/frontend/templates/product/image_with_borders.phtml#L10

  • https://github.com/magento/magento2/blob/2.1/app/code/Magento/Catalog/view/frontend/templates/product/gallery.phtml#L12


  • I could go on for a few pages here.











share|improve this question




















  • 21




    Hey...Why the downvote? I'm not allowed to ask questions?
    – Marius
    Dec 8 '15 at 12:07
















61












61








61


10





I see a lot of occurences of this comment /* @escapeNotVerified */ in the template files for Magento2.

Does it have a special meaning?

Is there any use for this?



Examples:




  • https://github.com/magento/magento2/blob/2.1/app/code/Magento/Catalog/view/frontend/templates/product/list.phtml#L23

  • https://github.com/magento/magento2/blob/2.1/app/code/Magento/Catalog/view/frontend/templates/product/image_with_borders.phtml#L10

  • https://github.com/magento/magento2/blob/2.1/app/code/Magento/Catalog/view/frontend/templates/product/gallery.phtml#L12


  • I could go on for a few pages here.











share|improve this question















I see a lot of occurences of this comment /* @escapeNotVerified */ in the template files for Magento2.

Does it have a special meaning?

Is there any use for this?



Examples:




  • https://github.com/magento/magento2/blob/2.1/app/code/Magento/Catalog/view/frontend/templates/product/list.phtml#L23

  • https://github.com/magento/magento2/blob/2.1/app/code/Magento/Catalog/view/frontend/templates/product/image_with_borders.phtml#L10

  • https://github.com/magento/magento2/blob/2.1/app/code/Magento/Catalog/view/frontend/templates/product/gallery.phtml#L12


  • I could go on for a few pages here.








magento2 template






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited yesterday









Himanshu

702419




702419










asked Dec 8 '15 at 8:25









Marius

163k28311659




163k28311659








  • 21




    Hey...Why the downvote? I'm not allowed to ask questions?
    – Marius
    Dec 8 '15 at 12:07
















  • 21




    Hey...Why the downvote? I'm not allowed to ask questions?
    – Marius
    Dec 8 '15 at 12:07










21




21




Hey...Why the downvote? I'm not allowed to ask questions?
– Marius
Dec 8 '15 at 12:07






Hey...Why the downvote? I'm not allowed to ask questions?
– Marius
Dec 8 '15 at 12:07












2 Answers
2






active

oldest

votes


















82














This tag is used by static tests. Any potentially unsafe output must be marked with either @escapeNotVerified or @noEscape to pass tests, the latter means that this particular usage has been checked and is safe.



In the future releases all occurrences of @escapeNotVerified will be verified and either marked with @noEscape or escaped with one of these methods:




  • MagentoFrameworkViewElementAbstractBlock::escapeHtml

  • MagentoFrameworkViewElementAbstractBlock::escapeUrl

  • MagentoFrameworkViewElementAbstractBlock::escapeXssInUrl

  • MagentoFrameworkViewElementAbstractBlock::escapeQuote


Also note that some output is considered safe and should not be marked with such annotations:




  • Enclosed in single quotes

  • Enclosed in double quotes but without variables

  • Type casting to bool, int

  • Method calls which contain 'html' in their names, like getTitleHtml, are also expected to output escaped HTML






share|improve this answer

















  • 3




    Greats answer @Alex
    – Amit Bera
    Dec 8 '15 at 9:24










  • Good Ans +1 @Alex :)
    – Rama Chandran M
    Mar 9 '18 at 2:40










  • It helps +1 @Alex
    – Nikunj Vadariya
    Jul 13 '18 at 6:39



















23














I find it in devdocs of Magento2



Static Test



To improve security against XSS injections, a static test XssPhtmlTemplateTest.php is added to devtestsstatictestsuiteMagentoTestPhp.



This static test finds all echo calls in PHTML-templates and determines if it is properly escaped or not.



It covers the following cases:




  • /* @noEscape */ before output. Output doesn’t require escaping. Test is green.


  • /* @escapeNotVerified */ before output. Output escaping is not checked and should be verified. Test is green.



Read the Magento Docs at
2.0
or
2.1






share|improve this answer























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "479"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fmagento.stackexchange.com%2fquestions%2f92963%2fmagento-2-escapenotverified%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    82














    This tag is used by static tests. Any potentially unsafe output must be marked with either @escapeNotVerified or @noEscape to pass tests, the latter means that this particular usage has been checked and is safe.



    In the future releases all occurrences of @escapeNotVerified will be verified and either marked with @noEscape or escaped with one of these methods:




    • MagentoFrameworkViewElementAbstractBlock::escapeHtml

    • MagentoFrameworkViewElementAbstractBlock::escapeUrl

    • MagentoFrameworkViewElementAbstractBlock::escapeXssInUrl

    • MagentoFrameworkViewElementAbstractBlock::escapeQuote


    Also note that some output is considered safe and should not be marked with such annotations:




    • Enclosed in single quotes

    • Enclosed in double quotes but without variables

    • Type casting to bool, int

    • Method calls which contain 'html' in their names, like getTitleHtml, are also expected to output escaped HTML






    share|improve this answer

















    • 3




      Greats answer @Alex
      – Amit Bera
      Dec 8 '15 at 9:24










    • Good Ans +1 @Alex :)
      – Rama Chandran M
      Mar 9 '18 at 2:40










    • It helps +1 @Alex
      – Nikunj Vadariya
      Jul 13 '18 at 6:39
















    82














    This tag is used by static tests. Any potentially unsafe output must be marked with either @escapeNotVerified or @noEscape to pass tests, the latter means that this particular usage has been checked and is safe.



    In the future releases all occurrences of @escapeNotVerified will be verified and either marked with @noEscape or escaped with one of these methods:




    • MagentoFrameworkViewElementAbstractBlock::escapeHtml

    • MagentoFrameworkViewElementAbstractBlock::escapeUrl

    • MagentoFrameworkViewElementAbstractBlock::escapeXssInUrl

    • MagentoFrameworkViewElementAbstractBlock::escapeQuote


    Also note that some output is considered safe and should not be marked with such annotations:




    • Enclosed in single quotes

    • Enclosed in double quotes but without variables

    • Type casting to bool, int

    • Method calls which contain 'html' in their names, like getTitleHtml, are also expected to output escaped HTML






    share|improve this answer

















    • 3




      Greats answer @Alex
      – Amit Bera
      Dec 8 '15 at 9:24










    • Good Ans +1 @Alex :)
      – Rama Chandran M
      Mar 9 '18 at 2:40










    • It helps +1 @Alex
      – Nikunj Vadariya
      Jul 13 '18 at 6:39














    82












    82








    82






    This tag is used by static tests. Any potentially unsafe output must be marked with either @escapeNotVerified or @noEscape to pass tests, the latter means that this particular usage has been checked and is safe.



    In the future releases all occurrences of @escapeNotVerified will be verified and either marked with @noEscape or escaped with one of these methods:




    • MagentoFrameworkViewElementAbstractBlock::escapeHtml

    • MagentoFrameworkViewElementAbstractBlock::escapeUrl

    • MagentoFrameworkViewElementAbstractBlock::escapeXssInUrl

    • MagentoFrameworkViewElementAbstractBlock::escapeQuote


    Also note that some output is considered safe and should not be marked with such annotations:




    • Enclosed in single quotes

    • Enclosed in double quotes but without variables

    • Type casting to bool, int

    • Method calls which contain 'html' in their names, like getTitleHtml, are also expected to output escaped HTML






    share|improve this answer












    This tag is used by static tests. Any potentially unsafe output must be marked with either @escapeNotVerified or @noEscape to pass tests, the latter means that this particular usage has been checked and is safe.



    In the future releases all occurrences of @escapeNotVerified will be verified and either marked with @noEscape or escaped with one of these methods:




    • MagentoFrameworkViewElementAbstractBlock::escapeHtml

    • MagentoFrameworkViewElementAbstractBlock::escapeUrl

    • MagentoFrameworkViewElementAbstractBlock::escapeXssInUrl

    • MagentoFrameworkViewElementAbstractBlock::escapeQuote


    Also note that some output is considered safe and should not be marked with such annotations:




    • Enclosed in single quotes

    • Enclosed in double quotes but without variables

    • Type casting to bool, int

    • Method calls which contain 'html' in their names, like getTitleHtml, are also expected to output escaped HTML







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered Dec 8 '15 at 8:54









    Alex Paliarush

    10.5k23649




    10.5k23649








    • 3




      Greats answer @Alex
      – Amit Bera
      Dec 8 '15 at 9:24










    • Good Ans +1 @Alex :)
      – Rama Chandran M
      Mar 9 '18 at 2:40










    • It helps +1 @Alex
      – Nikunj Vadariya
      Jul 13 '18 at 6:39














    • 3




      Greats answer @Alex
      – Amit Bera
      Dec 8 '15 at 9:24










    • Good Ans +1 @Alex :)
      – Rama Chandran M
      Mar 9 '18 at 2:40










    • It helps +1 @Alex
      – Nikunj Vadariya
      Jul 13 '18 at 6:39








    3




    3




    Greats answer @Alex
    – Amit Bera
    Dec 8 '15 at 9:24




    Greats answer @Alex
    – Amit Bera
    Dec 8 '15 at 9:24












    Good Ans +1 @Alex :)
    – Rama Chandran M
    Mar 9 '18 at 2:40




    Good Ans +1 @Alex :)
    – Rama Chandran M
    Mar 9 '18 at 2:40












    It helps +1 @Alex
    – Nikunj Vadariya
    Jul 13 '18 at 6:39




    It helps +1 @Alex
    – Nikunj Vadariya
    Jul 13 '18 at 6:39













    23














    I find it in devdocs of Magento2



    Static Test



    To improve security against XSS injections, a static test XssPhtmlTemplateTest.php is added to devtestsstatictestsuiteMagentoTestPhp.



    This static test finds all echo calls in PHTML-templates and determines if it is properly escaped or not.



    It covers the following cases:




    • /* @noEscape */ before output. Output doesn’t require escaping. Test is green.


    • /* @escapeNotVerified */ before output. Output escaping is not checked and should be verified. Test is green.



    Read the Magento Docs at
    2.0
    or
    2.1






    share|improve this answer




























      23














      I find it in devdocs of Magento2



      Static Test



      To improve security against XSS injections, a static test XssPhtmlTemplateTest.php is added to devtestsstatictestsuiteMagentoTestPhp.



      This static test finds all echo calls in PHTML-templates and determines if it is properly escaped or not.



      It covers the following cases:




      • /* @noEscape */ before output. Output doesn’t require escaping. Test is green.


      • /* @escapeNotVerified */ before output. Output escaping is not checked and should be verified. Test is green.



      Read the Magento Docs at
      2.0
      or
      2.1






      share|improve this answer


























        23












        23








        23






        I find it in devdocs of Magento2



        Static Test



        To improve security against XSS injections, a static test XssPhtmlTemplateTest.php is added to devtestsstatictestsuiteMagentoTestPhp.



        This static test finds all echo calls in PHTML-templates and determines if it is properly escaped or not.



        It covers the following cases:




        • /* @noEscape */ before output. Output doesn’t require escaping. Test is green.


        • /* @escapeNotVerified */ before output. Output escaping is not checked and should be verified. Test is green.



        Read the Magento Docs at
        2.0
        or
        2.1






        share|improve this answer














        I find it in devdocs of Magento2



        Static Test



        To improve security against XSS injections, a static test XssPhtmlTemplateTest.php is added to devtestsstatictestsuiteMagentoTestPhp.



        This static test finds all echo calls in PHTML-templates and determines if it is properly escaped or not.



        It covers the following cases:




        • /* @noEscape */ before output. Output doesn’t require escaping. Test is green.


        • /* @escapeNotVerified */ before output. Output escaping is not checked and should be verified. Test is green.



        Read the Magento Docs at
        2.0
        or
        2.1







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Mar 8 '17 at 2:31









        cyk

        17310




        17310










        answered Dec 8 '15 at 8:50









        Bill

        2,33721239




        2,33721239






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Magento Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.





            Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


            Please pay close attention to the following guidance:


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fmagento.stackexchange.com%2fquestions%2f92963%2fmagento-2-escapenotverified%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            1300-talet

            1300-talet

            Display a custom attribute below product name in the front-end Magento 1.9.3.8