Magento 2 @escapeNotVerified
I see a lot of occurrences of this comment /* @escapeNotVerified */ in the template files for Magento2.
Does it have a special meaning?
Is there any use for this?
Examples:
- https://github.com/magento/magento2/blob/2.1/app/code/Magento/Catalog/view/frontend/templates/product/list.phtml#L23
- https://github.com/magento/magento2/blob/2.1/app/code/Magento/Catalog/view/frontend/templates/product/image_with_borders.phtml#L10
- https://github.com/magento/magento2/blob/2.1/app/code/Magento/Catalog/view/frontend/templates/product/gallery.phtml#L12
I could go on for a few pages here.
Tags: magento2, template
asked Dec 8 '15 at 8:25 by Marius♦, edited yesterday by Himanshu
Comment (21 votes): Hey... Why the downvote? I'm not allowed to ask questions? – Marius♦ Dec 8 '15 at 12:07
2 Answers
This tag is used by static tests. Any potentially unsafe output must be marked with either @escapeNotVerified or @noEscape to pass the tests; the latter means that this particular usage has been checked and is safe.
In future releases all occurrences of @escapeNotVerified will be verified and either marked with @noEscape or escaped with one of these methods:
- Magento\Framework\View\Element\AbstractBlock::escapeHtml
- Magento\Framework\View\Element\AbstractBlock::escapeUrl
- Magento\Framework\View\Element\AbstractBlock::escapeXssInUrl
- Magento\Framework\View\Element\AbstractBlock::escapeQuote
Also note that some output is considered safe and should not be marked with such annotations:
- Enclosed in single quotes
- Enclosed in double quotes but without variables
- Type casting to bool, int
- Method calls which contain 'html' in their names, like getTitleHtml, are also expected to output escaped HTML
answered Dec 8 '15 at 8:54 by Alex Paliarush
Comment (3 votes): Great answer @Alex – Amit Bera♦ Dec 8 '15 at 9:24
Comment: Good Ans +1 @Alex :) – Rama Chandran M Mar 9 '18 at 2:40
Comment: It helps +1 @Alex – Nikunj Vadariya Jul 13 '18 at 6:39
I found it in the devdocs of Magento2:
Static Test
To improve security against XSS injections, a static test XssPhtmlTemplateTest.php is added to dev/tests/static/testsuite/Magento/Test/Php. This static test finds all echo calls in PHTML templates and determines whether each is properly escaped or not.
It covers the following cases:
- /* @noEscape */ before output. Output doesn't require escaping. Test is green.
- /* @escapeNotVerified */ before output. Output escaping is not checked and should be verified. Test is green.
Read the Magento Docs at 2.0 or 2.1
answered Dec 8 '15 at 8:50 by Bill, edited Mar 8 '17 at 2:31 by cyk
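As an added example (not Magento's own XssPhtmlTemplateTest.php, and deliberately simplified), the Python below applies the classification rules from both answers to a few constructed .phtml lines: an annotation always wins, output routed through the four AbstractBlock escape helpers counts as escaped, the forms listed as "considered safe" pass, and anything else is the unverified output the static test would flag. The sample template, the regexes and the function names are mine, not the project's.

```python
import re

# Constructed sample template lines (not from the Magento code base); each
# exercises one rule from the answers above. Line 8 is the only real offender.
SAMPLE_TEMPLATE = """\
<?php echo $block->escapeHtml($_product->getName()); ?>
<?php /* @noEscape */ echo $block->getProductListHtml(); ?>
<?php /* @escapeNotVerified */ echo __('Add to Cart'); ?>
<?php echo $block->getTitleHtml(); ?>
<?php echo 'static text'; ?>
<?php echo "no variables here"; ?>
<?php echo (int)$block->getColumnCount(); ?>
<?php echo $_product->getDescription(); ?>
"""

ECHO_RE = re.compile(
    r"(?P<annot>/\*\s*@(?:noEscape|escapeNotVerified)\s*\*/)?\s*echo\s+(?P<expr>.+?);")

def classify_echo(annotation, expr):
    """Classify one echo as escaped, noEscape, escapeNotVerified, safe or unescaped."""
    expr = expr.strip()
    if annotation:  # an annotation always wins, as in the real test
        return "noEscape" if "@noEscape" in annotation else "escapeNotVerified"
    # Output routed through one of the AbstractBlock escape helpers.
    if re.match(r"\$(?:block|this)->(?:escapeHtml|escapeUrl|escapeXssInUrl|escapeQuote)\(", expr):
        return "escaped"
    if re.fullmatch(r"'[^']*'", expr):          # single-quoted literal, no interpolation
        return "safe"
    if re.fullmatch(r'"[^"$]*"', expr):         # double-quoted with no $variable (simplified)
        return "safe"
    if re.match(r"\((?:int|bool)\)", expr):     # cast to a scalar that cannot carry markup
        return "safe"
    if re.search(r"->\w*html\w*\(", expr, re.IGNORECASE):  # ...Html() methods return escaped HTML
        return "safe"
    return "unescaped"

def scan_template(source):
    """Return (line_number, status, expression) for every echo in the template."""
    results = []
    for number, line in enumerate(source.splitlines(), start=1):
        match = ECHO_RE.search(line)
        if match:
            status = classify_echo(match.group("annot"), match.group("expr"))
            results.append((number, status, match.group("expr").strip()))
    return results

def failing_lines(source):
    """Line numbers the static test would turn red: neither escaped, annotated nor trivially safe."""
    return [number for number, status, _ in scan_template(source) if status == "unescaped"]
```

Running failing_lines(SAMPLE_TEMPLATE) reports only line 8; every other echo is either escaped, annotated, or one of the safe forms.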