From 7fba3ca400247fc5b0cc83b5f75612b46376d0a5 Mon Sep 17 00:00:00 2001 From: Jeff Matthews Date: Fri, 30 Aug 2019 09:00:39 -0500 Subject: [PATCH 1/6] Added escapeCss function --- .../templates/template-security.md | 39 ++++++++++++------- 1 file changed, 24 insertions(+), 15 deletions(-) diff --git a/guides/v2.3/frontend-dev-guide/templates/template-security.md b/guides/v2.3/frontend-dev-guide/templates/template-security.md index 7a8d0eb5fc7..364412fe392 100644 --- a/guides/v2.3/frontend-dev-guide/templates/template-security.md +++ b/guides/v2.3/frontend-dev-guide/templates/template-security.md 
@@ -9,15 +9,15 @@ functional_areas: To prevent [XSS] issues Magento recommends the following rules for escaping output in templates: -* If a method indicates that the content is escaped, do not escape: `getTitleHtml()`, `getHtmlTitle()` (the title is ready for the [HTML](https://glossary.magento.com/html) output) +* If a method indicates that the content is escaped, do not escape: `getTitleHtml()`, `getHtmlTitle()` (the title is ready for the [HTML](https://glossary.magento.com/html) output) -* Type casting and [php](https://glossary.magento.com/php) function `count()` don't need escaping (for example `echo (int)$var`, `echo (bool)$var`, `echo count($var)`) +* Type casting and [php](https://glossary.magento.com/php) function `count()` don't need escaping (for example `echo (int)$var`, `echo (bool)$var`, `echo count($var)`) -* Output in single quotes doesn't need escaping (for example `echo 'some text'`) +* Output in single quotes doesn't need escaping (for example `echo 'some text'`) -* Output in double quotes without variables doesn't need escaping (for example `echo "some text"`) +* Output in double quotes without variables doesn't need escaping (for example `echo "some text"`) -* For all other cases, escape the data using [specific escape functions](#escape-functions-for-templates). +* For all other cases, escape the data using [specific escape functions](#escape-functions-for-templates). The following code sample illustrates the XSS-safe output in templates: @@ -32,10 +32,19 @@ The following code sample illustrates the XSS-safe output in templates: getAnchorTextHtml() ?> ``` -#### Escape functions for templates +### Escape functions for templates For the following output cases, use the specified function to generate XSS-safe output. +**Case:** Escape string for the CSS context +**Function:** `escapeCss` + +```php + +"; ?> +
+``` + **Case:** JSON output in script context\\ **Function:** No function needed for JSON output. @@ -44,8 +53,8 @@ For the following output cases, use the specified function to generate XSS-safe - ``` + **Case:** JSON output in html/attribute context\\ **Function:** `escapeHtml` 
@@ -124,20 +133,20 @@ This sniff finds all `echo` calls in PHTML-templates and determines if the outpu It covers the following cases: -* `/* @noEscape */` before output. Output doesn't require escaping. Test is green. +* `/* @noEscape */` before output. Output doesn't require escaping. Test is green. -* `/* @escapeNotVerified */` before output. Output escaping is not checked and should be verified. Test is green. +* `/* @escapeNotVerified */` before output. Output escaping is not checked and should be verified. Test is green. -* Methods which contain `"html"` in their names (for example `echo $object->{suffix}Html{postfix}()`). Data is ready for the HTML output. Test is green. +* Methods which contain `"html"` in their names (for example `echo $object->{suffix}Html{postfix}()`). Data is ready for the HTML output. Test is green. -* AbstractBlock methods `escapeHtml`, `escapeHtmlAttr`, `escapeUrl`, `escapeJs` are allowed. Test is green. +* AbstractBlock methods `escapeHtml`, `escapeHtmlAttr`, `escapeUrl`, `escapeJs` are allowed. Test is green. -* Type casting and php function `count()` are allowed (for example `echo (int)$var`, `(bool)$var`, `count($var)`). Test is green. +* Type casting and php function `count()` are allowed (for example `echo (int)$var`, `(bool)$var`, `count($var)`). Test is green. -* Output in single quotes (for example `echo 'some text'`). Test is green. +* Output in single quotes (for example `echo 'some text'`). Test is green. -* Output in double quotes without variables (for example `echo "some text"`). Test is green. +* Output in double quotes without variables (for example `echo "some text"`). Test is green. -* Other of previously mentioned. Output is not escaped. Test is red. +* Other of previously mentioned. Output is not escaped. Test is red. [XSS]: https://en.wikipedia.org/wiki/Cross-site_scripting From e9cc5658cdb1ee1745237860f430517f2e391652 Mon Sep 17 00:00:00 2001 
From: Jeff Matthews Date: Wed, 4 Sep 2019 12:49:55 -0500 Subject: [PATCH 2/6] Added example output for escaping CSS --- guides/v2.3/frontend-dev-guide/templates/template-security.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/guides/v2.3/frontend-dev-guide/templates/template-security.md b/guides/v2.3/frontend-dev-guide/templates/template-security.md index 364412fe392..1c6571fd3c1 100644 --- a/guides/v2.3/frontend-dev-guide/templates/template-security.md +++ b/guides/v2.3/frontend-dev-guide/templates/template-security.md @@ -43,6 +43,9 @@ For the following output cases, use the specified function to generate XSS-safe "; ?>
+ +// Escaping CSS +
``` **Case:** JSON output in script context\\ From ccb0b8d15ca82e2059c50ea442d55074dc687291 Mon Sep 17 00:00:00 2001 From: Jeff Matthews Date: Wed, 4 Sep 2019 15:28:40 -0500 Subject: [PATCH 3/6] Move output HTML to a new code block --- .../v2.3/frontend-dev-guide/templates/template-security.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/guides/v2.3/frontend-dev-guide/templates/template-security.md b/guides/v2.3/frontend-dev-guide/templates/template-security.md index 1c6571fd3c1..6e2a0fb8421 100644 --- a/guides/v2.3/frontend-dev-guide/templates/template-security.md +++ b/guides/v2.3/frontend-dev-guide/templates/template-security.md @@ -43,8 +43,12 @@ For the following output cases, use the specified function to generate XSS-safe "; ?>
+``` + +The following example show what the escaped HTML looks like: -// Escaping CSS +```html +
``` From 872ad19a725aa6be7695c41a3d391057e420a401 Mon Sep 17 00:00:00 2001 From: Donald Booth Date: Wed, 4 Sep 2019 15:58:21 -0500 Subject: [PATCH 4/6] Removed contractions. --- .../frontend-dev-guide/templates/template-security.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/guides/v2.3/frontend-dev-guide/templates/template-security.md b/guides/v2.3/frontend-dev-guide/templates/template-security.md index 6e2a0fb8421..4e38c320256 100644 --- a/guides/v2.3/frontend-dev-guide/templates/template-security.md +++ b/guides/v2.3/frontend-dev-guide/templates/template-security.md @@ -11,11 +11,11 @@ To prevent [XSS] issues Magento recommends the following rules for escaping outp * If a method indicates that the content is escaped, do not escape: `getTitleHtml()`, `getHtmlTitle()` (the title is ready for the [HTML](https://glossary.magento.com/html) output) -* Type casting and [php](https://glossary.magento.com/php) function `count()` don't need escaping (for example `echo (int)$var`, `echo (bool)$var`, `echo count($var)`) +* Type casting and [php](https://glossary.magento.com/php) function `count()` do not need escaping (for example `echo (int)$var`, `echo (bool)$var`, `echo count($var)`) -* Output in single quotes doesn't need escaping (for example `echo 'some text'`) +* Output in single quotes does not need escaping (for example `echo 'some text'`) -* Output in double quotes without variables doesn't need escaping (for example `echo "some text"`) +* Output in double quotes without variables does not need escaping (for example `echo "some text"`) * For all other cases, escape the data using [specific escape functions](#escape-functions-for-templates). 
@@ -140,7 +140,7 @@ This sniff finds all `echo` calls in PHTML-templates and determines if the outpu It covers the following cases: -* `/* @noEscape */` before output. Output doesn't require escaping. Test is green. +* `/* @noEscape */` before output. Output does not require escaping. Test is green. * `/* @escapeNotVerified */` before output. Output escaping is not checked and should be verified. Test is green. From 53f969dfe7564f6951d41faf18ce3615835e36b8 Mon Sep 17 00:00:00 2001 From: Jeff Matthews Date: Thu, 5 Sep 2019 07:11:45 -0500 Subject: [PATCH 5/6] Update guides/v2.3/frontend-dev-guide/templates/template-security.md Co-Authored-By: Margaret Eker --- guides/v2.3/frontend-dev-guide/templates/template-security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/guides/v2.3/frontend-dev-guide/templates/template-security.md b/guides/v2.3/frontend-dev-guide/templates/template-security.md index 4e38c320256..d756f99cbc9 100644 --- a/guides/v2.3/frontend-dev-guide/templates/template-security.md +++ b/guides/v2.3/frontend-dev-guide/templates/template-security.md @@ -45,7 +45,7 @@ For the following output cases, use the specified function to generate XSS-safe
``` -The following example show what the escaped HTML looks like: +The following example shows the escaped HTML output: ```html From 0ac7b39342d6bddfc52c44fee149fbc6cd5632f6 Mon Sep 17 00:00:00 2001 From: Donald Booth Date: Fri, 6 Sep 2019 10:58:31 -0500 Subject: [PATCH 6/6] Removed back slashes. --- .../templates/template-security.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/guides/v2.3/frontend-dev-guide/templates/template-security.md b/guides/v2.3/frontend-dev-guide/templates/template-security.md index d756f99cbc9..bbcf02f4c3e 100644 --- a/guides/v2.3/frontend-dev-guide/templates/template-security.md +++ b/guides/v2.3/frontend-dev-guide/templates/template-security.md @@ -52,7 +52,7 @@ The following example shows the escaped HTML output:
``` -**Case:** JSON output in script context\\ +**Case:** JSON output in script context **Function:** No function needed for JSON output. ```html @@ -62,7 +62,7 @@ The following example shows the escaped HTML output: ``` -**Case:** JSON output in html/attribute context\\ +**Case:** JSON output in html/attribute context **Function:** `escapeHtml` ```html @@ -70,7 +70,7 @@ The following example shows the escaped HTML output:
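Review bot: in PATCH 1/6, the `@@ -9,15 +9,15 @@` hunk removes and re-adds every list item with identical visible text, so the change is whitespace only (trailing spaces or line endings) and the same is true of the `@@ -44,8 +53,8 @@` and `@@ -124,20 +133,20 @@` hunks; keep such cleanups in a separate commit, or at least name them in the message, since a commit titled "Added escapeCss function" that touches 39 lines makes the one substantive addition hard to review.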
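Review bot: in the PATCH 1/6 `@@ -32,10 +32,19 @@` hunk, the new entry `**Case:** Escape string for the CSS context` names `escapeCss` but does not say which CSS placement it covers (the body of a `<style>` element versus an inline `style` attribute), while the neighbouring entries distinguish "script context" from "html/attribute context"; add one sentence naming the intended placement, because a value inside a `style` attribute is also inside an HTML attribute and readers need to know whether `escapeCss` alone is the documented treatment there. The same hunk also changes `#### Escape functions for templates` to `###`, which is unrelated to the subject line; mention it in the message and check that the sibling headings in this section use the same level (the in-page link `#escape-functions-for-templates` is unaffected by the level).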
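Review bot: the PATCH 1/6 `@@ -124,20 +133,20 @@` hunk re-emits the sniff's list of accepted AbstractBlock methods (`escapeHtml`, `escapeHtmlAttr`, `escapeUrl`, `escapeJs`) without `escapeCss`, even though this patch adds `escapeCss` to the escape functions above; either add it to that list if the sniff treats it as an escaping call, or state how the sniff handles it, so a developer who follows the new guidance is not surprised by a red test.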
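Review bot: the PATCH 2/6 `@@ -43,6 +43,9 @@` hunk places the rendered output inside the ```php block behind a `// Escaping CSS` comment, so it reads as PHP source rather than as the result of the template above it; PATCH 3/6 moves it into its own ```html block and PATCH 5/6 fixes the wording of the introducing sentence ("show" to "shows"), so squash these three commits before merge so the history does not carry the intermediate state.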
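Review bot: in PATCH 6/6 (`@@ -52,7 +52,7 @@`, `@@ -62,7 +62,7 @@`, `@@ -70,7 +70,7 @@`), deleting the trailing `\\` also deletes whatever line break it was meant to force between the `**Case:**` line and the `**Function:**` line that directly follows it; in Markdown two adjacent lines with no blank line between them render as one paragraph, so check the rendered page and, if the two collapse onto one line, end the Case line with two spaces or insert a blank line (the `**Case:** Escape string for the CSS context` entry added in PATCH 1/6 has the same layout and needs the same check).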