From 4bae4df2f0edac876e458943a9ead7912a95834d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jose=20Luis=20Narv=C3=A1ez?= Date: Thu, 27 Apr 2023 08:18:22 +0200 Subject: [PATCH] Fix syntax in escaping comment ## Purpose of this pull request This pull request (PR) updates the comments syntax for escaping. ## Affected pages - https://developer.adobe.com/commerce/php/development/security/cross-site-scripting/ --- src/pages/development/security/cross-site-scripting.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/pages/development/security/cross-site-scripting.md b/src/pages/development/security/cross-site-scripting.md index 76cfd7c14..209cb0acf 100644 --- a/src/pages/development/security/cross-site-scripting.md +++ b/src/pages/development/security/cross-site-scripting.md @@ -192,8 +192,8 @@ To check your .phtml template for XSS vulnerabilities, use the _Magento2.Securit This sniff finds all _echo_ calls in PHTML-templates and determines if the output is properly escaped. It covers the following cases: -- `/_ @noEscape _/` before output. Output does not require escaping. Test is green. -- `/_ @escapeNotVerified _/` before output. Output escaping is not checked and should be verified. Test is green. +- `/* @noEscape */` before output. Output does not require escaping. Test is green. +- `/* @escapeNotVerified */` before output. Output escaping is not checked and should be verified. Test is green. - Methods which contain "html" in their names (for example echo $object->{suffix}Html{postfix}()). Data is ready for the HTML output. Test is green. - AbstractBlock methods `escapeHtml`, `escapeHtmlAttr`, `escapeUrl`, `escapeJs` are allowed. Test is green. - Type casting and php function `count()` are allowed (for example `echo (int)$var`, `(bool)$var`, `count($var)`). Test is green.
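Review bot: On the `+` bullet for `/* @escapeNotVerified */`, "Test is green" sits directly after "Output escaping is not checked and should be verified", so a reader can take the green result as a pass verdict on output that nothing has checked. Since both annotation bullets are being touched anyway, consider rewording them to say that the sniff accepts the annotation as written and that a green result on these two cases is not evidence the output is escaped. A smaller style point in the unchanged context: the third bullet leaves `echo $object->{suffix}Html{postfix}()` outside backticks while the neighbouring bullets mark their code (`escapeHtml`, `echo (int)$var`); wrapping it would make the list consistent.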