Merge branch 'main' into phpcs-ecg

.ddev/commands/web/magerun

@@ -5,7 +5,7 @@
 ## Example: "ddev magerun"
 
 if [ ! -f vendor/bin/n98-magerun ]; then
-  read -r -p "n98-magerun is not installed. Do you want to install it? [y/N] " INSTALL_MAGE
+  read -r -p "n98-magerun is not installed. Do you want to install it? [y/N] " INSTALL_MAGERUN
   INSTALL_MAGERUN=${INSTALL_MAGERUN,,} # to lower
   if [[ "${INSTALL_MAGERUN}" =~ ^(yes|y) ]]; then
     composer require --dev n98/magerun:dev-develop

.github/labeler.yml

@@ -887,6 +887,7 @@
 'phpstan':
   - changed-files:
     - any-glob-to-any-file: [
+      .phpstan*,
       phpstan*,
       .github/workflows/phpstan.yml
     ]

.github/workflows/codeql-analysis.yml

@@ -13,15 +13,8 @@ name: "CodeQL"
 
 on:
   workflow_call:
+  # Allow manually triggering the workflow.
   workflow_dispatch:
-  push:
-    branches: [ "main", "next", "v19" ]
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [ "main", "next", "v19" ]
-    paths-ignore:
-      - '**/*.md'
-      - '**/*.txt'
 
 jobs:
   analyze:

.gitignore

@@ -70,8 +70,11 @@
 .phpcs*.xml
 !.phpcs*.xml.dist
 
+# PhpStan
+.phpstan*.neon
 phpstan*.neon
-!phpstan.dist.*.neon
+!.phpstan.dist.neon
+!.phpstan.dist.*.neon
 
 # dev scripts loaded via composer
 /shell/update-copyright.php

.php-cs-fixer.dist.php

@@ -20,6 +20,8 @@
         'class_definition' => true,
         // Remove extra spaces in a nullable typehint.
         'compact_nullable_typehint' => true,
+        // Concatenation should be spaced according to configuration.
+        'concat_space' => ['spacing' => 'one'],
         // The PHP constants `true`, `false`, and `null` MUST be written using the correct casing.
         'constant_case' => true,
         // Equal sign in declare statement should be surrounded by spaces or not following configuration.

phpstan.dist.baseline.neon → .phpstan.dist.baseline.neon

@@ -3965,6 +3965,11 @@ parameters:
 			count: 1
 			path: app/code/core/Mage/Sales/Model/Entity/Quote/Address/Attribute/Frontend/Tax.php
 
+		-
+			message: "#^Negated boolean expression is always true\\.$#"
+			count: 1
+			path: app/code/core/Mage/Sales/Model/Order.php
+
 		-
 			message: "#^Variable \\$oldArea might not be defined\\.$#"
 			count: 1

phpstan.dist.neon → .phpstan.dist.neon

@@ -1,6 +1,6 @@
 includes:
     - vendor/macopedia/phpstan-magento1/extension.neon
-    - phpstan.dist.baseline.neon
+    - .phpstan.dist.baseline.neon
     - phar://phpstan.phar/conf/bleedingEdge.neon
 parameters:
     magentoRootPath: %currentWorkingDirectory%

app/Mage.php

@@ -433,7 +433,7 @@ public static function getStoreConfigAsInt(string $path, $store = null): int
      * Retrieve config flag for store by path
      *
      * @param string $path
-     * @param mixed $store
+     * @param null|string|bool|int|Mage_Core_Model_Store $store
      * @return bool
      */
     public static function getStoreConfigFlag($path, $store = null)

app/code/core/Mage/Adminhtml/Block/Catalog/Product/Edit/Tab/Super/Settings.php

@@ -76,7 +76,7 @@ protected function _prepareForm()
 
         $fieldset->addField('req_text', 'note', [
             'text' => '<ul class="messages"><li class="notice-msg"><ul><li>'
-                .  $this->__('Only attributes with scope "Global", input type "Dropdown" and Use To Create Configurable Product "Yes" are available.')
+                . $this->__('Only attributes with scope "Global", input type "Dropdown" and Use To Create Configurable Product "Yes" are available.')
                 . '</li></ul></li></ul>'
         ]);
 

app/code/core/Mage/Adminhtml/Block/Customer/Edit/Tab/Account.php

@@ -78,7 +78,7 @@ public function initForm()
             $form->getElement('website_id')->setAfterElementHtml(
                 '<script type="text/javascript">'
                 . "
-                var {$prefix}_websites = " . Mage::helper('core')->jsonEncode($websites) .";
+                var {$prefix}_websites = " . Mage::helper('core')->jsonEncode($websites) . ";
                 Validation.add(
                     'validate-website-has-store',
                     '" . Mage::helper('core')->jsQuoteEscape(

app/code/core/Mage/Adminhtml/Block/Customer/Edit/Tab/Addresses.php

@@ -63,7 +63,7 @@ protected function _prepareLayout()
                     'name'   => 'add_address_button',
                     'element_name' => 'add_address_button',
                     'disabled' => $this->isReadonly(),
-                    'class'  => 'add'  . ($this->isReadonly() ? ' disabled' : ''),
+                    'class'  => 'add' . ($this->isReadonly() ? ' disabled' : ''),
                     'onclick' => 'customerAddresses.addNewAddress()'
                 ])
         );
@@ -75,7 +75,7 @@ protected function _prepareLayout()
                     'id'     => 'cancel_add_address' . $this->getTemplatePrefix(),
                     'name'   => 'cancel_address',
                     'element_name' => 'cancel_address',
-                    'class'  => 'cancel delete-address'  . ($this->isReadonly() ? ' disabled' : ''),
+                    'class'  => 'cancel delete-address' . ($this->isReadonly() ? ' disabled' : ''),
                     'disabled' => $this->isReadonly(),
                     'onclick' => 'customerAddresses.cancelAdd(this)',
                 ])

app/code/core/Mage/Adminhtml/Block/Sales/Order/Comments/View.php

@@ -77,9 +77,9 @@ public function canSendCommentEmail()
     /**
      * Replace links in string
      *
-     * @param array|string $data
-     * @param null|array $allowedTags
-     * @return string
+     * @param string|string[] $data
+     * @param array|null $allowedTags
+     * @return null|string|string[]
      */
     public function escapeHtml($data, $allowedTags = null)
     {

app/code/core/Mage/Adminhtml/Block/Sales/Order/View/History.php

@@ -80,9 +80,9 @@ public function isCustomerNotificationNotApplicable(Mage_Sales_Model_Order_Statu
     /**
      * Replace links in string
      *
-     * @param array|string $data
-     * @param null|array $allowedTags
-     * @return string
+     * @param string|string[] $data
+     * @param array|null $allowedTags
+     * @return null|string|string[]
      */
     public function escapeHtml($data, $allowedTags = null)
     {

app/code/core/Mage/Adminhtml/Helper/Sales.php

@@ -109,9 +109,9 @@ public function applySalableProductTypesFilter($collection)
     /**
      * Escape string preserving links
      *
-     * @param array|string $data
-     * @param null|array $allowedTags
-     * @return string
+     * @param string|string[] $data
+     * @param array|null $allowedTags
+     * @return null|string|string[]
      */
     public function escapeHtmlWithLinks($data, $allowedTags = null)
     {

app/code/core/Mage/Catalog/Model/Product/Image.php

@@ -389,9 +389,9 @@ public function setBaseFile($file)
         // add misc params as a hash
         $miscParams = [
                 ($this->_keepAspectRatio ? '' : 'non') . 'proportional',
-                ($this->_keepFrame ? '' : 'no')  . 'frame',
-                ($this->_keepTransparency ? '' : 'no')  . 'transparency',
-                ($this->_constrainOnly ? 'do' : 'not')  . 'constrainonly',
+                ($this->_keepFrame ? '' : 'no') . 'frame',
+                ($this->_keepTransparency ? '' : 'no') . 'transparency',
+                ($this->_constrainOnly ? 'do' : 'not') . 'constrainonly',
                 $this->_backgroundColorStr,
                 'angle' . $this->_angle,
                 'quality' . $this->_quality

app/code/core/Mage/Core/Block/Abstract.php

@@ -165,6 +165,7 @@ abstract class Mage_Core_Block_Abstract extends Varien_Object
     /**
      * @var Varien_Object
      */
+    // phpcs:ignore Ecg.PHP.PrivateClassMember.PrivateClassMemberError
     private static $_transportObject;
 
     /**
@@ -524,6 +525,7 @@ public function unsetCallChild($alias, $callback, $result, $params)
             }
 
             Mage::helper('core/security')->validateAgainstBlockMethodBlacklist($child, $callback, $params);
+            // phpcs:ignore Ecg.Security.ForbiddenFunction.Found
             if ($result == call_user_func_array([&$child, $callback], $params)) {
                 $this->unsetChild($alias);
             }
@@ -863,7 +865,7 @@ public function getChildGroup($groupName, $callback = null, $skipEmptyResults =
      *
      * @param string $alias
      * @param string $key
-     * @return mixed
+     * @return mixed|void
      */
     public function getChildData($alias, $key = '')
     {
@@ -1167,6 +1169,7 @@ public function getModuleName()
     public function __()
     {
         $args = func_get_args();
+        // phpcs:ignore Ecg.Classes.ObjectInstantiation.DirectInstantiation
         $expr = new Mage_Core_Model_Translate_Expr(array_shift($args), $this->getModuleName());
         array_unshift($args, $expr);
         return $this->_getApp()->getTranslator()->translate($args);
@@ -1187,15 +1190,49 @@ public function htmlEscape($data, $allowedTags = null)
     /**
      * Escape html entities
      *
-     * @param   string|array $data
-     * @param   array $allowedTags
-     * @return  string
+     * @param string|string[] $data
+     * @param array|null $allowedTags
+     * @return null|string|string[]
      */
     public function escapeHtml($data, $allowedTags = null)
     {
         return $this->helper('core')->escapeHtml($data, $allowedTags);
     }
 
+    /**
+     * Wrapper for escapeHtml() function with keeping original value
+     *
+     * @param string $data
+     * @param string[]|null $allowedTags
+     * @return Mage_Core_Model_Security_HtmlEscapedString
+     *
+     * @see Mage_Core_Model_Security_HtmlEscapedString::getUnescapedValue()
+     */
+    public function escapeHtmlAsObject(string $data, ?array $allowedTags = null): Mage_Core_Model_Security_HtmlEscapedString
+    {
+        // phpcs:ignore Ecg.Classes.ObjectInstantiation.DirectInstantiation
+        return new Mage_Core_Model_Security_HtmlEscapedString($data, $allowedTags);
+    }
+
+    /**
+     * Wrapper for escapeHtml() function with keeping original value
+     *
+     * @param string[] $data
+     * @param string[]|null $allowedTags
+     * @return Mage_Core_Model_Security_HtmlEscapedString[]
+     *
+     *  @see Mage_Core_Model_Security_HtmlEscapedString::getUnescapedValue()
+     */
+    public function escapeHtmlArrayAsObject(array $data, ?array $allowedTags = null): array
+    {
+        $result = [];
+        foreach ($data as $key => $string) {
+            $result[$key] = $this->escapeHtmlAsObject($string, $allowedTags);
+        }
+
+        return $result;
+    }
+
     /**
      * Wrapper for standard strip_tags() function with extra functionality for html entities
      *

app/code/core/Mage/Core/Helper/Abstract.php

@@ -178,9 +178,10 @@ public function __()
     }
 
     /**
-     * @param array $data
-     * @param array $allowedTags
-     * @return mixed
+     * @param string|string[] $data
+     * @param array|null $allowedTags
+     * @return null|string|string[]
+     *
      * @see self::escapeHtml()
      * @deprecated after 1.4.0.0-rc1
      */
@@ -192,9 +193,9 @@ public function htmlEscape($data, $allowedTags = null)
     /**
      * Escape html entities
      *
-     * @param   string|array $data
-     * @param   array $allowedTags
-     * @return  mixed
+     * @param string|string[] $data
+     * @param array|null $allowedTags
+     * @return null|string|string[]
      */
     public function escapeHtml($data, $allowedTags = null)
     {
@@ -244,7 +245,7 @@ function ($matches) {
      * Wrapper for standard strip_tags() function with extra functionality for html entities
      *
      * @param string $data
-     * @param string $allowableTags
+     * @param null|string|string[] $allowableTags
      * @param bool $escape
      * @return string
      */
@@ -320,9 +321,9 @@ public function escapeScriptIdentifiers($data)
     /**
      * Escape quotes in java script
      *
-     * @param mixed $data
+     * @param string|string[] $data
      * @param string $quote
-     * @return mixed
+     * @return string|string[]
      */
     public function jsQuoteEscape($data, $quote = '\'')
     {

app/code/core/Mage/Core/Model/Layout.php

@@ -419,7 +419,7 @@ protected function _translateLayoutNode($node, &$args)
      * Save block in blocks registry
      *
      * @param string $name
-     * @param Mage_Core_Model_Layout $block
+     * @param Mage_Core_Block_Abstract $block
      * @return $this
      */
     public function setBlock($name, $block)

app/code/core/Mage/Core/Model/Security/HtmlEscapedString.php

@@ -3,12 +3,35 @@
 declare(strict_types=1);
 
 /**
+ * OpenMage
  *
+ * This source file is subject to the Open Software License (OSL 3.0)
+ * that is bundled with this package in the file LICENSE.txt.
+ * It is also available at https://opensource.org/license/osl-3-0-php
+ *
+ * @category   Mage
+ * @package    Mage_Core
+ * @copyright  Copyright (c) 2024 The OpenMage Contributors (https://www.openmage.org)
+ * @license    https://opensource.org/licenses/osl-3.0.php  Open Software License (OSL 3.0)
+ */
+
+/**
+ * Wrapper to escape a string value with a method to get the original string value
+ *
+ * @category   Mage
+ * @package    Mage_Core
  */
 class Mage_Core_Model_Security_HtmlEscapedString implements Stringable
 {
-    protected $originalValue;
-    protected $allowedTags;
+    /**
+     * @var string
+     */
+    protected string $originalValue;
+
+    /**
+     * @var string[]|null
+     */
+    protected ?array $allowedTags;
 
     /**
      * @param string $originalValue
@@ -20,6 +43,11 @@ public function __construct(string $originalValue, ?array $allowedTags = null)
         $this->allowedTags = $allowedTags;
     }
 
+    /**
+     * Get escaped html entities
+     *
+     * @return string
+     */
     public function __toString(): string
     {
         return (string) Mage::helper('core')->escapeHtml(
@@ -28,6 +56,11 @@ public function __toString(): string
         );
     }
 
+    /**
+     * Get un-escaped html entities
+     *
+     * @return string
+     */
     public function getUnescapedValue(): string
     {
         return $this->originalValue;

app/code/core/Mage/Core/Model/Translate.php

@@ -465,7 +465,7 @@ public function getTemplateFile($file, $type, $localeCode = null)
             $localeCode = $this->getLocale();
         }
 
-        $filePath = Mage::getBaseDir('locale')  . DS
+        $filePath = Mage::getBaseDir('locale') . DS
                   . $localeCode . DS . 'template' . DS . $type . DS . $file;
 
         if (!file_exists($filePath)) { // If no template specified for this locale, use store default

app/code/core/Mage/Customer/controllers/AccountController.php

@@ -895,8 +895,8 @@ public function resetPasswordPostAction()
      */
     protected function getCustomerId()
     {
-        $customerId = $this->getRequest()->getQuery('id');
-        if (strlen($customerId) > 12) {
+        $customerId = $this->getRequest()->getQuery('id', false);
+        if (is_string($customerId) && strlen($customerId) > 12) {
             $customerCollection = Mage::getModel('customer/customer')
                 ->getCollection()
                 ->addAttributeToSelect(['rp_customer_id'])