MC-34385: Filter fields allowing HTML

ogorkun · ogorkun · commit 2c1e0363e4d3 · 2020-07-16T12:35:34.000-05:00
diff --git a/app/code/Magento/Cms/Model/BlockRepository.php b/app/code/Magento/Cms/Model/BlockRepository.php
@@ -12,10 +12,13 @@
 use Magento\Cms\Model\ResourceModel\Block\CollectionFactory as BlockCollectionFactory;
 use Magento\Framework\Api\DataObjectHelper;
 use Magento\Framework\Api\SearchCriteria\CollectionProcessorInterface;
+use Magento\Framework\App\ObjectManager;
 use Magento\Framework\Exception\CouldNotDeleteException;
 use Magento\Framework\Exception\CouldNotSaveException;
 use Magento\Framework\Exception\NoSuchEntityException;
 use Magento\Framework\Reflection\DataObjectProcessor;
+use Magento\Framework\Validation\ValidationException;
+use Magento\Framework\Validator\HTML\WYSIWYGValidatorInterface;
 use Magento\Store\Model\StoreManagerInterface;
 
 /**
@@ -69,6 +72,11 @@ class BlockRepository implements BlockRepositoryInterface
      */
     private $collectionProcessor;
 
+    /**
+     * @var WYSIWYGValidatorInterface
+     */
+    private $wysiwygValidator;
+
     /**
      * @param ResourceBlock $resource
      * @param BlockFactory $blockFactory
@@ -79,6 +87,7 @@ class BlockRepository implements BlockRepositoryInterface
      * @param DataObjectProcessor $dataObjectProcessor
      * @param StoreManagerInterface $storeManager
      * @param CollectionProcessorInterface $collectionProcessor
+     * @param WYSIWYGValidatorInterface|null $wysiwygValidator
      */
     public function __construct(
         ResourceBlock $resource,
@@ -89,7 +98,8 @@ public function __construct(
         DataObjectHelper $dataObjectHelper,
         DataObjectProcessor $dataObjectProcessor,
         StoreManagerInterface $storeManager,
-        CollectionProcessorInterface $collectionProcessor = null
+        CollectionProcessorInterface $collectionProcessor = null,
+        ?WYSIWYGValidatorInterface $wysiwygValidator = null
     ) {
         $this->resource = $resource;
         $this->blockFactory = $blockFactory;
@@ -100,13 +110,46 @@ public function __construct(
         $this->dataObjectProcessor = $dataObjectProcessor;
         $this->storeManager = $storeManager;
         $this->collectionProcessor = $collectionProcessor ?: $this->getCollectionProcessor();
+        $this->wysiwygValidator = $wysiwygValidator
+            ?? ObjectManager::getInstance()->get(WYSIWYGValidatorInterface::class);
+    }
+
+    /**
+     * Validate block's content.
+     *
+     * @param Data\BlockInterface|Block $block
+     * @throws CouldNotSaveException
+     * @return void
+     */
+    private function validateHtml(Data\BlockInterface $block): void
+    {
+        $oldContent = null;
+        if ($block->getId()) {
+            if ($block instanceof Block && $block->getOrigData()) {
+                $oldContent = $block->getOrigData(Data\BlockInterface::CONTENT);
+            } else {
+                $oldBlock = $this->getById($block->getId());
+                $oldContent = $oldBlock->getContent();
+            }
+        }
+        if ($block->getContent() && $block->getContent() !== $oldContent) {
+            //Validate HTML content.
+            try {
+                $this->wysiwygValidator->validate($block->getContent());
+            } catch (ValidationException $exception) {
+                throw new CouldNotSaveException(
+                    __('Content HTML has restricted elements. %1', $exception->getMessage()),
+                    $exception
+                );
+            }
+        }
     }
 
     /**
      * Save Block data
      *
      * @param \Magento\Cms\Api\Data\BlockInterface $block
-     * @return Block
+     * @return Block|Data\BlockInterface
      * @throws CouldNotSaveException
      */
     public function save(Data\BlockInterface $block)
@@ -115,6 +158,8 @@ public function save(Data\BlockInterface $block)
             $block->setStoreId($this->storeManager->getStore()->getId());
         }
 
+        $this->validateHtml($block);
+
         try {
             $this->resource->save($block);
         } catch (\Exception $exception) {
diff --git a/app/code/Magento/Cms/Model/PageRepository.php b/app/code/Magento/Cms/Model/PageRepository.php
@@ -133,15 +133,21 @@ public function __construct(
     private function validateLayoutUpdate(Data\PageInterface $page): void
     {
         //Persisted data
-        $savedPage = $page->getId() ? $this->getById($page->getId()) : null;
+        $oldData = null;
+        if ($page->getId() && $page instanceof Page) {
+            $oldData = $page->getOrigData();
+        }
         //Custom layout update can be removed or kept as is.
         if ($page->getCustomLayoutUpdateXml()
-            && (!$savedPage || $page->getCustomLayoutUpdateXml() !== $savedPage->getCustomLayoutUpdateXml())
+            && (
+                !$oldData
+                || $page->getCustomLayoutUpdateXml() !== $oldData[Data\PageInterface::CUSTOM_LAYOUT_UPDATE_XML]
+            )
         ) {
             throw new \InvalidArgumentException('Custom layout updates must be selected from a file');
         }
         if ($page->getLayoutUpdateXml()
-            && (!$savedPage || $page->getLayoutUpdateXml() !== $savedPage->getLayoutUpdateXml())
+            && (!$oldData || $page->getLayoutUpdateXml() !== $oldData[Data\PageInterface::LAYOUT_UPDATE_XML])
         ) {
             throw new \InvalidArgumentException('Custom layout updates must be selected from a file');
         }
@@ -161,12 +167,12 @@ public function save(\Magento\Cms\Api\Data\PageInterface $page)
             $page->setStoreId($storeId);
         }
         $pageId = $page->getId();
+        if ($pageId && !($page instanceof Page && $page->getOrigData())) {
+            $page = $this->hydrator->hydrate($this->getById($pageId), $this->hydrator->extract($page));
+        }
 
         try {
             $this->validateLayoutUpdate($page);
-            if ($pageId) {
-                $page = $this->hydrator->hydrate($this->getById($pageId), $this->hydrator->extract($page));
-            }
             $this->resource->save($page);
             $this->identityMap->add($page);
         } catch (\Exception $exception) {
diff --git a/app/code/Magento/Cms/Model/PageRepository/ValidationComposite.php b/app/code/Magento/Cms/Model/PageRepository/ValidationComposite.php
@@ -11,6 +11,8 @@
 use Magento\Cms\Api\Data\PageInterface;
 use Magento\Cms\Api\PageRepositoryInterface;
 use Magento\Framework\Api\SearchCriteriaInterface;
+use Magento\Framework\App\ObjectManager;
+use Magento\Framework\EntityManager\HydratorInterface;
 
 /**
  * Validates and saves a page
@@ -27,13 +29,20 @@ class ValidationComposite implements PageRepositoryInterface
      */
     private $validators;
 
+    /**
+     * @var HydratorInterface
+     */
+    private $hydrator;
+
     /**
      * @param PageRepositoryInterface $repository
      * @param ValidatorInterface[] $validators
+     * @param HydratorInterface|null $hydrator
      */
     public function __construct(
         PageRepositoryInterface $repository,
-        array $validators = []
+        array $validators = [],
+        ?HydratorInterface $hydrator = null
     ) {
         foreach ($validators as $validator) {
             if (!$validator instanceof ValidatorInterface) {
@@ -44,13 +53,17 @@ public function __construct(
         }
         $this->repository = $repository;
         $this->validators = $validators;
+        $this->hydrator = $hydrator ?? ObjectManager::getInstance()->get(HydratorInterface::class);
     }
 
     /**
      * @inheritdoc
      */
     public function save(PageInterface $page)
     {
+        if ($page->getId()) {
+            $page = $this->hydrator->hydrate($this->getById($page->getId()), $this->hydrator->extract($page));
+        }
         foreach ($this->validators as $validator) {
             $validator->validate($page);
         }
diff --git a/app/code/Magento/Cms/Model/PageRepository/Validator/ContentValidator.php b/app/code/Magento/Cms/Model/PageRepository/Validator/ContentValidator.php
@@ -0,0 +1,57 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Cms\Model\PageRepository\Validator;
+
+use Magento\Cms\Api\Data\PageInterface;
+use Magento\Cms\Model\Page;
+use Magento\Cms\Model\PageRepository\ValidatorInterface;
+use Magento\Framework\Validation\ValidationException;
+use Magento\Framework\Validator\HTML\WYSIWYGValidatorInterface;
+
+/**
+ * Validates pages' content.
+ */
+class ContentValidator implements ValidatorInterface
+{
+
+    /**
+     * @var WYSIWYGValidatorInterface
+     */
+    private $wysiwygValidator;
+
+    /**
+     * @param WYSIWYGValidatorInterface $wysiwygValidator
+     */
+    public function __construct(WYSIWYGValidatorInterface $wysiwygValidator)
+    {
+        $this->wysiwygValidator = $wysiwygValidator;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function validate(PageInterface $page): void
+    {
+        $oldValue = null;
+        if ($page->getId() && $page instanceof Page && $page->getOrigData()) {
+            $oldValue = $page->getOrigData(PageInterface::CONTENT);
+        }
+
+        if ($page->getContent() && $page->getContent() !== $oldValue) {
+            try {
+                $this->wysiwygValidator->validate($page->getContent());
+            } catch (ValidationException $exception) {
+                throw new ValidationException(
+                    __('Content HTML contains restricted elements. %1', $exception->getMessage()),
+                    $exception
+                );
+            }
+        }
+    }
+}
diff --git a/app/code/Magento/Cms/etc/di.xml b/app/code/Magento/Cms/etc/di.xml
@@ -233,6 +233,7 @@
             <argument name="repository" xsi:type="object">Magento\Cms\Model\PageRepository</argument>
             <argument name="validators" xsi:type="array">
                 <item name="layout_update" xsi:type="object">Magento\Cms\Model\PageRepository\Validator\LayoutUpdateValidator</item>
+                <item name="content" xsi:type="object">Magento\Cms\Model\PageRepository\Validator\ContentValidator</item>
             </argument>
         </arguments>
     </type>
@@ -249,4 +250,16 @@
         </arguments>
     </type>
     <preference for="Magento\Framework\Validator\HTML\WYSIWYGValidatorInterface" type="Magento\Cms\Model\Wysiwyg\Validator" />
+    <type name="Magento\Framework\Console\CommandListInterface">
+        <arguments>
+            <argument name="commands" xsi:type="array">
+                <item name="cms_wysiwyg_restrict" xsi:type="object">Magento\Cms\Command\WysiwygRestrictCommand</item>
+            </argument>
+        </arguments>
+    </type>
+    <type name="Magento\Cms\Model\PageRepository\Validator\ContentValidator">
+        <arguments>
+            <argument name="hydrator" xsi:type="object">Magento\Framework\EntityManager\AbstractModelHydrator</argument>
+        </arguments>
+    </type>
 </config>
diff --git a/lib/internal/Magento/Framework/Validator/HTML/ConfigurableWYSIWYGValidator.php b/lib/internal/Magento/Framework/Validator/HTML/ConfigurableWYSIWYGValidator.php
@@ -56,6 +56,9 @@ function (string $tag) use ($allowedTags): bool {
      */
     public function validate(string $content): void
     {
+        if (mb_strlen($content) === 0) {
+            return;
+        }
         $dom = $this->loadHtml($content);
         $xpath = new \DOMXPath($dom);
 

Original file line number	Diff line number	Diff line change
`@@ -56,6 +56,9 @@ function (string $tag) use ($allowedTags): bool {`
`56`	`56`	`*/`
`57`	`57`	`public function validate(string $content): void`
`58`	`58`	`{`
	`59`	`+ if (mb_strlen($content) === 0) {`
	`60`	`+ return;`
	`61`	`+ }`
`59`	`62`	`$dom = $this->loadHtml($content);`
`60`	`63`	`$xpath = new \DOMXPath($dom);`
`61`	`64`