MC-34385: Filter fields allowing HTML

ogorkun · ogorkun · commit 3dd1811cd5e4 · 2020-07-22T16:41:14.000-05:00
diff --git a/app/etc/di.xml b/app/etc/di.xml
@@ -1837,14 +1837,45 @@
             <argument name="allowedTags" xsi:type="array">
                 <item name="div" xsi:type="string">div</item>
                 <item name="a" xsi:type="string">a</item>
+                <item name="p" xsi:type="string">p</item>
+                <item name="span" xsi:type="string">span</item>
+                <item name="em" xsi:type="string">em</item>
+                <item name="strong" xsi:type="string">strong</item>
+                <item name="ul" xsi:type="string">ul</item>
+                <item name="li" xsi:type="string">li</item>
+                <item name="ol" xsi:type="string">ol</item>
+                <item name="h5" xsi:type="string">h5</item>
+                <item name="h4" xsi:type="string">h4</item>
+                <item name="h3" xsi:type="string">h3</item>
+                <item name="h2" xsi:type="string">h2</item>
+                <item name="h1" xsi:type="string">h1</item>
+                <item name="table" xsi:type="string">table</item>
+                <item name="tbody" xsi:type="string">tbody</item>
+                <item name="tr" xsi:type="string">tr</item>
+                <item name="td" xsi:type="string">td</item>
+                <item name="th" xsi:type="string">th</item>
+                <item name="tfoot" xsi:type="string">tfoot</item>
+                <item name="img" xsi:type="string">img</item>
             </argument>
             <argument name="allowedAttributes" xsi:type="array">
                 <item name="class" xsi:type="string">class</item>
+                <item name="width" xsi:type="string">width</item>
+                <item name="height" xsi:type="string">height</item>
+                <item name="style" xsi:type="string">style</item>
+                <item name="alt" xsi:type="string">alt</item>
+                <item name="title" xsi:type="string">title</item>
+                <item name="border" xsi:type="string">border</item>
             </argument>
             <argument name="attributesAllowedByTags" xsi:type="array">
                 <item name="a" xsi:type="array">
                     <item name="href" xsi:type="string">href</item>
                 </item>
+                <item name="img" xsi:type="array">
+                    <item name="src" xsi:type="string">src</item>
+                </item>
+            </argument>
+            <argument name="attributeValidators" xsi:type="array">
+                <item name="style" xsi:type="object">Magento\Framework\Validator\HTML\StyleAttributeValidator</item>
             </argument>
         </arguments>
     </virtualType>
diff --git a/lib/internal/Magento/Framework/Test/Unit/Validator/HTML/ConfigurableWYSIWYGValidatorTest.php b/lib/internal/Magento/Framework/Test/Unit/Validator/HTML/ConfigurableWYSIWYGValidatorTest.php
@@ -10,6 +10,7 @@
 
 use Magento\Framework\Validation\ValidationException;
 use Magento\Framework\Validator\HTML\ConfigurableWYSIWYGValidator;
+use Magento\Framework\Validator\HTML\AttributeValidatorInterface;
 use PHPUnit\Framework\TestCase;
 
 class ConfigurableWYSIWYGValidatorTest extends TestCase
@@ -22,62 +23,100 @@ class ConfigurableWYSIWYGValidatorTest extends TestCase
     public function getConfigurations(): array
     {
         return [
-            'no-html' => [['div'], [], [], 'just text', true],
-            'allowed-tag' => [['div'], [], [], 'just text and <div>a div</div>', true],
-            'restricted-tag' => [['div', 'p'], [], [], 'text and <p>a p</p>, <div>a div</div>,  <tr>a tr</tr>', false],
-            'restricted-tag-wtih-attr' => [['div'], [], [], 'just text and <p class="fake-class">a p</p>', false],
-            'allowed-tag-with-attr' => [['div'], [], [], 'just text and <div class="fake-class">a div</div>', false],
-            'multiple-tags' => [['div', 'p'], [], [], 'just text and <div>a div</div> and <p>a p</p>', true],
+            'no-html' => [['div'], [], [], 'just text', true, []],
+            'allowed-tag' => [['div'], [], [], 'just text and <div>a div</div>', true, []],
+            'restricted-tag' => [
+                ['div', 'p'],
+                [],
+                [],
+                'text and <p>a p</p>, <div>a div</div>,  <tr>a tr</tr>',
+                false,
+                []
+            ],
+            'restricted-tag-wtih-attr' => [['div'], [], [], 'just text and <p class="fake-class">a p</p>', false, []],
+            'allowed-tag-with-attr' => [['div'], [], [], 'just text and <div class="fake-class">a div</div>', false, []],
+            'multiple-tags' => [['div', 'p'], [], [], 'just text and <div>a div</div> and <p>a p</p>', true, []],
             'tags-with-attrs' => [
                 ['div', 'p'],
                 ['class', 'style'],
                 [],
                 'text and <div class="fake-class">a div</div> and <p style="color: blue">a p</p>',
-                true
+                true,
+                []
             ],
             'tags-with-restricted-attrs' => [
                 ['div', 'p'],
                 ['class', 'align'],
                 [],
                 'text and <div class="fake-class">a div</div> and <p style="color: blue">a p</p>',
-                false
+                false,
+                []
             ],
             'tags-with-specific-attrs' => [
                 ['div', 'a', 'p'],
                 ['class'],
                 ['a' => ['href'], 'div' => ['style']],
                 '<div class="fake-class" style="color: blue">a div</div>, <a href="/some-path" class="a">an a</a>'
                 .', <p class="p-class">a p</p>',
-                true
+                true,
+                []
             ],
             'tags-with-specific-restricted-attrs' => [
                 ['div', 'a'],
                 ['class'],
                 ['a' => ['href']],
                 'text and <div class="fake-class" href="what">a div</div> and <a href="/some-path" class="a">an a</a>',
-                false
+                false,
+                []
             ],
             'invalid-tag-with-full-config' => [
                 ['div', 'a', 'p'],
                 ['class', 'src'],
                 ['a' => ['href'], 'div' => ['style']],
                 '<div class="fake-class" style="color: blue">a div</div>, <a href="/some-path" class="a">an a</a>'
                 .', <p class="p-class">a p</p>, <img src="test.jpg" />',
-                false
+                false,
+                []
             ],
             'invalid-html' => [
                 ['div', 'a', 'p'],
                 ['class', 'src'],
                 ['a' => ['href'], 'div' => ['style']],
                 'some </,none-> </html>',
-                true
+                true,
+                []
             ],
             'invalid-html-with-violations' => [
                 ['div', 'a', 'p'],
                 ['class', 'src'],
                 ['a' => ['href'], 'div' => ['style']],
                 'some </,none-> </html> <tr>some trs</tr>',
-                false
+                false,
+                []
+            ],
+            'invalid-html-attributes' => [
+                ['div', 'a', 'p'],
+                ['class', 'src'],
+                [],
+                'some <div class="value">DIV</div>',
+                false,
+                ['class' => false]
+            ],
+            'ignored-html-attributes' => [
+                ['div', 'a', 'p'],
+                ['class', 'src'],
+                [],
+                'some <div class="value">DIV</div>',
+                true,
+                ['src' => false, 'class' => true]
+            ],
+            'valid-html-attributes' => [
+                ['div', 'a', 'p'],
+                ['class', 'src'],
+                [],
+                'some <div class="value">DIV</div>',
+                true,
+                ['src' => true, 'class' => true]
             ]
         ];
     }
@@ -90,6 +129,7 @@ public function getConfigurations(): array
      * @param array $allowedTagAttrs
      * @param string $html
      * @param bool $isValid
+     * @param array $attributeValidityMap
      * @return void
      * @dataProvider getConfigurations
      */
@@ -98,9 +138,28 @@ public function testConfigurations(
         array $allowedAttr,
         array $allowedTagAttrs,
         string $html,
-        bool $isValid
+        bool $isValid,
+        array $attributeValidityMap
     ): void {
-        $validator = new ConfigurableWYSIWYGValidator($allowedTags, $allowedAttr, $allowedTagAttrs);
+        $attributeValidator = $this->getMockForAbstractClass(AttributeValidatorInterface::class);
+        $attributeValidator->method('validate')
+            ->willReturnCallback(
+                function (string $tag, string $attribute, string $content) use ($attributeValidityMap): void {
+                    if (array_key_exists($attribute, $attributeValidityMap) && !$attributeValidityMap[$attribute]) {
+                        throw new ValidationException(__('Invalid attribute for %1', $tag));
+                    }
+                }
+            );
+        $attrValidators = [];
+        foreach (array_keys($attributeValidityMap) as $attr) {
+            $attrValidators[$attr] = $attributeValidator;
+        }
+        $validator = new ConfigurableWYSIWYGValidator(
+            $allowedTags,
+            $allowedAttr,
+            $allowedTagAttrs,
+            $attrValidators
+        );
         $valid = true;
         try {
             $validator->validate($html);
diff --git a/lib/internal/Magento/Framework/Test/Unit/Validator/HTML/StyleAttributeValidatorTest.php b/lib/internal/Magento/Framework/Test/Unit/Validator/HTML/StyleAttributeValidatorTest.php
@@ -0,0 +1,57 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Framework\Test\Unit\Validator\HTML;
+
+use Magento\Framework\Validation\ValidationException;
+use Magento\Framework\Validator\HTML\StyleAttributeValidator;
+use PHPUnit\Framework\TestCase;
+
+class StyleAttributeValidatorTest extends TestCase
+{
+    /**
+     * Cases for "validate" test.
+     *
+     * @return array
+     */
+    public function getAttributes(): array
+    {
+        return [
+            'not a style' => ['class', 'value', true],
+            'valid style' => ['style', 'color: blue', true],
+            'invalid position style' => ['style', 'color: blue; position: absolute; width: 100%', false],
+            'another invalid position style' => ['style', 'position: fixed; width: 100%', false],
+            'valid position style' => ['style', 'color: blue; position: inherit; width: 100%', true],
+            'valid background style' => ['style', 'color: blue; background-position: left; width: 100%', true],
+            'invalid opacity style' => ['style', 'color: blue; width: 100%; opacity: 0.5', false],
+            'invalid z-index style' => ['style', 'color: blue; width: 100%; z-index: 11', false]
+        ];
+    }
+
+    /**
+     * Test "validate" method.
+     *
+     * @param string $attr
+     * @param string $value
+     * @param bool $expectedValid
+     * @return void
+     * @dataProvider getAttributes
+     */
+    public function testValidate(string $attr, string $value, bool $expectedValid): void
+    {
+        $validator = new StyleAttributeValidator();
+
+        try {
+            $validator->validate('does not matter', $attr, $value);
+            $actuallyValid = true;
+        } catch (ValidationException $exception) {
+            $actuallyValid = false;
+        }
+        $this->assertEquals($expectedValid, $actuallyValid);
+    }
+}
diff --git a/lib/internal/Magento/Framework/Validator/HTML/AttributeValidatorInterface.php b/lib/internal/Magento/Framework/Validator/HTML/AttributeValidatorInterface.php
@@ -0,0 +1,28 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Framework\Validator\HTML;
+
+use Magento\Framework\Validation\ValidationException;
+
+/**
+ * Validates HTML attributes content.
+ */
+interface AttributeValidatorInterface
+{
+    /**
+     * Validate attribute.
+     *
+     * @param string $tag
+     * @param string $attributeName
+     * @param string $value
+     * @return void
+     * @throws ValidationException
+     */
+    public function validate(string $tag, string $attributeName, string $value): void;
+}
diff --git a/lib/internal/Magento/Framework/Validator/HTML/ConfigurableWYSIWYGValidator.php b/lib/internal/Magento/Framework/Validator/HTML/ConfigurableWYSIWYGValidator.php
@@ -31,12 +31,22 @@ class ConfigurableWYSIWYGValidator implements WYSIWYGValidatorInterface
     private $attributesAllowedByTags;
 
     /**
-     * @param array $allowedTags
-     * @param array $allowedAttributes
-     * @param array $attributesAllowedByTags
+     * @var AttributeValidatorInterface[]
      */
-    public function __construct(array $allowedTags, array $allowedAttributes = [], array $attributesAllowedByTags = [])
-    {
+    private $attributeValidators;
+
+    /**
+     * @param string[] $allowedTags
+     * @param string[] $allowedAttributes
+     * @param string[] $attributesAllowedByTags
+     * @param AttributeValidatorInterface[] $attributeValidators
+     */
+    public function __construct(
+        array $allowedTags,
+        array $allowedAttributes = [],
+        array $attributesAllowedByTags = [],
+        array $attributeValidators = []
+    ) {
         if (empty(array_filter($allowedTags))) {
             throw new \InvalidArgumentException('List of allowed HTML tags cannot be empty');
         }
@@ -49,6 +59,7 @@ function (string $tag) use ($allowedTags): bool {
             },
             ARRAY_FILTER_USE_KEY
         );
+        $this->attributeValidators = $attributeValidators;
     }
 
     /**
@@ -132,6 +143,17 @@ function (string $attribute): string {
                 );
             }
         }
+
+        //Validating allowed attributes.
+        if ($this->attributeValidators) {
+            foreach ($this->attributeValidators as $attr => $validator) {
+                $found = $xpath->query("//@*[name() = '$attr']");
+                foreach ($found as $attribute) {
+                    $validator->validate($attribute->parentNode->tagName, $attribute->name, $attribute->value);
+                }
+            }
+        }
+
     }
 
     /**
diff --git a/lib/internal/Magento/Framework/Validator/HTML/StyleAttributeValidator.php b/lib/internal/Magento/Framework/Validator/HTML/StyleAttributeValidator.php
@@ -0,0 +1,31 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Framework\Validator\HTML;
+
+use Magento\Framework\Validation\ValidationException;
+
+/**
+ * Validates "style" attribute.
+ */
+class StyleAttributeValidator implements AttributeValidatorInterface
+{
+    /**
+     * @inheritDoc
+     */
+    public function validate(string $tag, string $attributeName, string $value): void
+    {
+        if ($attributeName !== 'style' || !$value) {
+            return;
+        }
+
+        if (preg_match('/([^\-]position\s*?\:\s*?[^i\s][^n\s]\w)|(opacity)|(z-index)/ims', " $value")) {
+            throw new ValidationException(__('HTML attribute "style" contains restricted styles'));
+        }
+    }
+}
