MC-34385: Filter fields allowing HTML

ogorkun · ogorkun · commit 3f6d8c42a08c · 2020-07-15T14:32:40.000-05:00
diff --git a/app/code/Magento/Catalog/Model/Attribute/Backend/DefaultBackend.php b/app/code/Magento/Catalog/Model/Attribute/Backend/DefaultBackend.php
@@ -0,0 +1,94 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Catalog\Model\Attribute\Backend;
+
+use Magento\Catalog\Model\AbstractModel;
+use Magento\Catalog\Model\ResourceModel\Eav\Attribute;
+use Magento\Eav\Model\Entity\Attribute\Backend\DefaultBackend as ParentBackend;
+use Magento\Eav\Model\Entity\Attribute\Exception;
+use Magento\Framework\DataObject;
+use Magento\Framework\Exception\LocalizedException;
+use Magento\Framework\Validation\ValidationException;
+use Magento\Framework\Validator\HTML\WYSIWYGValidatorInterface;
+
+/**
+ * Default backend model for catalog attributes.
+ */
+class DefaultBackend extends ParentBackend
+{
+    /**
+     * @var WYSIWYGValidatorInterface
+     */
+    private $wysiwygValidator;
+
+    /**
+     * @param WYSIWYGValidatorInterface $wysiwygValidator
+     */
+    public function __construct(WYSIWYGValidatorInterface $wysiwygValidator)
+    {
+        $this->wysiwygValidator = $wysiwygValidator;
+    }
+
+    /**
+     * Validate user HTML value.
+     *
+     * @param DataObject $object
+     * @return void
+     * @throws LocalizedException
+     */
+    private function validateHtml(DataObject $object): void
+    {
+        $attribute = $this->getAttribute();
+        $code = $attribute->getAttributeCode();
+        if ($attribute instanceof Attribute && $attribute->getIsHtmlAllowedOnFront()) {
+            if ($object->getData($code)
+                && (!($object instanceof AbstractModel) || $object->getData($code) !== $object->getOrigData($code))
+            ) {
+                try {
+                    $this->wysiwygValidator->validate($object->getData($code));
+                } catch (ValidationException $exception) {
+                    $attributeException = new Exception(
+                        __(
+                            'Using restricted HTML elements for "%1". %2',
+                            $attribute->getName(),
+                            $exception->getMessage()
+                        ),
+                        $exception
+                    );
+                    $attributeException->setAttributeCode($code)->setPart('backend');
+                    throw $attributeException;
+                }
+            }
+        }
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function beforeSave($object)
+    {
+        parent::beforeSave($object);
+        $this->validateHtml($object);
+
+        return $this;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function validate($object)
+    {
+        $isValid = parent::validate($object);
+        if ($isValid) {
+            $this->validateHtml($object);
+        }
+
+        return $isValid;
+    }
+}
diff --git a/app/code/Magento/Catalog/Model/ResourceModel/Eav/Attribute.php b/app/code/Magento/Catalog/Model/ResourceModel/Eav/Attribute.php
@@ -6,7 +6,9 @@
 
 namespace Magento\Catalog\Model\ResourceModel\Eav;
 
+use Magento\Catalog\Model\Attribute\Backend\DefaultBackend;
 use Magento\Catalog\Model\Attribute\LockValidatorInterface;
+use Magento\Eav\Model\Entity;
 use Magento\Framework\Api\AttributeValueFactory;
 use Magento\Framework\Stdlib\DateTime\DateTimeFormatterInterface;
 
@@ -901,4 +903,17 @@ public function setIsFilterableInGrid($isFilterableInGrid)
         $this->setData(self::IS_FILTERABLE_IN_GRID, $isFilterableInGrid);
         return $this;
     }
+
+    /**
+     * @inheritDoc
+     */
+    protected function _getDefaultBackendModel()
+    {
+        $backend = parent::_getDefaultBackendModel();
+        if ($backend === Entity::DEFAULT_BACKEND_MODEL) {
+            $backend = DefaultBackend::class;
+        }
+
+        return $backend;
+    }
 }
diff --git a/app/code/Magento/Catalog/Test/Unit/Model/Attribute/Backend/DefaultBackendTest.php b/app/code/Magento/Catalog/Test/Unit/Model/Attribute/Backend/DefaultBackendTest.php
@@ -0,0 +1,111 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Catalog\Test\Unit\Model\Attribute\Backend;
+
+use Magento\Catalog\Model\AbstractModel;
+use Magento\Catalog\Model\Attribute\Backend\DefaultBackend;
+use Magento\Framework\DataObject;
+use Magento\Framework\Validation\ValidationException;
+use Magento\Framework\Validator\HTML\WYSIWYGValidatorInterface;
+use PHPUnit\Framework\TestCase;
+use Magento\Eav\Model\Entity\Attribute as BasicAttribute;
+use Magento\Catalog\Model\ResourceModel\Eav\Attribute;
+use Magento\Eav\Model\Entity\Attribute\Exception as AttributeException;
+
+class DefaultBackendTest extends TestCase
+{
+    /**
+     * Different cases for attribute validation.
+     *
+     * @return array
+     */
+    public function getAttributeConfigurations(): array
+    {
+        return [
+            'basic-attribute' => [true, false, true, 'basic', 'value', false, true, false],
+            'non-html-attribute' => [false, false, false, 'non-html', 'value', false, false, false],
+            'empty-html-attribute' => [false, false, true, 'html', null, false, true, false],
+            'invalid-html-attribute' => [false, false, false, 'html', 'value', false, true, true],
+            'valid-html-attribute' => [false, true, false, 'html', 'value', false, true, false],
+            'changed-invalid-html-attribute' => [false, false, true, 'html', 'value', true, true, true],
+            'changed-valid-html-attribute' => [false, true, true, 'html', 'value', true, true, false]
+        ];
+    }
+
+    /**
+     * Test attribute validation.
+     *
+     * @param bool $isBasic
+     * @param bool $isValidated
+     * @param bool $isCatalogEntity
+     * @param string $code
+     * @param mixed $value
+     * @param bool $isChanged
+     * @param bool $isHtmlAttribute
+     * @param bool $exceptionThrown
+     * @dataProvider getAttributeConfigurations
+     */
+    public function testValidate(
+        bool $isBasic,
+        bool $isValidated,
+        bool $isCatalogEntity,
+        string $code,
+        $value,
+        bool $isChanged,
+        bool $isHtmlAttribute,
+        bool $exceptionThrown
+    ): void {
+        if ($isBasic) {
+            $attributeMock = $this->createMock(BasicAttribute::class);
+        } else {
+            $attributeMock = $this->createMock(Attribute::class);
+            $attributeMock->expects($this->any())
+                ->method('getIsHtmlAllowedOnFront')
+                ->willReturn($isHtmlAttribute);
+        }
+        $attributeMock->expects($this->any())->method('getAttributeCode')->willReturn($code);
+
+        $validatorMock = $this->getMockForAbstractClass(WYSIWYGValidatorInterface::class);
+        if (!$isValidated) {
+            $validatorMock->expects($this->any())
+                ->method('validate')
+                ->willThrowException(new ValidationException(__('HTML is invalid')));
+        } else {
+            $validatorMock->expects($this->any())->method('validate');
+        }
+
+        if ($isCatalogEntity) {
+            $objectMock = $this->createMock(AbstractModel::class);
+            $objectMock->expects($this->any())
+                ->method('getOrigData')
+                ->willReturn($isChanged ? $value .'-OLD' : $value);
+        } else {
+            $objectMock = $this->createMock(DataObject::class);
+        }
+        $objectMock->expects($this->any())->method('getData')->with($code)->willReturn($value);
+
+        $model = new DefaultBackend($validatorMock);
+        $model->setAttribute($attributeMock);
+
+        $actuallyThrownForSave = false;
+        try {
+            $model->beforeSave($objectMock);
+        } catch (AttributeException $exception) {
+            $actuallyThrownForSave = true;
+        }
+        $actuallyThrownForValidate = false;
+        try {
+            $model->validate($objectMock);
+        } catch (AttributeException $exception) {
+            $actuallyThrownForValidate = true;
+        }
+        $this->assertEquals($actuallyThrownForSave, $actuallyThrownForValidate);
+        $this->assertEquals($actuallyThrownForSave, $exceptionThrown);
+    }
+}
diff --git a/app/etc/di.xml b/app/etc/di.xml
@@ -1832,4 +1832,21 @@
             </argument>
         </arguments>
     </type>
+    <virtualType name="DefaultWYSIWYGValidator" type="Magento\Framework\Validator\HTML\ConfigurableWYSIWYGValidator">
+        <arguments>
+            <argument name="allowedTags" xsi:type="array">
+                <item name="div" xsi:type="string">div</item>
+                <item name="a" xsi:type="string">a</item>
+            </argument>
+            <argument name="allowedAttributes" xsi:type="array">
+                <item name="class" xsi:type="string">class</item>
+            </argument>
+            <argument name="attributesAllowedByTags" xsi:type="array">
+                <item name="a" xsi:type="array">
+                    <item name="href" xsi:type="string">href</item>
+                </item>
+            </argument>
+        </arguments>
+    </virtualType>
+    <preference for="Magento\Framework\Validator\HTML\WYSIWYGValidatorInterface" type="DefaultWYSIWYGValidator" />
 </config>
diff --git a/lib/internal/Magento/Framework/Test/Unit/Validator/HTML/ConfigurableWYSIWYGValidatorTest.php b/lib/internal/Magento/Framework/Test/Unit/Validator/HTML/ConfigurableWYSIWYGValidatorTest.php
@@ -0,0 +1,113 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Framework\Test\Unit\Validator\HTML;
+
+use Magento\Framework\Validation\ValidationException;
+use Magento\Framework\Validator\HTML\ConfigurableWYSIWYGValidator;
+use PHPUnit\Framework\TestCase;
+
+class ConfigurableWYSIWYGValidatorTest extends TestCase
+{
+    /**
+     * Configurations to test.
+     *
+     * @return array
+     */
+    public function getConfigurations(): array
+    {
+        return [
+            'no-html' => [['div'], [], [], 'just text', true],
+            'allowed-tag' => [['div'], [], [], 'just text and <div>a div</div>', true],
+            'restricted-tag' => [['div', 'p'], [], [], 'text and <p>a p</p>, <div>a div</div>,  <tr>a tr</tr>', false],
+            'restricted-tag-wtih-attr' => [['div'], [], [], 'just text and <p class="fake-class">a p</p>', false],
+            'allowed-tag-with-attr' => [['div'], [], [], 'just text and <div class="fake-class">a div</div>', false],
+            'multiple-tags' => [['div', 'p'], [], [], 'just text and <div>a div</div> and <p>a p</p>', true],
+            'tags-with-attrs' => [
+                ['div', 'p'],
+                ['class', 'style'],
+                [],
+                'text and <div class="fake-class">a div</div> and <p style="color: blue">a p</p>',
+                true
+            ],
+            'tags-with-restricted-attrs' => [
+                ['div', 'p'],
+                ['class', 'align'],
+                [],
+                'text and <div class="fake-class">a div</div> and <p style="color: blue">a p</p>',
+                false
+            ],
+            'tags-with-specific-attrs' => [
+                ['div', 'a', 'p'],
+                ['class'],
+                ['a' => ['href'], 'div' => ['style']],
+                '<div class="fake-class" style="color: blue">a div</div>, <a href="/some-path" class="a">an a</a>'
+                .', <p class="p-class">a p</p>',
+                true
+            ],
+            'tags-with-specific-restricted-attrs' => [
+                ['div', 'a'],
+                ['class'],
+                ['a' => ['href']],
+                'text and <div class="fake-class" href="what">a div</div> and <a href="/some-path" class="a">an a</a>',
+                false
+            ],
+            'invalid-tag-with-full-config' => [
+                ['div', 'a', 'p'],
+                ['class', 'src'],
+                ['a' => ['href'], 'div' => ['style']],
+                '<div class="fake-class" style="color: blue">a div</div>, <a href="/some-path" class="a">an a</a>'
+                .', <p class="p-class">a p</p>, <img src="test.jpg" />',
+                false
+            ],
+            'invalid-html' => [
+                ['div', 'a', 'p'],
+                ['class', 'src'],
+                ['a' => ['href'], 'div' => ['style']],
+                'some </,none-> </html>',
+                true
+            ],
+            'invalid-html-with-violations' => [
+                ['div', 'a', 'p'],
+                ['class', 'src'],
+                ['a' => ['href'], 'div' => ['style']],
+                'some </,none-> </html> <tr>some trs</tr>',
+                false
+            ]
+        ];
+    }
+
+    /**
+     * Test different configurations and content.
+     *
+     * @param array $allowedTags
+     * @param array $allowedAttr
+     * @param array $allowedTagAttrs
+     * @param string $html
+     * @param bool $isValid
+     * @return void
+     * @dataProvider getConfigurations
+     */
+    public function testConfigurations(
+        array $allowedTags,
+        array $allowedAttr,
+        array $allowedTagAttrs,
+        string $html,
+        bool $isValid
+    ): void {
+        $validator = new ConfigurableWYSIWYGValidator($allowedTags, $allowedAttr, $allowedTagAttrs);
+        $valid = true;
+        try {
+            $validator->validate($html);
+        } catch (ValidationException $exception) {
+            $valid = false;
+        }
+
+        self::assertEquals($isValid, $valid);
+    }
+}
diff --git a/lib/internal/Magento/Framework/Validator/HTML/ConfigurableWYSIWYGValidator.php b/lib/internal/Magento/Framework/Validator/HTML/ConfigurableWYSIWYGValidator.php
diff --git a/lib/internal/Magento/Framework/Validator/HTML/WYSIWYGValidatorInterface.php b/lib/internal/Magento/Framework/Validator/HTML/WYSIWYGValidatorInterface.php
