AC-11004: Exception on Storefront when Admin adds CustomerCustomAttribute block via CMS Page Content

Author: wip44850

app/code/Magento/Cms/Model/Validator/DirectiveValidator.php

@@ -0,0 +1,91 @@
+<?php
+/**
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ */
+declare(strict_types=1);
+
+namespace Magento\Cms\Model\Validator;
+
+class DirectiveValidator
+{
+    /**
+     * Verify block content
+     *
+     * @param string $html
+     * @return bool
+     */
+    public function isValid(string $html): bool
+    {
+        if (preg_match('#<(pre|code)\b[^>]*>.*?{{\s*block\b.*?}}.*?</\1>#si', $html)) {
+            return false;
+        }
+
+        if (!preg_match_all('/{{\s*block\b(.*?)}}/si', $html, $matches, PREG_SET_ORDER)) {
+            return true;
+        }
+
+        foreach ($matches as $m) {
+            $raw = $m[1] ?? '';
+
+            if ($raw !== strip_tags($raw)) {
+                return false;
+            }
+
+            // phpcs:ignore Magento2.Functions.DiscouragedFunction
+            $body = html_entity_decode($raw, ENT_QUOTES);
+            $params = $this->parseParams($body);
+
+            if (!isset($params['class']) && !isset($params['id'])) {
+                return false;
+            }
+
+            if (isset($params['class'])) {
+                $class = trim((string)$params['class']);
+                if (!preg_match('/^\\\\?[A-Za-z_][A-Za-z0-9_]*(\\\\[A-Za-z_][A-Za-z0-9_]*)*$/', $class)) {
+                    return false;
+                }
+            }
+
+            if (isset($params['name'])) {
+                $name = (string)$params['name'];
+                if (!preg_match('/^[A-Za-z0-9_.-]+$/', $name)) {
+                    return false;
+                }
+            }
+
+            if (isset($params['template'])) {
+                $template = (string)$params['template'];
+                if (!preg_match('/^[A-Za-z0-9_]+(?:_[A-Za-z0-9_]+)*::[A-Za-z0-9_.\-\/]+$/', $template)) {
+                    return false;
+                }
+            }
+
+            if (isset($params['id'])) {
+                $id = (string)$params['id'];
+                if (!preg_match('/^[A-Za-z0-9_\-]+$/', $id)) {
+                    return false;
+                }
+            }
+        }
+
+        return true;
+    }
+
+    /**
+     * Parses a parameter string into an associative array.
+     *
+     * @param string $value
+     * @return array
+     */
+    private function parseParams(string $value): array
+    {
+        $params = [];
+        if (preg_match_all('/(\w+)\s*=\s*("([^"]*)"|\'([^\']*)\'|(\S+))/u', $value, $mm, PREG_SET_ORDER)) {
+            foreach ($mm as $p) {
+                $params[$p[1]] = $p[3] ?? ($p[4] ?? $p[5] ?? '');
+            }
+        }
+        return $params;
+    }
+}

app/code/Magento/Cms/Plugin/BlockRepositoryValidatePlugin.php

@@ -0,0 +1,48 @@
+<?php
+/**
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ */
+declare(strict_types=1);
+
+namespace Magento\Cms\Plugin;
+
+use Magento\Cms\Api\BlockRepositoryInterface;
+use Magento\Cms\Api\Data\BlockInterface;
+use Magento\Framework\Exception\LocalizedException;
+use Magento\Cms\Model\Validator\DirectiveValidator;
+
+class BlockRepositoryValidatePlugin
+{
+    /**
+     * @var DirectiveValidator
+     */
+    private DirectiveValidator $validator;
+
+    /**
+     * @param DirectiveValidator $validator
+     */
+    public function __construct(DirectiveValidator $validator)
+    {
+        $this->validator = $validator;
+    }
+
+    /**
+     * Validate Cms block before save
+     *
+     * @param BlockRepositoryInterface $subject
+     * @param BlockInterface $block
+     * @return BlockInterface[]
+     * @throws LocalizedException
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function beforeSave(BlockRepositoryInterface $subject, BlockInterface $block): array
+    {
+        if (!$this->validator->isValid((string)$block->getContent())) {
+            throw new \Magento\Framework\Exception\LocalizedException(
+                __('CMS block contains invalid content — please review and correct the block.')
+            );
+        }
+        return [$block];
+    }
+}

app/code/Magento/Cms/Plugin/PageRepositoryValidatePlugin.php

@@ -0,0 +1,48 @@
+<?php
+/**
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ */
+declare(strict_types=1);
+
+namespace Magento\Cms\Plugin;
+
+use Magento\Cms\Api\Data\PageInterface;
+use Magento\Cms\Api\PageRepositoryInterface;
+use Magento\Framework\Exception\LocalizedException;
+use Magento\Cms\Model\Validator\DirectiveValidator;
+
+class PageRepositoryValidatePlugin
+{
+    /**
+     * @var DirectiveValidator
+     */
+    private DirectiveValidator $validator;
+
+    /**
+     * @param DirectiveValidator $validator
+     */
+    public function __construct(DirectiveValidator $validator)
+    {
+        $this->validator = $validator;
+    }
+
+    /**
+     * Validate Cms Page before save
+     *
+     * @param PageRepositoryInterface $subject
+     * @param PageInterface $page
+     * @return PageInterface[]
+     * @throws LocalizedException
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     */
+    public function beforeSave(PageRepositoryInterface $subject, PageInterface $page): array
+    {
+        if (!$this->validator->isValid((string)$page->getContent())) {
+            throw new \Magento\Framework\Exception\LocalizedException(
+                __('CMS page contains invalid content — please review and correct the page.')
+            );
+        }
+        return [$page];
+    }
+}

app/code/Magento/Cms/Test/Unit/Validator/DirectiveValidatorTest.php

@@ -0,0 +1,75 @@
+<?php
+/**
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ */
+declare(strict_types=1);
+
+namespace Vendor\CmsValidate\Test\Unit\Model\Validator;
+
+use Magento\Cms\Model\Validator\DirectiveValidator;
+use PHPUnit\Framework\TestCase;
+
+class DirectiveValidatorTest extends TestCase
+{
+    private DirectiveValidator $validator;
+
+    protected function setUp(): void
+    {
+        $this->validator = new DirectiveValidator();
+    }
+
+    public function testAllowsCleanBlockDirective(): void
+    {
+        $html = '{{block class="Magento\\Customer\\Block\\Form\\Register" name="home.form.customattributes" template="Magento_Customer::form/register.phtml"}}';
+        $this->assertTrue($this->validator->isValid($html));
+    }
+
+    public function testRejectsBlockInsidePre(): void
+    {
+        $html = '<pre class="code-java">{{block class="A\\B" id="x"}}</pre>';
+        $this->assertFalse($this->validator->isValid($html));
+    }
+
+    public function testRejectsHtmlInjectedParams(): void
+    {
+        $html = '{{block class=<span class="code-quote">"A\\B"</span> id="x"}}';
+        $this->assertFalse($this->validator->isValid($html));
+    }
+
+    public function testRequiresClassOrId(): void
+    {
+        $html = '{{block name="only-name"}}';
+        $this->assertFalse($this->validator->isValid($html));
+    }
+
+    public function testInvalidClassCharacters(): void
+    {
+        $html = '{{block class="Bad-Class" id="x"}}';
+        $this->assertFalse($this->validator->isValid($html));
+    }
+
+    public function testValidClassCharacters(): void
+    {
+        $html = '{{block class="Vendor\\Module\\Block\\My_Block" id="x"}}';
+        $this->assertTrue($this->validator->isValid($html));
+    }
+
+    public function testValidTemplateCharacters(): void
+    {
+        $html = '{{block class="A\\B" template="Magento_Customer::form/register.phtml"}}';
+        $this->assertTrue($this->validator->isValid($html));
+    }
+
+    public function testInvalidIdCharacters(): void
+    {
+        $html = '{{block id="bad id"}}';
+        $this->assertFalse($this->validator->isValid($html));
+    }
+
+    public function testValidIdCharacters(): void
+    {
+        $html = '{{block id="good_id-123"}}';
+        $this->assertTrue($this->validator->isValid($html));
+    }
+}

app/code/Magento/Cms/etc/adminhtml/di.xml

@@ -68,4 +68,10 @@
             <argument name="frontendUrlBuilder" xsi:type="object">Magento\Framework\Url</argument>
         </arguments>
     </type>
+    <type name="Magento\Cms\Api\PageRepositoryInterface">
+        <plugin name="vendor_cmsvalidate_page_save" type="Magento\Cms\Plugin\PageRepositoryValidatePlugin" sortOrder="10"/>
+    </type>
+    <type name="Magento\Cms\Api\BlockRepositoryInterface">
+        <plugin name="vendor_cmsvalidate_block_save" type="Magento\Cms\Plugin\BlockRepositoryValidatePlugin" sortOrder="10"/>
+    </type>
 </config>