MC-34385: Filter fields allowing HTML

ogorkun · ogorkun · commit 62ccdbe6226d · 2020-07-23T16:17:26.000-05:00
diff --git a/app/code/Magento/Cms/etc/di.xml b/app/code/Magento/Cms/etc/di.xml
@@ -282,6 +282,8 @@
                 <item name="th" xsi:type="string">th</item>
                 <item name="tfoot" xsi:type="string">tfoot</item>
                 <item name="img" xsi:type="string">img</item>
+                <item name="hr" xsi:type="string">hr</item>
+                <item name="figure" xsi:type="string">figure</item>
             </argument>
             <argument name="allowedAttributes" xsi:type="array">
                 <item name="class" xsi:type="string">class</item>
diff --git a/app/etc/di.xml b/app/etc/di.xml
@@ -1875,7 +1875,9 @@
                 </item>
             </argument>
             <argument name="attributeValidators" xsi:type="array">
-                <item name="style" xsi:type="object">Magento\Framework\Validator\HTML\StyleAttributeValidator</item>
+                <item name="style" xsi:type="array">
+                    <item name="style" xsi:type="object">Magento\Framework\Validator\HTML\StyleAttributeValidator</item>
+                </item>
             </argument>
         </arguments>
     </virtualType>
diff --git a/lib/internal/Magento/Framework/Test/Unit/Validator/HTML/ConfigurableWYSIWYGValidatorTest.php b/lib/internal/Magento/Framework/Test/Unit/Validator/HTML/ConfigurableWYSIWYGValidatorTest.php
@@ -11,6 +11,7 @@
 use Magento\Framework\Validation\ValidationException;
 use Magento\Framework\Validator\HTML\ConfigurableWYSIWYGValidator;
 use Magento\Framework\Validator\HTML\AttributeValidatorInterface;
+use Magento\Framework\Validator\HTML\TagValidatorInterface;
 use PHPUnit\Framework\TestCase;
 
 class ConfigurableWYSIWYGValidatorTest extends TestCase
@@ -23,25 +24,43 @@ class ConfigurableWYSIWYGValidatorTest extends TestCase
     public function getConfigurations(): array
     {
         return [
-            'no-html' => [['div'], [], [], 'just text', true, []],
-            'allowed-tag' => [['div'], [], [], 'just text and <div>a div</div>', true, []],
+            'no-html' => [['div'], [], [], 'just text', true, [], []],
+            'allowed-tag' => [['div'], [], [], 'just text and <div>a div</div>', true, [], []],
             'restricted-tag' => [
                 ['div', 'p'],
                 [],
                 [],
                 'text and <p>a p</p>, <div>a div</div>,  <tr>a tr</tr>',
                 false,
+                [],
+                []
+            ],
+            'restricted-tag-wtih-attr' => [
+                ['div'],
+                [],
+                [],
+                'just text and <p class="fake-class">a p</p>',
+                false,
+                [],
+                []
+            ],
+            'allowed-tag-with-attr' => [
+                ['div'],
+                [],
+                [],
+                'just text and <div class="fake-class">a div</div>',
+                false,
+                [],
                 []
             ],
-            'restricted-tag-wtih-attr' => [['div'], [], [], 'just text and <p class="fake-class">a p</p>', false, []],
-            'allowed-tag-with-attr' => [['div'], [], [], 'just text and <div class="fake-class">a div</div>', false, []],
-            'multiple-tags' => [['div', 'p'], [], [], 'just text and <div>a div</div> and <p>a p</p>', true, []],
+            'multiple-tags' => [['div', 'p'], [], [], 'just text and <div>a div</div> and <p>a p</p>', true, [], []],
             'tags-with-attrs' => [
                 ['div', 'p'],
                 ['class', 'style'],
                 [],
                 'text and <div class="fake-class">a div</div> and <p style="color: blue">a p</p>',
                 true,
+                [],
                 []
             ],
             'tags-with-restricted-attrs' => [
@@ -50,6 +69,7 @@ public function getConfigurations(): array
                 [],
                 'text and <div class="fake-class">a div</div> and <p style="color: blue">a p</p>',
                 false,
+                [],
                 []
             ],
             'tags-with-specific-attrs' => [
@@ -59,6 +79,7 @@ public function getConfigurations(): array
                 '<div class="fake-class" style="color: blue">a div</div>, <a href="/some-path" class="a">an a</a>'
                 .', <p class="p-class">a p</p>',
                 true,
+                [],
                 []
             ],
             'tags-with-specific-restricted-attrs' => [
@@ -67,6 +88,7 @@ public function getConfigurations(): array
                 ['a' => ['href']],
                 'text and <div class="fake-class" href="what">a div</div> and <a href="/some-path" class="a">an a</a>',
                 false,
+                [],
                 []
             ],
             'invalid-tag-with-full-config' => [
@@ -76,6 +98,7 @@ public function getConfigurations(): array
                 '<div class="fake-class" style="color: blue">a div</div>, <a href="/some-path" class="a">an a</a>'
                 .', <p class="p-class">a p</p>, <img src="test.jpg" />',
                 false,
+                [],
                 []
             ],
             'invalid-html' => [
@@ -84,6 +107,7 @@ public function getConfigurations(): array
                 ['a' => ['href'], 'div' => ['style']],
                 'some </,none-> </html>',
                 true,
+                [],
                 []
             ],
             'invalid-html-with-violations' => [
@@ -92,6 +116,7 @@ public function getConfigurations(): array
                 ['a' => ['href'], 'div' => ['style']],
                 'some </,none-> </html> <tr>some trs</tr>',
                 false,
+                [],
                 []
             ],
             'invalid-html-attributes' => [
@@ -100,36 +125,58 @@ public function getConfigurations(): array
                 [],
                 'some <div class="value">DIV</div>',
                 false,
-                ['class' => false]
+                ['class' => false],
+                []
             ],
             'ignored-html-attributes' => [
                 ['div', 'a', 'p'],
                 ['class', 'src'],
                 [],
                 'some <div class="value">DIV</div>',
                 true,
-                ['src' => false, 'class' => true]
+                ['src' => false, 'class' => true],
+                []
             ],
             'valid-html-attributes' => [
                 ['div', 'a', 'p'],
                 ['class', 'src'],
                 [],
                 'some <div class="value">DIV</div>',
                 true,
-                ['src' => true, 'class' => true]
+                ['src' => true, 'class' => true],
+                []
+            ],
+            'invalid-allowed-tag' => [
+                ['div'],
+                ['class', 'src'],
+                [],
+                '<div class="some-class" src="some-src">IS A DIV</div>',
+                false,
+                [],
+                ['div' => ['class' => false]]
+            ],
+            'valid-allowed-tag' => [
+                ['div'],
+                ['class', 'src'],
+                [],
+                '<div class="some-class">IS A DIV</div>',
+                true,
+                [],
+                ['div' => ['src' => false]]
             ]
         ];
     }
 
     /**
      * Test different configurations and content.
      *
-     * @param array $allowedTags
-     * @param array $allowedAttr
-     * @param array $allowedTagAttrs
+     * @param string[] $allowedTags
+     * @param string[] $allowedAttr
+     * @param string[][] $allowedTagAttrs
      * @param string $html
      * @param bool $isValid
-     * @param array $attributeValidityMap
+     * @param bool[] $attributeValidityMap
+     * @param bool[][] $tagValidators
      * @return void
      * @dataProvider getConfigurations
      */
@@ -139,7 +186,8 @@ public function testConfigurations(
         array $allowedTagAttrs,
         string $html,
         bool $isValid,
-        array $attributeValidityMap
+        array $attributeValidityMap,
+        array $tagValidators
     ): void {
         $attributeValidator = $this->getMockForAbstractClass(AttributeValidatorInterface::class);
         $attributeValidator->method('validate')
@@ -152,13 +200,32 @@ function (string $tag, string $attribute, string $content) use ($attributeValidi
             );
         $attrValidators = [];
         foreach (array_keys($attributeValidityMap) as $attr) {
-            $attrValidators[$attr] = $attributeValidator;
+            $attrValidators[$attr] = [$attributeValidator];
+        }
+        $tagValidatorsMocks = [];
+        foreach ($tagValidators as $tag => $allowedAttributes) {
+            $mock = $this->getMockForAbstractClass(TagValidatorInterface::class);
+            $mock->method('validate')
+                ->willReturnCallback(
+                    function (string $givenTag, array $attrs, string $value) use($tag, $allowedAttributes): void {
+                        if ($givenTag !== $tag) {
+                            throw new \RuntimeException();
+                        }
+                        foreach (array_keys($attrs) as $attr) {
+                            if (array_key_exists($attr, $allowedAttributes) && !$allowedAttributes[$attr]) {
+                                throw new ValidationException(__('Invalid tag'));
+                            }
+                        }
+                    }
+                );
+            $tagValidatorsMocks[$tag] = [$mock];
         }
         $validator = new ConfigurableWYSIWYGValidator(
             $allowedTags,
             $allowedAttr,
             $allowedTagAttrs,
-            $attrValidators
+            $attrValidators,
+            $tagValidatorsMocks
         );
         $valid = true;
         try {
diff --git a/lib/internal/Magento/Framework/Validator/HTML/ConfigurableWYSIWYGValidator.php b/lib/internal/Magento/Framework/Validator/HTML/ConfigurableWYSIWYGValidator.php
@@ -31,21 +31,28 @@ class ConfigurableWYSIWYGValidator implements WYSIWYGValidatorInterface
     private $attributesAllowedByTags;
 
     /**
-     * @var AttributeValidatorInterface[]
+     * @var AttributeValidatorInterface[][]
      */
     private $attributeValidators;
 
+    /**
+     * @var TagValidatorInterface[][]
+     */
+    private $tagValidators;
+
     /**
      * @param string[] $allowedTags
      * @param string[] $allowedAttributes
-     * @param string[] $attributesAllowedByTags
-     * @param AttributeValidatorInterface[] $attributeValidators
+     * @param string[][] $attributesAllowedByTags
+     * @param AttributeValidatorInterface[][] $attributeValidators
+     * @param TagValidatorInterface[][] $tagValidators
      */
     public function __construct(
         array $allowedTags,
         array $allowedAttributes = [],
         array $attributesAllowedByTags = [],
-        array $attributeValidators = []
+        array $attributeValidators = [],
+        array $tagValidators = []
     ) {
         if (empty(array_filter($allowedTags))) {
             throw new \InvalidArgumentException('List of allowed HTML tags cannot be empty');
@@ -60,6 +67,7 @@ function (string $tag) use ($allowedTags): bool {
             ARRAY_FILTER_USE_KEY
         );
         $this->attributeValidators = $attributeValidators;
+        $this->tagValidators = $tagValidators;
     }
 
     /**
@@ -73,19 +81,32 @@ public function validate(string $content): void
         $dom = $this->loadHtml($content);
         $xpath = new \DOMXPath($dom);
 
+        $this->validateConfigured($xpath);
+        $this->callDynamicValidators($xpath);
+    }
+
+    /**
+     * Check declarative restrictions
+     *
+     * @param \DOMXPath $xpath
+     * @return void
+     * @throws ValidationException
+     */
+    private function validateConfigured(\DOMXPath $xpath): void
+    {
         //Validating tags
         $found = $xpath->query(
             $query='//*['
-            . implode(
-                ' and ',
-                array_map(
-                    function (string $tag): string {
-                        return "name() != '$tag'";
-                    },
-                    array_merge($this->allowedTags, ['body', 'html'])
+                . implode(
+                    ' and ',
+                    array_map(
+                        function (string $tag): string {
+                            return "name() != '$tag'";
+                        },
+                        array_merge($this->allowedTags, ['body', 'html'])
+                    )
                 )
-            )
-            .']'
+                .']'
         );
         if (count($found)) {
             throw new ValidationException(
@@ -143,17 +164,48 @@ function (string $attribute): string {
                 );
             }
         }
+    }
 
+    /**
+     * Cycle dynamic validators.
+     *
+     * @param \DOMXPath $xpath
+     * @return void
+     * @throws ValidationException
+     */
+    private function callDynamicValidators(\DOMXPath $xpath): void
+    {
         //Validating allowed attributes.
         if ($this->attributeValidators) {
-            foreach ($this->attributeValidators as $attr => $validator) {
+            foreach ($this->attributeValidators as $attr => $validators) {
                 $found = $xpath->query("//@*[name() = '$attr']");
                 foreach ($found as $attribute) {
-                    $validator->validate($attribute->parentNode->tagName, $attribute->name, $attribute->value);
+                    foreach ($validators as $validator) {
+                        $validator->validate($attribute->parentNode->tagName, $attribute->name, $attribute->value);
+                    }
                 }
             }
         }
 
+        //Validating allowed tags
+        if ($this->tagValidators) {
+            foreach ($this->tagValidators as $tag => $validators) {
+                $found = $xpath->query("//*[name() = '$tag']");
+                /** @var \DOMElement $tagNode */
+                foreach ($found as $tagNode) {
+                    $attributes = [];
+                    if ($tagNode->hasAttributes()) {
+                        /** @var \DOMAttr $attributeNode */
+                        foreach ($tagNode->attributes as $attributeNode) {
+                            $attributes[$attributeNode->name] = $attributeNode->value;
+                        }
+                    }
+                    foreach ($validators as $validator) {
+                        $validator->validate($tagNode->tagName, $attributes, $tagNode->textContent, $this);
+                    }
+                }
+            }
+        }
     }
 
     /**
@@ -166,7 +218,6 @@ function (string $attribute): string {
     private function loadHtml(string $content): \DOMDocument
     {
         $dom = new \DOMDocument('1.0', 'UTF-8');
-        $loaded = true;
         set_error_handler(
             function () use (&$loaded) {
                 $loaded = false;
diff --git a/lib/internal/Magento/Framework/Validator/HTML/TagValidatorInterface.php b/lib/internal/Magento/Framework/Validator/HTML/TagValidatorInterface.php
