MC-34385: Filter fields allowing HTML

Author: ogorkun

app/code/Magento/Cms/Command/WysiwygRestrictCommand.php

@@ -0,0 +1,70 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Cms\Command;
+
+use Magento\Cms\Model\Wysiwyg\Validator;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputArgument;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+use Magento\Framework\App\Config\ConfigResource\ConfigInterface as ConfigWriter;
+use Magento\Framework\App\Cache\TypeListInterface as Cache;
+
+/**
+ * Command to toggle WYSIWYG content validation on/off.
+ */
+class WysiwygRestrictCommand extends Command
+{
+    /**
+     * @var ConfigWriter
+     */
+    private $configWriter;
+
+    /**
+     * @var Cache
+     */
+    private $cache;
+
+    /**
+     * @param ConfigWriter $configWriter
+     * @param Cache $cache
+     */
+    public function __construct(ConfigWriter $configWriter, Cache $cache)
+    {
+        parent::__construct();
+
+        $this->configWriter = $configWriter;
+        $this->cache = $cache;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    protected function configure()
+    {
+        $this->setName('cms:wysiwyg:restrict');
+        $this->setDescription('Set whether to enforce user HTML content validation or show a warning instead');
+        $this->setDefinition([new InputArgument('restrict', InputArgument::REQUIRED, 'y\n')]);
+
+        parent::configure();
+    }
+
+    /**
+     * @inheritDoc
+     */
+    protected function execute(InputInterface $input, OutputInterface $output)
+    {
+        $restrictArg = mb_strtolower((string)$input->getArgument('restrict'));
+        $restrict = $restrictArg === 'y' ? '1' : '0';
+        $this->configWriter->saveConfig(Validator::CONFIG_PATH_THROW_EXCEPTION, $restrict);
+        $this->cache->cleanType('config');
+
+        $output->writeln('HTML user content validation is now ' .($restrictArg === 'y' ? 'enforced' : 'suggested'));
+    }
+}

app/code/Magento/Cms/Model/Wysiwyg/Validator.php

@@ -0,0 +1,87 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Cms\Model\Wysiwyg;
+
+use Magento\Framework\App\Config\ScopeConfigInterface;
+use Magento\Framework\Message\ManagerInterface;
+use Magento\Framework\Validation\ValidationException;
+use Magento\Framework\Validator\HTML\WYSIWYGValidatorInterface;
+use Psr\Log\LoggerInterface;
+
+/**
+ * Processes backend validator results.
+ */
+class Validator implements WYSIWYGValidatorInterface
+{
+    public const CONFIG_PATH_THROW_EXCEPTION = 'cms/wysiwyg/force_valid';
+
+    /**
+     * @var WYSIWYGValidatorInterface
+     */
+    private $validator;
+
+    /**
+     * @var ManagerInterface
+     */
+    private $messages;
+
+    /**
+     * @var ScopeConfigInterface
+     */
+    private $config;
+
+    /**
+     * @var LoggerInterface
+     */
+    private $logger;
+
+    /**
+     * @param WYSIWYGValidatorInterface $validator
+     * @param ManagerInterface $messages
+     * @param ScopeConfigInterface $config
+     * @param LoggerInterface $logger
+     */
+    public function __construct(
+        WYSIWYGValidatorInterface $validator,
+        ManagerInterface $messages,
+        ScopeConfigInterface $config,
+        LoggerInterface $logger
+    ) {
+        $this->validator = $validator;
+        $this->messages = $messages;
+        $this->config = $config;
+        $this->logger = $logger;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function validate(string $content): void
+    {
+        $throwException = $this->config->isSetFlag(self::CONFIG_PATH_THROW_EXCEPTION);
+        try {
+            $this->validator->validate($content);
+        } catch (ValidationException $exception) {
+            if ($throwException) {
+                throw $exception;
+            } else {
+                $this->messages->addWarningMessage(
+                    __('Temporarily allowed to save restricted HTML value. %1', $exception->getMessage())
+                );
+            }
+        } catch (\Throwable $exception) {
+            if ($throwException) {
+                throw $exception;
+            } else {
+                $this->messages->addWarningMessage(__('Invalid HTML provided')->render());
+                $this->logger->error($exception);
+            }
+        }
+    }
+}

app/code/Magento/Cms/Test/Unit/Model/Wysiwyg/ValidatorTest.php

@@ -0,0 +1,78 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Cms\Test\Unit\Model\Wysiwyg;
+
+use Magento\Cms\Model\Wysiwyg\Validator;
+use Magento\Framework\App\Config\ScopeConfigInterface;
+use Magento\Framework\Message\ManagerInterface;
+use Magento\Framework\Validation\ValidationException;
+use Magento\Framework\Validator\HTML\WYSIWYGValidatorInterface;
+use PHPUnit\Framework\TestCase;
+use Psr\Log\LoggerInterface;
+
+class ValidatorTest extends TestCase
+{
+    /**
+     * Validation cases.
+     *
+     * @return array
+     */
+    public function getValidationCases(): array
+    {
+        return [
+            'invalid-exception' => [true, new ValidationException(__('Invalid html')), true, false],
+            'invalid-warning' => [false, new \RuntimeException('Invalid html'), false, true],
+            'valid' => [false, null, false, false]
+        ];
+    }
+
+    /**
+     * Test validation.
+     *
+     * @param bool $isFlagSet
+     * @param \Throwable|null $thrown
+     * @param bool $exceptionThrown
+     * @param bool $warned
+     * @dataProvider getValidationCases
+     */
+    public function testValidate(bool $isFlagSet, ?\Throwable $thrown, bool $exceptionThrown, bool $warned): void
+    {
+        $actuallyWarned = false;
+
+        $configMock = $this->getMockForAbstractClass(ScopeConfigInterface::class);
+        $configMock->method('isSetFlag')
+            ->with(Validator::CONFIG_PATH_THROW_EXCEPTION)
+            ->willReturn($isFlagSet);
+
+        $backendMock = $this->getMockForAbstractClass(WYSIWYGValidatorInterface::class);
+        if ($thrown) {
+            $backendMock->method('validate')->willThrowException($thrown);
+        }
+
+        $messagesMock = $this->getMockForAbstractClass(ManagerInterface::class);
+        $messagesMock->method('addWarningMessage')
+            ->willReturnCallback(
+                function () use (&$actuallyWarned): void {
+                    $actuallyWarned = true;
+                }
+            );
+
+        $loggerMock = $this->getMockForAbstractClass(LoggerInterface::class);
+
+        $validator = new Validator($backendMock, $messagesMock, $configMock, $loggerMock);
+        try {
+            $validator->validate('content');
+            $actuallyThrown = false;
+        } catch (\Throwable $exception) {
+            $actuallyThrown = true;
+        }
+        $this->assertEquals($exceptionThrown, $actuallyThrown);
+        $this->assertEquals($warned, $actuallyWarned);
+    }
+}

app/code/Magento/Cms/etc/config.xml

@@ -24,6 +24,7 @@
             <wysiwyg>
                 <enabled>enabled</enabled>
                 <editor>mage/adminhtml/wysiwyg/tiny_mce/tinymce4Adapter</editor>
+                <force_valid>0</force_valid>
             </wysiwyg>
         </cms>
         <system>

app/code/Magento/Cms/etc/di.xml

@@ -243,4 +243,10 @@
         </arguments>
     </type>
     <preference for="Magento\Cms\Model\Page\CustomLayoutRepositoryInterface" type="Magento\Cms\Model\Page\CustomLayout\CustomLayoutRepository" />
+    <type name="Magento\Cms\Model\Wysiwyg\Validator">
+        <arguments>
+            <argument name="validator" xsi:type="object">DefaultWYSIWYGValidator</argument>
+        </arguments>
+    </type>
+    <preference for="Magento\Framework\Validator\HTML\WYSIWYGValidatorInterface" type="Magento\Cms\Model\Wysiwyg\Validator" />
 </config>

dev/tests/integration/testsuite/Magento/Cms/Command/WysiwygRestrictCommandTest.php

@@ -0,0 +1,78 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Cms\Command;
+
+use Magento\Cms\Model\Wysiwyg\Validator;
+use Magento\Framework\App\Config\ReinitableConfigInterface;
+use Magento\TestFramework\Helper\Bootstrap;
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\Console\Tester\CommandTester;
+
+/**
+ * Test the command.
+ *
+ * @magentoAppIsolation enabled
+ * @magentoDbIsolation enabled
+ */
+class WysiwygRestrictCommandTest extends TestCase
+{
+    /**
+     * @var ReinitableConfigInterface
+     */
+    private $config;
+
+    /**
+     * @var WysiwygRestrictCommandFactory
+     */
+    private $factory;
+
+    /**
+     * @inheritDoc
+     */
+    protected function setUp(): void
+    {
+        $objectManager = Bootstrap::getObjectManager();
+        $this->config = $objectManager->get(ReinitableConfigInterface::class);
+        $this->factory = $objectManager->get(WysiwygRestrictCommandFactory::class);
+    }
+
+    /**
+     * "Execute" method cases.
+     *
+     * @return array
+     */
+    public function getExecuteCases(): array
+    {
+        return [
+            'yes' => ['y', true],
+            'no' => ['n', false],
+            'no-but-different' => ['what', false]
+        ];
+    }
+
+    /**
+     * Test the command.
+     *
+     * @param string $argument
+     * @param bool $expectedFlag
+     * @return void
+     * @dataProvider getExecuteCases
+     * @magentoConfigFixture default_store cms/wysiwyg/force_valid 0
+     */
+    public function testExecute(string $argument, bool $expectedFlag): void
+    {
+        /** @var WysiwygRestrictCommand $model */
+        $model = $this->factory->create();
+        $tester = new CommandTester($model);
+        $tester->execute(['restrict' => $argument]);
+
+        $this->config->reinit();
+        $this->assertEquals($expectedFlag, $this->config->isSetFlag(Validator::CONFIG_PATH_THROW_EXCEPTION));
+    }
+}