MC-34385: Filter fields allowing HTML

ogorkun · ogorkun · commit 9b094232f14e · 2020-07-17T15:53:44.000-05:00
diff --git a/app/code/Magento/Cms/Model/Block.php b/app/code/Magento/Cms/Model/Block.php
@@ -6,8 +6,15 @@
 namespace Magento\Cms\Model;
 
 use Magento\Cms\Api\Data\BlockInterface;
+use Magento\Framework\App\ObjectManager;
 use Magento\Framework\DataObject\IdentityInterface;
 use Magento\Framework\Model\AbstractModel;
+use Magento\Framework\Validation\ValidationException;
+use Magento\Framework\Validator\HTML\WYSIWYGValidatorInterface;
+use Magento\Framework\Model\Context;
+use Magento\Framework\Registry;
+use Magento\Framework\Model\ResourceModel\AbstractResource;
+use Magento\Framework\Data\Collection\AbstractDb;
 
 /**
  * CMS block model
@@ -40,6 +47,32 @@ class Block extends AbstractModel implements BlockInterface, IdentityInterface
      */
     protected $_eventPrefix = 'cms_block';
 
+    /**
+     * @var WYSIWYGValidatorInterface
+     */
+    private $wysiwygValidator;
+
+    /**
+     * @param Context $context
+     * @param Registry $registry
+     * @param AbstractResource|null $resource
+     * @param AbstractDb|null $resourceCollection
+     * @param array $data
+     * @param WYSIWYGValidatorInterface|null $wysiwygValidator
+     */
+    public function __construct(
+        Context $context,
+        Registry $registry,
+        AbstractResource $resource = null,
+        AbstractDb $resourceCollection = null,
+        array $data = [],
+        ?WYSIWYGValidatorInterface $wysiwygValidator = null
+    ) {
+        parent::__construct($context, $registry, $resource, $resourceCollection, $data);
+        $this->wysiwygValidator = $wysiwygValidator
+            ?? ObjectManager::getInstance()->get(WYSIWYGValidatorInterface::class);
+    }
+
     /**
      * Construct.
      *
@@ -63,12 +96,26 @@ public function beforeSave()
         }
 
         $needle = 'block_id="' . $this->getId() . '"';
-        if (false == strstr($this->getContent(), (string) $needle)) {
-            return parent::beforeSave();
+        if (strstr($this->getContent(), (string) $needle) !== false) {
+            throw new \Magento\Framework\Exception\LocalizedException(
+                __('Make sure that static block content does not reference the block itself.')
+            );
         }
-        throw new \Magento\Framework\Exception\LocalizedException(
-            __('Make sure that static block content does not reference the block itself.')
-        );
+        parent::beforeSave();
+
+        //Validating HTML content.
+        if ($this->getContent() && $this->getContent() !== $this->getOrigData(self::CONTENT)) {
+            try {
+                $this->wysiwygValidator->validate($this->getContent());
+            } catch (ValidationException $exception) {
+                throw new ValidationException(
+                    __('Content field contains restricted HTML elements. %1', $exception->getMessage()),
+                    $exception
+                );
+            }
+        }
+
+        return $this;
     }
 
     /**
diff --git a/app/code/Magento/Cms/Model/BlockRepository.php b/app/code/Magento/Cms/Model/BlockRepository.php
@@ -17,9 +17,8 @@
 use Magento\Framework\Exception\CouldNotSaveException;
 use Magento\Framework\Exception\NoSuchEntityException;
 use Magento\Framework\Reflection\DataObjectProcessor;
-use Magento\Framework\Validation\ValidationException;
-use Magento\Framework\Validator\HTML\WYSIWYGValidatorInterface;
 use Magento\Store\Model\StoreManagerInterface;
+use Magento\Framework\EntityManager\HydratorInterface;
 
 /**
  * Class BlockRepository
@@ -73,9 +72,9 @@ class BlockRepository implements BlockRepositoryInterface
     private $collectionProcessor;
 
     /**
-     * @var WYSIWYGValidatorInterface
+     * @var HydratorInterface
      */
-    private $wysiwygValidator;
+    private $hydrator;
 
     /**
      * @param ResourceBlock $resource
@@ -87,7 +86,7 @@ class BlockRepository implements BlockRepositoryInterface
      * @param DataObjectProcessor $dataObjectProcessor
      * @param StoreManagerInterface $storeManager
      * @param CollectionProcessorInterface $collectionProcessor
-     * @param WYSIWYGValidatorInterface|null $wysiwygValidator
+     * @param HydratorInterface|null $hydrator
      */
     public function __construct(
         ResourceBlock $resource,
@@ -99,7 +98,7 @@ public function __construct(
         DataObjectProcessor $dataObjectProcessor,
         StoreManagerInterface $storeManager,
         CollectionProcessorInterface $collectionProcessor = null,
-        ?WYSIWYGValidatorInterface $wysiwygValidator = null
+        ?HydratorInterface $hydrator = null
     ) {
         $this->resource = $resource;
         $this->blockFactory = $blockFactory;
@@ -110,46 +109,14 @@ public function __construct(
         $this->dataObjectProcessor = $dataObjectProcessor;
         $this->storeManager = $storeManager;
         $this->collectionProcessor = $collectionProcessor ?: $this->getCollectionProcessor();
-        $this->wysiwygValidator = $wysiwygValidator
-            ?? ObjectManager::getInstance()->get(WYSIWYGValidatorInterface::class);
-    }
-
-    /**
-     * Validate block's content.
-     *
-     * @param Data\BlockInterface|Block $block
-     * @throws CouldNotSaveException
-     * @return void
-     */
-    private function validateHtml(Data\BlockInterface $block): void
-    {
-        $oldContent = null;
-        if ($block->getId()) {
-            if ($block instanceof Block && $block->getOrigData()) {
-                $oldContent = $block->getOrigData(Data\BlockInterface::CONTENT);
-            } else {
-                $oldBlock = $this->getById($block->getId());
-                $oldContent = $oldBlock->getContent();
-            }
-        }
-        if ($block->getContent() && $block->getContent() !== $oldContent) {
-            //Validate HTML content.
-            try {
-                $this->wysiwygValidator->validate($block->getContent());
-            } catch (ValidationException $exception) {
-                throw new CouldNotSaveException(
-                    __('Content HTML has restricted elements. %1', $exception->getMessage()),
-                    $exception
-                );
-            }
-        }
+        $this->hydrator = $hydrator ?? ObjectManager::getInstance()->get(HydratorInterface::class);
     }
 
     /**
      * Save Block data
      *
      * @param \Magento\Cms\Api\Data\BlockInterface $block
-     * @return Block|Data\BlockInterface
+     * @return Block
      * @throws CouldNotSaveException
      */
     public function save(Data\BlockInterface $block)
@@ -158,7 +125,9 @@ public function save(Data\BlockInterface $block)
             $block->setStoreId($this->storeManager->getStore()->getId());
         }
 
-        $this->validateHtml($block);
+        if ($block->getId() && $block instanceof Block && !$block->getOrigData()) {
+            $block = $this->hydrator->hydrate($this->getById($block->getId()), $this->hydrator->extract($block));
+        }
 
         try {
             $this->resource->save($block);
diff --git a/app/code/Magento/Cms/etc/di.xml b/app/code/Magento/Cms/etc/di.xml
@@ -215,6 +215,7 @@
     <type name="Magento\Cms\Model\BlockRepository">
         <arguments>
             <argument name="collectionProcessor" xsi:type="object">Magento\Cms\Model\Api\SearchCriteria\BlockCollectionProcessor</argument>
+            <argument name="hydrator" xsi:type="object">Magento\Framework\EntityManager\AbstractModelHydrator</argument>
         </arguments>
     </type>
 
