MC-34385: Filter fields allowing HTML

Author: ogorkun

app/code/Magento/Cms/Command/WysiwygRestrictCommand.php

@@ -66,5 +66,7 @@ protected function execute(InputInterface $input, OutputInterface $output)
         $this->cache->cleanType('config');
 
         $output->writeln('HTML user content validation is now ' .($restrictArg === 'y' ? 'enforced' : 'suggested'));
+
+        return 0;
     }
 }

app/code/Magento/Cms/Model/BlockRepository.php

@@ -21,7 +21,7 @@
 use Magento\Framework\EntityManager\HydratorInterface;
 
 /**
- * Class BlockRepository
+ * Default block repo impl.
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  */
 class BlockRepository implements BlockRepositoryInterface
@@ -87,6 +87,8 @@ class BlockRepository implements BlockRepositoryInterface
      * @param StoreManagerInterface $storeManager
      * @param CollectionProcessorInterface $collectionProcessor
      * @param HydratorInterface|null $hydrator
+     *
+     * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
     public function __construct(
         ResourceBlock $resource,
@@ -217,7 +219,7 @@ private function getCollectionProcessor()
     {
         if (!$this->collectionProcessor) {
             $this->collectionProcessor = \Magento\Framework\App\ObjectManager::getInstance()->get(
-                'Magento\Cms\Model\Api\SearchCriteria\BlockCollectionProcessor'
+                \Magento\Cms\Model\Api\SearchCriteria\BlockCollectionProcessor::class
             );
         }
         return $this->collectionProcessor;

app/code/Magento/Cms/Model/Page.php

@@ -23,12 +23,13 @@
  * @method Page setStoreId(int $storeId)
  * @method int getStoreId()
  * @SuppressWarnings(PHPMD.ExcessivePublicCount)
+ * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  * @since 100.0.2
  */
 class Page extends AbstractModel implements PageInterface, IdentityInterface
 {
     /**
-     * No route page id
+     * Page ID for the 404 page.
      */
     const NOROUTE_PAGE_ID = 'no-route';
 
@@ -605,6 +606,8 @@ private function validateNewIdentifier(): void
     /**
      * @inheritdoc
      * @since 101.0.0
+     * @SuppressWarnings(PHPMD.CyclomaticComplexity)
+     * @SuppressWarnings(PHPMD.NPathComplexity)
      */
     public function beforeSave()
     {

lib/internal/Magento/Framework/Test/Unit/Validator/HTML/ConfigurableWYSIWYGValidatorTest.php

@@ -20,6 +20,8 @@ class ConfigurableWYSIWYGValidatorTest extends TestCase
      * Configurations to test.
      *
      * @return array
+     *
+     * @SuppressWarnings(PHPMD.ExcessiveMethodLength)
      */
     public function getConfigurations(): array
     {
@@ -178,7 +180,9 @@ public function getConfigurations(): array
      * @param bool[] $attributeValidityMap
      * @param bool[][] $tagValidators
      * @return void
+     *
      * @dataProvider getConfigurations
+     * @SuppressWarnings(PHPMD.CyclomaticComplexity)
      */
     public function testConfigurations(
         array $allowedTags,
@@ -192,7 +196,7 @@ public function testConfigurations(
         $attributeValidator = $this->getMockForAbstractClass(AttributeValidatorInterface::class);
         $attributeValidator->method('validate')
             ->willReturnCallback(
-                function (string $tag, string $attribute, string $content) use ($attributeValidityMap): void {
+                function (string $tag, string $attribute) use ($attributeValidityMap): void {
                     if (array_key_exists($attribute, $attributeValidityMap) && !$attributeValidityMap[$attribute]) {
                         throw new ValidationException(__('Invalid attribute for %1', $tag));
                     }
@@ -207,7 +211,7 @@ function (string $tag, string $attribute, string $content) use ($attributeValidi
             $mock = $this->getMockForAbstractClass(TagValidatorInterface::class);
             $mock->method('validate')
                 ->willReturnCallback(
-                    function (string $givenTag, array $attrs, string $value) use($tag, $allowedAttributes): void {
+                    function (string $givenTag, array $attrs) use ($tag, $allowedAttributes): void {
                         if ($givenTag !== $tag) {
                             throw new \RuntimeException();
                         }

lib/internal/Magento/Framework/Validator/HTML/ConfigurableWYSIWYGValidator.php

@@ -82,7 +82,8 @@ public function validate(string $content): void
         $xpath = new \DOMXPath($dom);
 
         $this->validateConfigured($xpath);
-        $this->callDynamicValidators($xpath);
+        $this->callAttributeValidators($xpath);
+        $this->callTagValidators($xpath);
     }
 
     /**
@@ -96,7 +97,7 @@ private function validateConfigured(\DOMXPath $xpath): void
     {
         //Validating tags
         $found = $xpath->query(
-            $query='//*['
+            '//*['
                 . implode(
                     ' and ',
                     array_map(
@@ -117,10 +118,11 @@ function (string $tag): string {
         //Validating attributes
         if ($this->attributesAllowedByTags) {
             foreach ($this->allowedTags as $tag) {
-                $allowed = $this->allowedAttributes;
+                $allowed = [$this->allowedAttributes];
                 if (!empty($this->attributesAllowedByTags[$tag])) {
-                    $allowed = array_unique(array_merge($allowed, $this->attributesAllowedByTags[$tag]));
+                    $allowed[] = $this->attributesAllowedByTags[$tag];
                 }
+                $allowed = array_unique(array_merge(...$allowed));
                 $allowedQuery = '';
                 if ($allowed) {
                     $allowedQuery = '['
@@ -167,15 +169,14 @@ function (string $attribute): string {
     }
 
     /**
-     * Cycle dynamic validators.
+     * Validate allowed HTML attributes' content.
      *
      * @param \DOMXPath $xpath
-     * @return void
      * @throws ValidationException
+     * @return void
      */
-    private function callDynamicValidators(\DOMXPath $xpath): void
+    private function callAttributeValidators(\DOMXPath $xpath): void
     {
-        //Validating allowed attributes.
         if ($this->attributeValidators) {
             foreach ($this->attributeValidators as $attr => $validators) {
                 $found = $xpath->query("//@*[name() = '$attr']");
@@ -186,8 +187,17 @@ private function callDynamicValidators(\DOMXPath $xpath): void
                 }
             }
         }
+    }
 
-        //Validating allowed tags
+    /**
+     * Validate allowed tags.
+     *
+     * @param \DOMXPath $xpath
+     * @return void
+     * @throws ValidationException
+     */
+    private function callTagValidators(\DOMXPath $xpath): void
+    {
         if ($this->tagValidators) {
             foreach ($this->tagValidators as $tag => $validators) {
                 $found = $xpath->query("//*[name() = '$tag']");