
Commit 4dfe552

author
ogorkun
committed
MC-34385: Filter fields allowing HTML
1 parent b48568d commit 4dfe552


2 files changed

+18
-13
lines changed


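--- a/app/code/Magento/PageBuilder/Model/Validator/InnerHtmlValidator.php
+++ b/app/code/Magento/PageBuilder/Model/Validator/InnerHtmlValidator.php
@@ -33,6 +33,7 @@ public function validate(
 return;
 }
 
+// phpcs:ignore Magento2.Functions.DiscouragedFunction
 $recursiveValidator->validate(html_entity_decode($value));
 }
-}
+}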

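--- a/app/code/Magento/PageBuilder/Model/Validator/SrcAttributeValidator.php
+++ b/app/code/Magento/PageBuilder/Model/Validator/SrcAttributeValidator.php
@@ -22,35 +22,39 @@ class SrcAttributeValidator implements AttributeValidatorInterface
 private $allowedHosts;
 
 /**
+* SrcAttributeValidator constructor.
+*
 * @param string[] $allowedHosts
 */
 public function __construct(array $allowedHosts)
 {
 $this->allowedHosts = $allowedHosts;
 }
 
+/**
+* @inheritDoc
+*/
 public function validate(string $tag, string $attributeName, string $value): void
 {
 if ($tag !== 'iframe' || $attributeName !== 'src') {
 return;
 }
 
 if (mb_strpos($value, 'http') !== 0) {
+//Relative link
 return;
 }
+// phpcs:ignore Magento2.Functions.DiscouragedFunction
 $srcHost = parse_url($value, PHP_URL_HOST);
-if ($srcHost && $this->allowedHosts) {
-$srcHostLength = mb_strlen($srcHost);
-$allowed = false;
-foreach ($this->allowedHosts as $host) {
-$hostLength = mb_strlen($host);
-$foundIndex = mb_strpos($srcHost, $host);
-if ($foundIndex !== false && ($foundIndex + $hostLength) === $srcHostLength) {
-$allowed = true;
-break;
-}
-}
-if ($allowed) {
+if (!$srcHost || !$this->allowedHosts) {
+//Either the link is invalid or we do not have the allowed list.
+return;
+}
+$srcHostLength = mb_strlen($srcHost);
+foreach ($this->allowedHosts as $host) {
+$hostLength = mb_strlen($host);
+$foundIndex = mb_strpos($srcHost, $host);
+if ($foundIndex !== false && ($foundIndex + $hostLength) === $srcHostLength) {
 return;
 }
 }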
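Review bot: The allow-list test on new lines 55–57 (`mb_strpos` plus the length equality) is a bare suffix match with no label boundary, so any host whose name merely ends in an allowed entry is accepted — with an allowed `example.com` (constructed example) the host `notexample.com` also passes; the match should require the host to equal the entry or to end in `'.' . $host`. The early return on new lines 43–46 likewise treats every value not starting with the lowercase bytes `http` as a relative link, so a protocol-relative `//host/...` value or an upper-case scheme never reaches the host check at all; deriving the scheme with `parse_url($value, PHP_URL_SCHEME)` and returning early only when both scheme and host are absent would be safer than the prefix test. Host comparison is also case-sensitive here, which only rejects mixed-case spellings of allowed hosts (fail-closed), so it is a usability rather than a security concern. `validate()` continues past the end of the hunk, presumably with the rejection path.
```php
// … unchanged: tag/attribute guard, scheme check, parse_url, empty-host return …
foreach ($this->allowedHosts as $host) {
    // Exact host or a dot-delimited subdomain only; a bare suffix match accepts look-alike hosts.
    if ($srcHost === $host || mb_substr($srcHost, -(mb_strlen($host) + 1)) === '.' . $host) {
        return;
    }
}
```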
