MC-15311: [Sec] PageBuilder XSS Injection Possible Through Block on HTML Code Content Type For CSS Classes Attribute & in TinyMCE

Safely decode outer html on html content types

Author: danmooney2

app/code/Magento/PageBuilder/Plugin/Filter/TemplatePlugin.php

@@ -180,8 +180,27 @@ private function generateDecodedHtmlPlaceholderMappingInDocument(\DOMDocument $d
                 continue;
             }
 
+            // clone html code content type to save reference to its attributes/outerHTML, which we are not going to
+            // decode
+            $clonedHtmlContentTypeNode = clone $htmlContentTypeNode;
+
+            // clear inner contents of cloned node for replacement later with $decodedInnerHtml using sprintf;
+            // we want to retain html content type node and avoid doing any manipulation on it
+            $clonedHtmlContentTypeNode->nodeValue = '%s';
+
+            // remove potentially harmful attributes on html content type node itself
+            while ($htmlContentTypeNode->attributes->length) {
+                $htmlContentTypeNode->removeAttribute($htmlContentTypeNode->attributes->item(0)->name);
+            }
+
+            // decode outerHTML safely
             $preDecodedOuterHtml = $document->saveHTML($htmlContentTypeNode);
-            $decodedOuterHtml = html_entity_decode($preDecodedOuterHtml);
+
+            // clear empty <div> wrapper around outerHTML to replace with $clonedHtmlContentTypeNode
+            $decodedInnerHtml = preg_replace('#^<[^>]*>|</[^>]*>$#', '', html_entity_decode($preDecodedOuterHtml));
+
+            // Use $clonedHtmlContentTypeNode's placeholder to inject decoded inner html
+            $decodedOuterHtml = sprintf($document->saveHTML($clonedHtmlContentTypeNode), $decodedInnerHtml);
 
             // generate unique node name element to replace with decoded html contents at end of processing;
             // goal is to create a document as few times as possible to prevent inadvertent parsing of contents as html

dev/tests/integration/testsuite/Magento/PageBuilder/_files/template_plugin/html_content_type_encoded_content_on_outer_node_post_filter.html

@@ -0,0 +1,3 @@
+<div data-content-type="html" class="&gt;'&gt;&quot;&gt;&lt;img src=x onerror=alert(0)&gt;" data-decoded="true">
+    Nothing to see here
+</div>

dev/tests/integration/testsuite/Magento/PageBuilder/_files/template_plugin/html_content_type_encoded_content_on_outer_node_pre_filter.html

@@ -0,0 +1,3 @@
+<div data-content-type="html" class="&gt;'&gt;&quot;&gt;&lt;img src=x onerror=alert(0)&gt;">
+    Nothing to see here
+</div>