MC-10871: [Sec] XSS Injection in HTML Code Content Type

- Filter HTML content types and encode their values

Author: davemacaulay

app/code/Magento/PageBuilder/Model/Stage/ScriptFilter.php renamed to app/code/Magento/PageBuilder/Model/Stage/HtmlFilter.php

@@ -11,19 +11,19 @@
 use Psr\Log\LoggerInterface;
 
 /**
- * Filters script tags from stage output
+ * Filters HTML from stage output
  *
  * @api
  */
-class ScriptFilter
+class HtmlFilter
 {
     /**
      * @var LoggerInterface
      */
     private $loggerInterface;
 
     /**
-     * ScriptFilter constructor.
+     * HtmlFilter constructor.
      * @param LoggerInterface $loggerInterface
      */
     public function __construct(
@@ -33,12 +33,12 @@ public function __construct(
     }
 
     /**
-     * Remove script tag from html
+     * Filter HTML text to remove script tags and encode HTML content types
      *
      * @param string $content
      * @return string
      */
-    public function removeScriptTags(string $content): string
+    public function filterHtml(string $content): string
     {
         $dom = new \DOMDocument();
         try {
@@ -49,9 +49,26 @@ public function removeScriptTags(string $content): string
             $this->loggerInterface->critical($e->getMessage());
         }
         libxml_use_internal_errors($previous);
+        // Remove all <script /> tags from output
         foreach (iterator_to_array($dom->getElementsByTagName('script')) as $item) {
             $item->parentNode->removeChild($item);
         }
+        $xpath = new \DOMXPath($dom);
+        $htmlContentTypes = $xpath->query('//*[@data-role="html"]');
+        foreach ($htmlContentTypes as $htmlContentType) {
+            /* @var \DOMElement $htmlContentType */
+            $innerHTML= '';
+            $children = $htmlContentType->childNodes;
+            foreach ($children as $child) {
+                $innerHTML .= $child->ownerDocument->saveXML($child);
+            }
+            $htmlContentType->removeAttribute("data-role");
+            $htmlContentType->setAttribute(
+                "class",
+                $htmlContentType->getAttribute("class") . " placeholder-html-code"
+            );
+            $htmlContentType->nodeValue = htmlentities($innerHTML);
+        }
         return $dom->saveHTML();
     }
 }

app/code/Magento/PageBuilder/Model/Stage/Renderer/CmsStaticBlock.php

@@ -33,28 +33,28 @@ class CmsStaticBlock implements \Magento\PageBuilder\Model\Stage\RendererInterfa
     private $loggerInterface;
 
     /**
-     * @var \Magento\PageBuilder\Model\Stage\ScriptFilter
+     * @var \Magento\PageBuilder\Model\Stage\HtmlFilter
      */
-    private $scriptFilter;
+    private $htmlFilter;
 
     /**
      * CmsStaticBlock constructor.
      *
      * @param \Magento\Cms\Model\ResourceModel\Block\CollectionFactory $blockCollectionFactory
      * @param WidgetDirective $widgetDirectiveRenderer
      * @param LoggerInterface $loggerInterface
-     * @param \Magento\PageBuilder\Model\Stage\ScriptFilter $scriptFilter
+     * @param \Magento\PageBuilder\Model\Stage\HtmlFilter $htmlFilter
      */
     public function __construct(
         \Magento\Cms\Model\ResourceModel\Block\CollectionFactory $blockCollectionFactory,
         WidgetDirective $widgetDirectiveRenderer,
         LoggerInterface $loggerInterface,
-        \Magento\PageBuilder\Model\Stage\ScriptFilter $scriptFilter
+        \Magento\PageBuilder\Model\Stage\HtmlFilter $htmlFilter
     ) {
         $this->blockCollectionFactory = $blockCollectionFactory;
         $this->widgetDirectiveRenderer = $widgetDirectiveRenderer;
         $this->loggerInterface = $loggerInterface;
-        $this->scriptFilter = $scriptFilter;
+        $this->htmlFilter = $htmlFilter;
     }
 
     /**
@@ -96,7 +96,7 @@ public function render(array $params): array
 
         if ($block->isActive()) {
             $directiveResult = $this->widgetDirectiveRenderer->render($params);
-            $result['content'] = $this->scriptFilter->removeScriptTags($directiveResult['content']);
+            $result['content'] = $this->htmlFilter->filterHtml($directiveResult['content']);
         } else {
             $result['error'] = __('Block disabled');
         }