MC-10871: [Sec] XSS Injection in HTML Code Content Type

- Resolve issue with innerHTML usage
- Resolve issue with HTML code executing in the browser by storing HTML as an encoded string then decoding it on the storefront

Author: davemacaulay

app/code/Magento/PageBuilder/Plugin/Filter/TemplatePlugin.php

@@ -24,6 +24,11 @@ class TemplatePlugin
      */
     private $logger;
 
+    /**
+     * @var \DOMDocument
+     */
+    private $domDocument;
+
     /**
      * @param \Psr\Log\LoggerInterface $logger
      * @param \Magento\Framework\View\ConfigInterface $viewConfig
@@ -37,6 +42,8 @@ public function __construct(
     }
 
     /**
+     * After filter of template data apply transformations
+     *
      * @param \Magento\Framework\Filter\Template $subject
      * @param string $result
      *
@@ -47,48 +54,113 @@ public function afterFilter(\Magento\Framework\Filter\Template $subject, string
     {
         // Validate if the filtered result requires background image processing
         if (strpos($result, self::DATA_BACKGROUND_IMAGE) !== false) {
-            $domDocument = new \DOMDocument('1.0', 'UTF-8');
-            set_error_handler(
-                function ($errorNumber, $errorString) {
-                    throw new \Exception($errorString, $errorNumber);
-                }
-            );
-            $string = mb_convert_encoding($result, 'HTML-ENTITIES', 'UTF-8');
-            $wrapperElementId = uniqid();
-            try {
-                libxml_use_internal_errors(true);
-                $domDocument->loadHTML(
-                    '<html><body id="' . $wrapperElementId . '">' . $string . '</body></html>'
-                );
-                libxml_clear_errors();
-            } catch (\Exception $e) {
-                restore_error_handler();
-                $this->logger->critical($e);
-            }
-            restore_error_handler();
-            $xpath = new \DOMXPath($domDocument);
+            $document = $this->getDomDocument($result);
+            $this->generateBackgroundImageStyles($document);
+        }
 
-            $this->generateBackgroundImageStyles($xpath);
+        // Process any HTML content types, they need to be decoded on the front-end
+        if (strpos($result, 'data-role="html"') !== false) {
+            $document = $this->getDomDocument($result);
+            $this->decodeHtmlContentTypes($document);
+        }
 
+        if (isset($document)) {
             // Match the contents of the body from our generated document
             preg_match(
-                '/<body id="' . $wrapperElementId . '">(.+)<\/body><\/html>$/si',
-                $domDocument->saveHTML(),
+                '/<body>(.+)<\/body><\/html>$/si',
+                $document->saveHTML(),
                 $matches
             );
 
-            return !empty($matches) ? $matches[1] : $result;
+            $result = !empty($matches) ? $matches[1] : $result;
         }
+
         return $result;
     }
 
+    /**
+     * Create a DOM document from a given string
+     *
+     * @param string $html
+     *
+     * @return \DOMDocument
+     */
+    private function getDomDocument(string $html) : \DOMDocument
+    {
+        if (!$this->domDocument) {
+            $this->domDocument = $this->createDomDocument($html);
+        }
+
+        return $this->domDocument;
+    }
+
+    /**
+     * Create a DOMDocument from a string
+     *
+     * @param string $html
+     *
+     * @return \DOMDocument
+     */
+    private function createDomDocument(string $html) : \DOMDocument
+    {
+        $domDocument = new \DOMDocument('1.0', 'UTF-8');
+        set_error_handler(
+            function ($errorNumber, $errorString) {
+                throw new \Exception($errorString, $errorNumber);
+            }
+        );
+        $string = mb_convert_encoding($html, 'HTML-ENTITIES', 'UTF-8');
+        try {
+            libxml_use_internal_errors(true);
+            $domDocument->loadHTML(
+                '<html><body>' . $string . '</body></html>'
+            );
+            libxml_clear_errors();
+        } catch (\Exception $e) {
+            restore_error_handler();
+            $this->logger->critical($e);
+        }
+        restore_error_handler();
+
+        return $domDocument;
+    }
+
+    /**
+     * Decode the contents of any HTML content types for the store front
+     *
+     * @param \DOMDocument $document
+     */
+    private function decodeHtmlContentTypes(\DOMDocument $document): void
+    {
+        $xpath = new \DOMXPath($document);
+        $nodes = $xpath->query('//*[@data-role="html" and not(@data-decoded="true")]');
+        foreach ($nodes as $node) {
+            if (strlen(trim($node->nodeValue)) > 0) {
+                /* @var \DOMElement $node */
+                $fragment = $document->createDocumentFragment();
+                $fragment->appendXML($node->nodeValue);
+                // Store a decoded attribute on the element so we don't double decode
+                $node->setAttribute("data-decoded", "true");
+                $node->nodeValue = "";
+
+                // If the HTML code in the content type is invalid it may throw
+                try {
+                    $node->appendChild($fragment);
+                } catch (\Exception $e) {
+                    $this->logger->critical($e);
+                }
+            }
+        }
+    }
+
     /**
      * Generate the CSS for any background images on the page
      *
-     * @param \DOMXPath $xpath
+     * @param \DOMDocument $document
      */
-    private function generateBackgroundImageStyles(\DOMXPath $xpath) : void
+    private function generateBackgroundImageStyles(\DOMDocument $document) : void
     {
+        $xpath = new \DOMXPath($document);
         $nodes = $xpath->query('//*[@' . self:: DATA_BACKGROUND_IMAGE . ']');
         foreach ($nodes as $node) {
             /* @var \DOMElement $node */
@@ -101,7 +173,7 @@ private function generateBackgroundImageStyles(\DOMXPath $xpath) : void
                         'style',
                         $this->generateCssFromImages($elementClass, $images)
                     );
-                    $style->setAttribute("type", "text/css");
+                    $style->setAttribute('type', 'text/css');
                     $node->parentNode->appendChild($style);
 
                     // Append our new class to the DOM element
@@ -148,14 +220,14 @@ private function generateCssFromImages(string $elementClass, array $images) : st
      */
     private function cssFromArray(array $css) : string
     {
-        $output = "";
+        $output = '';
         foreach ($css as $selector => $body) {
             if (is_array($body)) {
-                $output .= $selector . " {";
+                $output .= $selector . ' {';
                 $output .= $this->cssFromArray($body);
-                $output .= "}";
+                $output .= '}';
             } else {
-                $output .= $selector . ': ' . $body . ";";
+                $output .= $selector . ': ' . $body . ';';
             }
         }
         return $output;
@@ -173,9 +245,9 @@ private function getMobileMediaQuery() : ?string
             'breakpoints/mobile/conditions'
         );
         if ($breakpoints && count($breakpoints) > 0) {
-            $mobileBreakpoint = "@media only screen ";
+            $mobileBreakpoint = '@media only screen ';
             foreach ($breakpoints as $key => $value) {
-                $mobileBreakpoint .= "and (" . $key . ": " . $value . ") ";
+                $mobileBreakpoint .= 'and (' . $key . ': ' . $value . ') ';
             }
             return rtrim($mobileBreakpoint);
         }

app/code/Magento/PageBuilder/view/adminhtml/pagebuilder/content_type/html.xml

@@ -34,7 +34,7 @@
                         <style name="padding" storage_key="margins_and_padding" reader="Magento_PageBuilder/js/property/paddings" converter="Magento_PageBuilder/js/converter/style/paddings"/>
                         <attribute name="name" source="data-role"/>
                         <attribute name="appearance" source="data-appearance"/>
-                        <html name="html"/>
+                        <html name="html" converter="Magento_PageBuilder/js/converter/html/encode"/>
                         <css name="css_classes"/>
                     </element>
                 </elements>

app/code/Magento/PageBuilder/view/adminhtml/ui_component/pagebuilder_html_form.xml

@@ -88,6 +88,7 @@
                 <dataScope>html</dataScope>
                 <dataType>text</dataType>
                 <placeholder translate="true">Enter HTML, CSS or JavaScript code</placeholder>
+                <notice translate="true">HTML code must be valid, all CSS &amp; JavaScript must be wrapped in their HTML elements.</notice>
             </settings>
         </field>
     </fieldset>

app/code/Magento/PageBuilder/view/adminhtml/web/css/source/content-type/html/_default.less

@@ -44,8 +44,8 @@
 }
 
 .admin__font-console {
-    font-family: @font-family__console;
     textarea {
+        font-family: @font-family__console;
         font-size: 14px;
         height: 500px;
         line-height: 22px;

app/code/Magento/PageBuilder/view/adminhtml/web/js/converter/html/encode.js

@@ -5,4 +5,4 @@
  */
 -->
 
-<div attr="data.main.attributes" css="data.main.css" ko-style="data.main.style" html="data.main.html" class="bypass-html-filter"></div>
+<div attr="data.main.attributes" css="data.main.css" ko-style="data.main.style" text="data.main.html" class="bypass-html-filter"></div>

app/code/Magento/PageBuilder/view/adminhtml/web/js/master-format/validator.js

@@ -0,0 +1,36 @@
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+import {DataObject} from "../../data-store";
+import {get} from "../../utils/object";
+import ConverterInterface from "../converter-interface";
+
+/**
+ * @api
+ */
+export default class Encode implements ConverterInterface {
+    /**
+     * Convert value to internal format
+     *
+     * @param {string} value
+     * @returns {string | object}
+     */
+    public fromDom(value: string): string | object {
+        // Convert the encoded string back to HTML without executing
+        const html = new DOMParser().parseFromString(value, "text/html");
+        return html.body.textContent;
+    }
+
+    /**
+     * Convert value to knockout format
+     *
+     * @param {string} name
+     * @param {Object} data
+     * @returns {string}
+     */
+    public toDom(name: string, data: DataObject): string {
+        return get(data, name);
+    }
+}

app/code/Magento/PageBuilder/view/adminhtml/web/js/stage-builder.js

@@ -6,17 +6,14 @@
 import Config from "../config";
 
 /**
- * Validate if content has page builder format
+ * Validate if content has page builder format by checking for any data-role attributes
  *
  * @param {string} content
  * @returns {boolean}
  */
-export default function Validate(content: string) {
-    const stageDocument = document.createElement("div");
-
-    stageDocument.setAttribute(Config.getConfig("dataRoleAttributeName"), "stage");
-    stageDocument.innerHTML = content;
+export default function validate(content: string) {
+    const stageDocument = new DOMParser().parseFromString(content, "text/html");
     return !!stageDocument.querySelector(
-        "[" + Config.getConfig("dataRoleAttributeName") + "=\"row\"]",
+        `[${Config.getConfig("dataRoleAttributeName")}]`,
     );
 }