MC-34385: Filter fields allowing HTML

Author: ogorkun

app/code/Magento/PageBuilder/Model/Validator/InnerHtmlValidator.php

@@ -0,0 +1,38 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\PageBuilder\Model\Validator;
+
+use Magento\Framework\Validator\HTML\TagValidatorInterface;
+use Magento\Framework\Validator\HTML\WYSIWYGValidatorInterface;
+
+/**
+ * Validates HTML elements.
+ */
+class InnerHtmlValidator implements TagValidatorInterface
+{
+    private const HTML_TYPE_ATTRIBUTE = 'data-content-type';
+
+    /**
+     * @inheritDoc
+     */
+    public function validate(
+        string $tag,
+        array $attributes,
+        string $value,
+        WYSIWYGValidatorInterface $recursiveValidator
+    ): void {
+        if (!array_key_exists(self::HTML_TYPE_ATTRIBUTE, $attributes)
+            || strtolower($attributes[self::HTML_TYPE_ATTRIBUTE]) !== 'html'
+        ) {
+            return;
+        }
+
+        $recursiveValidator->validate(html_entity_decode($value));
+    }
+}

app/code/Magento/PageBuilder/Model/Validator/SrcAttributeValidator.php

@@ -0,0 +1,60 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\PageBuilder\Model\Validator;
+
+use Magento\Framework\Validation\ValidationException;
+use Magento\Framework\Validator\HTML\AttributeValidatorInterface;
+
+/**
+ * Validates "src" of iframes.
+ */
+class SrcAttributeValidator implements AttributeValidatorInterface
+{
+    /**
+     * @var string[]
+     */
+    private $allowedHosts;
+
+    /**
+     * @param string[] $allowedHosts
+     */
+    public function __construct(array $allowedHosts)
+    {
+        $this->allowedHosts = $allowedHosts;
+    }
+
+    public function validate(string $tag, string $attributeName, string $value): void
+    {
+        if ($tag !== 'iframe' || $attributeName !== 'src') {
+            return;
+        }
+
+        if (mb_strpos($value, 'http') !== 0) {
+            return;
+        }
+        $srcHost = parse_url($value, PHP_URL_HOST);
+        if ($srcHost && $this->allowedHosts) {
+            $srcHostLength = mb_strlen($srcHost);
+            $allowed = false;
+            foreach ($this->allowedHosts as $host) {
+                $hostLength = mb_strlen($host);
+                $foundIndex = mb_strpos($srcHost, $host);
+                if ($foundIndex !== false && ($foundIndex + $hostLength) === $srcHostLength) {
+                    $allowed = true;
+                    break;
+                }
+            }
+            if ($allowed) {
+                return;
+            }
+        }
+
+        throw new ValidationException(__('Invalid IFRAME source provided'));
+    }
+}

app/code/Magento/PageBuilder/etc/di.xml

@@ -338,4 +338,77 @@
             <argument name="instanceName" xsi:type="string">Magento\PageBuilder\Model\Dom\HtmlDocument</argument>
         </arguments>
     </virtualType>
+    <type name="Magento\PageBuilder\Model\Validator\SrcAttributeValidator">
+        <arguments>
+            <argument name="allowedHosts" xsi:type="array">
+                <item name="youtube" xsi:type="string">youtube.com</item>
+                <item name="vimeo" xsi:type="string">vimeo.com</item>
+            </argument>
+        </arguments>
+    </type>
+    <virtualType name="DefaultWYSIWYGValidator">
+        <arguments>
+            <argument name="allowedTags" xsi:type="array">
+                <item name="iframe" xsi:type="string">iframe</item>
+            </argument>
+            <argument name="allowedAttributes" xsi:type="array">
+                <item name="data-content-type" xsi:type="string">data-content-type</item>
+                <item name="data-appearance" xsi:type="string">data-appearance</item>
+                <item name="data-element" xsi:type="string">data-element</item>
+                <item name="data-enable-parallax" xsi:type="string">data-enable-parallax</item>
+                <item name="data-parallax-speed" xsi:type="string">data-parallax-speed</item>
+                <item name="data-background-images" xsi:type="string">data-background-images</item>
+                <item name="data-background-type" xsi:type="string">data-background-type</item>
+                <item name="data-video-loop" xsi:type="string">data-video-loop</item>
+                <item name="data-video-play-only-visible" xsi:type="string">data-video-play-only-visible</item>
+                <item name="data-video-lazy-load" xsi:type="string">data-video-lazy-load</item>
+                <item name="data-video-fallback-src" xsi:type="string">data-video-fallback-src</item>
+                <item name="style" xsi:type="string">style</item>
+                <item name="class" xsi:type="string">class</item>
+                <item name="data-grid-size" xsi:type="string">data-grid-size</item>
+                <item name="data-active-tab" xsi:type="string">data-active-tab</item>
+                <item name="role" xsi:type="string">role</item>
+                <item name="href" xsi:type="string">href</item>
+                <item name="data-tab-name" xsi:type="string">data-tab-name</item>
+                <item name="id" xsi:type="string">id</item>
+                <item name="data-same-width" xsi:type="string">data-same-width</item>
+                <item name="target" xsi:type="string">target</item>
+                <item name="data-link-type" xsi:type="string">data-link-type</item>
+                <item name="alt" xsi:type="string">alt</item>
+                <item name="title" xsi:type="string">title</item>
+                <item name="data-show-button" xsi:type="string">data-show-button</item>
+                <item name="data-show-overlay" xsi:type="string">data-show-overlay</item>
+                <item name="data-overlay-color" xsi:type="string">data-overlay-color</item>
+                <item name="data-autoplay" xsi:type="string">data-autoplay</item>
+                <item name="data-autoplay-speed" xsi:type="string">data-autoplay-speed</item>
+                <item name="data-fade" xsi:type="string">data-fade</item>
+                <item name="data-infinite-loop" xsi:type="string">data-infinite-loop</item>
+                <item name="data-show-arrows" xsi:type="string">data-show-arrows</item>
+                <item name="data-show-dots" xsi:type="string">data-show-dots</item>
+                <item name="data-slide-name" xsi:type="string">data-slide-name</item>
+                <item name="data-show-controls" xsi:type="string">data-show-controls</item>
+                <item name="data-locations" xsi:type="string">data-locations</item>
+            </argument>
+            <argument name="attributesAllowedByTags" xsi:type="array">
+                <item name="a" xsi:type="array">
+                    <item name="target" xsi:type="string">target</item>
+                </item>
+                <item name="iframe" xsi:type="array">
+                    <item name="src" xsi:type="string">src</item>
+                    <item name="frameborder" xsi:type="string">frameborder</item>
+                    <item name="allowfullscreen" xsi:type="string">allowfullscreen</item>
+                </item>
+            </argument>
+            <argument name="attributeValidators" xsi:type="array">
+                <item name="src" xsi:type="array">
+                    <item name="iframe-src" xsi:type="object">Magento\PageBuilder\Model\Validator\SrcAttributeValidator</item>
+                </item>
+            </argument>
+            <argument name="tagValidators" xsi:type="array">
+                <item name="div" xsi:type="array">
+                    <item name="html" xsi:type="object">Magento\PageBuilder\Model\Validator\InnerHtmlValidator</item>
+                </item>
+            </argument>
+        </arguments>
+    </virtualType>
 </config>