Merge branch 'MC-10871-xss-html-code' into cms-team-1-delivery

Author: davemacaulay

app/code/Magento/PageBuilder/Controller/ContentType/Preview.php

@@ -9,12 +9,17 @@
 namespace Magento\PageBuilder\Controller\ContentType;
 
 use Magento\Framework\Controller\ResultFactory;
+use Magento\Framework\App\Action\HttpPostActionInterface;
 
 /**
  * Preview controller to render blocks preview on Stage
+ *
+ * This isn't placed within the adminhtml folder as it has to extend from the front-end controllers app action to
+ * ensure the content is rendered in the storefront scope.
+ *
  * @api
  */
-class Preview extends \Magento\Framework\App\Action\Action
+class Preview extends \Magento\Framework\App\Action\Action implements HttpPostActionInterface
 {
     /**
      * @var \Magento\PageBuilder\Model\Stage\RendererPool

app/code/Magento/PageBuilder/Model/Stage/ScriptFilter.php renamed to app/code/Magento/PageBuilder/Model/Stage/HtmlFilter.php

@@ -11,19 +11,19 @@
 use Psr\Log\LoggerInterface;
 
 /**
- * Filters script tags from stage output
+ * Filters HTML from stage output
  *
  * @api
  */
-class ScriptFilter
+class HtmlFilter
 {
     /**
      * @var LoggerInterface
      */
     private $loggerInterface;
 
     /**
-     * ScriptFilter constructor.
+     * HtmlFilter constructor.
      * @param LoggerInterface $loggerInterface
      */
     public function __construct(
@@ -33,12 +33,12 @@ public function __construct(
     }
 
     /**
-     * Remove script tag from html
+     * Filter HTML text to remove script tags and encode HTML content types
      *
      * @param string $content
      * @return string
      */
-    public function removeScriptTags(string $content): string
+    public function filterHtml(string $content): string
     {
         $dom = new \DOMDocument();
         try {
@@ -49,9 +49,25 @@ public function removeScriptTags(string $content): string
             $this->loggerInterface->critical($e->getMessage());
         }
         libxml_use_internal_errors($previous);
+        // Remove all <script /> tags from output
         foreach (iterator_to_array($dom->getElementsByTagName('script')) as $item) {
             $item->parentNode->removeChild($item);
         }
+        $xpath = new \DOMXPath($dom);
+        $htmlContentTypes = $xpath->query('//*[@data-role="html" and not(contains(@class, "placeholder-html-code"))]');
+        foreach ($htmlContentTypes as $htmlContentType) {
+            /* @var \DOMElement $htmlContentType */
+            $innerHTML= '';
+            $children = $htmlContentType->childNodes;
+            foreach ($children as $child) {
+                $innerHTML .= $child->ownerDocument->saveXML($child);
+            }
+            $htmlContentType->setAttribute(
+                "class",
+                $htmlContentType->getAttribute("class") . " placeholder-html-code"
+            );
+            $htmlContentType->nodeValue = htmlentities($innerHTML);
+        }
         return $dom->saveHTML();
     }
 }

app/code/Magento/PageBuilder/Model/Stage/Renderer/CmsStaticBlock.php

@@ -33,28 +33,28 @@ class CmsStaticBlock implements \Magento\PageBuilder\Model\Stage\RendererInterfa
     private $loggerInterface;
 
     /**
-     * @var \Magento\PageBuilder\Model\Stage\ScriptFilter
+     * @var \Magento\PageBuilder\Model\Stage\HtmlFilter
      */
-    private $scriptFilter;
+    private $htmlFilter;
 
     /**
      * CmsStaticBlock constructor.
      *
      * @param \Magento\Cms\Model\ResourceModel\Block\CollectionFactory $blockCollectionFactory
      * @param WidgetDirective $widgetDirectiveRenderer
      * @param LoggerInterface $loggerInterface
-     * @param \Magento\PageBuilder\Model\Stage\ScriptFilter $scriptFilter
+     * @param \Magento\PageBuilder\Model\Stage\HtmlFilter $htmlFilter
      */
     public function __construct(
         \Magento\Cms\Model\ResourceModel\Block\CollectionFactory $blockCollectionFactory,
         WidgetDirective $widgetDirectiveRenderer,
         LoggerInterface $loggerInterface,
-        \Magento\PageBuilder\Model\Stage\ScriptFilter $scriptFilter
+        \Magento\PageBuilder\Model\Stage\HtmlFilter $htmlFilter
     ) {
         $this->blockCollectionFactory = $blockCollectionFactory;
         $this->widgetDirectiveRenderer = $widgetDirectiveRenderer;
         $this->loggerInterface = $loggerInterface;
-        $this->scriptFilter = $scriptFilter;
+        $this->htmlFilter = $htmlFilter;
     }
 
     /**
@@ -96,7 +96,7 @@ public function render(array $params): array
 
         if ($block->isActive()) {
             $directiveResult = $this->widgetDirectiveRenderer->render($params);
-            $result['content'] = $this->scriptFilter->removeScriptTags($directiveResult['content']);
+            $result['content'] = $this->htmlFilter->filterHtml($directiveResult['content']);
         } else {
             $result['error'] = __('Block disabled');
         }

app/code/Magento/PageBuilder/Plugin/Filter/TemplatePlugin.php

@@ -24,6 +24,11 @@ class TemplatePlugin
      */
     private $logger;
 
+    /**
+     * @var \DOMDocument
+     */
+    private $domDocument;
+
     /**
      * @param \Psr\Log\LoggerInterface $logger
      * @param \Magento\Framework\View\ConfigInterface $viewConfig
@@ -37,6 +42,8 @@ public function __construct(
     }
 
     /**
+     * After filter of template data apply transformations
+     *
      * @param \Magento\Framework\Filter\Template $subject
      * @param string $result
      *
@@ -45,50 +52,118 @@ public function __construct(
      */
     public function afterFilter(\Magento\Framework\Filter\Template $subject, string $result) : string
     {
+        $this->domDocument = false;
+
         // Validate if the filtered result requires background image processing
         if (strpos($result, self::DATA_BACKGROUND_IMAGE) !== false) {
-            $domDocument = new \DOMDocument('1.0', 'UTF-8');
-            set_error_handler(
-                function ($errorNumber, $errorString) {
-                    throw new \Exception($errorString, $errorNumber);
-                }
-            );
-            $string = mb_convert_encoding($result, 'HTML-ENTITIES', 'UTF-8');
-            $wrapperElementId = uniqid();
-            try {
-                libxml_use_internal_errors(true);
-                $domDocument->loadHTML(
-                    '<html><body id="' . $wrapperElementId . '">' . $string . '</body></html>'
-                );
-                libxml_clear_errors();
-            } catch (\Exception $e) {
-                restore_error_handler();
-                $this->logger->critical($e);
-            }
-            restore_error_handler();
-            $xpath = new \DOMXPath($domDocument);
+            $document = $this->getDomDocument($result);
+            $this->generateBackgroundImageStyles($document);
+        }
 
-            $this->generateBackgroundImageStyles($xpath);
+        // Process any HTML content types, they need to be decoded on the front-end
+        if (strpos($result, 'data-role="html"') !== false) {
+            $document = $this->getDomDocument($result);
+            $this->decodeHtmlContentTypes($document);
+        }
 
+        // If a document was retrieved we've modified the output so need to retrieve it from within the document
+        if (isset($document)) {
             // Match the contents of the body from our generated document
             preg_match(
-                '/<body id="' . $wrapperElementId . '">(.+)<\/body><\/html>$/si',
-                $domDocument->saveHTML(),
+                '/<body>(.+)<\/body><\/html>$/si',
+                $document->saveHTML(),
                 $matches
             );
 
             return !empty($matches) ? $matches[1] : $result;
         }
+
         return $result;
     }
 
+    /**
+     * Create a DOM document from a given string
+     *
+     * @param string $html
+     *
+     * @return \DOMDocument
+     */
+    private function getDomDocument(string $html) : \DOMDocument
+    {
+        if (!$this->domDocument) {
+            $this->domDocument = $this->createDomDocument($html);
+        }
+
+        return $this->domDocument;
+    }
+
+    /**
+     * Create a DOMDocument from a string
+     *
+     * @param string $html
+     *
+     * @return \DOMDocument
+     */
+    private function createDomDocument(string $html) : \DOMDocument
+    {
+        $domDocument = new \DOMDocument('1.0', 'UTF-8');
+        set_error_handler(
+            function ($errorNumber, $errorString) {
+                throw new \Exception($errorString, $errorNumber);
+            }
+        );
+        $string = mb_convert_encoding($html, 'HTML-ENTITIES', 'UTF-8');
+        try {
+            libxml_use_internal_errors(true);
+            $domDocument->loadHTML(
+                '<html><body>' . $string . '</body></html>'
+            );
+            libxml_clear_errors();
+        } catch (\Exception $e) {
+            restore_error_handler();
+            $this->logger->critical($e);
+        }
+        restore_error_handler();
+
+        return $domDocument;
+    }
+
+    /**
+     * Decode the contents of any HTML content types for the store front
+     *
+     * @param \DOMDocument $document
+     */
+    private function decodeHtmlContentTypes(\DOMDocument $document): void
+    {
+        $xpath = new \DOMXPath($document);
+        $nodes = $xpath->query('//*[@data-role="html" and not(@data-decoded="true")]');
+        foreach ($nodes as $node) {
+            if (strlen(trim($node->nodeValue)) > 0) {
+                /* @var \DOMElement $node */
+                $fragment = $document->createDocumentFragment();
+                $fragment->appendXML($node->nodeValue);
+                // Store a decoded attribute on the element so we don't double decode
+                $node->setAttribute("data-decoded", "true");
+                $node->nodeValue = "";
+
+                // If the HTML code in the content type is invalid it may throw
+                try {
+                    $node->appendChild($fragment);
+                } catch (\Exception $e) {
+                    $this->logger->critical($e);
+                }
+            }
+        }
+    }
+
     /**
      * Generate the CSS for any background images on the page
      *
-     * @param \DOMXPath $xpath
+     * @param \DOMDocument $document
      */
-    private function generateBackgroundImageStyles(\DOMXPath $xpath) : void
+    private function generateBackgroundImageStyles(\DOMDocument $document) : void
     {
+        $xpath = new \DOMXPath($document);
         $nodes = $xpath->query('//*[@' . self:: DATA_BACKGROUND_IMAGE . ']');
         foreach ($nodes as $node) {
             /* @var \DOMElement $node */
@@ -101,7 +176,7 @@ private function generateBackgroundImageStyles(\DOMXPath $xpath) : void
                         'style',
                         $this->generateCssFromImages($elementClass, $images)
                     );
-                    $style->setAttribute("type", "text/css");
+                    $style->setAttribute('type', 'text/css');
                     $node->parentNode->appendChild($style);
 
                     // Append our new class to the DOM element
@@ -148,14 +223,14 @@ private function generateCssFromImages(string $elementClass, array $images) : st
      */
     private function cssFromArray(array $css) : string
     {
-        $output = "";
+        $output = '';
         foreach ($css as $selector => $body) {
             if (is_array($body)) {
-                $output .= $selector . " {";
+                $output .= $selector . ' {';
                 $output .= $this->cssFromArray($body);
-                $output .= "}";
+                $output .= '}';
             } else {
-                $output .= $selector . ': ' . $body . ";";
+                $output .= $selector . ': ' . $body . ';';
             }
         }
         return $output;
@@ -173,9 +248,9 @@ private function getMobileMediaQuery() : ?string
             'breakpoints/mobile/conditions'
         );
         if ($breakpoints && count($breakpoints) > 0) {
-            $mobileBreakpoint = "@media only screen ";
+            $mobileBreakpoint = '@media only screen ';
             foreach ($breakpoints as $key => $value) {
-                $mobileBreakpoint .= "and (" . $key . ": " . $value . ") ";
+                $mobileBreakpoint .= 'and (' . $key . ': ' . $value . ') ';
             }
             return rtrim($mobileBreakpoint);
         }

app/code/Magento/PageBuilder/Test/Mftf/Section/PageBuilderBlockSection.xml

@@ -9,7 +9,7 @@
 <sections xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:noNamespaceSchemaLocation="urn:magento:mftf:Page/etc/SectionObject.xsd">
     <section name="BlockOnStage">
-        <element name="html" type="text" selector="((//div[contains(@class,'pagebuilder-block')])[{{arg1}}]//div[contains(@data-bind,'html: data.main.html')])[{{arg2}}]//a[contains(@class,'pagebuilder-button-primary')]" parameterized="true"/>
+        <element name="html" type="text" selector="((//div[contains(@class,'pagebuilder-block')])[{{arg1}}]//div[contains(@data-bind,'html: data.main.html')])[{{arg2}}]//div[contains(@class,'placeholder-html-code')]" parameterized="true"/>
         <element name="status" type="text" selector="((//div[contains(@class,'pagebuilder-block')])[{{arg1}}]//span[contains(@class,'placeholder') and text()='{{arg}}'])" parameterized="true"/>
         <element name="deleted" type="text" selector="((//div[contains(@class,'pagebuilder-block')])[{{arg1}}]//span[contains(@class,'placeholder') and contains(text(),'Block with ID: {{arg}} doesn')])" parameterized="true"/>
         <element name="title" type="text" selector="(//div[contains(@class,'pagebuilder-block')])[{{arg1}}]//div[contains(@class,'pagebuilder-options-wrapper')]//div[contains(@class,'option-title') and text()='{{arg}}']" parameterized="true"/>

app/code/Magento/PageBuilder/Test/Mftf/Test/AdminPageBuilderBlockTest.xml

@@ -172,7 +172,7 @@
         <comment userInput="Validate stage after updating block" stepKey="validateStage2" />
         <actionGroup ref="switchToPageBuilderStage" stepKey="switchToPageBuilderStage"/>
         <waitForElementVisible selector="{{HtmlOnStage.base('1')}}" stepKey="waitForHtmlBaseStage1"/>
-        <waitForElementVisible selector="{{BlockOnStage.html('1', '1')}}" stepKey="waitForHtmlStage1"/>
+        <see selector="{{BlockOnStage.html('1', '1')}}" userInput="{{PageBuilderHtmlPropertyButton.value}}" stepKey="waitForHtmlStage1"/>
         <actionGroup ref="ClearCacheActionGroup" stepKey="clearMagentoCache"/>
         <!-- Validate Storefront -->
         <comment userInput="Validate storefront after updating block" stepKey="validateStorefront2" />

app/code/Magento/PageBuilder/view/adminhtml/pagebuilder/content_type/html.xml

@@ -34,7 +34,7 @@
                         <style name="padding" storage_key="margins_and_padding" reader="Magento_PageBuilder/js/property/paddings" converter="Magento_PageBuilder/js/converter/style/paddings"/>
                         <attribute name="name" source="data-role"/>
                         <attribute name="appearance" source="data-appearance"/>
-                        <html name="html"/>
+                        <html name="html" converter="Magento_PageBuilder/js/converter/html/decode"/>
                         <css name="css_classes"/>
                     </element>
                 </elements>

app/code/Magento/PageBuilder/view/adminhtml/ui_component/pagebuilder_html_form.xml

@@ -88,6 +88,7 @@
                 <dataScope>html</dataScope>
                 <dataType>text</dataType>
                 <placeholder translate="true">Enter HTML, CSS or JavaScript code</placeholder>
+                <notice translate="true">HTML code must be valid, all CSS &amp; JavaScript must be wrapped in their HTML elements.</notice>
             </settings>
         </field>
     </fieldset>