AC-9986: wysiwyg editor content validation

mrprabhu92 · mrprabhu92 · commit 020455515a59 · 2024-08-09T21:14:31.000+05:30
diff --git a/app/design/adminhtml/Magento/backend/i18n/en_US.csv b/app/design/adminhtml/Magento/backend/i18n/en_US.csv
@@ -548,3 +548,5 @@ Dashboard,Dashboard
 "Store Email Addresses Section","Store Email Addresses Section"
 "Email to a Friend","Email to a Friend"
 "Invalid data type","Invalid data type"
+"Invalid value provided for attribute %1","Invalid value provided for attribute %1"
+
diff --git a/lib/internal/Magento/Framework/Test/Unit/Validator/HTML/ConfigurableWYSIWYGValidatorTest.php b/lib/internal/Magento/Framework/Test/Unit/Validator/HTML/ConfigurableWYSIWYGValidatorTest.php
@@ -165,6 +165,24 @@ public function getConfigurations(): array
                 true,
                 [],
                 ['div' => ['src' => false]]
+            ],
+            'invalid-allowed-tag-attributes' => [
+                ['a'],
+                ['href'],
+                ['a' => ['href']],
+                '<a href="javascript:alert(1)">a</a>',
+                false,
+                [],
+                []
+            ],
+            'allowed-empty-tag' => [
+                [],
+                [],
+                [],
+                '',
+                false,
+                [],
+                []
             ]
         ];
     }
@@ -224,20 +242,23 @@ function (string $givenTag, array $attrs) use ($tag, $allowedAttributes): void {
                 );
             $tagValidatorsMocks[$tag] = [$mock];
         }
-        $validator = new ConfigurableWYSIWYGValidator(
-            $allowedTags,
-            $allowedAttr,
-            $allowedTagAttrs,
-            $attrValidators,
-            $tagValidatorsMocks
-        );
-        $valid = true;
         try {
-            $validator->validate($html);
-        } catch (ValidationException $exception) {
+            $validator = new ConfigurableWYSIWYGValidator(
+                $allowedTags,
+                $allowedAttr,
+                $allowedTagAttrs,
+                $attrValidators,
+                $tagValidatorsMocks
+            );
+            $valid = true;
+            try {
+                $validator->validate($html);
+            } catch (ValidationException $exception) {
+                $valid = false;
+            }
+        } catch (\InvalidArgumentException $exception) {
             $valid = false;
         }
-
         self::assertEquals($isValid, $valid);
     }
 }
diff --git a/lib/internal/Magento/Framework/Validator/HTML/ConfigurableWYSIWYGValidator.php b/lib/internal/Magento/Framework/Validator/HTML/ConfigurableWYSIWYGValidator.php
@@ -15,6 +15,14 @@
  */
 class ConfigurableWYSIWYGValidator implements WYSIWYGValidatorInterface
 {
+    /**
+     * @var string
+     */
+    private static string $xssFiltrationPattern =
+        '/((javascript(\\\\x3a|:|%3A))|(data(\\\\x3a|:|%3A))|(vbscript:)|(script)|(alert\())|'
+        . '((\\\\x6A\\\\x61\\\\x76\\\\x61\\\\x73\\\\x63\\\\x72\\\\x69\\\\x70\\\\x74(\\\\x3a|:|%3A))|'
+        . '(\\\\x64\\\\x61\\\\x74\\\\x61(\\\\x3a|:|%3A)))/i';
+
     /**
      * @var string[]
      */
@@ -84,6 +92,7 @@ public function validate(string $content): void
         $this->validateConfigured($xpath);
         $this->callAttributeValidators($xpath);
         $this->callTagValidators($xpath);
+        $this->validateAttributeValue($xpath);
     }
 
     /**
@@ -98,16 +107,16 @@ private function validateConfigured(\DOMXPath $xpath): void
         //Validating tags
         $found = $xpath->query(
             '//*['
-                . implode(
-                    ' and ',
-                    array_map(
-                        function (string $tag): string {
-                            return "name() != '$tag'";
-                        },
-                        array_merge($this->allowedTags, ['body', 'html'])
-                    )
+            . implode(
+                ' and ',
+                array_map(
+                    function (string $tag): string {
+                        return "name() != '$tag'";
+                    },
+                    array_merge($this->allowedTags, ['body', 'html'])
                 )
-                .']'
+            )
+            .']'
         );
         if (count($found)) {
             throw new ValidationException(
@@ -242,4 +251,23 @@ function () use (&$loaded) {
 
         return $dom;
     }
+
+    /**
+     * Validate values of html attributes
+     *
+     * @param \DOMXPath $xpath
+     * @return void
+     * @throws ValidationException
+     */
+    private function validateAttributeValue(\DOMXPath $xpath): void
+    {
+        $nodes = $xpath->query('//@*');
+        foreach ($nodes as $node) {
+            if (preg_match(self::$xssFiltrationPattern, $node->parentNode->getAttribute($node->nodeName))) {
+                throw new ValidationException(
+                    __('Invalid value provided for attribute %1', $node->nodeName)
+                );
+            }
+        }
+    }
 }
