Merge remote-tracking branch 'origin/2.3.7-develop' into HEAD

Author: Mark Berube

app/code/Magento/Catalog/Controller/Adminhtml/Product/Gallery/Upload.php

@@ -11,7 +11,7 @@
 use Magento\Framework\Exception\LocalizedException;
 
 /**
- * Class Upload
+ * Class Upload image(s)
  */
 class Upload extends \Magento\Backend\App\Action implements HttpPostActionInterface
 {
@@ -108,8 +108,10 @@ public function execute()
 
             $result['url'] = $this->productMediaConfig->getTmpMediaUrl($result['file']);
             $result['file'] = $result['file'] . '.tmp';
-        } catch (\Exception $e) {
+        } catch (LocalizedException $e) {
             $result = ['error' => $e->getMessage(), 'errorcode' => $e->getCode()];
+        } catch (\Throwable $e) {
+            $result = ['error' => 'Something went wrong while saving the file(s).', 'errorcode' => 0];
         }
 
         /** @var \Magento\Framework\Controller\Result\Raw $response */

app/code/Magento/Catalog/Model/Attribute/Backend/DefaultBackend.php

@@ -0,0 +1,96 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Catalog\Model\Attribute\Backend;
+
+use Magento\Catalog\Model\AbstractModel;
+use Magento\Catalog\Model\ResourceModel\Eav\Attribute;
+use Magento\Eav\Model\Entity\Attribute\Backend\DefaultBackend as ParentBackend;
+use Magento\Eav\Model\Entity\Attribute\Exception;
+use Magento\Framework\DataObject;
+use Magento\Framework\Exception\LocalizedException;
+use Magento\Framework\Validation\ValidationException;
+use Magento\Framework\Validator\HTML\WYSIWYGValidatorInterface;
+
+/**
+ * Default backend model for catalog attributes.
+ */
+class DefaultBackend extends ParentBackend
+{
+    /**
+     * @var WYSIWYGValidatorInterface
+     */
+    private $wysiwygValidator;
+
+    /**
+     * @param WYSIWYGValidatorInterface $wysiwygValidator
+     */
+    public function __construct(WYSIWYGValidatorInterface $wysiwygValidator)
+    {
+        $this->wysiwygValidator = $wysiwygValidator;
+    }
+
+    /**
+     * Validate user HTML value.
+     *
+     * @param DataObject $object
+     * @return void
+     * @throws LocalizedException
+     */
+    private function validateHtml(DataObject $object): void
+    {
+        $attribute = $this->getAttribute();
+        $code = $attribute->getAttributeCode();
+        if ($attribute instanceof Attribute && $attribute->getIsHtmlAllowedOnFront()) {
+            $value = $object->getData($code);
+            if ($value
+                && is_string($value)
+                && (!($object instanceof AbstractModel) || $object->getData($code) !== $object->getOrigData($code))
+            ) {
+                try {
+                    $this->wysiwygValidator->validate($object->getData($code));
+                } catch (ValidationException $exception) {
+                    $attributeException = new Exception(
+                        __(
+                            'Using restricted HTML elements for "%1". %2',
+                            $attribute->getName(),
+                            $exception->getMessage()
+                        ),
+                        $exception
+                    );
+                    $attributeException->setAttributeCode($code)->setPart('backend');
+                    throw $attributeException;
+                }
+            }
+        }
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function beforeSave($object)
+    {
+        parent::beforeSave($object);
+        $this->validateHtml($object);
+
+        return $this;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function validate($object)
+    {
+        $isValid = parent::validate($object);
+        if ($isValid) {
+            $this->validateHtml($object);
+        }
+
+        return $isValid;
+    }
+}

app/code/Magento/Catalog/Model/Product/Gallery/UpdateHandler.php

@@ -34,12 +34,10 @@ protected function processDeletedImages($product, array &$images)
         foreach ($images as &$image) {
             if (!empty($image['removed'])) {
                 if (!empty($image['value_id'])) {
-                    if (preg_match('/\.\.(\\\|\/)/', $image['file'])) {
-                        continue;
-                    }
                     $recordsToDelete[] = $image['value_id'];
                     $catalogPath = $this->mediaConfig->getBaseMediaPath();
-                    $isFile = $this->mediaDirectory->isFile($catalogPath . $image['file']);
+                    $filePath = $this->mediaDirectory->getRelativePath($catalogPath . $image['file']);
+                    $isFile = $this->mediaDirectory->isFile($filePath);
                     // only delete physical files if they are not used by any other products and if this file exist
                     if ($isFile && !($this->resourceModel->countImageUses($image['file']) > 1)) {
                         $filesToDelete[] = ltrim($image['file'], '/');
@@ -116,6 +114,7 @@ protected function extractStoreIds($product)
      *
      * @param array $files
      * @return null
+     * @throws \Magento\Framework\Exception\FileSystemException
      * @since 101.0.0
      */
     protected function removeDeletedImages(array $files)
@@ -125,5 +124,7 @@ protected function removeDeletedImages(array $files)
         foreach ($files as $filePath) {
             $this->mediaDirectory->delete($catalogPath . '/' . $filePath);
         }
+
+        return null;
     }
 }

app/code/Magento/Catalog/Model/ResourceModel/Eav/Attribute.php

@@ -6,7 +6,9 @@
 
 namespace Magento\Catalog\Model\ResourceModel\Eav;
 
+use Magento\Catalog\Model\Attribute\Backend\DefaultBackend;
 use Magento\Catalog\Model\Attribute\LockValidatorInterface;
+use Magento\Eav\Model\Entity;
 use Magento\Framework\Api\AttributeValueFactory;
 use Magento\Framework\Exception\LocalizedException;
 use Magento\Framework\Stdlib\DateTime\DateTimeFormatterInterface;
@@ -903,4 +905,17 @@ public function setIsFilterableInGrid($isFilterableInGrid)
         $this->setData(self::IS_FILTERABLE_IN_GRID, $isFilterableInGrid);
         return $this;
     }
+
+    /**
+     * @inheritDoc
+     */
+    protected function _getDefaultBackendModel()
+    {
+        $backend = parent::_getDefaultBackendModel();
+        if ($backend === Entity::DEFAULT_BACKEND_MODEL) {
+            $backend = DefaultBackend::class;
+        }
+
+        return $backend;
+    }
 }

app/code/Magento/Catalog/Test/Mftf/ActionGroup/AdminSaveCategoryFormActionGroup.xml

@@ -17,6 +17,7 @@
         <scrollToTopOfPage stepKey="scrollToTopOfTheCategoryPage"/>
         <click selector="{{AdminMainActionsSection.save}}" stepKey="saveCategory"/>
         <waitForElementVisible selector="{{AdminMessagesSection.success}}" stepKey="waitForSuccessMessageAppears"/>
+        <dontSee selector="{{AdminCategoryMessagesSection.saveCategoryWarningMessage}}" stepKey="dontSeeWarningMessage"/>
         <see userInput="You saved the category." selector="{{AdminMessagesSection.success}}" stepKey="assertSuccessMessage"/>
     </actionGroup>
 </actionGroups>

app/code/Magento/Catalog/Test/Mftf/ActionGroup/SaveProductFormActionGroup.xml

@@ -17,6 +17,7 @@
         <waitForElementVisible selector="{{AdminProductFormActionSection.saveButton}}" stepKey="waitForSaveProductButton"/>
         <click selector="{{AdminProductFormActionSection.saveButton}}" stepKey="clickSaveProduct"/>
         <waitForElementVisible selector="{{AdminMessagesSection.success}}" stepKey="waitProductSaveSuccessMessage"/>
+        <dontSee selector="{{AdminProductMessagesSection.saveProductWarningMessage}}" stepKey="dontSeeWarningMessage"/>
         <see selector="{{AdminMessagesSection.success}}" userInput="You saved the product." stepKey="seeSaveConfirmation"/>
     </actionGroup>
 </actionGroups>

app/code/Magento/Catalog/Test/Mftf/Section/AdminCategoryMessagesSection.xml

@@ -11,5 +11,6 @@
     <section name="AdminCategoryMessagesSection">
         <element name="SuccessMessage" type="text" selector=".message-success"/>
         <element name="errorMessage" type="text" selector="//div[@class='message message-error error']"/>
+        <element name="saveCategoryWarningMessage" type="text" selector=".message-warning"/>
     </section>
 </sections>

app/code/Magento/Catalog/Test/Mftf/Section/AdminProductMessagesSection.xml

@@ -11,5 +11,6 @@
     <section name="AdminProductMessagesSection">
         <element name="successMessage" type="text" selector=".message-success"/>
         <element name="errorMessage" type="text" selector=".message.message-error.error"/>
+        <element name="saveProductWarningMessage" type="text" selector=".message-warning"/>
     </section>
 </sections>

app/code/Magento/Catalog/Test/Unit/Model/Attribute/Backend/DefaultBackendTest.php

@@ -0,0 +1,111 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Catalog\Test\Unit\Model\Attribute\Backend;
+
+use Magento\Catalog\Model\AbstractModel;
+use Magento\Catalog\Model\Attribute\Backend\DefaultBackend;
+use Magento\Framework\DataObject;
+use Magento\Framework\Validation\ValidationException;
+use Magento\Framework\Validator\HTML\WYSIWYGValidatorInterface;
+use PHPUnit\Framework\TestCase;
+use Magento\Eav\Model\Entity\Attribute as BasicAttribute;
+use Magento\Catalog\Model\ResourceModel\Eav\Attribute;
+use Magento\Eav\Model\Entity\Attribute\Exception as AttributeException;
+
+class DefaultBackendTest extends TestCase
+{
+    /**
+     * Different cases for attribute validation.
+     *
+     * @return array
+     */
+    public function getAttributeConfigurations(): array
+    {
+        return [
+            'basic-attribute' => [true, false, true, 'basic', 'value', false, true, false],
+            'non-html-attribute' => [false, false, false, 'non-html', 'value', false, false, false],
+            'empty-html-attribute' => [false, false, true, 'html', null, false, true, false],
+            'invalid-html-attribute' => [false, false, false, 'html', 'value', false, true, true],
+            'valid-html-attribute' => [false, true, false, 'html', 'value', false, true, false],
+            'changed-invalid-html-attribute' => [false, false, true, 'html', 'value', true, true, true],
+            'changed-valid-html-attribute' => [false, true, true, 'html', 'value', true, true, false]
+        ];
+    }
+
+    /**
+     * Test attribute validation.
+     *
+     * @param bool $isBasic
+     * @param bool $isValidated
+     * @param bool $isCatalogEntity
+     * @param string $code
+     * @param mixed $value
+     * @param bool $isChanged
+     * @param bool $isHtmlAttribute
+     * @param bool $exceptionThrown
+     * @dataProvider getAttributeConfigurations
+     */
+    public function testValidate(
+        bool $isBasic,
+        bool $isValidated,
+        bool $isCatalogEntity,
+        string $code,
+        $value,
+        bool $isChanged,
+        bool $isHtmlAttribute,
+        bool $exceptionThrown
+    ): void {
+        if ($isBasic) {
+            $attributeMock = $this->createMock(BasicAttribute::class);
+        } else {
+            $attributeMock = $this->createMock(Attribute::class);
+            $attributeMock->expects($this->any())
+                ->method('getIsHtmlAllowedOnFront')
+                ->willReturn($isHtmlAttribute);
+        }
+        $attributeMock->expects($this->any())->method('getAttributeCode')->willReturn($code);
+
+        $validatorMock = $this->getMockForAbstractClass(WYSIWYGValidatorInterface::class);
+        if (!$isValidated) {
+            $validatorMock->expects($this->any())
+                ->method('validate')
+                ->willThrowException(new ValidationException(__('HTML is invalid')));
+        } else {
+            $validatorMock->expects($this->any())->method('validate');
+        }
+
+        if ($isCatalogEntity) {
+            $objectMock = $this->createMock(AbstractModel::class);
+            $objectMock->expects($this->any())
+                ->method('getOrigData')
+                ->willReturn($isChanged ? $value .'-OLD' : $value);
+        } else {
+            $objectMock = $this->createMock(DataObject::class);
+        }
+        $objectMock->expects($this->any())->method('getData')->with($code)->willReturn($value);
+
+        $model = new DefaultBackend($validatorMock);
+        $model->setAttribute($attributeMock);
+
+        $actuallyThrownForSave = false;
+        try {
+            $model->beforeSave($objectMock);
+        } catch (AttributeException $exception) {
+            $actuallyThrownForSave = true;
+        }
+        $actuallyThrownForValidate = false;
+        try {
+            $model->validate($objectMock);
+        } catch (AttributeException $exception) {
+            $actuallyThrownForValidate = true;
+        }
+        $this->assertEquals($actuallyThrownForSave, $actuallyThrownForValidate);
+        $this->assertEquals($actuallyThrownForSave, $exceptionThrown);
+    }
+}

app/code/Magento/Catalog/view/base/web/js/product/name.js

@@ -5,18 +5,33 @@
 
 define([
     'Magento_Ui/js/grid/columns/column',
-    'Magento_Catalog/js/product/list/column-status-validator'
-], function (Column, columnStatusValidator) {
+    'Magento_Catalog/js/product/list/column-status-validator',
+    'escaper'
+], function (Column, columnStatusValidator, escaper) {
     'use strict';
 
     return Column.extend({
+        defaults: {
+            allowedTags: ['div', 'span', 'b', 'strong', 'i', 'em', 'u', 'a']
+        },
+
         /**
          * Depends on this option, product name can be shown or hide. Depends on  backend configuration
          *
          * @returns {Boolean}
          */
         isAllowed: function () {
             return columnStatusValidator.isValid(this.source(), 'name', 'show_attributes');
+        },
+
+        /**
+         * Name column.
+         *
+         * @param {String} label
+         * @returns {String}
+         */
+        getNameUnsanitizedHtml: function (label) {
+            return escaper.escapeHtml(label, this.allowedTags);
         }
     });
 });