AC-11446: allowed tags updated for CMS content

Author: mrprabhu92

app/design/adminhtml/Magento/backend/i18n/en_US.csv

@@ -548,3 +548,5 @@ Dashboard,Dashboard
 "Store Email Addresses Section","Store Email Addresses Section"
 "Email to a Friend","Email to a Friend"
 "Invalid data type","Invalid data type"
+"Invalid value provided for attribute %1","Invalid value provided for attribute %1"
+

lib/internal/Magento/Framework/Test/Unit/Validator/HTML/ConfigurableWYSIWYGValidatorTest.php

@@ -26,8 +26,8 @@ class ConfigurableWYSIWYGValidatorTest extends TestCase
     public function getConfigurations(): array
     {
         return [
-            'no-html' => [['div'], [], [], 'just text', true, [], []],
-            'allowed-tag' => [['div'], [], [], 'just text and <div>a div</div>', true, [], []],
+            'no-html' => [['div'], [], [], 'just text', false, [], []],
+            'allowed-tag' => [['div'], [], [], 'just text and <div>a div</div>', false, [], []],
             'restricted-tag' => [
                 ['div', 'p'],
                 [],
@@ -165,6 +165,24 @@ public function getConfigurations(): array
                 true,
                 [],
                 ['div' => ['src' => false]]
+            ],
+            'invalid-allowed-tag-attributes' => [
+                ['a'],
+                ['href'],
+                ['a' => ['href']],
+                '<a href="javascript:alert(1)">a</a>',
+                false,
+                [],
+                []
+            ],
+            'allowed-empty-tag' => [
+                [],
+                [],
+                [],
+                '',
+                false,
+                [],
+                []
             ]
         ];
     }
@@ -224,20 +242,23 @@ function (string $givenTag, array $attrs) use ($tag, $allowedAttributes): void {
                 );
             $tagValidatorsMocks[$tag] = [$mock];
         }
-        $validator = new ConfigurableWYSIWYGValidator(
-            $allowedTags,
-            $allowedAttr,
-            $allowedTagAttrs,
-            $attrValidators,
-            $tagValidatorsMocks
-        );
-        $valid = true;
         try {
-            $validator->validate($html);
-        } catch (ValidationException $exception) {
+            $validator = new ConfigurableWYSIWYGValidator(
+                $allowedTags,
+                $allowedAttr,
+                $allowedTagAttrs,
+                $attrValidators,
+                $tagValidatorsMocks
+            );
+            $valid = true;
+            try {
+                $validator->validate($html);
+            } catch (ValidationException $exception) {
+                $valid = false;
+            }
+        } catch (\InvalidArgumentException $exception) {
             $valid = false;
         }
-
         self::assertEquals($isValid, $valid);
     }
 }

lib/internal/Magento/Framework/Validator/HTML/ConfigurableWYSIWYGValidator.php

@@ -15,6 +15,19 @@
  */
 class ConfigurableWYSIWYGValidator implements WYSIWYGValidatorInterface
 {
+    /**
+     * @var string
+     */
+    private static string $xssFiltrationPattern =
+        '/((javascript(\\\\x3a|:|%3A))|(data(\\\\x3a|:|%3A))|(vbscript:)|(script)|(alert\())|'
+        . '((\\\\x6A\\\\x61\\\\x76\\\\x61\\\\x73\\\\x63\\\\x72\\\\x69\\\\x70\\\\x74(\\\\x3a|:|%3A))|'
+        . '(\\\\x64\\\\x61\\\\x74\\\\x61(\\\\x3a|:|%3A)))/i';
+
+    /**
+     * @var string
+     */
+    private static string $contentFiltrationPattern = "/(<body)/i";
+
     /**
      * @var string[]
      */
@@ -84,6 +97,7 @@ public function validate(string $content): void
         $this->validateConfigured($xpath);
         $this->callAttributeValidators($xpath);
         $this->callTagValidators($xpath);
+        $this->validateAttributeValue($xpath);
     }
 
     /**
@@ -96,18 +110,19 @@ public function validate(string $content): void
     private function validateConfigured(\DOMXPath $xpath): void
     {
         //Validating tags
+        $this->allowedTags = array_merge($this->allowedTags, ["body", "html"]);
         $found = $xpath->query(
             '//*['
-                . implode(
-                    ' and ',
-                    array_map(
-                        function (string $tag): string {
-                            return "name() != '$tag'";
-                        },
-                        array_merge($this->allowedTags, ['body', 'html'])
-                    )
+            . implode(
+                ' and ',
+                array_map(
+                    function (string $tag): string {
+                        return "name() != '$tag'";
+                    },
+                    $this->allowedTags
                 )
-                .']'
+            )
+            .']'
         );
         if (count($found)) {
             throw new ValidationException(
@@ -234,12 +249,33 @@ function () use (&$loaded) {
                 $loaded = false;
             }
         );
-        $loaded = $dom->loadHTML("<html><body>$content</body></html>");
+        $matches = [];
+        preg_match_all(self::$contentFiltrationPattern, $content, $matches);
+        $loaded = !(count($matches[0]) > 1) && $dom->loadHTML($content, LIBXML_HTML_NOIMPLIED);
         restore_error_handler();
         if (!$loaded) {
             throw new ValidationException(__('Invalid HTML content provided'));
         }
 
         return $dom;
     }
+
+    /**
+     * Validate values of html attributes
+     *
+     * @param \DOMXPath $xpath
+     * @return void
+     * @throws ValidationException
+     */
+    private function validateAttributeValue(\DOMXPath $xpath): void
+    {
+        $nodes = $xpath->query('//@*');
+        foreach ($nodes as $node) {
+            if (preg_match(self::$xssFiltrationPattern, $node->parentNode->getAttribute($node->nodeName))) {
+                throw new ValidationException(
+                    __('Invalid value provided for attribute %1', $node->nodeName)
+                );
+            }
+        }
+    }
 }