Merge pull request #6233 from magento-qwerty/MC-34385

[CIA] Filter fields allowing HTML

Author: dvoskoboinikov

app/code/Magento/Catalog/Model/Attribute/Backend/DefaultBackend.php

@@ -0,0 +1,96 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Catalog\Model\Attribute\Backend;
+
+use Magento\Catalog\Model\AbstractModel;
+use Magento\Catalog\Model\ResourceModel\Eav\Attribute;
+use Magento\Eav\Model\Entity\Attribute\Backend\DefaultBackend as ParentBackend;
+use Magento\Eav\Model\Entity\Attribute\Exception;
+use Magento\Framework\DataObject;
+use Magento\Framework\Exception\LocalizedException;
+use Magento\Framework\Validation\ValidationException;
+use Magento\Framework\Validator\HTML\WYSIWYGValidatorInterface;
+
+/**
+ * Default backend model for catalog attributes.
+ */
+class DefaultBackend extends ParentBackend
+{
+    /**
+     * @var WYSIWYGValidatorInterface
+     */
+    private $wysiwygValidator;
+
+    /**
+     * @param WYSIWYGValidatorInterface $wysiwygValidator
+     */
+    public function __construct(WYSIWYGValidatorInterface $wysiwygValidator)
+    {
+        $this->wysiwygValidator = $wysiwygValidator;
+    }
+
+    /**
+     * Validate user HTML value.
+     *
+     * @param DataObject $object
+     * @return void
+     * @throws LocalizedException
+     */
+    private function validateHtml(DataObject $object): void
+    {
+        $attribute = $this->getAttribute();
+        $code = $attribute->getAttributeCode();
+        if ($attribute instanceof Attribute && $attribute->getIsHtmlAllowedOnFront()) {
+            $value = $object->getData($code);
+            if ($value
+                && is_string($value)
+                && (!($object instanceof AbstractModel) || $object->getData($code) !== $object->getOrigData($code))
+            ) {
+                try {
+                    $this->wysiwygValidator->validate($object->getData($code));
+                } catch (ValidationException $exception) {
+                    $attributeException = new Exception(
+                        __(
+                            'Using restricted HTML elements for "%1". %2',
+                            $attribute->getName(),
+                            $exception->getMessage()
+                        ),
+                        $exception
+                    );
+                    $attributeException->setAttributeCode($code)->setPart('backend');
+                    throw $attributeException;
+                }
+            }
+        }
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function beforeSave($object)
+    {
+        parent::beforeSave($object);
+        $this->validateHtml($object);
+
+        return $this;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function validate($object)
+    {
+        $isValid = parent::validate($object);
+        if ($isValid) {
+            $this->validateHtml($object);
+        }
+
+        return $isValid;
+    }
+}

app/code/Magento/Catalog/Model/ResourceModel/Eav/Attribute.php

@@ -6,7 +6,9 @@
 
 namespace Magento\Catalog\Model\ResourceModel\Eav;
 
+use Magento\Catalog\Model\Attribute\Backend\DefaultBackend;
 use Magento\Catalog\Model\Attribute\LockValidatorInterface;
+use Magento\Eav\Model\Entity;
 use Magento\Framework\Api\AttributeValueFactory;
 use Magento\Framework\Stdlib\DateTime\DateTimeFormatterInterface;
 
@@ -902,4 +904,17 @@ public function setIsFilterableInGrid($isFilterableInGrid)
         $this->setData(self::IS_FILTERABLE_IN_GRID, $isFilterableInGrid);
         return $this;
     }
+
+    /**
+     * @inheritDoc
+     */
+    protected function _getDefaultBackendModel()
+    {
+        $backend = parent::_getDefaultBackendModel();
+        if ($backend === Entity::DEFAULT_BACKEND_MODEL) {
+            $backend = DefaultBackend::class;
+        }
+
+        return $backend;
+    }
 }

app/code/Magento/Catalog/Test/Unit/Model/Attribute/Backend/DefaultBackendTest.php

@@ -0,0 +1,111 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Catalog\Test\Unit\Model\Attribute\Backend;
+
+use Magento\Catalog\Model\AbstractModel;
+use Magento\Catalog\Model\Attribute\Backend\DefaultBackend;
+use Magento\Framework\DataObject;
+use Magento\Framework\Validation\ValidationException;
+use Magento\Framework\Validator\HTML\WYSIWYGValidatorInterface;
+use PHPUnit\Framework\TestCase;
+use Magento\Eav\Model\Entity\Attribute as BasicAttribute;
+use Magento\Catalog\Model\ResourceModel\Eav\Attribute;
+use Magento\Eav\Model\Entity\Attribute\Exception as AttributeException;
+
+class DefaultBackendTest extends TestCase
+{
+    /**
+     * Different cases for attribute validation.
+     *
+     * @return array
+     */
+    public function getAttributeConfigurations(): array
+    {
+        return [
+            'basic-attribute' => [true, false, true, 'basic', 'value', false, true, false],
+            'non-html-attribute' => [false, false, false, 'non-html', 'value', false, false, false],
+            'empty-html-attribute' => [false, false, true, 'html', null, false, true, false],
+            'invalid-html-attribute' => [false, false, false, 'html', 'value', false, true, true],
+            'valid-html-attribute' => [false, true, false, 'html', 'value', false, true, false],
+            'changed-invalid-html-attribute' => [false, false, true, 'html', 'value', true, true, true],
+            'changed-valid-html-attribute' => [false, true, true, 'html', 'value', true, true, false]
+        ];
+    }
+
+    /**
+     * Test attribute validation.
+     *
+     * @param bool $isBasic
+     * @param bool $isValidated
+     * @param bool $isCatalogEntity
+     * @param string $code
+     * @param mixed $value
+     * @param bool $isChanged
+     * @param bool $isHtmlAttribute
+     * @param bool $exceptionThrown
+     * @dataProvider getAttributeConfigurations
+     */
+    public function testValidate(
+        bool $isBasic,
+        bool $isValidated,
+        bool $isCatalogEntity,
+        string $code,
+        $value,
+        bool $isChanged,
+        bool $isHtmlAttribute,
+        bool $exceptionThrown
+    ): void {
+        if ($isBasic) {
+            $attributeMock = $this->createMock(BasicAttribute::class);
+        } else {
+            $attributeMock = $this->createMock(Attribute::class);
+            $attributeMock->expects($this->any())
+                ->method('getIsHtmlAllowedOnFront')
+                ->willReturn($isHtmlAttribute);
+        }
+        $attributeMock->expects($this->any())->method('getAttributeCode')->willReturn($code);
+
+        $validatorMock = $this->getMockForAbstractClass(WYSIWYGValidatorInterface::class);
+        if (!$isValidated) {
+            $validatorMock->expects($this->any())
+                ->method('validate')
+                ->willThrowException(new ValidationException(__('HTML is invalid')));
+        } else {
+            $validatorMock->expects($this->any())->method('validate');
+        }
+
+        if ($isCatalogEntity) {
+            $objectMock = $this->createMock(AbstractModel::class);
+            $objectMock->expects($this->any())
+                ->method('getOrigData')
+                ->willReturn($isChanged ? $value .'-OLD' : $value);
+        } else {
+            $objectMock = $this->createMock(DataObject::class);
+        }
+        $objectMock->expects($this->any())->method('getData')->with($code)->willReturn($value);
+
+        $model = new DefaultBackend($validatorMock);
+        $model->setAttribute($attributeMock);
+
+        $actuallyThrownForSave = false;
+        try {
+            $model->beforeSave($objectMock);
+        } catch (AttributeException $exception) {
+            $actuallyThrownForSave = true;
+        }
+        $actuallyThrownForValidate = false;
+        try {
+            $model->validate($objectMock);
+        } catch (AttributeException $exception) {
+            $actuallyThrownForValidate = true;
+        }
+        $this->assertEquals($actuallyThrownForSave, $actuallyThrownForValidate);
+        $this->assertEquals($actuallyThrownForSave, $exceptionThrown);
+    }
+}

app/code/Magento/Cms/Command/WysiwygRestrictCommand.php

@@ -0,0 +1,72 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+declare(strict_types=1);
+
+namespace Magento\Cms\Command;
+
+use Magento\Cms\Model\Wysiwyg\Validator;
+use Symfony\Component\Console\Command\Command;
+use Symfony\Component\Console\Input\InputArgument;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+use Magento\Framework\App\Config\ConfigResource\ConfigInterface as ConfigWriter;
+use Magento\Framework\App\Cache\TypeListInterface as Cache;
+
+/**
+ * Command to toggle WYSIWYG content validation on/off.
+ */
+class WysiwygRestrictCommand extends Command
+{
+    /**
+     * @var ConfigWriter
+     */
+    private $configWriter;
+
+    /**
+     * @var Cache
+     */
+    private $cache;
+
+    /**
+     * @param ConfigWriter $configWriter
+     * @param Cache $cache
+     */
+    public function __construct(ConfigWriter $configWriter, Cache $cache)
+    {
+        parent::__construct();
+
+        $this->configWriter = $configWriter;
+        $this->cache = $cache;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    protected function configure()
+    {
+        $this->setName('cms:wysiwyg:restrict');
+        $this->setDescription('Set whether to enforce user HTML content validation or show a warning instead');
+        $this->setDefinition([new InputArgument('restrict', InputArgument::REQUIRED, 'y\n')]);
+
+        parent::configure();
+    }
+
+    /**
+     * @inheritDoc
+     */
+    protected function execute(InputInterface $input, OutputInterface $output)
+    {
+        $restrictArg = mb_strtolower((string)$input->getArgument('restrict'));
+        $restrict = $restrictArg === 'y' ? '1' : '0';
+        $this->configWriter->saveConfig(Validator::CONFIG_PATH_THROW_EXCEPTION, $restrict);
+        $this->cache->cleanType('config');
+
+        $output->writeln('HTML user content validation is now ' .($restrictArg === 'y' ? 'enforced' : 'suggested'));
+
+        return 0;
+    }
+}

app/code/Magento/Cms/Model/Block.php

@@ -6,8 +6,15 @@
 namespace Magento\Cms\Model;
 
 use Magento\Cms\Api\Data\BlockInterface;
+use Magento\Framework\App\ObjectManager;
 use Magento\Framework\DataObject\IdentityInterface;
 use Magento\Framework\Model\AbstractModel;
+use Magento\Framework\Validation\ValidationException;
+use Magento\Framework\Validator\HTML\WYSIWYGValidatorInterface;
+use Magento\Framework\Model\Context;
+use Magento\Framework\Registry;
+use Magento\Framework\Model\ResourceModel\AbstractResource;
+use Magento\Framework\Data\Collection\AbstractDb;
 
 /**
  * CMS block model
@@ -40,6 +47,32 @@ class Block extends AbstractModel implements BlockInterface, IdentityInterface
      */
     protected $_eventPrefix = 'cms_block';
 
+    /**
+     * @var WYSIWYGValidatorInterface
+     */
+    private $wysiwygValidator;
+
+    /**
+     * @param Context $context
+     * @param Registry $registry
+     * @param AbstractResource|null $resource
+     * @param AbstractDb|null $resourceCollection
+     * @param array $data
+     * @param WYSIWYGValidatorInterface|null $wysiwygValidator
+     */
+    public function __construct(
+        Context $context,
+        Registry $registry,
+        AbstractResource $resource = null,
+        AbstractDb $resourceCollection = null,
+        array $data = [],
+        ?WYSIWYGValidatorInterface $wysiwygValidator = null
+    ) {
+        parent::__construct($context, $registry, $resource, $resourceCollection, $data);
+        $this->wysiwygValidator = $wysiwygValidator
+            ?? ObjectManager::getInstance()->get(WYSIWYGValidatorInterface::class);
+    }
+
     /**
      * Construct.
      *
@@ -63,12 +96,26 @@ public function beforeSave()
         }
 
         $needle = 'block_id="' . $this->getId() . '"';
-        if (false == strstr($this->getContent(), (string) $needle)) {
-            return parent::beforeSave();
+        if (strstr($this->getContent(), (string) $needle) !== false) {
+            throw new \Magento\Framework\Exception\LocalizedException(
+                __('Make sure that static block content does not reference the block itself.')
+            );
         }
-        throw new \Magento\Framework\Exception\LocalizedException(
-            __('Make sure that static block content does not reference the block itself.')
-        );
+        parent::beforeSave();
+
+        //Validating HTML content.
+        if ($this->getContent() && $this->getContent() !== $this->getOrigData(self::CONTENT)) {
+            try {
+                $this->wysiwygValidator->validate($this->getContent());
+            } catch (ValidationException $exception) {
+                throw new ValidationException(
+                    __('Content field contains restricted HTML elements. %1', $exception->getMessage()),
+                    $exception
+                );
+            }
+        }
+
+        return $this;
     }
 
     /**