MAGETWO-97671: Invalid action behavior

Author: svitja

app/code/Magento/Email/Block/Adminhtml/Template/Preview.php

@@ -11,6 +11,9 @@
  */
 namespace Magento\Email\Block\Adminhtml\Template;
 
+/**
+ * Email template preview block.
+ */
 class Preview extends \Magento\Backend\Block\Widget
 {
     /**
@@ -49,6 +52,7 @@ public function __construct(
      * Prepare html output
      *
      * @return string
+     * @SuppressWarnings(PHPMD.RequestAwareBlockMethod)
      */
     protected function _toHtml()
     {
@@ -64,8 +68,6 @@ protected function _toHtml()
             $template->setTemplateStyles($this->getRequest()->getParam('styles'));
         }
 
-        $template->setTemplateText($this->_maliciousCode->filter($template->getTemplateText()));
-
         \Magento\Framework\Profiler::start($this->profilerName);
 
         $template->emulateDesign($storeId);
@@ -74,6 +76,7 @@ protected function _toHtml()
             [$template, 'getProcessedTemplate']
         );
         $template->revertDesign();
+        $templateProcessed = $this->_maliciousCode->filter($templateProcessed);
 
         if ($template->isPlain()) {
             $templateProcessed = "<pre>" . htmlspecialchars($templateProcessed) . "</pre>";

app/code/Magento/Email/Controller/Adminhtml/Email/Template/Popup.php

@@ -0,0 +1,49 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Email\Controller\Adminhtml\Email\Template;
+
+/**
+ * Rendering popup email template.
+ */
+class Popup extends \Magento\Backend\App\Action
+{
+    /**
+     * @var \Magento\Framework\View\Result\PageFactory
+     */
+    private $resultPageFactory;
+
+    /**
+     * @param \Magento\Backend\App\Action\Context $context
+     * @param \Magento\Framework\View\Result\PageFactory $resultPageFactory
+     */
+    public function __construct(
+        \Magento\Backend\App\Action\Context $context,
+        \Magento\Framework\View\Result\PageFactory $resultPageFactory
+    ) {
+        parent::__construct($context);
+        $this->resultPageFactory = $resultPageFactory;
+    }
+
+    /**
+     * Load the page.
+     *
+     * Load the page defined in view/adminhtml/layout/adminhtml_email_template_popup.xml
+     *
+     * @return \Magento\Framework\View\Result\Page
+     */
+    public function execute()
+    {
+        return $this->resultPageFactory->create();
+    }
+
+    /**
+     * @inheritdoc
+     */
+    protected function _isAllowed()
+    {
+        return $this->_authorization->isAllowed('Magento_Email::template');
+    }
+}

app/code/Magento/Email/Controller/Adminhtml/Email/Template/Preview.php

@@ -6,10 +6,13 @@
  */
 namespace Magento\Email\Controller\Adminhtml\Email\Template;
 
+/**
+ * Rendering email template preview.
+ */
 class Preview extends \Magento\Email\Controller\Adminhtml\Email\Template
 {
     /**
-     * Preview transactional email action
+     * Preview transactional email action.
      *
      * @return void
      */
@@ -19,7 +22,7 @@ public function execute()
             $this->_view->loadLayout();
             $this->_view->getPage()->getConfig()->getTitle()->prepend(__('Email Preview'));
             $this->_view->renderLayout();
-            $this->getResponse()->setHeader('Content-Security-Policy', "script-src 'none'");
+            $this->getResponse()->setHeader('Content-Security-Policy', "script-src 'self'");
         } catch (\Exception $e) {
             $this->messageManager->addError(__('An error occurred. The email template can not be opened for preview.'));
             $this->_redirect('adminhtml/*/');

app/code/Magento/Email/Test/Unit/Block/Adminhtml/Template/PreviewTest.php

@@ -3,11 +3,11 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
-
-// @codingStandardsIgnoreFile
-
 namespace Magento\Email\Test\Unit\Block\Adminhtml\Template;
 
+/**
+ * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
+ */
 class PreviewTest extends \PHPUnit_Framework_TestCase
 {
     /**
@@ -36,7 +36,7 @@ protected function setUp()
     public function testToHtml($requestParamMap)
     {
         $storeId = 1;
-        $template = $this->getMockBuilder('Magento\Email\Model\Template')
+        $template = $this->getMockBuilder(\Magento\Email\Model\Template::class)
             ->setMethods([
                 'setDesignConfig',
                 'getDesignConfig',
@@ -57,19 +57,19 @@ public function testToHtml($requestParamMap)
             ->willReturn(new \Magento\Framework\DataObject(
                 $designConfigData
             ));
-        $emailFactory = $this->getMock('Magento\Email\Model\TemplateFactory', ['create'], [], '', false);
+        $emailFactory = $this->getMock(\Magento\Email\Model\TemplateFactory::class, ['create'], [], '', false);
         $emailFactory->expects($this->any())
             ->method('create')
             ->willReturn($template);
 
-        $request = $this->getMock('Magento\Framework\App\RequestInterface');
+        $request = $this->getMock(\Magento\Framework\App\RequestInterface::class);
         $request->expects($this->any())->method('getParam')->willReturnMap($requestParamMap);
-        $eventManage = $this->getMock('Magento\Framework\Event\ManagerInterface');
-        $scopeConfig = $this->getMock('Magento\Framework\App\Config\ScopeConfigInterface');
-        $design = $this->getMock('Magento\Framework\View\DesignInterface');
-        $store = $this->getMock('Magento\Store\Model\Store', ['getId', '__wakeup'], [], '', false);
+        $eventManage = $this->getMock(\Magento\Framework\Event\ManagerInterface::class);
+        $scopeConfig = $this->getMock(\Magento\Framework\App\Config\ScopeConfigInterface::class);
+        $design = $this->getMock(\Magento\Framework\View\DesignInterface::class);
+        $store = $this->getMock(\Magento\Store\Model\Store::class, ['getId', '__wakeup'], [], '', false);
         $store->expects($this->any())->method('getId')->willReturn($storeId);
-        $storeManager = $this->getMockBuilder('\Magento\Store\Model\StoreManagerInterface')
+        $storeManager = $this->getMockBuilder(\Magento\Store\Model\StoreManagerInterface::class)
             ->disableOriginalConstructor()
             ->getMock();
         $storeManager->expects($this->atLeastOnce())
@@ -85,9 +85,12 @@ public function testToHtml($requestParamMap)
             ->disableOriginalConstructor()
             ->getMock();
 
-        $context = $this->getMock('Magento\Backend\Block\Template\Context',
+        $context = $this->getMock(
+            \Magento\Backend\Block\Template\Context::class,
             ['getRequest', 'getEventManager', 'getScopeConfig', 'getDesignPackage', 'getStoreManager', 'getAppState'],
-            [], '', false
+            [],
+            '',
+            false
         );
         $context->expects($this->any())->method('getRequest')->willReturn($request);
         $context->expects($this->any())->method('getEventManager')->willReturn($eventManage);
@@ -97,7 +100,7 @@ public function testToHtml($requestParamMap)
         $context->expects($this->once())->method('getAppState')->willReturn($appState);
 
         $maliciousCode = $this->getMock(
-            'Magento\Framework\Filter\Input\MaliciousCode',
+            \Magento\Framework\Filter\Input\MaliciousCode::class,
             ['filter'],
             [],
             '',
@@ -110,7 +113,7 @@ public function testToHtml($requestParamMap)
 
         /** @var \Magento\Email\Block\Adminhtml\Template\Preview $preview */
         $preview = $this->objectManagerHelper->getObject(
-            'Magento\Email\Block\Adminhtml\Template\Preview',
+            \Magento\Email\Block\Adminhtml\Template\Preview::class,
             [
                 'context' => $context,
                 'maliciousCode' => $maliciousCode,
@@ -129,16 +132,6 @@ public function toHtmlDataProvider()
     {
         return [
             ['data 1' => [
-                ['type', null, ''],
-                ['text', null, sprintf('<javascript>%s</javascript>', self::MALICIOUS_TEXT)],
-                ['styles', null, ''],
-            ]],
-            ['data 2' => [
-                ['type', null, ''],
-                ['text', null, sprintf('<iframe>%s</iframe>', self::MALICIOUS_TEXT)],
-                ['styles', null, ''],
-            ]],
-            ['data 3' => [
                 ['type', null, ''],
                 ['text', null, self::MALICIOUS_TEXT],
                 ['styles', null, ''],

app/code/Magento/Email/Test/Unit/Controller/Adminhtml/Email/Template/PreviewTest.php

@@ -0,0 +1,134 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Email\Test\Unit\Controller\Adminhtml\Email\Template;
+
+use Magento\Email\Controller\Adminhtml\Email\Template\Preview;
+use Magento\Framework\App\Action\Context;
+use Magento\Framework\App\RequestInterface;
+use Magento\Framework\App\View;
+use Magento\Framework\Registry;
+use Magento\Framework\TestFramework\Unit\Helper\ObjectManager;
+use Magento\Framework\View\Config;
+use Magento\Framework\View\Page\Title;
+use Magento\Framework\View\Result\Page;
+
+/**
+ * Preview Test.
+ */
+class PreviewTest extends \PHPUnit_Framework_TestCase
+{
+    /**
+     * @var Preview
+     */
+    protected $object;
+
+    /**
+     * @var Context
+     */
+    protected $context;
+
+    /**
+     * @var Registry|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $coreRegistryMock;
+
+    /**
+     * @var View|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $viewMock;
+
+    /**
+     * @var RequestInterface|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $requestMock;
+
+    /**
+     * @var Page|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $pageMock;
+
+    /**
+     * @var Config|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $pageConfigMock;
+
+    /**
+     * @var Title|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $pageTitleMock;
+
+    /**
+     * @var \Magento\Framework\App\ResponseInterface|\PHPUnit_Framework_MockObject_MockObject
+     */
+    protected $responseMock;
+
+    protected function setUp()
+    {
+        $objectManager = new ObjectManager($this);
+
+        $this->coreRegistryMock = $this->getMockBuilder(\Magento\Framework\Registry::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->viewMock = $this->getMockBuilder(\Magento\Framework\App\View::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->requestMock = $this->getMockBuilder(\Magento\Framework\App\RequestInterface::class)
+            ->getMock();
+        $this->pageMock = $this->getMockBuilder(\Magento\Framework\View\Result\Page::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['getConfig'])
+            ->getMock();
+        $this->pageConfigMock = $this->getMockBuilder(\Magento\Framework\View\Page\Config::class)
+            ->setMethods(['getTitle'])
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->pageTitleMock = $this->getMockBuilder(\Magento\Framework\View\Page\Title::class)
+            ->setMethods(['prepend'])
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $this->responseMock = $this->getMockBuilder(\Magento\Framework\App\ResponseInterface::class)
+            ->setMethods(['setHeader'])
+            ->getMockForAbstractClass();
+
+        $this->context = $objectManager->getObject(
+            \Magento\Backend\App\Action\Context::class,
+            [
+                'request' => $this->requestMock,
+                'view' => $this->viewMock,
+                'response' => $this->responseMock
+            ]
+        );
+        $this->object = $objectManager->getObject(
+            \Magento\Email\Controller\Adminhtml\Email\Template\Preview::class,
+            [
+                'context' => $this->context,
+                'coreRegistry' => $this->coreRegistryMock,
+            ]
+        );
+    }
+
+    public function testExecute()
+    {
+        $this->viewMock->expects($this->once())
+            ->method('getPage')
+            ->willReturn($this->pageMock);
+        $this->pageMock->expects($this->once())
+            ->method('getConfig')
+            ->willReturn($this->pageConfigMock);
+        $this->pageConfigMock->expects($this->once())
+            ->method('getTitle')
+            ->willReturn($this->pageTitleMock);
+        $this->pageTitleMock->expects($this->once())
+            ->method('prepend')
+            ->willReturnSelf();
+        $this->responseMock->expects($this->once())
+            ->method('setHeader')
+            ->with('Content-Security-Policy', "script-src 'self'");
+
+        $this->assertNull($this->object->execute());
+    }
+}

app/code/Magento/Email/view/adminhtml/layout/adminhtml_email_template_popup.xml

@@ -0,0 +1,14 @@
+<?xml version="1.0"?>
+<!--
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+-->
+<layout xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="urn:magento:framework:View/Layout/etc/layout_generic.xsd">
+    <container name="root">
+        <block class="Magento\Framework\View\Element\Template" name="page.block" template="Magento_Email::template/preview.phtml">
+            <block class="Magento\Email\Block\Adminhtml\Template\Preview" name="content" as="content"/>
+        </block>
+    </container>
+</layout>

app/code/Magento/Email/view/adminhtml/layout/adminhtml_email_template_preview.xml

@@ -7,10 +7,12 @@
 -->
 <page xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" layout="admin-1column" xsi:noNamespaceSchemaLocation="urn:magento:framework:View/Layout/etc/page_configuration.xsd">
     <body>
-        <referenceContainer name="page.content">
-            <block name="preview.page.content" class="Magento\Framework\View\Element\Template" template="Magento_Email::template/preview.phtml">
-                <block class="Magento\Email\Block\Adminhtml\Template\Preview" name="content" as="content"/>
-            </block>
+        <attribute name="id" value="html-body"/>
+        <attribute name="class" value="preview-window"/>
+        <referenceContainer name="backend.page" remove="true"/>
+        <referenceContainer name="menu.wrapper" remove="true"/>
+        <referenceContainer name="root">
+            <block name="preview.page.content" class="Magento\Backend\Block\Page" template="Magento_Email::preview/iframeswitcher.phtml"/>
         </referenceContainer>
     </body>
 </page>

app/code/Magento/Email/view/adminhtml/templates/preview/iframeswitcher.phtml

@@ -0,0 +1,19 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+/** @var \Magento\Backend\Block\Page $block */
+?>
+<div id="preview" class="cms-revision-preview">
+    <iframe
+            name="preview_iframe"
+            id="preview_iframe"
+            frameborder="0"
+            title="<?php echo $block->escapeHtml(__('Preview')) ?>"
+            width="100%"
+            sandbox="allow-scripts allow-forms allow-pointer-lock"
+            src="<?php echo $block->escapeUrl($block->getUrl('*/*/popup', ['_current' => true])) ?>"
+    />
+</div>