Merge pull request #7689 from magento-cia/2.4-bugfixes-052722

Bugfixes

Author: sidolov

app/etc/di.xml

@@ -1973,4 +1973,5 @@
             <argument name="defaultPageSize" xsi:type="number">20</argument>
         </arguments>
     </type>
+    <preference for="Magento\Framework\Filter\Input\PurifierInterface" type="Magento\Framework\Filter\Input\Purifier"/>
 </config>

composer.json

@@ -41,6 +41,7 @@
         "composer/composer": "^1.9 || ^2.0",
         "elasticsearch/elasticsearch": "~7.17.0",
         "guzzlehttp/guzzle": "^7.4.2",
+        "ezyang/htmlpurifier": "^4.14",
         "laminas/laminas-captcha": "^2.12",
         "laminas/laminas-code": "~4.5.0",
         "laminas/laminas-db": "^2.15.0",

composer.lock

@@ -1,21 +1,35 @@
 <?php
 /**
- * Filter for removing malicious code from HTML
- *
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
 
 namespace Magento\Framework\Filter\Input;
 
+use Magento\Framework\App\ObjectManager;
+
 class MaliciousCode implements \Zend_Filter_Interface
 {
+    /**
+     * @var PurifierInterface|null $purifier
+     */
+    private PurifierInterface $purifier;
+
+    /**
+     * @param PurifierInterface|null $purifier
+     */
+    public function __construct(?PurifierInterface $purifier = null)
+    {
+        $this->purifier =  $purifier ?? ObjectManager::getInstance()->get(PurifierInterface::class);
+    }
+
     /**
      * Regular expressions for cutting malicious code
      *
      * @var string[]
      */
-    protected $_expressions = [
+    protected array $_expressions = [
         //comments, must be first
         '/(\/\*.*\*\/)/Us',
         //tabs
@@ -41,15 +55,16 @@ class MaliciousCode implements \Zend_Filter_Interface
      * Filter value
      *
      * @param string|array $value
-     * @return string|array Filtered value
+     * @return string|array
      */
     public function filter($value)
     {
         $replaced = 0;
         do {
             $value = preg_replace($this->_expressions, '', $value, -1, $replaced);
         } while ($replaced !== 0);
-        return  $value;
+
+        return $this->purifier->purify($value);
     }
 
     /**
@@ -58,7 +73,7 @@ public function filter($value)
      * @param string $expression
      * @return $this
      */
-    public function addExpression($expression)
+    public function addExpression(string $expression) :self
     {
         if (!in_array($expression, $this->_expressions)) {
             $this->_expressions[] = $expression;
@@ -72,7 +87,7 @@ public function addExpression($expression)
      * @param array $expressions
      * @return $this
      */
-    public function setExpressions(array $expressions)
+    public function setExpressions(array $expressions) :self
     {
         $this->_expressions = $expressions;
         return $this;

lib/internal/GnuFreeFont/gpl-3.0.txt

@@ -0,0 +1,44 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Framework\Filter\Input;
+
+use HTMLPurifier;
+use HTMLPurifier_Config;
+use Magento\Framework\App\ObjectManager;
+
+class Purifier implements PurifierInterface
+{
+    public const CACHE_DEFINITION = 'Cache.DefinitionImpl';
+
+    /**
+     * @var HTMLPurifier $purifier
+     */
+    private HTMLPurifier $purifier;
+
+    /**
+     * Purifier Constructor Call
+     */
+    public function __construct()
+    {
+        $config = HTMLPurifier_Config::createDefault();
+        $config->set(self::CACHE_DEFINITION, null);
+
+        $this->purifier = ObjectManager::getInstance()->create(HTMLPurifier::class, ['config' => $config]);
+    }
+
+    /**
+     * Purify Html Content from malicious code
+     *
+     * @param string|array $content
+     * @return string|array
+     */
+    public function purify($content)
+    {
+        return is_array($content) ? $this->purifier->purifyArray($content) : $this->purifier->purify($content);
+    }
+}

lib/internal/Magento/Framework/Filter/Input/MaliciousCode.php

@@ -0,0 +1,19 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\Framework\Filter\Input;
+
+interface PurifierInterface
+{
+    /**
+     * Purify Content from malicious code
+     *
+     * @param string|array $content
+     * @return string|array
+     */
+    public function purify($content);
+}

lib/internal/Magento/Framework/Filter/Input/Purifier.php

@@ -8,16 +8,37 @@
 namespace Magento\Framework\Filter\Test\Unit\Input;
 
 use Magento\Framework\Filter\Input\MaliciousCode;
+use Magento\Framework\Filter\Input\PurifierInterface;
+use Magento\Framework\TestFramework\Unit\Helper\ObjectManager;
+use PHPUnit\Framework\MockObject\MockObject;
 use PHPUnit\Framework\TestCase;
 
 class MaliciousCodeTest extends TestCase
 {
-    /** @var MaliciousCode */
-    protected $filter;
+    /**
+     * @var MockObject|PurifierInterface $purifier
+     */
+    private MockObject $purifier;
+
+    /**
+     * @var MaliciousCode $filter
+     */
+    private MaliciousCode $filter;
 
     protected function setUp(): void
     {
-        $this->filter = new MaliciousCode();
+        $this->purifier = $this->getMockBuilder(PurifierInterface::class)
+            ->disableOriginalConstructor()
+            ->onlyMethods(['purify'])
+            ->getMockForAbstractClass();
+
+        $objectManager = new ObjectManager($this);
+
+        $this->filter = $objectManager->getObject(
+            MaliciousCode::class,
+            ['purifier' => $this->purifier]
+        );
+
         parent::setUp();
     }
 
@@ -28,11 +49,11 @@ protected function setUp(): void
      */
     public function testFilter($input, $expectedOutput)
     {
-        $this->assertEquals(
-            $expectedOutput,
-            $this->filter->filter($input),
-            'Malicious code is not filtered out correctly.'
-        );
+        $this->purifier->expects(self::atLeastOnce())
+            ->method('purify')
+            ->willReturn($expectedOutput);
+
+        self::assertEquals($expectedOutput, $this->filter->filter($input));
     }
 
     /**
@@ -134,6 +155,11 @@ public function filterDataProvider()
     public function testAddExpression()
     {
         $customExpression = '/<\/?(customMalicious).*>/Uis';
+
+        $this->purifier->expects(self::atLeastOnce())
+            ->method('purify')
+            ->willReturn('Custom malicious tag is removed customMalicious');
+
         $this->filter->addExpression($customExpression);
         $this->assertEquals(
             /** Tabs should be filtered out along with custom malicious code */
@@ -151,6 +177,11 @@ public function testAddExpression()
     public function testSetExpression()
     {
         $customExpression = '/<\/?(customMalicious).*>/Uis';
+
+        $this->purifier->expects(self::atLeastOnce())
+            ->method('purify')
+            ->willReturn("Custom \tmalicious tag\t\t is removed customMalicious");
+
         $this->filter->setExpressions([$customExpression]);
         $this->assertEquals(
             /** Tabs should not be filtered out along with custom malicious code */