Merge pull request #9251 from magento-cia/cia-2.4.8-beta1-develop-bugfix-09072024

pawan-adobe-security · web-flow · commit 2bffa45ceb47 · 2024-09-09T15:38:05.000+05:30
Cia 2.4.8 beta1 develop bugfix 09072024
diff --git a/lib/internal/Magento/Framework/Test/Unit/Validator/HTML/ConfigurableWYSIWYGValidatorTest.php b/lib/internal/Magento/Framework/Test/Unit/Validator/HTML/ConfigurableWYSIWYGValidatorTest.php
@@ -26,8 +26,8 @@ class ConfigurableWYSIWYGValidatorTest extends TestCase
     public static function getConfigurations(): array
     {
         return [
-            'no-html' => [['div'], [], [], 'just text', true, [], []],
-            'allowed-tag' => [['div'], [], [], 'just text and <div>a div</div>', true, [], []],
+            'no-html' => [['div'], [], [], 'just text', false, [], []],
+            'allowed-tag' => [['div'], [], [], 'just text and <div>a div</div>', false, [], []],
             'restricted-tag' => [
                 ['div', 'p'],
                 [],
diff --git a/lib/internal/Magento/Framework/Validator/HTML/ConfigurableWYSIWYGValidator.php b/lib/internal/Magento/Framework/Validator/HTML/ConfigurableWYSIWYGValidator.php
@@ -23,6 +23,11 @@ class ConfigurableWYSIWYGValidator implements WYSIWYGValidatorInterface
         . '((\\\\x6A\\\\x61\\\\x76\\\\x61\\\\x73\\\\x63\\\\x72\\\\x69\\\\x70\\\\x74(\\\\x3a|:|%3A))|'
         . '(\\\\x64\\\\x61\\\\x74\\\\x61(\\\\x3a|:|%3A)))/i';
 
+    /**
+     * @var string
+     */
+    private static string $contentFiltrationPattern = "/(<body)/i";
+
     /**
      * @var string[]
      */
@@ -105,6 +110,7 @@ public function validate(string $content): void
     private function validateConfigured(\DOMXPath $xpath): void
     {
         //Validating tags
+        $this->allowedTags = array_merge($this->allowedTags, ["body", "html"]);
         $found = $xpath->query(
             '//*['
             . implode(
@@ -113,7 +119,7 @@ private function validateConfigured(\DOMXPath $xpath): void
                     function (string $tag): string {
                         return "name() != '$tag'";
                     },
-                    array_merge($this->allowedTags, ['body', 'html'])
+                    $this->allowedTags
                 )
             )
             .']'
@@ -243,7 +249,9 @@ function () use (&$loaded) {
                 $loaded = false;
             }
         );
-        $loaded = $dom->loadHTML("<html><body>$content</body></html>");
+        $matches = [];
+        preg_match_all(self::$contentFiltrationPattern, $content, $matches);
+        $loaded = !(count($matches[0]) > 1) && $dom->loadHTML($content, LIBXML_HTML_NOIMPLIED);
         restore_error_handler();
         if (!$loaded) {
             throw new ValidationException(__('Invalid HTML content provided'));
