MAGETWO-57271: Modify escapeHtml function to filter not allowed attributes and tags

Igor Melnikov · Igor Melnikov · commit 59c2c9e8dd89 · 2016-08-30T09:03:37.000-05:00
Modifying function to filter not allowed tags and attributes
diff --git a/lib/internal/Magento/Framework/Escaper.php b/lib/internal/Magento/Framework/Escaper.php
@@ -16,25 +16,81 @@ class Escaper
     private $escaper;
 
     /**
-     * Escape HTML entities
+     * @var \Psr\Log\LoggerInterface
+     */
+    private $logger;
+
+    /**
+     * @var string[]
+     */
+    private $notAllowedTags = ['script', 'img'];
+
+    /**
+     * @var string[]
+     */
+    private $allowedAttributes = ['id', 'class', 'href', 'target', 'title'];
+
+    /**
+     * @var string[]
+     */
+    private $escapeAsUrlAttributes = ['href'];
+
+    /**
+     * Escape string for HTML context, allowedTags will not be escaped
      *
      * @param string|array $data
      * @param array $allowedTags
      * @return string|array
      */
-    public function escapeHtml($data, $allowedTags = null)
+    public function escapeHtml($data, $allowedTags = [])
     {
         if (is_array($data)) {
             $result = [];
             foreach ($data as $item) {
-                $result[] = $this->escapeHtml($item);
+                $result[] = $this->escapeHtml($item, $allowedTags);
             }
         } elseif (strlen($data)) {
             if (is_array($allowedTags) && !empty($allowedTags)) {
-                $allowed = implode('|', $allowedTags);
-                $result = preg_replace('/<([\/\s\r\n]*)(' . $allowed . ')([\/\s\r\n]*)>/si', '##$1$2$3##', $data);
-                $result = htmlspecialchars($result, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
-                $result = preg_replace('/##([\/\s\r\n]*)(' . $allowed . ')([\/\s\r\n]*)##/si', '<$1$2$3>', $result);
+                $notAllowedTags = array_intersect(
+                    array_map('strtolower', $allowedTags),
+                    $this->notAllowedTags
+                );
+                if (!empty($notAllowedTags)) {
+                    $this->getLogger()->critical(
+                        'The following tag(s) are not allowed: ' . implode(', ', $notAllowedTags)
+                    );
+                    return '';
+                }
+                $wrapperElementId = uniqid();
+                $domDocument = new \DOMDocument('1.0', 'UTF-8');
+                set_error_handler(
+                    /**
+                     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+                     */
+                    function ($errorNumber, $errorString, $errorFile, $errorLine) {
+                        throw new \Exception($errorString, $errorNumber);
+                    }
+                );
+                $string = mb_convert_encoding($data, 'HTML-ENTITIES', 'UTF-8');
+                try {
+                    $domDocument->loadHTML(
+                        '<html><body id="' . $wrapperElementId . '">' . $string . '</body></html>'
+                    );
+                } catch (\Exception $e) {
+                    restore_error_handler();
+                    $this->getLogger()->critical($e);
+                    return '';
+                }
+                restore_error_handler();
+
+                $this->removeNotAllowedTags($domDocument, $allowedTags);
+                $this->removeNotAllowedAttributes($domDocument);
+                $this->escapeText($domDocument);
+                $this->escapeAttributeValues($domDocument);
+
+                $result = mb_convert_encoding($domDocument->saveHTML(), 'UTF-8', 'HTML-ENTITIES');
+                preg_match('/<body id="' . $wrapperElementId . '">(.+)<\/body><\/html>$/si', $result, $matches);
+                return $matches[1];
             } else {
                 $result = htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
             }
@@ -44,6 +100,88 @@ public function escapeHtml($data, $allowedTags = null)
         return $result;
     }
 
+    /**
+     * Remove not allowed tags
+     *
+     * @param \DOMDocument $domDocument
+     * @param string[] $allowedTags
+     * @return void
+     */
+    private function removeNotAllowedTags(\DOMDocument $domDocument, array $allowedTags)
+    {
+        $xpath = new \DOMXPath($domDocument);
+        $nodes = $xpath->query('//node()[name() != \''
+            . implode('\' and name() != \'', array_merge($allowedTags, ['html', 'body'])) . '\']');
+        foreach ($nodes as $node) {
+            if ($node->nodeName != '#text' && $node->nodeName != '#comment') {
+                $node->parentNode->replaceChild($domDocument->createTextNode($node->textContent), $node);
+            }
+        }
+    }
+
+    /**
+     * Remove not allowed attributes
+     *
+     * @param \DOMDocument $domDocument
+     * @return void
+     */
+    private function removeNotAllowedAttributes(\DOMDocument $domDocument)
+    {
+        $xpath = new \DOMXPath($domDocument);
+        $nodes = $xpath->query(
+            '//@*[name() != \'' . implode('\' and name() != \'', $this->allowedAttributes) . '\']'
+        );
+        foreach ($nodes as $node) {
+            $node->parentNode->removeAttribute($node->nodeName);
+        }
+    }
+
+    /**
+     * Escape text
+     *
+     * @param \DOMDocument $domDocument
+     * @return void
+     */
+    private function escapeText(\DOMDocument $domDocument)
+    {
+        $xpath = new \DOMXPath($domDocument);
+        $nodes = $xpath->query('//text()');
+        foreach ($nodes as $node) {
+            $node->textContent = $this->escapeHtml($node->textContent);
+        }
+    }
+
+    /**
+     * Escape attribute values
+     *
+     * @param \DOMDocument $domDocument
+     * @return void
+     */
+    private function escapeAttributeValues(\DOMDocument $domDocument)
+    {
+        $xpath = new \DOMXPath($domDocument);
+        $nodes = $xpath->query('//@*');
+        foreach ($nodes as $node) {
+            $value = $this->escapeAttributeValue(
+                $node->nodeName,
+                $node->parentNode->getAttribute($node->nodeName)
+            );
+            $node->parentNode->setAttribute($node->nodeName, $value);
+        }
+    }
+
+    /**
+     * Escape attribute value using escapeHtml or escapeUrl
+     *
+     * @param string $name
+     * @param string $value
+     * @return string
+     */
+    private function escapeAttributeValue($name, $value)
+    {
+        return in_array($name, $this->escapeAsUrlAttributes) ? $this->escapeUrl($value) : $this->escapeHtml($value);
+    }
+
     /**
      * Escape a string for the HTML attribute context
      *
@@ -172,4 +310,19 @@ private function getEscaper()
         }
         return $this->escaper;
     }
+
+    /**
+     * Get logger
+     *
+     * @return \Psr\Log\LoggerInterface
+     * @deprecated
+     */
+    private function getLogger()
+    {
+        if ($this->logger == null) {
+            $this->logger = \Magento\Framework\App\ObjectManager::getInstance()
+                ->get(\Psr\Log\LoggerInterface::class);
+        }
+        return $this->logger;
+    }
 }
diff --git a/lib/internal/Magento/Framework/Test/Unit/EscaperTest.php b/lib/internal/Magento/Framework/Test/Unit/EscaperTest.php
@@ -23,20 +23,42 @@ class EscaperTest extends \PHPUnit_Framework_TestCase
      */
     private $zendEscaper;
 
+    /**
+     * @var \Psr\Log\LoggerInterface
+     */
+    private $loggerMock;
+
     protected function setUp()
     {
         $this->_escaper = new Escaper();
         $this->zendEscaper = new \Magento\Framework\ZendEscaper();
+        $this->loggerMock = $this->getMockForAbstractClass(\Psr\Log\LoggerInterface::class);
         $objectManagerHelper = new ObjectManager($this);
         $objectManagerHelper->setBackwardCompatibleProperty($this->_escaper, 'escaper', $this->zendEscaper);
+        $objectManagerHelper->setBackwardCompatibleProperty($this->_escaper, 'logger', $this->loggerMock);
     }
 
     /**
      * @covers \Magento\Framework\Escaper::escapeHtml
      * @dataProvider escapeHtmlDataProvider
      */
-    public function testEscapeHtml($data, $expected, $allowedTags = null)
+    public function testEscapeHtml($data, $expected, $allowedTags = [])
+    {
+        $actual = $this->_escaper->escapeHtml($data, $allowedTags);
+        $this->assertEquals($expected, $actual);
+    }
+
+    /**
+     * @covers \Magento\Framework\Escaper::escapeHtml
+     */
+    public function testEscapeHtmlWithInvalidData()
     {
+        $data = '<span><script>some text in tags</script></span>';
+        $expected = '';
+        $allowedTags = ['script', 'span'];
+        $this->loggerMock->expects($this->once())
+            ->method('critical')
+            ->with('The following tag(s) can not be used in the translation: script');
         $actual = $this->_escaper->escapeHtml($data, $allowedTags);
         $this->assertEquals($expected, $actual);
     }
@@ -47,22 +69,64 @@ public function testEscapeHtml($data, $expected, $allowedTags = null)
     public function escapeHtmlDataProvider()
     {
         return [
-            'array data' => [
+            'array -> [text with no tags, text with no allowed tags]' => [
                 'data' => ['one', '<two>three</two>'],
                 'expected' => ['one', '&lt;two&gt;three&lt;/two&gt;'],
-                null,
             ],
-            'string data conversion' => [
-                'data' => '<two>three</two>',
-                'expected' => '&lt;two&gt;three&lt;/two&gt;',
-                null,
+            'text with special characters' => [
+                'data' => '&<>"\'&amp;&lt;&gt;&quot;&#039;&#9;',
+                'expected' => '&amp;&lt;&gt;&quot;&#039;&amp;&lt;&gt;&quot;&#039;&#9;'
+            ],
+            'text with multiple allowed tags, includes self closing tag' => [
+                'data' => '<span>some text in tags<br /></span>',
+                'expected' => '<span>some text in tags<br></span>',
+                'allowedTags' => ['span', 'br'],
             ],
-            'string data no conversion' => ['data' => 'one', 'expected' => 'one'],
-            'string data with allowed tags' => [
-                'data' => '<span><b>some text in tags</b></span>',
-                'expected' => '<span><b>some text in tags</b></span>',
+            'text with multiple allowed tags and allowed attribute in double quotes' => [
+                'data' => 'Only <span id="sku_max_allowed"><b>2</b></span> in stock',
+                'expected' => 'Only <span id="sku_max_allowed"><b>2</b></span> in stock',
                 'allowedTags' => ['span', 'b'],
-            ]
+            ],
+            'text with multiple allowed tags and allowed attribute in single quotes' => [
+                'data' => 'Only <span id=\'sku_max_allowed\'><b>2</b></span> in stock',
+                'expected' => 'Only <span id="sku_max_allowed"><b>2</b></span> in stock',
+                'allowedTags' => ['span', 'b'],
+            ],
+            'text with multiple allowed tags with allowed attribute' => [
+                'data' => 'Only registered users can write reviews. Please <a href="%1">Sign in</a> or <a href="%2">create an account</a>',
+                'expected' => 'Only registered users can write reviews. Please <a href="%1">Sign in</a> or <a href="%2">create an account</a>',
+                'allowedTags' => ['a'],
+            ],
+            'text with not allowed attribute in single quotes' => [
+                'data' => 'Only <span type=\'1\'><b>2</b></span> in stock',
+                'expected' => 'Only <span><b>2</b></span> in stock',
+                'allowedTags' => ['span', 'b'],
+            ],
+            'text with allowed and not allowed tags' => [
+                'data' => 'Only registered users can write reviews. Please <a href="%1">Sign in<span>three</span></a> or <a href="%2"><span id="action">create an account</span></a>',
+                'expected' => 'Only registered users can write reviews. Please <a href="%1">Sign inthree</a> or <a href="%2">create an account</a>',
+                'allowedTags' => ['a'],
+            ],
+            'text with allowed and not allowed tags, with allowed and not allowed attributes' => [
+                'data' => 'Some test <span>text in span tag</span> <strong>text in strong tag</strong> <a type="some-type" href="http://domain.com/" onclick="alert(1)">Click here</a><script>alert(1)</script>',
+                'expected' => 'Some test <span>text in span tag</span> text in strong tag <a href="http://domain.com/">Click here</a>alert(1)',
+                'allowedTags' => ['a', 'span'],
+            ],
+            'text with html comment' => [
+                'data' => 'Only <span><b>2</b></span> in stock <!-- HTML COMMENT -->',
+                'expected' => 'Only <span><b>2</b></span> in stock <!-- HTML COMMENT -->',
+                'allowedTags' => ['span', 'b'],
+            ],
+            'text with non ascii characters' => [
+                'data' => ['абвгд', 'مثال'],
+                'expected' => ['абвгд', 'مثال'],
+                'allowedTags' => [],
+            ],
+            'html and body tags' => [
+                'data' => '<html><body><span>String</span></body></html>',
+                'expected' => '',
+                'allowedTags' => ['span'],
+            ],
         ];
     }
 
