
Commit 624ee86

author
Igor Melnikov
committed
MAGETWO-57271: Modify escapeHtml function to filter not allowed attributes and tags
Modifying function to filter not allowed tags and attributes
1 parent b388809 commit 624ee86


2 files changed

+14
-10
lines changed


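--- a/lib/internal/Magento/Framework/Escaper.php
+++ b/lib/internal/Magento/Framework/Escaper.php
@@ -23,12 +23,12 @@ class Escaper
 /**
 * @var string[]
 */
-private $notAllowedTags = ['script', 'img'];
+private $notAllowedTags = ['script', 'img', 'embed', 'iframe', 'video', 'source', 'object', 'audio'];
 
 /**
 * @var string[]
 */
-private $allowedAttributes = ['id', 'class', 'href', 'target', 'title'];
+private $allowedAttributes = ['id', 'class', 'href', 'target', 'title', 'style'];
 
 /**
 * @var string[]
@@ -59,7 +59,7 @@ public function escapeHtml($data, $allowedTags = null)
 $this->getLogger()->critical(
 'The following tag(s) are not allowed: ' . implode(', ', $notAllowedTags)
 );
-return '';
+$allowedTags = array_diff($allowedTags, $this->notAllowedTags);
 }
 $wrapperElementId = uniqid();
 $domDocument = new \DOMDocument('1.0', 'UTF-8');
@@ -76,7 +76,6 @@ function ($errorNumber, $errorString) {
 } catch (\Exception $e) {
 restore_error_handler();
 $this->getLogger()->critical($e);
-return $this->escapeHtml($data);
 }
 restore_error_handler();
 
@@ -87,7 +86,7 @@ function ($errorNumber, $errorString) {
 
 $result = mb_convert_encoding($domDocument->saveHTML(), 'UTF-8', 'HTML-ENTITIES');
 preg_match('/<body id="' . $wrapperElementId . '">(.+)<\/body><\/html>$/si', $result, $matches);
-return $matches[1];
+return !empty($matches) ? $matches[1] : '';
 } else {
 $result = htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
 }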
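Review bot: Adding `style` to `$allowedAttributes` in the first hunk lets arbitrary inline CSS through with no validation of its value; inline style is a well-known vector for UI redress and, in legacy user agents, script execution, so it weakens the guarantee the widened `$notAllowedTags` list in the same hunk is meant to give. If `style` must be allowed, validate its value (for example against a property allow-list) before it is emitted, or leave it out of the default list and let callers opt in explicitly. The `$notAllowedTags` denylist also remains incomplete as a safety net (elements such as `svg`, `form`, `link`, `meta`, `base` and `style` are absent); a comment on the property such as `// Denylist only catches caller mistakes; the caller-supplied $allowedTags is the real boundary` would make that expectation explicit. Separately, removing `return $this->escapeHtml($data);` from the catch block means a load failure now falls through to the DOM walk and `saveHTML()` on a possibly partially parsed document (the function body continues outside the hunk), so on parse errors the output is whatever the partial DOM holds rather than a fully escaped string; returning `''` or the escaped input explicitly after the `critical($e)` log would keep the failure mode closed.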

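--- a/lib/internal/Magento/Framework/Test/Unit/EscaperTest.php
+++ b/lib/internal/Magento/Framework/Test/Unit/EscaperTest.php
@@ -219,13 +219,18 @@ public function escapeHtmlDataProvider()
 'allowedTags' => ['span', 'b'],
 ],
 'text with non ascii characters' => [
-'data' => ['абвгд', 'مثال'],
-'expected' => ['абвгд', 'مثال'],
+'data' => ['абвгд', 'مثال', '幸福'],
+'expected' => ['абвгд', 'مثال', '幸福'],
 'allowedTags' => [],
 ],
 'html and body tags' => [
 'data' => '<html><body><span>String</span></body></html>',
-'expected' => '&lt;html&gt;&lt;body&gt;&lt;span&gt;String&lt;/span&gt;&lt;/body&gt;&lt;/html&gt;',
+'expected' => '<span>String</span>',
+'allowedTags' => ['span'],
+],
+'invalid tag' => [
+'data' => '<some tag> some text',
+'expected' => ' some text',
 'allowedTags' => ['span'],
 ],
 ];
@@ -239,12 +244,12 @@ public function escapeHtmlInvalidDataProvider()
 return [
 'text with allowed script tag' => [
 'data' => '<span><script>some text in tags</script></span>',
-'expected' => '',
+'expected' => '<span>some text in tags</span>',
 'allowedTags' => ['span', 'script'],
 ],
 'text with invalid html' => [
 'data' => '<spa>n id="id1">Some string</span>',
-'expected' => '&lt;spa&gt;n id=&quot;id1&quot;&gt;Some string&lt;/span&gt;',
+'expected' => 'n id=&quot;id1&quot;&gt;Some string',
 'allowedTags' => ['span'],
 ],
 ];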
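Review bot: The new provider cases do not exercise the behaviour the production change introduces: nothing asserts that a caller-allowed `iframe`, `embed`, `object` or other new `$notAllowedTags` entry is stripped by the new `array_diff`, and nothing asserts how a `style` attribute is handled by `escapeHtml`. Only the `script` case at the changed `'expected' => '<span>some text in tags</span>'` line covers the denylist path. Adding one case per new `$notAllowedTags` entry to `escapeHtmlInvalidDataProvider` and one `style` attribute case to `escapeHtmlDataProvider` would pin the intended contract. The 'invalid tag' expectation `' some text'` also encodes the HTML parser's recovery behaviour rather than a documented contract; a short comment saying so, e.g. `// Relies on libxml dropping the unknown <some tag> element; not an escaper guarantee`, would stop a parser upgrade from looking like an escaper regression.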
