OXDEV-7182 Add content HTML filter

CHANGELOG.md

@@ -4,6 +4,14 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [4.0.1] - unreleased
+
+### Fixed
+- Pre-filter CMS content before it is passed to Summernote editor
+
+### Added
+- `HtmlTagRemover` class
+
 ## [4.0.0] - 2024-03-12
 
 ### Changed

composer.json

@@ -30,7 +30,7 @@
     "require-dev": {
         "phpstan/phpstan": "^1.8.11",
         "squizlabs/php_codesniffer": "3.*",
-        "oxid-esales/oxideshop-ce": "dev-b-7.1.x",
+        "oxid-esales/oxideshop-ce": "dev-b-7.1.x-add_content_html_filter-OXDEV-7182",
         "phpunit/phpunit": "^10.4",
         "codeception/codeception": "^5.0",
         "codeception/module-asserts": "^3.0",

src/Service/EditorRenderer.php

@@ -9,6 +9,7 @@
 
 namespace OxidEsales\WysiwygModule\Service;
 
+use OxidEsales\EshopCommunity\Internal\Framework\Templating\HtmlFilter\HtmlFilter;
 use OxidEsales\EshopCommunity\Internal\Framework\Templating\TemplateRendererInterface;
 
 class EditorRenderer implements EditorRendererInterface
@@ -30,7 +31,7 @@ public function render(
             'iEditorWidth' => $this->prepareSize($width),
             'iEditorHeight' => $this->prepareSize($height),
             'sEditorField' => $fieldName,
-            'sEditorValue' => $objectValue,
+            'sEditorValue' => $this->filterContent($objectValue),
             'langabbr' => $this->settingsService->getInterfaceLanguageAbbreviation(),
             'blTextEditorDisabled' => $isEditorDisabled,
             'oViewConf' => $this->settingsService->getActiveViewConfig(),
@@ -52,4 +53,10 @@ private function checkIfOnlyDigitsInValue(string $sizeValue): bool
     {
         return (bool)preg_match("/^\d+$/i", $sizeValue);
     }
+
+    private function filterContent(string $content): string
+    {
+        $filter = new HtmlFilter(new HtmlTagRemover());
+        return $filter->filter($content);
+    }
 }

src/Service/HtmlTagRemover.php

@@ -0,0 +1,25 @@
+<?php
+
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
+declare(strict_types=1);
+
+namespace OxidEsales\WysiwygModule\Service;
+
+use DOMNode;
+use OxidEsales\EshopCommunity\Internal\Framework\Templating\HtmlFilter\HtmlRemoverInterface;
+
+class HtmlTagRemover implements HtmlRemoverInterface
+{
+    public function remove(DOMNode $node): void
+    {
+        $parent = $node->parentNode;
+        while ($node->hasChildNodes()) {
+            $parent->insertBefore($node->lastChild, $node->nextSibling);
+        }
+        $parent->removeChild($node);
+    }
+}

tests/Codeception/Acceptance/TextareaCheckCest.php

@@ -25,4 +25,35 @@ public function productDescriptionTextAreaModified(AcceptanceTester $I): void
 
         $I->seeElementInDOM("#ddoew #editor_oxarticles__oxlongdesc");
     }
+
+    public function contentIsFiltered(AcceptanceTester $I): void
+    {
+        $loadId = 'test_content';
+        $template = "<p>par 1</p><script>var filterTest = 'test';</script><p>par 2</p>";
+
+        $I->haveInDatabase('oxcontents', [
+            'OXID' => md5($loadId),
+            'OXLOADID' => $loadId,
+            'OXCONTENT' => $template,
+            'OXCONTENT_1' => $template,
+            'OXCONTENT_2' => $template,
+            'OXCONTENT_3' => $template,
+        ]);
+
+        $adminPanel = $I->loginAdmin();
+        $adminPanel->openCMSPages();
+
+        $I->selectListFrame();
+        $I->fillField("//input[@name='where[oxcontents][oxloadid]']", $loadId);
+        $I->submitForm('#search', []);
+
+        $I->selectListFrame();
+        $I->click($loadId);
+
+        $I->selectEditFrame();
+        $I->waitForDocumentReadyState();
+
+        $isVarDefined = $I->executeJS("return typeof filterTest !== 'undefined'");
+        $I->assertFalse($isVarDefined);
+    }
 }

tests/Unit/Service/EditorRendererTest.php

@@ -13,6 +13,7 @@
 use OxidEsales\EshopCommunity\Internal\Framework\Templating\TemplateRendererInterface;
 use OxidEsales\WysiwygModule\Service\EditorRenderer;
 use OxidEsales\WysiwygModule\Service\SettingsInterface;
+use PHPUnit\Framework\Attributes\DataProvider;
 use PHPUnit\Framework\TestCase;
 
 class EditorRendererTest extends TestCase
@@ -197,7 +198,51 @@ public function testRenderCalledWithActiveViewConfig(): void
         $sut->render('any', 'any', 'any', 'any');
     }
 
-    public function getSut(
+    #[DataProvider('filterTemplateProvider')]
+    public function testFilterContent(string $template, string $expectedTemplate): void
+    {
+        $templateRendererSpy = $this->createMock(TemplateRendererInterface::class);
+        $templateRendererSpy
+            ->expects($this->once())
+            ->method('renderTemplate')
+            ->with(
+                '@ddoewysiwyg/ddoewysiwyg',
+                $this->callback(function ($context) use ($expectedTemplate) {
+                    return $expectedTemplate == $context['sEditorValue'];
+                })
+            );
+
+        $sut = $this->getSut($templateRendererSpy);
+        $sut->render('any', 'any', $template, 'any');
+    }
+
+    public static function filterTemplateProvider(): array
+    {
+        return [
+            [
+                'template' => 'plain template',
+                'expectedTemplate' => 'plain template',
+            ],
+            [
+                'template' => '<div>template</div>',
+                'expectedTemplate' => '<div>template</div>',
+            ],
+            [
+                'template' => '<p>par 1</p><script>//js1</script><p>par 2</p>',
+                'expectedTemplate' => '<p>par 1</p>//js1<p>par 2</p>',
+            ],
+            [
+                'template' => '<script>//js1</script><script>//js2</script>',
+                'expectedTemplate' => '//js1//js2',
+            ],
+            [
+                'template' => '<p>par 1</p><script src="app.js"/><p>par 2</p>',
+                'expectedTemplate' => '<p>par 1</p><p>par 2</p>',
+            ],
+        ];
+    }
+
+    private function getSut(
         TemplateRendererInterface $templateRenderer = null,
         SettingsInterface $settingsService = null,
     ): EditorRenderer {

tests/Unit/Service/HtmlTagRemoverTest.php

@@ -0,0 +1,54 @@
+<?php
+
+/**
+ * Copyright © OXID eSales AG. All rights reserved.
+ * See LICENSE file for license details.
+ */
+
+declare(strict_types=1);
+
+namespace OxidEsales\WysiwygModule\Tests\Unit\Service;
+
+use DOMDocument;
+use OxidEsales\WysiwygModule\Service\HtmlTagRemover;
+use PHPUnit\Framework\Attributes\DataProvider;
+use PHPUnit\Framework\Attributes\Test;
+use PHPUnit\Framework\TestCase;
+
+class HtmlTagRemoverTest extends TestCase
+{
+    #[Test]
+    #[DataProvider('htmlProvider')]
+    public function remove(string $node, string $html, string $expectedHtml): void
+    {
+        $doc = new DOMDocument();
+        $doc->loadHTML($html, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
+        $node = $doc->getElementsByTagName($node)->item(0);
+
+        $remover = new HtmlTagRemover();
+        $remover->remove($node);
+
+        $this->assertEquals($expectedHtml, rtrim($doc->saveHTML()));
+    }
+
+    public static function htmlProvider(): array
+    {
+        return [
+            [
+                'node' => 'span',
+                'html' => '<div><span>content</span></div>',
+                'expectedHtml' => '<div>content</div>',
+            ],
+            [
+                'node' => 'script',
+                'html' => '<div><script>//content</script></div>',
+                'expectedHtml' => '<div>//content</div>',
+            ],
+            [
+            'node' => 'script',
+            'html' => '<div><script src="app.js"/></div>',
+            'expectedHtml' => '<div></div>',
+            ],
+        ];
+    }
+}