[Issue] xssFiltrationPattern boundary script tag restriction #39384

Open
1 of 5 tasks
m2-assistant bot opened this issue Nov 19, 2024 · 6 comments · May be fixed by #39379
Labels: Area: Content; Component: Cms; Issue: Confirmed (Gate 3 Passed. Manual verification of the issue completed. Issue is confirmed); Priority: P2 (A defect with this priority could have functionality issues which are not to expectations.); Progress: PR in progress; Reported on 2.4.x (Indicates original Magento version for the Issue report.); Reproduced on 2.4.x (The issue has been reproduced on latest 2.4-develop branch)

m2-assistant bot commented Nov 19, 2024

This issue is automatically created based on existing pull request: #39379: xssFiltrationPattern boundary script tag restriction


Add script boundary as word

If you have HTML like:

<body>
    <p class="product-description">
     hello world product description
    </p>
</body>

The problem is the class: product-description

Manual testing scenarios (*)

  1. Create a CMS Page with content:
     <p class="product-description">
       hello world product description
     </p>
  2. Save and see error:
     [image]

Contribution checklist (*)

  • Pull request has a meaningful description of its purpose
  • All commits are accompanied by meaningful commit messages
  • All new or changed code is covered with unit/integration tests (if applicable)
  • README.md files for modified modules are updated and included in the pull request if any README.md predefined sections require an update
  • All automated tests passed successfully (all builds are green)
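
The false positive reported above, reproduced as an added example (not code from the issue, the pull request, or Magento): it assumes a simplified deny pattern containing a bare `script` token and compares it with a word-bounded variant. `SUBSTRING_PATTERN`, `BOUNDED_PATTERN` and `flaggedAttributes` are hypothetical names, and PHP's DOM extension is assumed to be available.

```php
<?php
declare(strict_types=1);

// Assumed, simplified stand-ins; NOT Magento's real xssFiltrationPattern.
const SUBSTRING_PATTERN = '/script/i';     // bare token: matches inside other words
const BOUNDED_PATTERN   = '/\bscript\b/i'; // token must stand alone as a word

/** Return 'name="value"' for every attribute whose value matches $pattern. */
function flaggedAttributes(string $html, string $pattern): array
{
    $dom = new DOMDocument();
    $dom->loadHTML('<body>' . $html . '</body>', LIBXML_NOERROR | LIBXML_NOWARNING);
    $flagged = [];
    foreach ((new DOMXPath($dom))->query('//@*') as $attr) {
        if (preg_match($pattern, $attr->value) === 1) {
            $flagged[] = sprintf('%s="%s"', $attr->name, $attr->value);
        }
    }
    return $flagged;
}

// Constructed sample content; the first entry is the markup from the report.
$samples = [
    '<p class="product-description">hello world product description</p>',
    '<p class="subscription-box">monthly box</p>',
    '<p class="inline-script">note</p>',
    '<p class="intro">plain</p>',
];

foreach ($samples as $html) {
    $before = flaggedAttributes($html, SUBSTRING_PATTERN);
    $after  = flaggedAttributes($html, BOUNDED_PATTERN);
    printf(
        "%-70s substring: %-8s bounded: %s\n",
        $html,
        $before ? 'REJECT' : 'accept',
        $after ? 'REJECT' : 'accept'
    );
}
```

`class="inline-script"` is still rejected by the bounded variant because `-` is not a word character, so `\b` matches on both sides of `script`; only values where the token is embedded in a longer word, such as `description` or `subscription`, stop matching.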

m2-assistant bot commented Nov 19, 2024

Hi @engcom-Bravo. Thank you for working on this issue.
In order to make sure that issue has enough information and ready for development, please read and check the following instruction: 👇

  • 1. Verify that issue has all the required information. (Preconditions, Steps to reproduce, Expected result, Actual result).
  • 2. Verify that issue has a meaningful description and provides enough information to reproduce the issue.
  • 3. Add Area: XXXXX label to the ticket, indicating the functional areas it may be related to.
  • 4. Verify that the issue is reproducible on 2.4-develop branch
    - If the issue is reproducible on 2.4-develop branch, please, add the label Reproduced on 2.4.x.
    - If the issue is not reproducible, add your comment that issue is not reproducible and close the issue and stop verification process here!
  • 5. Add label Issue: Confirmed once verification is complete.
  • 6. Make sure that automatic system confirms that report has been added to the backlog.

@m2-community-project m2-community-project bot added the Priority: P2 A defect with this priority could have functionality issues which are not to expectations. label Nov 19, 2024
engcom-Bravo (Contributor) commented

Hi @osrecio,

Thanks for your reporting and collaboration.

We have verified the issue in the latest 2.4-develop instance and we got the result below:

Screenshot 2024-11-21 at 11 23 10

We are able to save the page temporarily, but we are getting the same error as you mentioned. Is this the only error you are referring to? Could you please let us know?

Thanks.

@engcom-Bravo engcom-Bravo added the Issue: needs update Additional information is require, waiting for response label Nov 21, 2024
@engcom-Bravo engcom-Bravo moved this from Ready for Confirmation to Needs Update in Issue Confirmation and Triage Board Nov 21, 2024
osrecio (Member) commented Nov 21, 2024

Hello @engcom-Bravo, you only have a warning because the config cms/wysiwyg/force_valid has the value 0.

By default it is 0 due to the config in the file config.xml.

But if you change the value to 1, you will have the error that I show.

You can check \Magento\Cms\Model\Wysiwyg\Validator::validate to check out the behaviour:

@osrecio osrecio added Issue: ready for confirmation Issue: needs update Additional information is require, waiting for response and removed Issue: needs update Additional information is require, waiting for response Issue: ready for confirmation labels Nov 21, 2024
engcom-Bravo (Contributor) commented

Hi @osrecio,

Thanks for your reporting and collaboration.

We have verified the issue in the latest 2.4-develop instance and the issue is reproducible. Kindly refer to the screenshots.

Screenshot 2024-11-22 at 11 49 49

While saving the page, we are getting the below error:

Content HTML contains restricted elements. Invalid value provided for attribute class

Hence confirming the issue.

Thanks.

@engcom-Bravo engcom-Bravo added Component: Cms Issue: Confirmed Gate 3 Passed. Manual verification of the issue completed. Issue is confirmed Reproduced on 2.4.x The issue has been reproduced on latest 2.4-develop branch Area: Content and removed Issue: needs update Additional information is require, waiting for response labels Nov 22, 2024
github-jira-sync-bot commented

✅ Jira issue https://jira.corp.adobe.com/browse/AC-13395 is successfully created for this GitHub issue.

m2-assistant bot commented Nov 22, 2024

✅ Confirmed by @engcom-Bravo. Thank you for verifying the issue.
Issue Available: @engcom-Bravo, You will be automatically unassigned. Contributors/Maintainers can claim this issue to continue. To reclaim and continue work, reassign the ticket to yourself.
