Restore html validation approach and enable it on Mostly Static Pages…

… (CFM-62) (#297)
COmanage · Feb 14, 2025 · ee254e8 · ee254e8
1 parent e98eaa7
commit ee254e8
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 23 deletions.
diff --git a/app/src/Lib/Traits/ValidationTrait.php b/app/src/Lib/Traits/ValidationTrait.php
@@ -33,8 +33,6 @@
 use Cake\Database\Schema\TableSchemaInterface;
 use Cake\ORM\TableRegistry;
 use Cake\Validation\Validator;
-use Symfony\Component\HtmlSanitizer\HtmlSanitizer;
-use Symfony\Component\HtmlSanitizer\HtmlSanitizerConfig;
 
 trait ValidationTrait {
   /**
@@ -240,28 +238,14 @@ public function validateInput($value, array $context) {
     if(!empty($context['type'])) {
       switch($context['type']) {
         case 'html':
-          // We are accepting HTML input. Pass it through the Symfony HTML Sanitizer to
-          // disallow dom elements like <script> and <style>.
-          $htmlSanitizer = new HtmlSanitizer(
-            // Allow all elements from the W3C Sanitizer API. This is more permissive than "allowSafeElements()".
-            // See: https://github.com/symfony/symfony/blob/7.2/src/Symfony/Component/HtmlSanitizer/Reference/W3CReference.php
-            (new HtmlSanitizerConfig())->allowStaticElements()
-          );
-          $sanitizedValue = $htmlSanitizer->sanitize($value);
-
-          // Compare $value and $sanitizedValue to see if anything changed. Because white space and closing slashes
-          // can be significantly altered during sanitization, normalize the strings prior to comparison.
-          // (Unfortunately, the HtmlSanitizer does not generate a report on what it changed, which would be better.)
-          $valueNormalized = preg_replace(['/\s+/','/\//'], '', $value);
-          $sanitizedValueNormalized = preg_replace(['/\s+/','/\//'], '', $sanitizedValue);
-          // XXX Note: stripping forward slashes allows us to ignore the differences between <br> and <br/>
-          // (for example), but it also allows malformed tags such as <br////> or <div/></div> to get through.
-
-          if($valueNormalized !== $sanitizedValueNormalized) {
-            // Disallowed HTML is in the input, so throw an error.
+          // We are accepting HTML input. We will mostly pass it all through and ensure
+          // properly sanitized output. However, we can do some very rudimentary checking for script tags.
+          // (An informational note should be placed below these fields as well.)
+          $lowercaseVal = strtolower($value);
+          if(str_contains($lowercaseVal, '<script')) {
+            // Disallowed HTML is in the input, so warn the user.
             return __d('error', 'input.invalid.html');
           }
-
           return true;
         default:
           // We use h() (htmlspecialchars) for consistency with the views.

diff --git a/app/src/Model/Table/MostlyStaticPagesTable.php b/app/src/Model/Table/MostlyStaticPagesTable.php
@@ -336,7 +336,7 @@ public function validationDefault(Validator $validator): Validator {
     $validator->notEmptyString('context');
 
     $validator->add('body', [
-      'filter'  => ['rule'     => ['validateInput'],
+      'filter'  => ['rule'     => ['validateInput',['type' => 'html']],
                     'provider' => 'table']
     ]);
     $validator->allowEmptyString('body');