Skip to content

Update HtmlFilter.php DOM Text Interpreted As HTML #879

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

Update HtmlFilter.php DOM Text Interpreted As HTML #879

wants to merge 2 commits into from

Conversation

@Shivam7-1
Copy link

@Shivam7-1 Shivam7-1 commented Dec 19, 2024
edited
Loading

Description
Here innerText can be used it will avoid the risk of HTML injection, as these properties automatically escape any HTML special characters in the provided text. This helps prevent cross-site scripting (XSS) vulnerabilities by treating the input as plain text rather than interpreted HTML.

Checklist

  • Pull request has a meaningful description of its purpose
  • All commits are accompanied by meaningful commit messages
  • All new or changed code is covered with unit/integration tests (if applicable)
  • README.md files for modified modules are updated and included in the pull request if any README.md predefined sections require an update
  • All automated tests passed successfully (all builds are green)

@Shivam7-1
Copy link
Author

Shivam7-1 commented Dec 19, 2024

Hii @engcom-Hotel Could You Please Take a look and Review Here in this PR ?
Thanks

@Shivam7-1
Copy link
Author

Shivam7-1 commented Dec 19, 2024

@magento run all tests

engcom-Hotel
engcom-Hotel requested changes Jan 6, 2025
View reviewed changes
Copy link
Collaborator

@engcom-Hotel engcom-Hotel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello @Shivam7-1,

Please refer to the below review comment.

Thanks

app/code/Magento/PageBuilder/Model/Stage/HtmlFilter.php
private function getChildrenInnerHtml(\DOMElement $element): string
{
$innerHTML = '';
$innerText = '';
Copy link
Collaborator

@engcom-Hotel engcom-Hotel Jan 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please elaborate on the purpose of this change.

Also as I can see here you are just changing the variable name. If that is so then please update the same in line number 115 and 118:

magento2-page-builder/app/code/Magento/PageBuilder/Model/Stage/HtmlFilter.php

Line 115 in 1a52ef4

$innerHTML .= $ownerDocument->saveXML($child);

magento2-page-builder/app/code/Magento/PageBuilder/Model/Stage/HtmlFilter.php

Line 118 in 1a52ef4

return $innerHTML;

Copy link
Author

@Shivam7-1 Shivam7-1 Jan 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hii @engcom-Hotel Thanks For Reviewing Yes done this changes

Copy link
Collaborator

@engcom-Hotel engcom-Hotel Jan 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also please help us with the purpose of this PR. In the actual codebase we are not using the innerHTML property, here $innerHTML is used as a variable. So this change doesn’t make any sense to me.

Please correct me if I am wrong.

@Shivam7-1 Shivam7-1 requested a review from engcom-Hotel January 6, 2025 11:41
engcom-Hotel
engcom-Hotel requested changes Jan 6, 2025
View reviewed changes
app/code/Magento/PageBuilder/Model/Stage/HtmlFilter.php
private function getChildrenInnerHtml(\DOMElement $element): string
{
$innerHTML = '';
$innerText = '';
Copy link
Collaborator

@engcom-Hotel engcom-Hotel Jan 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also please help us with the purpose of this PR. In the actual codebase we are not using the innerHTML property, here $innerHTML is used as a variable. So this change doesn’t make any sense to me.

Please correct me if I am wrong.

@Shivam7-1
Copy link
Author

Shivam7-1 commented Jan 7, 2025

Hii @engcom-Hotel Thank you for the feedback. You’re correct that $innerHTML is just a variable and not the innerHTML property. I got Confused here by the name so it's not required here I think

@engcom-Hotel
Copy link
Collaborator

engcom-Hotel commented Jan 8, 2025
edited
Loading

Thanks @Shivam7-1, We are closing this PR as per your last comment.

Hii @engcom-Hotel Thank you for the feedback. You’re correct that $innerHTML is just a variable and not the innerHTML property. I got Confused here by the name so it's not required here I think

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@engcom-Hotel engcom-Hotel engcom-Hotel requested changes

Assignees

@engcom-Hotel engcom-Hotel

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Shivam7-1 @engcom-Hotel