Froala feature flag - disabled by default

[escopecz]

Q	A
Bug fix? (use the a.b branch)	[security precaution]
New feature/enhancement? (use the a.x branch)	[ ]
Deprecations?	[ ]
BC breaks? (use the c.x branch)	[y]
Automated tests included?	[ ]
Related user documentation PR URL	mautic/mautic-documentation#...
Related developer documentation PR URL	mautic/developer-documentation#...
Issue(s) addressed	Fixes https://mautic.atlassian.net/browse/TPROD-441

Description:

The Froala Javascript library Mautic use has several security vulnerabilities reported:

https://security.snyk.io/package/npm/froala-editor/2.4.2

It's used in the legacy builder but it seems that many community members are still using it:

https://forum.mautic.org/t/is-anyone-still-using-the-legacy-email-and-page-builder/27819

So the solution in between that will disable this vulnerable library for Mautic 5 but allows users to enable it if they need it and are fine with the security risks is to add a new feature flag (= configuration option). This feature flag is OFF by default so all Mautic administrators must enable it and agree with the downsides.

If the GrapesJS builder plugin is disabled and a Mautic user tries to open the legacy builder, they get this warning with instructions about what to do:

Apart from making Mautic 5 a bit safer, it will also help with performance.

With Froala enabled:

With Froala disabled:

This feature flag will save 1.6 MB off of the Mautic administration page load. Saved 27% of loaded size and the loading is 11% faster than before.

The savings will be greater when we remove the Froala library completely. The CSS/LESS files are baked into the library.css file and cannot be easily extracted. So those are still loading all the time.

Steps to test this PR:

1. Open this PR on Gitpod or pull down for testing locally (see docs on testing PRs here)
2. Disable the GrapesJS plugin so the email and page builders would use the legacy builder.
3. Open JS console in your browser dev tools to see if there are any JS errors.
4. Try to open the legacy builder. <<< You should get the warning.
5. Go to Global configuration, System settings and enable the Froala library.
6. Open the legacy builder now. <<< The builder works correctly.

[codecov]

Codecov Report

Merging #12416 (ede9522) into 5.x (0d5b22e) will decrease coverage by 0.03%.
The diff coverage is 62.50%.

@@             Coverage Diff              @@
##                5.x   #12416      +/-   ##
============================================
- Coverage     56.32%   56.30%   -0.03%     
- Complexity    35185    35187       +2     
============================================
  Files          2210     2210              
  Lines        105570   105572       +2     
============================================
- Hits          59463    59440      -23     
- Misses        46107    46132      +25     

Impacted Files	Coverage Δ
...bundles/EmailBundle/Controller/EmailController.php	27.54% <25.00%> (ø)
...p/bundles/PageBundle/Controller/PageController.php	33.98% <25.00%> (ø)
...s/CoreBundle/Controller/BuilderControllerTrait.php	100.00% <100.00%> (ø)
app/bundles/CoreBundle/Form/Type/ConfigType.php	100.00% <100.00%> (ø)
...undles/CoreBundle/Helper/AssetGenerationHelper.php	56.37% <100.00%> (-0.58%)	⬇️
...pp/bundles/CoreBundle/Twig/Helper/AssetsHelper.php	73.38% <100.00%> (-8.93%)	⬇️

[mabumusa1]

Warning Message show

Warning for enabling is showing

Afterwards it loads normally

[mabumusa1]

Good to go, since this Froala has changed their license model, there is nothing much to do except using it.