[Task] Added html sanitizer to translations (#15038)

* added sanitizer to translations

* Update models/Translation.php

Co-authored-by: Jacob Dreesen <jacob@hdreesen.de>

* added init value to property

* Update README.md

* removed translation string for `attributes`

* Revert "removed translation string for `attributes`"

This reverts commit 10db8a2.

---------

Co-authored-by: Jacob Dreesen <jacob@hdreesen.de>

bundles/CoreBundle/config/pimcore/default.yaml

@@ -74,6 +74,19 @@ framework:
                     ul: ['class', 'style', 'id']
                     li: ['class', 'style', 'id']
                     ol: ['class', 'style', 'id']
+            pimcore.translation_sanitizer:
+                allow_elements:
+                    span: [ 'class', 'style', 'id' ]
+                    p: [ 'class', 'style', 'id' ]
+                    strong: 'class'
+                    em: 'class'
+                    h1: [ 'class', 'id' ]
+                    h2: [ 'class', 'id' ]
+                    h3: [ 'class', 'id' ]
+                    h4: [ 'class', 'id' ]
+                    h5: [ 'class', 'id' ]
+                    h6: [ 'class', 'id' ]
+                    a: [ 'class', 'id', 'href', 'target', 'title', 'rel' ]
 
 # Twig Configuration
 twig:

bundles/CoreBundle/src/DependencyInjection/Compiler/TranslationSanitizerPass.php

@@ -0,0 +1,32 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * Pimcore
+ *
+ * This source file is available under two different licenses:
+ * - GNU General Public License version 3 (GPLv3)
+ * - Pimcore Commercial License (PCL)
+ * Full copyright and license information is available in
+ * LICENSE.md which is distributed with this source code.
+ *
+ *  @copyright  Copyright (c) Pimcore GmbH (http://www.pimcore.org)
+ *  @license    http://www.pimcore.org/license     GPLv3 and PCL
+ */
+
+namespace Pimcore\Bundle\CoreBundle\DependencyInjection\Compiler;
+
+use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+
+/**
+ * @internal
+ */
+final class TranslationSanitizerPass implements CompilerPassInterface
+{
+    public function process(ContainerBuilder $container): void
+    {
+        $container->getDefinition('html_sanitizer.sanitizer.pimcore.translation_sanitizer')->setPublic(true);
+    }
+}

bundles/CoreBundle/src/PimcoreCoreBundle.php

@@ -30,6 +30,7 @@
 use Pimcore\Bundle\CoreBundle\DependencyInjection\Compiler\RoutingLoaderPass;
 use Pimcore\Bundle\CoreBundle\DependencyInjection\Compiler\SerializerPass;
 use Pimcore\Bundle\CoreBundle\DependencyInjection\Compiler\ServiceControllersPass;
+use Pimcore\Bundle\CoreBundle\DependencyInjection\Compiler\TranslationSanitizerPass;
 use Pimcore\Bundle\CoreBundle\DependencyInjection\Compiler\WorkflowPass;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\DependencyInjection\Extension\ExtensionInterface;
@@ -82,6 +83,7 @@ public function build(ContainerBuilder $container): void
         $container->addCompilerPass(new CacheFallbackPass());
         $container->addCompilerPass(new MessageBusPublicPass());
         $container->addCompilerPass(new HtmlSanitizerPass());
+        $container->addCompilerPass(new TranslationSanitizerPass());
         $container->addCompilerPass(new SerializerPass());
     }
 

doc/23_Installation_and_Upgrade/09_Upgrade_Notes/README.md

@@ -334,6 +334,7 @@ pimcore:
 - [WebDAV] WebDAV url has been changed from `https://YOUR-DOMAIN/admin/asset/webdav` to `https://YOUR-DOMAIN/asset/webdav`
 - [Events] `AdminEvents::ELEMENT_PERMISSION_IS_ALLOWED` has been renamed to `Pimcore\Event\ElementEvents::ELEMENT_PERMISSION_IS_ALLOWED`.
 - [Wysiwyg] Implemented Symfony HTML sanitizer for WYSIWYG editor.
+- [Translations] Added Symfony's html sanitizer to `\Pimcore\Model\Translation\Dao::save` method.
 - [Editable] Removed the `attributes` field from the link editable.
 
 ## 10.6.0

lib/Tool/Text.php

@@ -27,6 +27,8 @@ class Text
 {
     public const PIMCORE_WYSIWYG_SANITIZER_ID = 'html_sanitizer.sanitizer.pimcore.wysiwyg_sanitizer';
 
+    public const PIMCORE_TRANSLATION_SANITIZER_ID = 'html_sanitizer.sanitizer.pimcore.translation_sanitizer';
+
     public static function removeLineBreaks(string $text = ''): string
     {
         $text = str_replace(["\r\n", "\n", "\r", "\t"], ' ', $text);

models/Translation.php

@@ -27,6 +27,7 @@
 use Pimcore\Tool;
 use Pimcore\Translation\TranslationEntriesDumper;
 use Symfony\Component\Filesystem\Filesystem;
+use Symfony\Component\HtmlSanitizer\HtmlSanitizerInterface;
 use Symfony\Component\Translation\Exception\NotFoundResourceException;
 
 /**
@@ -65,6 +66,13 @@ final class Translation extends AbstractModel
      */
     protected ?int $userModification = null;
 
+    protected ?HtmlSanitizerInterface $pimcoreTranslationSanitizer = null;
+
+    public function getTranslationSanitizer(): HtmlSanitizerInterface
+    {
+        return $this->pimcoreTranslationSanitizer ??= \Pimcore::getContainer()->get(Tool\Text::PIMCORE_TRANSLATION_SANITIZER_ID);
+    }
+
     public function getType(): string
     {
         return $this->type ?: 'simple';

models/Translation/Dao.php

@@ -83,6 +83,7 @@ public function save(): void
         $this->createOrUpdateTable();
 
         $this->updateModificationInfos();
+        $sanitizer = $this->model->getTranslationSanitizer();
 
         $editableLanguages = [];
         if ($this->model->getDomain() != Model\Translation::DOMAIN_ADMIN) {
@@ -104,7 +105,7 @@ public function save(): void
                         'key' => $this->model->getKey(),
                         'type' => $this->model->getType(),
                         'language' => $language,
-                        'text' => $text,
+                        'text' => $sanitizer->sanitize($text),
                         'modificationDate' => $this->model->getModificationDate(),
                         'creationDate' => $this->model->getCreationDate(),
                         'userOwner' => $this->model->getUserOwner(),