[MGNLUI-7284] Global field validators configuration Created: 22/Jun/22  Updated: 22/Aug/22  Resolved: 06/Jul/22

Status: Closed
Project: Magnolia UI
Component/s: None
Affects Version/s: 6.2.20
Fix Version/s: 6.2.21

Type: New Feature Priority: Neutral
Reporter: Jonathan Ayala Assignee: Roman Kovařík
Resolution: Done Votes: 0
Labels: VN-Implementation, VN-Testing
Σ Remaining Estimate: Not Specified Remaining Estimate: Not Specified
Σ Time Spent: 5d 7.5h Time Spent: 1d 2.5h
Σ Original Estimate: Not Specified Original Estimate: Not Specified

Attachments: PNG File cannot-save-in-sourcemode.png    
Issue Links:
Cloners
is cloned by MGNLUI-7337 Magnolia 6.3 - Port SafeHtmlValidator... Closed
Sub-Tasks:
Key
Summary
Type
Status
Assignee
MGNLUI-7319 Provide PR with global validators config Sub-task Completed Roman Kovařík  
MGNLUI-7325 Code rw (global config) Sub-task Completed Adam Siska  
MGNLUI-7326 Preint QA (global config) Sub-task Completed Adam Siska  
MGNLUI-7327 Provide docu PR (global config) Sub-task Completed Roman Kovařík  
MGNLUI-7328 QA Sub-task Completed Quach Hao Thien  
MGNLUI-7329 Code rw (safe-html validator config) Sub-task Completed Roman Kovařík  
MGNLUI-7330 Provide PR for safe-html validator co... Sub-task Completed Sang Ngo Huu  
MGNLUI-7331 Preint QA (safe-html validator config) Sub-task Completed Roman Kovařík  
MGNLUI-7332 File ticket for 6.3 port Sub-task Completed Sang Ngo Huu  
MGNLUI-7333 Docu (safe-html validator config) Sub-task Completed Sang Ngo Huu  
MGNLUI-7335 Docu rw Sub-task Completed Alex Mansell  
Template:
Acceptance criteria:
Empty
Release notes required:
Yes
Date of First Response:
Epic Link: richTextField HTML validation
Sprint: Nucleus 13, Nucleus 14
Story Points: 5
Team: Nucleus

 Description   

Due to the introduction of SafeHtmlValidator in Magnolia 6.2.20, there are validation errors for some tags that are not included in the validator but are needed by the users.

Reproduce

  • Create a new page in demo author (basic template)
  • Add a text and image component
  • Add a link in the rich text field and go to the advanced tab to select left to right orientation (LTR) so the non-included tag is added
  • Save the form

Expected
The dialog is saved

Actual
The dialog is not saved due to validation error: Malicious HTML code found

Notes
The value of allowed tags is hardcoded in SafeHtmlValidatorFactory; it would be good if those were configurable somewhere else so that, if needed, users could add new allowed tags. If it is not possible to make them configurable, more tags should be added to the list of allowed attributes (at least those that can be used in the default CKEditor configuration).

Workaround
Override the SafeHtmlValidatorFactory on a custom Java module and set the tags you want to use in there as valid HTML tags.
OR
Disable the validator on the richtext-field until the release of 6.2.21

validators:
  allowAny:
    $type: null

Fix
Fixed in Magnolia 6.2.21. See the section on Global Validators.
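As an added illustration (not Magnolia's code and not the actual SafeHtmlValidatorFactory list), the following Python allowlist validator reproduces the behaviour the ticket describes: a default allowlist modelled on what CKEditor emits rejects dir on <a> (the LTR case) and class on <p>, while extending the allowlist per tag, as the Notes ask for, lets those through but still rejects script tags and javascript: URLs. The tag, attribute and protocol sets are assumptions chosen for the example.

```python
from html.parser import HTMLParser

# Constructed allowlist approximating what a default CKEditor rich text field emits.
# Assumption for this example only; Magnolia's real list is not reproduced here.
DEFAULT_ALLOWED = {
    "p": set(), "br": set(), "strong": set(), "em": set(), "u": set(),
    "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "target", "title"},
    "img": {"src", "alt", "width", "height"},
}
# URL prefixes accepted in href/src; anything else (e.g. javascript:) is a violation.
SAFE_PROTOCOLS = ("http://", "https://", "mailto:", "/", "#")


class _Checker(HTMLParser):
    """Collects every tag or attribute that is not on the allowlist."""

    def __init__(self, allowed):
        super().__init__()
        self.allowed = allowed
        self.violations = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed:
            self.violations.append(f"tag <{tag}> not allowed")
            return
        for name, value in attrs:
            if name not in self.allowed[tag]:
                self.violations.append(f"attribute {name} on <{tag}> not allowed")
            elif name in ("href", "src") and not (value or "").strip().lower().startswith(SAFE_PROTOCOLS):
                self.violations.append(f"unsafe URL in {name} on <{tag}>")


def validate(html, allowed=DEFAULT_ALLOWED):
    """Return the list of violations; an empty list means the HTML passes."""
    checker = _Checker(allowed)
    checker.feed(html)
    checker.close()
    return checker.violations


def extend_allowlist(base, extra):
    """Merge per-tag extra attributes: the configurable allowlist the ticket asks for."""
    merged = {tag: set(attrs) for tag, attrs in base.items()}
    for tag, attrs in extra.items():
        merged.setdefault(tag, set()).update(attrs)
    return merged
```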



 Comments   
Comment by Roman Kovařík [ 27/Jun/22 ]

Provide configuration for allowed tags, attributes, ... Besides that, a default one should be provided too.

https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#html-sanitization

For a comprehensive list, check out the DOMPurify allowlist

https://github.com/cure53/DOMPurify/blob/main/src/attrs.js

Comment by Roman Kovařík [ 04/Jul/22 ]

Script to find JCR properties which would not pass the validation (global config):

import info.magnolia.context.MgnlContext
import info.magnolia.objectfactory.*
import info.magnolia.ui.field.*
import info.magnolia.ui.dialog.*

// Workspace to scan and the property holding the rich text
workspace = "website"
propertyName = "text"

// Build the validator the same way the UI framework builds it from its definition
definition = new SafeHtmlValidatorDefinition()
definition.setErrorMessage("Malicious HTML")
validator = Components.newInstance(SafeHtmlValidatorFactory.class, definition).createValidator()

// Query every component node that has the property and print those that fail validation
MgnlContext.getJCRSession(workspace)
    .getWorkspace()
    .getQueryManager()
    .createQuery("select * from [mgnl:component] as t where t." + propertyName + " is not null", "JCR-SQL2")
    .execute()
    .getNodes()
    .each { node ->
        String html = node.getProperty(propertyName).getString()
        if (validator.apply(html, null).isError()) {
            println(node.path + "/" + propertyName)
            println(html)
            println()
        }
    }

 

Comment by Kenton Horton [ 07/Jul/22 ]

Where and how do I set the validators to rich-text field to null?

Comment by Roman Kovařík [ 08/Jul/22 ]

Hi khorton,

The global validators are documented here.

You can remove the richTextField validators like this:

/<light-module-folder>/decorations/ui-framework-core/config.yaml:

defaultFieldValidators:
   info.magnolia.ui.field.RichTextFieldDefinition: !override

 
Hope that helps

Roman 

Comment by Antony Hutchison [ 11/Aug/22 ]

This appears to remain an issue in 6.2.21. It still rejects straightforward, common, non-malicious markup such as 

<p class="p-large">...</p>

 following an upgrade from 6.2.19 to 6.2.21

Edit: Also 6.2.22. I'm concluding there must be some custom code that triggers this.

Comment by Sang Ngo Huu [ 12/Aug/22 ]

Hi ahutchison,

The class attribute of the p tag is not a default one generated by CKEditor. It can be created by pasting from HTML source or by editing in source mode.

Currently, the validator only supports the tags and attributes that are generated by CKEditor. If you have customized attributes or tags, you have to configure them in the global validator by decorating it (see the comment from Roman above).

Please let me know if you have more concerns

Comment by Kenton Horton [ 22/Aug/22 ]

Hey Roman,

I am wanting to remove the RichTextFieldDefinition validation completely. How can I do this?

Basically I am trusting our users and wanting to allow anything to be input into the CKEditor.

Comment by Roman Kovařík [ 22/Aug/22 ]

Hey,

you can either hotfix the default config and remove the validator https://demo.magnolia-cms.com/.magnolia/admincentral#app:resources:edit;/ui-framework-core/config.yaml:edit

Or provide a decoration in your light module as described in this comment: https://jira.magnolia-cms.com/browse/MGNLUI-7284?focusedCommentId=314321&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-314321

Roman
