magento2: Incorrect validation of html elements in content

Preconditions and environment

OS 2.4.3-p1

Steps to reproduce

Using old style editor (not blocks editor), insert an image from the media library into the content. Wrap that image in an “a” tag. Save the content (product description, CMS page, block it doesn’t matter). Something like this:

<p><a href="/uk/digital-print-design/"><strong><img style="float: left; padding: 0 20px 45px 20px;" title="useful information for digital printing" src="{{media url="wysiwyg/ALP/ICONS/design.png"}}" alt="Useful design information for our calendars" width="60" height="60" /></strong></a></p>

Expected result

Content is saved without error

Actual result

Following warning displayed:

Temporarily allowed to save HTML value that contains restricted elements. Allowed HTML attributes for tag “a” are: class,width,height,style,alt,title,border,id,data-active-tab,data-appearance,data-autoplay,data-autoplay-speed,data-background-images,data-background-type,data-carousel-mode,data-center-padding,data-content-type,data-element,data-enable-parallax,data-fade,data-grid-size,data-infinite-loop,data-link-type,data-locations,data-overlay-color,data-parallax-speed,data-pb-style,data-same-width,data-show-arrows,data-show-button,data-show-controls,data-show-dots,data-show-overlay,data-slide-name,data-slick-index,data-role,data-product-id,data-price-box,aria-hidden,data-tab-name,data-video-fallback-src,data-video-lazy-load,data-video-loop,data-video-overlay-color,data-video-play-only-visible,data-video-src,href,role,target,tabindex,rel

Additional information

There’s nothing wrong with the HTML - the error is in the validator. Appears it cannot properly validate content that contains {{media}} references. Debugging the validator, I added a little extra so the nodes the query finds can be seen:

image

Inspecting $elem shows this:

image

Somehow the wysiwyg part of the media is being detected as an invalid attribute of the a-tag, which it clearly is not. Nothing at all wrong with the a-tag itself.

This needs fixing before you ever think about imposing restrictions on what can be included in content. At least get the checks right first!

And while you’re about it, telling us what was found as invalid is far more useful than a long list of what’s allowed with nothing on what caused it.

Release note

Fix content validation so it actually works.

Triage and priority

  • Severity: S0 - Affects critical data or functionality and leaves users without workaround.
  • Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
  • Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
  • Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
  • Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.
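The parsing failure described under Additional information, shown as an added example (not Magento's code): fed the reporter's snippet, Python's html.parser treats the inner quotes of the {{media}} directive as the end of the src value, so `wysiwyg` surfaces as a bogus attribute name, and a validator that checks names against an allow-list then rejects it; replacing each directive with a quote-free placeholder before validation avoids that. The allow-list and helper names are assumptions made for the example.

```python
import re
from html.parser import HTMLParser

# The reporter's HTML from the issue, used here as the sample input.
SAMPLE = (
    '<p><a href="/uk/digital-print-design/"><strong>'
    '<img style="float: left; padding: 0 20px 45px 20px;" '
    'title="useful information for digital printing" '
    'src="{{media url="wysiwyg/ALP/ICONS/design.png"}}" '
    'alt="Useful design information for our calendars" width="60" height="60" /></strong></a></p>'
)
# Hypothetical allow-list shaped like the one quoted in the warning (not Magento's real config).
ALLOWED = {
    "p": {"class", "style"}, "strong": {"class", "style"},
    "a": {"href", "target", "rel", "class", "style", "title", "id"},
    "img": {"src", "alt", "title", "style", "width", "height", "class"},
}
DIRECTIVE = re.compile(r"\{\{.*?\}\}")  # a {{...}} template directive

class AttrCollector(HTMLParser):
    """Records (tag, [attribute names]) for every start tag the parser sees."""
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):  # also reached for <img ... />
        self.tags.append((tag, [name for name, _ in attrs]))

def collect_attributes(html):
    parser = AttrCollector()
    parser.feed(html)
    parser.close()
    return parser.tags

def protect_directives(html):
    """Swap each {{...}} directive for a quote-free placeholder before parsing, so the
    directive's inner quotes can no longer terminate the attribute value early."""
    found = []
    def swap(match):
        found.append(match.group(0))
        return f"__DIRECTIVE_{len(found) - 1}__"
    return DIRECTIVE.sub(swap, html), found

def restore_directives(html, directives):
    for i, directive in enumerate(directives):
        html = html.replace(f"__DIRECTIVE_{i}__", directive)
    return html

def disallowed_attributes(html):
    """Name the (tag, attribute) pairs outside ALLOWED instead of echoing the allow-list."""
    return [(tag, name) for tag, names in collect_attributes(html)
            for name in names if name not in ALLOWED.get(tag, set())]
```

Run `disallowed_attributes(SAMPLE)` to see the bogus names the raw parse produces, then validate `protect_directives(SAMPLE)[0]` instead and restore the directives afterwards.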

About this issue

  • Original URL
  • State: open
  • Created 2 years ago
  • Comments: 44 (1 by maintainers)

Most upvoted comments

Thanks for confirming. When fixing this can you also consider changing what’s reported to attribute(s) found as invalid rather than (or in addition to) reporting a long list of what’s allowed?