From 21a6e405c7e09f6b4d4dbbf5c8728e80710eddb5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adam=20W=C3=B3js?= <adam@wojs.pl>
Date: Wed, 4 Oct 2017 13:16:43 +0200
Subject: [PATCH] Fix EZP-27562: Allow square brackets and percent character in
 RichText link (#2090)

---
 .../Resources/schemas/docbook/docbook.iso.sch      |  6 ++-
 .../Resources/schemas/docbook/docbook.iso.sch.xsl  |  4 +-
 .../RichText/Resources/schemas/docbook/docbook.rng |  2 +-
 .../iso_schematron_skeleton_for_xslt1.xsl          |  6 ++-
 eZ/Publish/Core/FieldType/RichText/Validator.php   |  3 ++
 .../FieldType/RichText/XSLTProcessorFunctions.php  | 30 ++++++++++++
 .../Tests/RichText/XSLTProcessorFunctionsTest.php  | 46 ++++++++++++++++++
 eZ/Publish/Core/FieldType/Tests/RichTextTest.php   | 54 +++++++++++++++++++++-
 8 files changed, 142 insertions(+), 9 deletions(-)
 create mode 100644 eZ/Publish/Core/FieldType/RichText/XSLTProcessorFunctions.php
 create mode 100644 eZ/Publish/Core/FieldType/Tests/RichText/XSLTProcessorFunctionsTest.php

diff --git a/eZ/Publish/Core/FieldType/RichText/Resources/schemas/docbook/docbook.iso.sch b/eZ/Publish/Core/FieldType/RichText/Resources/schemas/docbook/docbook.iso.sch
index 4129880d39..9838425259 100644
--- a/eZ/Publish/Core/FieldType/RichText/Resources/schemas/docbook/docbook.iso.sch
+++ b/eZ/Publish/Core/FieldType/RichText/Resources/schemas/docbook/docbook.iso.sch
@@ -1,6 +1,8 @@
 <?xml version="1.0" encoding="utf-8"?>
 <s:schema xmlns:s="http://purl.oclc.org/dsdl/schematron"
-          xmlns:db="http://docbook.org/ns/docbook">
+          xmlns:db="http://docbook.org/ns/docbook"
+          xmlns:php="http://php.net/xsl"
+          >
   <s:ns prefix="db" uri="http://docbook.org/ns/docbook"/>
   <!--s:pattern name="Glossary 'firstterm' type constraint">
     <s:rule context="db:firstterm[@linkend]">
@@ -250,7 +252,7 @@
   </s:pattern>
   <s:pattern name="Element contents validation">
     <s:rule context="db:link">
-      <s:assert test="not(contains(@*[name()='xlink:href'], 'javascript:') or contains(@*[name()='xlink:href'], 'vbscript:'))" mode="schematron-get-full-path-2">using scripts in links is not allowed</s:assert>
+      <s:assert test="php:function('eZ\Publish\Core\FieldType\RichText\XSLTProcessorFunctions::isValidUrl', string(@*[name()='xlink:href']))" mode="schematron-get-full-path-2">The value must be a valid URL</s:assert>
     </s:rule>
   </s:pattern>
 </s:schema>
diff --git a/eZ/Publish/Core/FieldType/RichText/Resources/schemas/docbook/docbook.iso.sch.xsl b/eZ/Publish/Core/FieldType/RichText/Resources/schemas/docbook/docbook.iso.sch.xsl
index 075885c073..4f9c34fe57 100644
--- a/eZ/Publish/Core/FieldType/RichText/Resources/schemas/docbook/docbook.iso.sch.xsl
+++ b/eZ/Publish/Core/FieldType/RichText/Resources/schemas/docbook/docbook.iso.sch.xsl
@@ -1,5 +1,5 @@
 <?xml version="1.0" standalone="yes"?>
-<axsl:stylesheet xmlns:axsl="http://www.w3.org/1999/XSL/Transform" xmlns:sch="http://www.ascc.net/xml/schematron" xmlns:iso="http://purl.oclc.org/dsdl/schematron" xmlns:db="http://docbook.org/ns/docbook" version="1.0"><!--Implementers: please note that overriding process-prolog or process-root is
+<axsl:stylesheet xmlns:axsl="http://www.w3.org/1999/XSL/Transform" xmlns:sch="http://www.ascc.net/xml/schematron" xmlns:iso="http://purl.oclc.org/dsdl/schematron" xmlns:php="http://php.net/xsl" xmlns:db="http://docbook.org/ns/docbook" version="1.0" extension-element-prefixes="php"><!--Implementers: please note that overriding process-prolog or process-root is
     the preferred method for meta-stylesheets to use where possible. -->
 <axsl:param name="archiveDirParameter"/><axsl:param name="archiveNameParameter"/><axsl:param name="fileNameParameter"/><axsl:param name="fileDirParameter"/>

@@ -79,4 +79,4 @@
 <axsl:template match="db:link" priority="1000" mode="M3"><svrl:fired-rule xmlns:svrl="http://purl.oclc.org/dsdl/svrl" context="db:link"/>

 		<!--ASSERT -->
-<axsl:choose><axsl:when test="not(contains(@*[name()='xlink:href'], 'javascript:') or contains(@*[name()='xlink:href'], 'vbscript:'))"/><axsl:otherwise><svrl:failed-assert xmlns:svrl="http://purl.oclc.org/dsdl/svrl" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:schold="http://www.ascc.net/xml/schematron" test="not(contains(@*[name()='xlink:href'], 'javascript:') or contains(@*[name()='xlink:href'], 'vbscript:'))"><axsl:attribute name="location"><axsl:apply-templates select="." mode="schematron-get-full-path-2"/></axsl:attribute><svrl:text>using scripts in links is not allowed</svrl:text></svrl:failed-assert></axsl:otherwise></axsl:choose><axsl:apply-templates select="*|comment()|processing-instruction()" mode="M3"/></axsl:template><axsl:template match="text()" priority="-1" mode="M3"/><axsl:template match="@*|node()" priority="-2" mode="M3"><axsl:apply-templates select="*|comment()|processing-instruction()" mode="M3"/></axsl:template></axsl:stylesheet>
+<axsl:choose><axsl:when test="php:function('eZ\Publish\Core\FieldType\RichText\XSLTProcessorFunctions::isValidUrl', string(@*[name()='xlink:href']))"/><axsl:otherwise><svrl:failed-assert xmlns:svrl="http://purl.oclc.org/dsdl/svrl" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:schold="http://www.ascc.net/xml/schematron" test="php:function('eZ\Publish\Core\FieldType\RichText\XSLTProcessorFunctions::isValidUrl', string(@*[name()='xlink:href']))"><axsl:attribute name="location"><axsl:apply-templates select="." mode="schematron-get-full-path-2"/></axsl:attribute><svrl:text>The value must be a valid URL</svrl:text></svrl:failed-assert></axsl:otherwise></axsl:choose><axsl:apply-templates select="*|comment()|processing-instruction()" mode="M3"/></axsl:template><axsl:template match="text()" priority="-1" mode="M3"/><axsl:template match="@*|node()" priority="-2" mode="M3"><axsl:apply-templates select="*|comment()|processing-instruction()" mode="M3"/></axsl:template></axsl:stylesheet>
diff --git a/eZ/Publish/Core/FieldType/RichText/Resources/schemas/docbook/docbook.rng b/eZ/Publish/Core/FieldType/RichText/Resources/schemas/docbook/docbook.rng
index 019c84b847..2f34b8b1a8 100644
--- a/eZ/Publish/Core/FieldType/RichText/Resources/schemas/docbook/docbook.rng
+++ b/eZ/Publish/Core/FieldType/RichText/Resources/schemas/docbook/docbook.rng
@@ -203,7 +203,7 @@
   <define name="db.xlink.href.attribute">
     <attribute name="xlink:href">
       <a:documentation>Identifies a link target with a URI</a:documentation>
-      <data type="anyURI"/>
+      <data type="string" />
     </attribute>
   </define>
   <define name="db.xlink.type.attribute">
diff --git a/eZ/Publish/Core/FieldType/RichText/Resources/stylesheets/schematron/iso_schematron_skeleton_for_xslt1.xsl b/eZ/Publish/Core/FieldType/RichText/Resources/stylesheets/schematron/iso_schematron_skeleton_for_xslt1.xsl
index d0114996b1..001b3be00f 100644
--- a/eZ/Publish/Core/FieldType/RichText/Resources/stylesheets/schematron/iso_schematron_skeleton_for_xslt1.xsl
+++ b/eZ/Publish/Core/FieldType/RichText/Resources/stylesheets/schematron/iso_schematron_skeleton_for_xslt1.xsl
@@ -393,13 +393,14 @@
     xmlns:iso="http://purl.oclc.org/dsdl/schematron"
     xmlns:exsl="http://exslt.org/common"
     xmlns:msxsl="urn:schemas-microsoft-com:xslt"
-    extension-element-prefixes="exsl  msxsl"
+    xmlns:php="http://php.net/xsl"
+    extension-element-prefixes="exsl msxsl"
    >
 <!-- This program implements ISO Schematron, except for abstract patterns which require a preprocess. -->


 <xsl:namespace-alias stylesheet-prefix="axsl" result-prefix="xsl"/>
-
+<xsl:namespace-alias stylesheet-prefix="php" result-prefix="php"/>

 <!-- Category: top-level-element -->
 <xsl:output method="xml" omit-xml-declaration="no" standalone="yes"  indent="yes"/>
@@ -569,6 +570,7 @@
 </xsl:template>

 <xsl:template match="*" mode="stylesheetbody">
+    <xsl:attribute name="extension-element-prefixes">php</xsl:attribute>
   <!--xsl:template name="stylesheetbody"-->
     <xsl:comment>Implementers: please note that overriding process-prolog or process-root is
     the preferred method for meta-stylesheets to use where possible. </xsl:comment><xsl:text>&#10;</xsl:text>
diff --git a/eZ/Publish/Core/FieldType/RichText/Validator.php b/eZ/Publish/Core/FieldType/RichText/Validator.php
index c10c778455..d598462a34 100644
--- a/eZ/Publish/Core/FieldType/RichText/Validator.php
+++ b/eZ/Publish/Core/FieldType/RichText/Validator.php
@@ -119,6 +119,9 @@ protected function schematronValidate(DOMDocument $document, $filename)
     {
         $stylesheet = $this->loadFile($filename);
         $xsltProcessor = new XSLTProcessor();
+        $xsltProcessor->registerPHPFunctions([
+            'eZ\Publish\Core\FieldType\RichText\XSLTProcessorFunctions::isValidUrl',
+        ]);
         $xsltProcessor->importStyleSheet($stylesheet);

         $result = $xsltProcessor->transformToDoc($document);
diff --git a/eZ/Publish/Core/FieldType/RichText/XSLTProcessorFunctions.php b/eZ/Publish/Core/FieldType/RichText/XSLTProcessorFunctions.php
new file mode 100644
index 0000000000..a20b84340a
--- /dev/null
+++ b/eZ/Publish/Core/FieldType/RichText/XSLTProcessorFunctions.php
@@ -0,0 +1,30 @@
+<?php
+/**
+ * This file is part of the eZ Publish Kernel package.
+ *
+ * @copyright Copyright (C) eZ Systems AS. All rights reserved.
+ * @license For full copyright and license information view LICENSE file distributed with this source code.
+ */
+namespace eZ\Publish\Core\FieldType\RichText;
+
+/**
+ * Helper functions available in XSL documents.
+ */
+class XSLTProcessorFunctions
+{
+    const URL_PATTERN = '%^((ezlocation|ezurl|ezcontent):\/\/\d+(#[^\s]+)?)|(#[^\s]+)|(?:(?:https?|ftps?)://)(?:\S+(?::\S*)?@|\d{1,3}(?:\.\d{1,3}){3}|(?:(?:[a-z\d\x{00a1}-\x{ffff}]+-?)*[a-z\d\x{00a1}-\x{ffff}]+)(?:\.(?:[a-z\d\x{00a1}-\x{ffff}]+-?)*[a-z\d\x{00a1}-\x{ffff}]+)*(?:\.[a-z\x{00a1}-\x{ffff}]{2,6}))(?::\d+)?(?:[^\s]*)?$%iu';
+
+    /**
+     * Return true if URL is valid.
+     *
+     * Validates URL link using the diegoperini regex found at https://mathiasbynens.be/demo/url-regex
+     * aka. https://gist.github.com/dperini/729294#gistcomment-15527
+     *
+     * @param string $value
+     * @return bool
+     */
+    public static function isValidUrl($value)
+    {
+        return (bool)preg_match(self::URL_PATTERN, $value);
+    }
+}
diff --git a/eZ/Publish/Core/FieldType/Tests/RichText/XSLTProcessorFunctionsTest.php b/eZ/Publish/Core/FieldType/Tests/RichText/XSLTProcessorFunctionsTest.php
new file mode 100644
index 0000000000..dc35c0caf7
--- /dev/null
+++ b/eZ/Publish/Core/FieldType/Tests/RichText/XSLTProcessorFunctionsTest.php
@@ -0,0 +1,46 @@
+<?php
+
+namespace eZ\Publish\Core\FieldType\Tests\RichText;
+
+use eZ\Publish\Core\FieldType\RichText\XSLTProcessorFunctions;
+use PHPUnit\Framework\TestCase;
+
+class XSLTProcessorFunctionsTest extends TestCase
+{
+    /**
+     * @dataProvider providerForIsValidUrl
+     */
+    public function testIsValidUrl($url, $expected)
+    {
+        $this->assertEquals($expected, XSLTProcessorFunctions::isValidUrl($url));
+    }
+
+    public function providerForIsValidUrl()
+    {
+        return [
+            ['http://example.url', true],
+            ['https://example.url', true],
+            ['http://192.168.56.101/segment#/fragment%20url', true],
+            ['http://example.url/segment', true],
+            ['http://user:password@example.url:8001/', true],
+            ['http://example.url?with[square]=brackets', true],
+            ['http://example.url?with=value%20with%20spaces', true],
+            ['http://example.url#fragment', true],
+            ['http://example.url.with.#fragment', true],
+            ['ftp://example.com/pub/file.txt', true],
+            ['ftp://user:password@example.com/pub/file.txt', true],
+            ['ftps://example.com/pub/file.txt', true],
+            ['ftps://user:password@example.com/pub/file.txt', true],
+            ['#fragment', true],
+            ['ezlocation://72', true],
+            ['ezlocation://72#fragment', true],
+            ['ezcontent://70', true],
+            ['ezcontent://72#fragment', true],
+            ["javascript:alert('BOOM!')", false],
+            ["vbscript:alert('BOOM!')", false],
+            ['Simple text', false],
+            ['script&gt;', false],
+            ["<script>alert('boom');</script>", false],
+        ];
+    }
+}
diff --git a/eZ/Publish/Core/FieldType/Tests/RichTextTest.php b/eZ/Publish/Core/FieldType/Tests/RichTextTest.php
index c3eb709551..e5ec7bf966 100644
--- a/eZ/Publish/Core/FieldType/Tests/RichTextTest.php
+++ b/eZ/Publish/Core/FieldType/Tests/RichTextTest.php
@@ -208,7 +208,7 @@ public function providerForTestValidate()
                 array(
                     new ValidationError(
                         "Validation of XML content failed:\n" .
-                        '/section/para/link: using scripts in links is not allowed'
+                        '/section/para/link: The value must be a valid URL'
                     ),
                 ),
             ),
@@ -220,7 +220,7 @@ public function providerForTestValidate()
                 array(
                     new ValidationError(
                         "Validation of XML content failed:\n" .
-                        '/section/para/link: using scripts in links is not allowed'
+                        '/section/para/link: The value must be a valid URL'
                     ),
                 ),
             ),
@@ -231,6 +231,56 @@ public function providerForTestValidate()
 </section>',
                 array(),
             ),
+            array(
+                '<?xml version="1.0" encoding="UTF-8"?>
+<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:ezxhtml="http://ez.no/xmlns/ezpublish/docbook/xhtml" xmlns:ezcustom="http://ez.no/xmlns/ezpublish/docbook/custom" version="5.0-variant ezpublish-1.0">
+  <para><link xlink:href="http://example.url?with[square]=brackets">link</link></para>
+</section>',
+                array(),
+            ),
+            array(
+                '<?xml version="1.0" encoding="UTF-8"?>
+<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:ezxhtml="http://ez.no/xmlns/ezpublish/docbook/xhtml" xmlns:ezcustom="http://ez.no/xmlns/ezpublish/docbook/custom" version="5.0-variant ezpublish-1.0">
+  <para><link xlink:href="http://example.url?with=value%20with%20spaces">link</link></para>
+</section>',
+                array(),
+            ),
+            array(
+                '<?xml version="1.0" encoding="UTF-8"?>
+<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:ezxhtml="http://ez.no/xmlns/ezpublish/docbook/xhtml" xmlns:ezcustom="http://ez.no/xmlns/ezpublish/docbook/custom" version="5.0-variant ezpublish-1.0">
+  <para><link xlink:href="script&gt;">injected &gt;</link></para>
+</section>',
+                array(
+                    new ValidationError(
+                        "Validation of XML content failed:\n" .
+                        '/section/para/link: The value must be a valid URL'
+                    ),
+                ),
+            ),
+            array(
+                '<?xml version="1.0" encoding="UTF-8"?>
+<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:ezxhtml="http://ez.no/xmlns/ezpublish/docbook/xhtml" xmlns:ezcustom="http://ez.no/xmlns/ezpublish/docbook/custom" version="5.0-variant ezpublish-1.0">
+  <para><link xlink:href="&lt;script">injected &lt;</link></para>
+</section>',
+                array(
+                    new ValidationError(
+                        "Validation of XML content failed:\n" .
+                        '/section/para/link: The value must be a valid URL'
+                    ),
+                ),
+            ),
+            array(
+                '<?xml version="1.0" encoding="UTF-8"?>
+<section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:ezxhtml="http://ez.no/xmlns/ezpublish/docbook/xhtml" xmlns:ezcustom="http://ez.no/xmlns/ezpublish/docbook/custom" version="5.0-variant ezpublish-1.0">
+  <para><link xlink:href="&quot;script">injected &quot;</link></para>
+</section>',
+                array(
+                    new ValidationError(
+                        "Validation of XML content failed:\n" .
+                        '/section/para/link: The value must be a valid URL'
+                    ),
+                ),
+            ),
         );
     }