Merged branch '4.6'

alongosz · alongosz · commit d28e2c8baa98 · 2025-10-16T15:23:34.000+02:00
diff --git a/phpstan-baseline.neon b/phpstan-baseline.neon
@@ -175,7 +175,7 @@ parameters:
 			path: src/lib/Configuration/UI/Mapper/CustomTag.php
 
 		-
-			message: '#^Call to an undefined method DOMNode\:\:setAttribute\(\)\.$#'
+			message: '#^Call to an undefined method DOMNameSpaceNode\|DOMNode\:\:setAttribute\(\)\.$#'
 			identifier: method.notFound
 			count: 2
 			path: src/lib/FieldType/RichText/RichTextStorage.php
@@ -283,7 +283,7 @@ parameters:
 			path: src/lib/Persistence/Legacy/RichTextFieldValueConverter.php
 
 		-
-			message: '#^Argument of an invalid type DOMNodeList\<DOMNode\>\|false supplied for foreach, only iterables are supported\.$#'
+			message: '#^Argument of an invalid type DOMNodeList\<DOMNameSpaceNode\|DOMNode\>\|false supplied for foreach, only iterables are supported\.$#'
 			identifier: foreach.nonIterable
 			count: 1
 			path: src/lib/RichText/Converter/Link.php
@@ -295,7 +295,13 @@ parameters:
 			path: src/lib/RichText/Converter/Link.php
 
 		-
-			message: '#^Argument of an invalid type DOMNodeList\<DOMNode\>\|false supplied for foreach, only iterables are supported\.$#'
+			message: '#^Access to an undefined property DOMNameSpaceNode\|DOMNode\:\:\$textContent\.$#'
+			identifier: property.notFound
+			count: 2
+			path: src/lib/RichText/Converter/ProgramListing.php
+
+		-
+			message: '#^Argument of an invalid type DOMNodeList\<DOMNameSpaceNode\|DOMNode\>\|false supplied for foreach, only iterables are supported\.$#'
 			identifier: foreach.nonIterable
 			count: 1
 			path: src/lib/RichText/Converter/ProgramListing.php
@@ -331,19 +337,19 @@ parameters:
 			path: src/lib/RichText/Converter/Render.php
 
 		-
-			message: '#^Cannot access property \$length on DOMNodeList\<DOMNode\>\|false\.$#'
+			message: '#^Cannot access property \$length on DOMNodeList\<DOMNameSpaceNode\|DOMNode\>\|false\.$#'
 			identifier: property.nonObject
 			count: 1
 			path: src/lib/RichText/Converter/Render.php
 
 		-
-			message: '#^Cannot call method item\(\) on DOMNodeList\<DOMNode\>\|false\.$#'
+			message: '#^Cannot call method item\(\) on DOMNodeList\<DOMNameSpaceNode\|DOMNode\>\|false\.$#'
 			identifier: method.nonObject
 			count: 1
 			path: src/lib/RichText/Converter/Render.php
 
 		-
-			message: '#^Parameter \#1 \$configHash of method Ibexa\\FieldTypeRichText\\RichText\\Converter\\Render\:\:extractHash\(\) expects DOMNode, DOMNode\|null given\.$#'
+			message: '#^Parameter \#1 \$configHash of method Ibexa\\FieldTypeRichText\\RichText\\Converter\\Render\:\:extractHash\(\) expects DOMNode, DOMNameSpaceNode\|DOMNode\|null given\.$#'
 			identifier: argument.type
 			count: 1
 			path: src/lib/RichText/Converter/Render.php
@@ -355,7 +361,7 @@ parameters:
 			path: src/lib/RichText/Converter/Render.php
 
 		-
-			message: '#^Argument of an invalid type DOMNodeList\<DOMNode\>\|false supplied for foreach, only iterables are supported\.$#'
+			message: '#^Argument of an invalid type DOMNodeList\<DOMNameSpaceNode\|DOMNode\>\|false supplied for foreach, only iterables are supported\.$#'
 			identifier: foreach.nonIterable
 			count: 1
 			path: src/lib/RichText/Converter/Render/Embed.php
@@ -385,13 +391,13 @@ parameters:
 			path: src/lib/RichText/Converter/Render/Embed.php
 
 		-
-			message: '#^Argument of an invalid type DOMNodeList\<DOMNode\>\|false supplied for foreach, only iterables are supported\.$#'
+			message: '#^Argument of an invalid type DOMNodeList\<DOMNameSpaceNode\|DOMNode\>\|false supplied for foreach, only iterables are supported\.$#'
 			identifier: foreach.nonIterable
 			count: 2
 			path: src/lib/RichText/Converter/Render/Template.php
 
 		-
-			message: '#^Cannot access property \$length on DOMNodeList\<DOMNode\>\|false\.$#'
+			message: '#^Cannot access property \$length on DOMNodeList\<DOMNameSpaceNode\|DOMNode\>\|false\.$#'
 			identifier: property.nonObject
 			count: 1
 			path: src/lib/RichText/Converter/Render/Template.php
@@ -414,14 +420,20 @@ parameters:
 			count: 1
 			path: src/lib/RichText/Converter/Render/Template.php
 
+		-
+			message: '#^Parameter \#1 \$node of method Ibexa\\FieldTypeRichText\\RichText\\Converter\\Render\\Template\:\:getCustomTemplateContent\(\) expects DOMNode, DOMNameSpaceNode\|DOMNode given\.$#'
+			identifier: argument.type
+			count: 1
+			path: src/lib/RichText/Converter/Render/Template.php
+
 		-
 			message: '#^Parameter \#1 \$string of function trim expects string, string\|false given\.$#'
 			identifier: argument.type
 			count: 1
 			path: src/lib/RichText/Converter/Render/Template.php
 
 		-
-			message: '#^Parameter \#3 \$template of method Ibexa\\FieldTypeRichText\\RichText\\Converter\\Render\\Template\:\:processTemplate\(\) expects DOMElement, DOMNode given\.$#'
+			message: '#^Parameter \#3 \$template of method Ibexa\\FieldTypeRichText\\RichText\\Converter\\Render\\Template\:\:processTemplate\(\) expects DOMElement, DOMNameSpaceNode\|DOMNode given\.$#'
 			identifier: argument.type
 			count: 1
 			path: src/lib/RichText/Converter/Render/Template.php
@@ -463,7 +475,7 @@ parameters:
 			path: src/lib/RichText/Exception/InvalidXmlException.php
 
 		-
-			message: '#^Argument of an invalid type DOMNodeList\<DOMNode\>\|false supplied for foreach, only iterables are supported\.$#'
+			message: '#^Argument of an invalid type DOMNodeList\<DOMNameSpaceNode\|DOMNode\>\|false supplied for foreach, only iterables are supported\.$#'
 			identifier: foreach.nonIterable
 			count: 1
 			path: src/lib/RichText/RelationProcessor.php
@@ -475,13 +487,13 @@ parameters:
 			path: src/lib/RichText/TextExtractor/ShortTextExtractor.php
 
 		-
-			message: '#^Argument of an invalid type DOMNodeList\<DOMNode\>\|false supplied for foreach, only iterables are supported\.$#'
+			message: '#^Argument of an invalid type DOMNodeList\<DOMNameSpaceNode\|DOMNode\>\|false supplied for foreach, only iterables are supported\.$#'
 			identifier: foreach.nonIterable
 			count: 1
 			path: src/lib/RichText/Validator/InternalLinkValidator.php
 
 		-
-			message: '#^Argument of an invalid type DOMNodeList\<DOMNode\>\|false supplied for foreach, only iterables are supported\.$#'
+			message: '#^Argument of an invalid type DOMNodeList\<DOMNameSpaceNode\|DOMNode\>\|false supplied for foreach, only iterables are supported\.$#'
 			identifier: foreach.nonIterable
 			count: 1
 			path: src/lib/RichText/Validator/Validator.php
@@ -499,7 +511,7 @@ parameters:
 			path: src/lib/RichText/Validator/Validator.php
 
 		-
-			message: '#^Parameter \#1 \$failedAssert of method Ibexa\\FieldTypeRichText\\RichText\\Validator\\Validator\:\:formatSVRLFailure\(\) expects DOMElement, DOMNode given\.$#'
+			message: '#^Parameter \#1 \$failedAssert of method Ibexa\\FieldTypeRichText\\RichText\\Validator\\Validator\:\:formatSVRLFailure\(\) expects DOMElement, DOMNameSpaceNode\|DOMNode given\.$#'
 			identifier: argument.type
 			count: 1
 			path: src/lib/RichText/Validator/Validator.php
@@ -522,6 +534,18 @@ parameters:
 			count: 2
 			path: src/lib/RichText/Validator/ValidatorDispatcher.php
 
+		-
+			message: '#^Access to an undefined property DOMNameSpaceNode\|DOMNode\:\:\$textContent\.$#'
+			identifier: property.notFound
+			count: 1
+			path: src/lib/RichText/XMLSanitizer.php
+
+		-
+			message: '#^Parameter \#2 \$child of method DOMNode\:\:replaceChild\(\) expects TNode of DOMNode, DOMNameSpaceNode\|DOMNode given\.$#'
+			identifier: argument.type
+			count: 1
+			path: src/lib/RichText/XMLSanitizer.php
+
 		-
 			message: '#^Parameter \#2 \$desc of method Ibexa\\FieldTypeRichText\\Translation\\Extractor\\OnlineEditorCustomAttributesExtractor\:\:createMessage\(\) expects string, int\|string given\.$#'
 			identifier: argument.type
@@ -685,19 +709,19 @@ parameters:
 			path: tests/lib/RichText/Converter/Xslt/BaseTest.php
 
 		-
-			message: '#^Cannot access property \$length on DOMNodeList\<DOMNode\>\|false\.$#'
+			message: '#^Cannot access property \$length on DOMNodeList\<DOMNameSpaceNode\|DOMNode\>\|false\.$#'
 			identifier: property.nonObject
 			count: 1
 			path: tests/lib/RichText/Converter/Xslt/BaseTest.php
 
 		-
-			message: '#^Cannot access property \$parentNode on DOMNode\|null\.$#'
+			message: '#^Cannot access property \$parentNode on DOMNameSpaceNode\|DOMNode\|null\.$#'
 			identifier: property.nonObject
 			count: 1
 			path: tests/lib/RichText/Converter/Xslt/BaseTest.php
 
 		-
-			message: '#^Cannot call method item\(\) on DOMNodeList\<DOMNode\>\|false\.$#'
+			message: '#^Cannot call method item\(\) on DOMNodeList\<DOMNameSpaceNode\|DOMNode\>\|false\.$#'
 			identifier: method.nonObject
 			count: 2
 			path: tests/lib/RichText/Converter/Xslt/BaseTest.php
diff --git a/src/bundle/Resources/public/js/CKEditor/custom-tags/block-custom-tag/custom-tag-editing.js b/src/bundle/Resources/public/js/CKEditor/custom-tags/block-custom-tag/custom-tag-editing.js
@@ -2,6 +2,9 @@ import { Plugin, Widget, toWidget, toWidgetEditable } from 'ckeditor5';
 
 import IbexaCustomTagCommand from './custom-tag-command';
 
+const { escapeHTML, escapeHTMLAttribute } = window.ibexa.helpers.text;
+const { dangerouslySetInnerHTML } = window.ibexa.helpers.dom;
+
 class IbexaCustomTagEditing extends Plugin {
     static get requires() {
         return [Widget];
@@ -66,18 +69,18 @@ class IbexaCustomTagEditing extends Plugin {
                 const config = downcastWriter.createUIElement('span', { 'data-ezelement': 'ezconfig' }, function (domDocument) {
                     const domElement = this.toDomElement(domDocument);
 
-                    domElement.innerHTML = Object.entries(values).reduce((total, [attribute, value]) => {
-                        // Escaping
-                        // <script>alert("Hello! I am a script!");</script> --> &lt;script&gt;alert("Hello! I am a script!");&lt;/script&gt;
-                        const stringTempNode = domDocument.createElement('div');
-                        stringTempNode.appendChild(domDocument.createTextNode(value !== null ? value : ''));
-                        const attributeValue = stringTempNode.innerHTML;
+                    const attributesHTMLCode = Object.entries(values).reduce((total, [attributeName, value]) => {
+                        const attributeValue = value ?? '';
+                        const attributeValueEscaped = escapeHTML(attributeValue);
+                        const attributeNameAttributeEscaped = escapeHTMLAttribute(attributeName);
 
-                        const ezvalue = `<span data-ezelement="ezvalue" data-ezvalue-key="${attribute}">${attributeValue}</span>`;
+                        const ezvalue = `<span data-ezelement="ezvalue" data-ezvalue-key="${attributeNameAttributeEscaped}">${attributeValueEscaped}</span>`;
 
                         return `${total}${ezvalue}`;
                     }, '');
 
+                    dangerouslySetInnerHTML(domElement, attributesHTMLCode);
+
                     return domElement;
                 });
 
diff --git a/src/bundle/Resources/public/js/CKEditor/custom-tags/inline-custom-tag/inline-custom-tag-editing.js b/src/bundle/Resources/public/js/CKEditor/custom-tags/inline-custom-tag/inline-custom-tag-editing.js
@@ -2,6 +2,9 @@ import { Plugin, Widget, toWidget } from 'ckeditor5';
 
 import IbexaInlineCustomTagCommand from './inline-custom-tag-command';
 
+const { escapeHTML, escapeHTMLAttribute } = window.ibexa.helpers.text;
+const { dangerouslySetInnerHTML } = window.ibexa.helpers.dom;
+
 class IbexaInlineCustomTagEditing extends Plugin {
     static get requires() {
         return [Widget];
@@ -51,13 +54,17 @@ class IbexaInlineCustomTagEditing extends Plugin {
                 const config = downcastWriter.createUIElement('span', { 'data-ezelement': 'ezconfig' }, function (domDocument) {
                     const domElement = this.toDomElement(domDocument);
 
-                    domElement.innerHTML = Object.entries(values).reduce((total, [attribute, value]) => {
+                    const attributesHTMLCode = Object.entries(values).reduce((total, [attributeName, value]) => {
                         const attributeValue = value ?? '';
-                        const ezvalue = `<span data-ezelement="ezvalue" data-ezvalue-key="${attribute}">${attributeValue}</span>`;
+                        const attributeValueEscaped = escapeHTML(attributeValue);
+                        const attributeNameAttributeEscaped = escapeHTMLAttribute(attributeName);
+                        const ezvalue = `<span data-ezelement="ezvalue" data-ezvalue-key="${attributeNameAttributeEscaped}">${attributeValueEscaped}</span>`;
 
                         return `${total}${ezvalue}`;
                     }, '');
 
+                    dangerouslySetInnerHTML(domElement, attributesHTMLCode);
+
                     return domElement;
                 });
 
