Sanitize stored HTML to prevent XSS

Author: aimeos

composer.json

@@ -8,6 +8,7 @@
 	"minimum-stability": "dev",
 	"require": {
 		"php": "^8.0.11",
+		"ezyang/htmlpurifier": "^4.19",
 		"aimeos/aimeos-core": "dev-master",
 		"aimeos/ai-admin-jqadm": "dev-master",
 		"aimeos/ai-admin-jsonadm": "dev-master",

src/Admin/JQAdm/Cms/Content/Standard.php

@@ -318,10 +318,16 @@ protected function fromArray( \Aimeos\MShop\Cms\Item\Iface $item, array $data )
 
 		foreach( $data as $idx => $entry )
 		{
-			if( trim( $this->val( $entry, 'text.content', '' ) ) === '' ) {
+			if( !( $content = trim( $this->val( $entry, 'text.content', '' ) ) ) ) {
 				continue;
 			}
 
+			$config = \HTMLPurifier_Config::createDefault();
+			$config->set( 'Attr.AllowedFrameTargets', ['_blank', '_self'] );
+
+			$purifier = new \HTMLPurifier( $config );
+			$entry['text.content'] = $purifier->purify( $content );
+
 			$id = $this->val( $entry, 'text.id', '' );
 			$type = $this->val( $entry, 'cms.lists.type', 'default' );