Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Admin] Do not allow HTML tags for the Product Attribute labels on save #27371

Merged
merged 11 commits into from
Mar 29, 2020
Merged

[Admin] Do not allow HTML tags for the Product Attribute labels on save #27371

merged 11 commits into from
Mar 29, 2020

Conversation

vasilii-b
Copy link

Description (*)

This PR adds changes to prevent the store owner to create product attributes which labels contain HTML tags.

HTML tags can be added to the following fields:

  • Attribute Default Label
  • Manage Labels Tab - attribute labels for each store separately

ℹ️ It doesn't make sense to allow HTML tags since those are escaped at the view level.
E.g.

magento2/app/code/Magento/LayeredNavigation/view/frontend/templates/layer/view.phtml

Line 37 in ac3eb00

<dt role="heading" aria-level="3" class="filter-options-title"><?= $block->escapeHtml(__($filter->getName())) ?></dt>

Desired result

At the moment the store owner tries to save the attribute, the labels validation must happen and error messages shown to the user that HTML tags are not allowed.

Related Pull Requests

N/A

Fixed Issues (if relevant)

N/A

Manual testing scenarios (*)

Without the fix

  1. Log in in the admin area
  2. Go to Stores -> Attributes -> Products
  3. Open an attribute to edit or create a new one
  4. In the "Default label" wite some HTML tags. E.g <span>
  5. In the Manage Labels Tab add the same HTML tag as above in the "Default Store View" field.
  6. Press the "Save attribute" or "Save and Continue Edit" button
  7. See the product has been saved without any warning

Product Attribute can be saved with HTML tags in label
admin-area-attribute-label-with-html-tags
admin-area-attribute-label-with-html-tags-2

With the fix

  1. Log in in the admin area
  2. Go to Stores -> Attributes -> Products
  3. Open an attribute to edit or create a new one
  4. In the "Default label" wite some HTML tags. E.g <span>
  5. In the Manage Labels Tab add the same HTML tag as above in the "Default Store View" field.
  6. Press the "Save attribute" or "Save and Continue Edit" button
  7. See the product has NOT been saved and there are warnings

Desired result: Product Attribute cannot be saved with HTML tags in the label name

Questions or comments

MFTF tests are on the way

Contribution checklist (*)

  • Pull request has a meaningful description of its purpose
  • All commits are accompanied by meaningful commit messages
  • All new or changed code is covered with unit/integration tests (if applicable)
  • All automated tests passed successfully (all builds are green)

@magento-engcom-team magento-engcom-team added Area: Frontend Component: Catalog Component: Eav Release Line: 2.4 Partner: Atwix Pull Request is created by partner Atwix partners-contribution Pull Request is created by Magento Partner labels Mar 20, 2020
@eduard13 eduard13 self-assigned this Mar 20, 2020
eduard13
eduard13 requested changes Mar 20, 2020
View reviewed changes
Copy link
Contributor

@eduard13 eduard13 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @vasilii-b, thank you for your contribution, could you please cover the following improvement by an MFTF test and fix the failing Static Tests?

Thank you.

@vasilii-b
Copy link
Author

Hi @eduard13,
I've added the MFTF test and the fixes for the failed static checks. Waiting now for the next round of tests to finish.
Thank you!

eduard13
eduard13 requested changes Mar 21, 2020
View reviewed changes
Copy link
Contributor

@eduard13 eduard13 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @vasilii-b, thank you for the MFTF coverage, please check the bellow comments. Feel free to reach me if any questions arise.
Thank you.

...Magento/Catalog/Test/Mftf/ActionGroup/SaveProductAttributeWithHtmlTagsInLabelActionGroup.xml Outdated

<actionGroups xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="urn:magento:mftf:Test/etc/actionGroupSchema.xsd">
<actionGroup name="SaveProductAttributeWithHtmlTagsInLabelActionGroup">
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you please split this Action group into 2 separated ones, trying to make Action Groups a much atomic as possible?

  1. AdminSaveProductAttributeActionGroup - so it may be used later in other validation scopes
  2. AssertSeeProductAttributeValidationErrorActionGroup - will validate the presence of the error.

Please check the Best Practices.

app/code/Magento/Catalog/Test/Mftf/Test/AdminProductAttributeLabelDontAllowHtmlTagsTest.xml Outdated
Comment on lines 30 to 31
<actionGroup ref="AdminOpenProductAttributePageActionGroup" stepKey="openProductAttributePage"/>
<click selector="{{AdminProductAttributeGridSection.createNewAttributeBtn}}" stepKey="createNewAttribute"/>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest replacing these steps by a separate ActionGroup, that will navigate to NewProductAttributePage.
AdminNavigateToNewProductAttributePageActionGroup, using this page URL ProductAttributePage.

app/code/Magento/Catalog/Test/Mftf/Section/AdminCreateProductAttributeSection.xml Outdated
@@ -50,6 +50,11 @@
<element name="StorefrontPropertiesSectionToggle" type="button" selector="#front_fieldset-wrapper"/>
<element name="visibleOnCatalogPagesOnStorefront" type="select" selector="#is_visible_on_front"/>
</section>
<section name="ManageLabelsSection">
<element name="PageTitle" type="text" selector="//span[text()='Manage Titles (Size, Color, etc.)']" />
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this element is unnecessary as far as we don't use it.

app/code/Magento/Catalog/Test/Mftf/Section/AdminCreateProductAttributeSection.xml Outdated
@@ -50,6 +50,11 @@
<element name="StorefrontPropertiesSectionToggle" type="button" selector="#front_fieldset-wrapper"/>
<element name="visibleOnCatalogPagesOnStorefront" type="select" selector="#is_visible_on_front"/>
</section>
<section name="ManageLabelsSection">
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you please create a separate Section file, and include it in ProductAttributePage page?

app/code/Magento/Catalog/Test/Mftf/Test/AdminProductAttributeLabelDontAllowHtmlTagsTest.xml Outdated
</annotations>
<before>
<!-- Login as admin -->
<actionGroup ref="LoginAsAdmin" stepKey="loginAsAdmin"/>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LoginAsAdmin is deprecated, please use AdminLoginActionGroup instead.

app/code/Magento/Catalog/Test/Mftf/Test/AdminProductAttributeLabelDontAllowHtmlTagsTest.xml Outdated
<actionGroup ref="AdminLogoutActionGroup" stepKey="logout"/>
</after>

<!-- Go to Stores > Attributes > Product , click "Add New Attribute" -->
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The comments are unnecessary, as the stepKeys should be self explanatory.

Vasilii Burlacu added 2 commits March 22, 2020 10:42
@vasilii-b
Copy link
Author

Thank you very much for the feedback and the suggestions, @eduard13!
The MFTF tests have been updated ✅

@eduard13
Copy link
Contributor

@magento give me test instance

@magento-engcom-team
Copy link
Contributor

Hi @eduard13. Thank you for your request. I'm working on Magento instance for you

@magento-engcom-team
Copy link
Contributor

Hi @eduard13, here is your new Magento instance.
Admin access: https://pr-27371.instances.magento-community.engineering/admin_fc49
Login: 680e91f3 Password: fa15dd10e1f7
Instance will be terminated in up to 3 hours.

eduard13
eduard13 previously approved these changes Mar 23, 2020
View reviewed changes
Copy link
Contributor

@eduard13 eduard13 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the adjustments.
The failing tests aren't related to these changes/

@ghost ghost added the Progress: accept label Mar 26, 2020
slavvka
slavvka requested changes Mar 27, 2020
View reviewed changes
Copy link
Member

@slavvka slavvka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please resolve the conflict before proceeding with it

@ghost ghost assigned slavvka Mar 27, 2020
@ghost ghost dismissed eduard13’s stale review March 27, 2020 21:38

Pull Request state was updated. Re-review required.

merge remote tracking origin/2.4-develop into admin-area-product-attr…
8cdcbbd 
…ibute-can-save-with-html-tags-in-labels

# Conflicts
# app/code/Magento/Catalog/Test/Mftf/Section/AdminCreateProductAttributeSection.xml
@vasilii-b vasilii-b requested a review from eduard13 March 28, 2020 10:35
eduard13
eduard13 approved these changes Mar 28, 2020
View reviewed changes
Copy link
Contributor

@eduard13 eduard13 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @vasilii-b.

@magento-engcom-team
Copy link
Contributor

Hi @eduard13, thank you for the review.
ENGCOM-7185 has been created to process this Pull Request

@slavvka
Copy link
Member

slavvka commented Mar 28, 2020

@magento run Functional Tests CE, Functional Tests EE, Functional Tests B2B

@magento-engcom-team
Copy link
Contributor

Hi @slavvka, thank you for the review.
ENGCOM-7185 has been created to process this Pull Request

magento-engcom-team pushed a commit that referenced this pull request Mar 29, 2020
@slavvka
ENGCOM-7185: [Admin] Do not allow HTML tags for the Product Attribute…
4f8da50 
… labels on save #27371
@magento-engcom-team magento-engcom-team merged commit e9994f8 into magento:2.4-develop Mar 29, 2020
@m2-assistant
Copy link

m2-assistant bot commented Mar 29, 2020

Hi @vasilii-b, thank you for your contribution!
Please, complete Contribution Survey, it will take less than a minute.
Your feedback will help us to improve contribution process.

@vasilii-b vasilii-b deleted the admin-area-product-attribute-can-save-with-html-tags-in-labels branch March 29, 2020 11:01
@m2-assistant m2-assistant bot mentioned this pull request Aug 17, 2020
Closed
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eduard13 eduard13 eduard13 approved these changes

@slavvka slavvka slavvka approved these changes

Assignees

@slavvka slavvka

@eduard13 eduard13

@engcom-Alfa engcom-Alfa

@engcom-Echo engcom-Echo

Labels
Area: Frontend Auto-Tests: Covered All changes in Pull Request is covered by auto-tests Award: MFTF test coverage Component: Catalog Component: Eav Partner: Atwix Pull Request is created by partner Atwix partners-contribution Pull Request is created by Magento Partner Progress: accept Release Line: 2.4
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@vasilii-b @eduard13 @magento-engcom-team @engcom-Alfa @engcom-Echo @slavvka