From 581fd67d2c18d578ea51381695ef5ff065cb3b3f Mon Sep 17 00:00:00 2001
From: Kentaro Ohkouchi
Date: Fri, 8 Jul 2022 16:24:47 +0900
Subject: [PATCH] =?UTF-8?q?=E3=83=95=E3=83=AA=E3=83=BC=E3=82=A8=E3=83=AA?= =?UTF-8?q?=E3=82=A2=E3=81=AEpurify=E6=BC=8F=E3=82=8C=E3=82=92=E4=BF=AE?= =?UTF-8?q?=E6=AD=A3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../template/default/Product/detail.twig | 2 +-
 .../Tests/Web/ProductControllerTest.php | 44 +++++++++++++++++++
 2 files changed, 45 insertions(+), 1 deletion(-)
diff --git a/src/Eccube/Resource/template/default/Product/detail.twig b/src/Eccube/Resource/template/default/Product/detail.twig
index 02506be2e47..5504694a759 100755
--- a/src/Eccube/Resource/template/default/Product/detail.twig
+++ b/src/Eccube/Resource/template/default/Product/detail.twig
@@ -405,7 +405,7 @@ file that was distributed with this source code.
 {% if Product.freearea %}
- {{ include(template_from_string(Product.freearea)) }}
+ {{ include(template_from_string(Product.freearea|purify)) }}
{% endif %}
diff --git a/tests/Eccube/Tests/Web/ProductControllerTest.php b/tests/Eccube/Tests/Web/ProductControllerTest.php
index a146acd15f6..cc7c85971a7 100644
--- a/tests/Eccube/Tests/Web/ProductControllerTest.php
+++ b/tests/Eccube/Tests/Web/ProductControllerTest.php
@@ -467,4 +467,48 @@ public function testFeaturedNewsXSSAttackPreventionDetailPage()
 $this->assertStringNotContainsString("", $testNewsArea->outerHtml());
 }
+ /**
+ * 商品詳細画面(フリーエリア)で
+ * 危険なXSS htmlインジェクションが削除されたことを確認するテスト
+ * 下記のものをチェックします。
+ * ・ ID属性の追加
+ * ・ + safe html + ");
+ $this->entityManager->flush();
+
+ // 1つの新着情報を保存した後にホームページにアクセスする。
+ // Request Homepage after saving a single news item
+ $crawler = $this->client->request('GET', $this->generateUrl('product_detail', ['id' => $Product->getId()], UrlGeneratorInterface::ABSOLUTE_URL));
+ $this->assertEquals(200, $this->client->getResponse()->getStatusCode());
+
+ //
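Review bot: The `purify` filter on the new line sanitises the stored free-area string before `template_from_string` compiles it, so it covers the template source rather than what the template renders: Twig tags and expressions that remain in `Product.freearea` are still compiled and evaluated with this page's context, and whatever they emit at render time does not pass through the purifier again. If the free area is meant to be plain HTML, rendering the purified string directly, `{{ Product.freearea|purify|raw }}`, would make the sanitisation cover everything that reaches the page; if Twig evaluation of the free area is intentional, a short comment on this line noting that `purify` addresses the stored HTML/script content and that the admin-side write path to `freearea` stays the trust boundary would help the next reader. The rest of the hunk's context lines are not visible here, so the autoescaping applied to the inlined template is inferred, not verified.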
タグから危険なid属性が削除されていることを確認する。
+ // Find that dangerous id attributes are removed from
tags.
+ $testNewsArea_notFoundTest = $crawler->filter('#dangerous-id');
+ $this->assertEquals(0, $testNewsArea_notFoundTest->count());
+
+ // 安全なclass属性が出力されているかどうかを確認する。
+ // Find if classes (which are safe) have been outputted
+ $testNewsArea = $crawler->filter('.safe_to_use_class');
+ $this->assertEquals(1, $testNewsArea->count());
+
+ // 安全なHTMLが存在するかどうかを確認する
+ // Find if the safe HTML exists
+ $this->assertStringContainsString('

商品説明分テスト#1

', $testNewsArea->outerHtml());
+ $this->assertStringContainsString('safe html', $testNewsArea->outerHtml());
+
+ // 安全でないスクリプトが存在しないかどうかを確認する
+ // Find if the unsafe script does not exist
+ $this->assertStringNotContainsString("", $testNewsArea->outerHtml());
+ }
 }
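Review bot: The new test still carries the wording of the featured-news test it was modelled on: the comment before the request reads `// Request Homepage after saving a single news item` (with its Japanese twin) although the request goes to `product_detail`, and the crawler results are held in `$testNewsArea` and `$testNewsArea_notFoundTest`; rewording it to `// Request the product detail page after saving the free area` and renaming the variables to something like `$freeArea` / `$freeAreaDangerousId` would stop a reader from assuming the news area is under test. The negative assertion on the script is scoped to `$testNewsArea->outerHtml()`, i.e. the `.safe_to_use_class` element only; repeating it against `$this->client->getResponse()->getContent()` would pin that no script survives anywhere in the rendered page, which is the property the `|purify` change is meant to give. The setup between the docblock and `flush()` is not legible on this page, so the exact free-area fixture is inferred.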