🔃 [Magento Community Engineering] Community Contributions

Accepted Community Pull Requests:
 - #27371: [Admin] Do not allow HTML tags for the Product Attribute labels on save (by @vasilii-b)

Author: magento-engcom-team

app/code/Magento/Catalog/Test/Mftf/ActionGroup/AdminFillProductAttributeDefaultStoreViewActionGroup.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ /**
+  * Copyright © Magento, Inc. All rights reserved.
+  * See COPYING.txt for license details.
+  */
+-->
+<actionGroups xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+              xsi:noNamespaceSchemaLocation="urn:magento:mftf:Test/etc/actionGroupSchema.xsd">
+    <actionGroup name="AdminFillProductAttributeDefaultStoreViewActionGroup">
+        <arguments>
+            <argument name="value" type="string"/>
+        </arguments>
+        <fillField selector="{{AdminProductAttributeManageLabelsSection.DefaultStoreLabel}}" userInput="{{value}}" stepKey="fillDefaultStoreViewLabel"/>
+    </actionGroup>
+</actionGroups>

app/code/Magento/Catalog/Test/Mftf/ActionGroup/AdminNavigateToNewProductAttributePageActionGroup.xml

@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ /**
+  * Copyright © Magento, Inc. All rights reserved.
+  * See COPYING.txt for license details.
+  */
+-->
+
+<actionGroups xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+              xsi:noNamespaceSchemaLocation="urn:magento:mftf:Test/etc/actionGroupSchema.xsd">
+    <actionGroup name="AdminNavigateToNewProductAttributePageActionGroup">
+        <annotations>
+            <description>Go to the create new product attribute page</description>
+        </annotations>
+
+        <amOnPage url="{{ProductAttributePage.url}}" stepKey="goToNewProductAttributePage"/>
+        <waitForPageLoad stepKey="waitForAttributePageLoad"/>
+    </actionGroup>
+</actionGroups>

app/code/Magento/Catalog/Test/Mftf/ActionGroup/AdminProductAttributePageSwitchTabActionGroup.xml

@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ /**
+  * Copyright © Magento, Inc. All rights reserved.
+  * See COPYING.txt for license details.
+  */
+-->
+
+<actionGroups xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+              xsi:noNamespaceSchemaLocation="urn:magento:mftf:Test/etc/actionGroupSchema.xsd">
+    <actionGroup name="AdminProductAttributePageSwitchTabActionGroup">
+        <annotations>
+            <description>Switches the active tab on the Product Attribute New/Edit Page</description>
+        </annotations>
+        <arguments>
+            <argument name="tabName" type="string"/>
+        </arguments>
+
+        <click selector="{{AdminEditProductAttributesSection.tabButton(tabName)}}" stepKey="changeProductAttributeActiveTab"/>
+    </actionGroup>
+</actionGroups>

app/code/Magento/Catalog/Test/Mftf/ActionGroup/AdminSaveProductAttributeActionGroup.xml

@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ /**
+  * Copyright © Magento, Inc. All rights reserved.
+  * See COPYING.txt for license details.
+  */
+-->
+
+<actionGroups xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+              xsi:noNamespaceSchemaLocation="urn:magento:mftf:Test/etc/actionGroupSchema.xsd">
+    <actionGroup name="AdminSaveProductAttributeActionGroup">
+        <annotations>
+            <description>Clicks on Save button to save the attribute.</description>
+        </annotations>
+
+        <waitForElementVisible selector="{{AttributePropertiesSection.Save}}" stepKey="waitForSaveButton"/>
+        <click selector="{{AttributePropertiesSection.Save}}" stepKey="clickSaveButton"/>
+        <waitForPageLoad stepKey="waitForAttributeToSave"/>
+    </actionGroup>
+</actionGroups>

app/code/Magento/Catalog/Test/Mftf/ActionGroup/AssertSeeProductAttributeValidationErrorOnManageLabelsTabActionGroup.xml

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ /**
+  * Copyright © Magento, Inc. All rights reserved.
+  * See COPYING.txt for license details.
+  */
+-->
+
+<actionGroups xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+              xsi:noNamespaceSchemaLocation="urn:magento:mftf:Test/etc/actionGroupSchema.xsd">
+    <actionGroup name="AssertSeeProductAttributeValidationErrorOnManageLabelsTabActionGroup">
+        <annotations>
+            <description>Check whenever the validation error is present for the product attribute in the "Manage Labels" Tab</description>
+        </annotations>
+
+        <arguments>
+            <argument name="message" type="string"/>
+        </arguments>
+
+        <see userInput="{{message}}" selector="{{AdminProductAttributeManageLabelsSection.attributeStoreLabelValidationError}}" stepKey="seeValidationMessage"/>
+    </actionGroup>
+</actionGroups>

app/code/Magento/Catalog/Test/Mftf/ActionGroup/AssertSeeProductAttributeValidationErrorOnPropertiesTabActionGroup.xml

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ /**
+  * Copyright © Magento, Inc. All rights reserved.
+  * See COPYING.txt for license details.
+  */
+-->
+
+<actionGroups xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+              xsi:noNamespaceSchemaLocation="urn:magento:mftf:Test/etc/actionGroupSchema.xsd">
+    <actionGroup name="AssertSeeProductAttributeValidationErrorOnPropertiesTabActionGroup">
+        <annotations>
+            <description>Check whenever the validation error is present for the product attribute in the "Properties" Tab</description>
+        </annotations>
+
+        <arguments>
+            <argument name="message" type="string"/>
+        </arguments>
+
+        <see userInput="{{message}}" selector="{{AttributePropertiesSection.attributeLabelValidationError}}" stepKey="seeValidationMessage"/>
+    </actionGroup>
+</actionGroups>

app/code/Magento/Catalog/Test/Mftf/Data/ProductAttributeData.xml

@@ -402,6 +402,11 @@
         <data key="frontend_label">Size</data>
         <data key="attribute_code" unique="suffix">size_attr</data>
     </entity>
+    <entity name="productAttributeWithHtmlTagsInLabel" extends="newProductAttribute" type="ProductAttribute">
+        <data key="default_label" unique="suffix">Attribute Default label &lt;span&gt;</data>
+        <data key="default_store_label" unique="suffix">Attribute Store label &lt;span&gt; </data>
+        <data key="frontend_input">text</data>
+    </entity>
     <!-- Product attribute from file "export_import_configurable_product.csv" -->
     <entity name="ProductAttributeWithTwoOptionsForExportImport" extends="productAttributeDropdownTwoOptions" type="ProductAttribute">
         <data key="attribute_code">attribute</data>

app/code/Magento/Catalog/Test/Mftf/Page/AdminProductAttributeFormPage.xml

@@ -9,5 +9,6 @@
         xsi:noNamespaceSchemaLocation="urn:magento:mftf:Page/etc/PageObject.xsd">
     <page name="ProductAttributePage" url="catalog/product_attribute/new/" area="admin" module="Catalog">
         <section name="AdminCreateProductAttributeSection"/>
+        <section name="AdminProductAttributeManageLabelsSection"/>
     </page>
 </pages>

app/code/Magento/Catalog/Test/Mftf/Section/AdminCreateProductAttributeSection/AttributePropertiesSection.xml

@@ -29,5 +29,6 @@
         <element name="dropdownNthOptionAdmin" type="textarea" selector="tbody[data-role='options-container'] tr:nth-child({{var}}) td:nth-child(3) input" parameterized="true"/>
         <element name="dropdownNthOptionDefaultStoreView" type="textarea" selector="tbody[data-role='options-container'] tr:nth-child({{var}}) td:nth-child(4) input" parameterized="true"/>
         <element name="dropdownNthOptionDelete" type="button" selector="tbody[data-role='options-container'] tr:nth-child({{var}}) button[title='Delete']" parameterized="true"/>
+        <element name="attributeLabelValidationError" type="text" selector=".field-attribute_label .mage-error"/>
     </section>
 </sections>

app/code/Magento/Catalog/Test/Mftf/Section/AdminEditProductAttributesSection.xml

@@ -22,5 +22,6 @@
         <element name="ProductDataMayBeLostConfirmButton" type="button" selector="//aside[contains(@class,'_show')]//button[.='Change Input Type']"/>
         <element name="defaultLabel" type="text" selector="//td[contains(text(), '{{attributeName}}')]/following-sibling::td[contains(@class, 'col-frontend_label')]" parameterized="true"/>
         <element name="formByStoreId" type="block" selector="//form[contains(@action,'store/{{store_id}}')]" parameterized="true"/>
+        <element name="tabButton" type="text" selector="#product_attribute_tabs a[title='{{tabName}}']" parameterized="true"/>
     </section>
 </sections>

app/code/Magento/Catalog/Test/Mftf/Section/AdminProductAttributeManageLabelsSection.xml

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ /**
+  * Copyright © Magento, Inc. All rights reserved.
+  * See COPYING.txt for license details.
+  */
+-->
+
+<sections xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:noNamespaceSchemaLocation="urn:magento:mftf:Page/etc/SectionObject.xsd">
+    <section name="AdminProductAttributeManageLabelsSection">
+        <element name="DefaultStoreLabel" type="input" selector="#attribute-labels-table [name='frontend_label[1]']"/>
+        <element name="attributeStoreLabelValidationError" type="text" selector="#attribute-labels-table .mage-error"/>
+    </section>
+</sections>

app/code/Magento/Catalog/Test/Mftf/Test/AdminProductAttributeLabelDontAllowHtmlTagsTest.xml

@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ /**
+  * Copyright © Magento, Inc. All rights reserved.
+  * See COPYING.txt for license details.
+  */
+-->
+
+<tests xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:noNamespaceSchemaLocation="urn:magento:mftf:Test/etc/testSchema.xsd">
+    <test name="AdminProductAttributeLabelDontAllowHtmlTagsTest">
+        <annotations>
+            <features value="Catalog"/>
+            <stories value="Product Attribute label must not contain HTML tags"/>
+            <title value="Product Attribute label musts not contain HTML tags"/>
+            <description value="Test whenever HTML tags are allowed for a product attribute label"/>
+            <severity value="CRITICAL"/>
+            <group value="catalog"/>
+        </annotations>
+        <before>
+            <actionGroup ref="AdminLoginActionGroup" stepKey="loginAsAdmin"/>
+        </before>
+        <after>
+            <actionGroup ref="AdminLogoutActionGroup" stepKey="logoutAdmin"/>
+        </after>
+
+        <actionGroup ref="AdminNavigateToNewProductAttributePageActionGroup" stepKey="openProductAttributePage"/>
+
+        <actionGroup ref="AdminFillProductAttributePropertiesActionGroup" stepKey="fillAttributeDefaultLabel">
+            <argument name="attributeName" value="{{productAttributeWithHtmlTagsInLabel.default_label}}"/>
+            <argument name="attributeType" value="{{productAttributeWithHtmlTagsInLabel.frontend_input}}" />
+        </actionGroup>
+
+        <actionGroup ref="AdminProductAttributePageSwitchTabActionGroup" stepKey="makeManageLabelsTabActive">
+            <argument name="tabName" value="Manage Labels"/>
+        </actionGroup>
+
+        <actionGroup ref="AdminFillProductAttributeDefaultStoreViewActionGroup" stepKey="fillAttributeDefaultStoreViewLabel">
+            <argument name="value" value="{{productAttributeWithHtmlTagsInLabel.default_store_label}}"/>
+        </actionGroup>
+
+        <actionGroup ref="AdminSaveProductAttributeActionGroup" stepKey="saveAttribute"/>
+
+        <actionGroup ref="AssertSeeProductAttributeValidationErrorOnManageLabelsTabActionGroup" stepKey="validateAttributeStoreViewLabelForHtmlTags">
+            <argument name="message" value="HTML tags are not allowed"/>
+        </actionGroup>
+
+        <actionGroup ref="AdminProductAttributePageSwitchTabActionGroup" stepKey="makePropertiesTabActive">
+            <argument name="tabName" value="Properties"/>
+        </actionGroup>
+
+        <actionGroup ref="AssertSeeProductAttributeValidationErrorOnPropertiesTabActionGroup" stepKey="validateAttributeLabelForHtmlTags">
+            <argument name="message" value="HTML tags are not allowed"/>
+        </actionGroup>
+    </test>
+</tests>

app/code/Magento/Catalog/view/adminhtml/templates/catalog/product/attribute/labels.phtml

@@ -19,21 +19,23 @@
                 <table class="admin__control-table" id="attribute-labels-table">
                     <thead>
                     <tr>
-                        <?php foreach ($block->getStores() as $_store) :?>
+                        <?php foreach ($block->getStores() as $_store): ?>
                             <th class="col-store-view"><?= $block->escapeHtml($_store->getName()) ?></th>
                         <?php endforeach; ?>
                     </tr>
                     </thead>
                     <tbody>
                     <tr>
                         <?php $_labels = $block->getLabelValues() ?>
-                        <?php foreach ($block->getStores() as $_store) :?>
+                        <?php foreach ($block->getStores() as $_store): ?>
                             <td class="col-store-view">
-                                <input class="input-text<?php if ($_store->getId() == \Magento\Store\Model\Store::DEFAULT_STORE_ID) :?> required-option<?php endif; ?>"
+                                <?php $isRequired = $_store->getId() == \Magento\Store\Model\Store::DEFAULT_STORE_ID; ?>
+                                <?php $isRequiredClass = $isRequired ? 'required-option' : ''; ?>
+                                <input class="input-text validate-no-html-tags <?= /* @noEscape */ $isRequiredClass ?>"
                                        type="text"
                                        name="frontend_label[<?= $block->escapeHtmlAttr($_store->getId()) ?>]"
                                        value="<?= $block->escapeHtmlAttr($_labels[$_store->getId()]) ?>"
-                                    <?php if ($block->getReadOnly()) :?>
+                                    <?php if ($block->getReadOnly()): ?>
                                         disabled="disabled"
                                     <?php endif;?>/>
                             </td>

app/code/Magento/Catalog/view/adminhtml/ui_component/product_attribute_add_form.xml

@@ -63,6 +63,7 @@
                 <required>true</required>
                 <validation>
                     <rule name="required-entry" xsi:type="boolean">true</rule>
+                    <rule name="validate-no-html-tags" xsi:type="boolean">true</rule>
                 </validation>
                 <dataType>string</dataType>
                 <label translate="true">Attribute Label</label>

app/code/Magento/Eav/Block/Adminhtml/Attribute/Edit/Main/AbstractMain.php

@@ -130,7 +130,8 @@ protected function _prepareForm()
                 'label' => __('Default Label'),
                 'title' => __('Default label'),
                 'required' => true,
-                'value' => is_array($labels) ? $labels[0] : $labels
+                'value' => is_array($labels) ? $labels[0] : $labels,
+                'class' => 'validate-no-html-tags',
             ]
         );
 
@@ -282,7 +283,8 @@ protected function _initFormValues()
      * Adding js block to the end of this block
      *
      * @param string $html
-     * @return  string
+     *
+     * @return string
      */
     protected function _afterToHtml($html)
     {