From 5ba84515a55cc7957bb2f94ffeb0119565cbd2bd Mon Sep 17 00:00:00 2001
From: ryuring
Date: Sun, 1 Oct 2023 12:01:54 +0900
Subject: [PATCH] =?UTF-8?q?=E3=83=96=E3=83=AD=E3=82=B0=E3=82=B3=E3=83=B3?= =?UTF-8?q?=E3=83=86=E3=83=B3=E3=83=84=E3=80=81=E3=83=A1=E3=83=BC=E3=83=AB?= =?UTF-8?q?=E3=82=B3=E3=83=B3=E3=83=86=E3=83=B3=E3=83=84=E3=81=AE=E5=87=BA?= =?UTF-8?q?=E5=8A=9B=E6=99=82=E3=80=81=E8=AA=AC=E6=98=8E=E6=96=87=E3=82=88?= =?UTF-8?q?=E3=82=8A=E3=82=B9=E3=82=AF=E3=83=AA=E3=83=97=E3=83=88=E3=82=92?= =?UTF-8?q?=E9=99=A4=E5=A4=96?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 plugins/baser-core/src/Utility/BcText.php | 39 +++++++++++++++
 .../tests/TestCase/Utility/BcTextTest.php | 48 +++++++++++++++++++
 .../bc-blog/src/View/Helper/BlogHelper.php | 3 +-
 .../bc-mail/src/View/Helper/MailHelper.php | 22 +++++----
 4 files changed, 103 insertions(+), 9 deletions(-)
 create mode 100644 plugins/baser-core/src/Utility/BcText.php
 create mode 100644 plugins/baser-core/tests/TestCase/Utility/BcTextTest.php
diff --git a/plugins/baser-core/src/Utility/BcText.php b/plugins/baser-core/src/Utility/BcText.php
new file mode 100644
index 0000000000..61fdd78682
--- /dev/null
+++ b/plugins/baser-core/src/Utility/BcText.php
@@ -0,0 +1,39 @@
+
+ * Copyright (c) NPO baser foundation
+ *
+ * @copyright Copyright (c) NPO baser foundation
+ * @link https://basercms.net baserCMS Project
+ * @since 5.0.6
+ * @license https://basercms.net/license/index.html MIT License
+ */
+
+namespace BaserCore\Utility;
+
+/**
+ * Class BcText
+ */
+class BcText
+{
+
+ /**
+ * 文字列よりスクリプトタグを除去する
+ *
+ * @param string $value
+ * @return string
+ */
+ public static function stripScriptTag($value)
+ {
+ $allows = [
+ 'a', 'abbr', 'address', 'area', 'b', 'blockquote', 'body', 'br', 'button', 'caption', 'cite', 'code',
+ 'col', 'colgroup', 'dd', 'del', 'dfn', 'div', 'dl', 'dt', 'em', 'fieldset', 'form', 'h1', 'h2', 'h3',
+ 'h4', 'h5', 'h6', 'hr', 'i', 'iframe', 'img', 'input', 'ins', 'kbd', 'label', 'legend', 'li', 'link',
+ 'map', 'meta', 'noscript', 'object', 'ol', 'optgroup', 'option', 'p', 'pre', 'q', 'samp', 'select',
+ 'small', 'span', 'strong', 'sub', 'sup', 'table', 'tbody', 'td', 'textarea', 'tfoot', 'th', 'thead',
+ 'title', 'tr', 'ul', 'var', 'style'
+ ];
+ return strip_tags($value, '<' . implode('><', $allows) . '>');
+ }
+
+}
diff --git a/plugins/baser-core/tests/TestCase/Utility/BcTextTest.php b/plugins/baser-core/tests/TestCase/Utility/BcTextTest.php
new file mode 100644
index 0000000000..fa204dfefb
--- /dev/null
+++ b/plugins/baser-core/tests/TestCase/Utility/BcTextTest.php
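Review bot: `stripScriptTag` removes only elements outside the allow-list and leaves every attribute on an allowed element untouched, so with `a`, `img`, `iframe`, `object`, `form`, `link`, `meta` and `style` allowed the result can still carry inline event-handler attributes, `javascript:` URLs and stylesheet content — the PHP manual itself warns that `strip_tags()` does not modify attributes on allowed tags, so it is a tag filter, not an HTML sanitizer, and the new `description()` calls in BlogHelper and MailHelper should not be treated as emitting safe HTML. The text inside a removed `<script>` element is also kept (the test's `hogehoge` expectation shows this), so script bodies surface as visible text. At minimum the docblock should say so, e.g. `@note Only the tags themselves are removed; attributes on allowed tags (including event handlers) and the text content of stripped elements are kept`, and if the intent is to neutralise scripts in editor-supplied descriptions the value should go through an attribute-aware HTML sanitizer instead. The signature should also be typed, `public static function stripScriptTag(?string $value): string` with `strip_tags($value ?? '', ...)`, since a null description would otherwise hit the PHP 8.1 null-to-string deprecation inside `strip_tags` (whether `getDescription()` can return null is not visible here). `strip_tags()` has accepted an array of tag names since PHP 7.4, so `strip_tags($value, $allows)` can replace the `'<' . implode('><', $allows) . '>'` join if the project's minimum PHP version permits.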
@@ -0,0 +1,48 @@
+
+ * Copyright (c) NPO baser foundation
+ *
+ * @copyright Copyright (c) NPO baser foundation
+ * @link https://basercms.net baserCMS Project
+ * @since 5.0.6
+ * @license https://basercms.net/license/index.html MIT License
+ */
+
+namespace BaserCore\Test\TestCase\Utility;
+
+use BaserCore\TestSuite\BcTestCase;
+use BaserCore\Utility\BcText;
+
+/**
+ * Class BcTextTest
+ */
+class BcTextTest extends BcTestCase
+{
+
+ /**
+ * test stripScriptTag
+ * @return void
+ * @dataProvider stripScriptTagDataProvider
+ */
+ public function testStripScriptTag($content, $expect)
+ {
+ $result = BcText::stripScriptTag($content);
+ $this->assertEquals($expect, $result, 'scriptタグを削除できません。');
+ }
+
+ public function stripScriptTagDataProvider()
+ {
+ return [
+ [
+ 'content' => '',
+ 'expect' => 'hoge'
+ ],
+ [
+ 'content' => 'hoge',
+ 'expect' => 'hogehoge'
+ ]
+ ];
+ }
+
+}
diff --git a/plugins/bc-blog/src/View/Helper/BlogHelper.php b/plugins/bc-blog/src/View/Helper/BlogHelper.php
index d77f0d749e..789a812808 100755
--- a/plugins/bc-blog/src/View/Helper/BlogHelper.php
+++ b/plugins/bc-blog/src/View/Helper/BlogHelper.php
@@ -19,6 +19,7 @@
 use BaserCore\Service\SitesService;
 use BaserCore\Service\SitesServiceInterface;
 use BaserCore\Utility\BcContainerTrait;
+use BaserCore\Utility\BcText;
 use BaserCore\Utility\BcUtil;
 use BaserCore\View\Helper\BcBaserHelper;
 use BaserCore\View\Helper\BcContentsHelper;
@@ -252,7 +253,7 @@ public function getDescription()
 */
 public function description()
 {
- echo $this->getDescription();
+ echo BcText::stripScriptTag($this->getDescription());
 }
 /**
diff --git a/plugins/bc-mail/src/View/Helper/MailHelper.php b/plugins/bc-mail/src/View/Helper/MailHelper.php
index 59c19d98c8..f17a8c0627 100755
--- a/plugins/bc-mail/src/View/Helper/MailHelper.php
+++ b/plugins/bc-mail/src/View/Helper/MailHelper.php
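Review bot: Both provider cases in `stripScriptTagDataProvider` would still pass if the allow-list were dropped entirely, because the expected values `hoge` and `hogehoge` are exactly what `strip_tags($content)` with no allowed tags returns for inputs that (as far as the `hogehoge` expectation lets one infer; the tags themselves are lost in this rendering) contain only `<script>` elements. Add a case that pins the allow-list, e.g. `['content' => '<p>hoge</p>', 'expect' => '<p>hoge</p>']`, and one that records that attributes on an allowed tag are retained, so a regression in either direction is caught rather than silently accepted. `assertSame` is the stricter choice for string results, and if the suite runs on PHPUnit 10 or newer the provider must be declared `public static`.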
@@ -12,8 +12,9 @@
 namespace BcMail\View\Helper;
 use BaserCore\Utility\BcContainerTrait;
+use BaserCore\Utility\BcText;
 use BaserCore\Utility\BcUtil;
-use BcMail\Service\MailContentsService;
+use BcMail\Model\Entity\MailContent;
 use BcMail\Service\MailContentsServiceInterface;
 use Cake\Core\Configure;
 use Cake\Event\Event;
@@ -43,6 +44,12 @@ class MailHelper extends Helper
 */
 public $helpers = ['BcBaser'];
+ /**
+ * 現在のメールコンテンツ
+ * @var MailContent
+ */
+ public $currentMailContent;
+ /**
+ * コンストラクタ
+ *
@@ -63,15 +70,15 @@ public function __construct(View $view, array $config = [])
 */
 public function setMailContent($mailContentId = null)
 {
- if (isset($this->mailContent)) {
+ if (isset($this->currentMailContent)) {
 return;
 }
 if ($mailContentId) {
 $MailContent = ClassRegistry::init('BcMail.MailContent');
 $MailContent->reduceAssociations([]);
- $this->mailContent = Hash::extract($MailContent->read(null, $mailContentId), 'MailContent');
+ $this->currentMailContent = Hash::extract($MailContent->read(null, $mailContentId), 'MailContent');
 } elseif ($this->_View->get('mailContent')) {
- $this->mailContent = $this->_View->get('mailContent');
+ $this->currentMailContent = $this->_View->get('mailContent');
 }
 }
@@ -149,7 +156,7 @@ public function getMailTemplates($siteId = 1)
 */
 public function getDescription()
 {
- return $this->mailContent['description'];
+ return $this->currentMailContent->description;
 }
 /**
@@ -159,7 +166,7 @@ public function getDescription()
 */
 public function description()
 {
- echo $this->getDescription();
+ echo BcText::stripScriptTag($this->getDescription());
 }
 /**
@@ -169,10 +176,9 @@ public function description()
 */
 public function descriptionExists()
 {
- if (empty($this->mailContent['description'])) {
+ if (empty($this->currentMailContent->description)) {
 return false;
 }
-
 return true;
 }
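Review bot: In `setMailContent` the `$mailContentId` branch still assigns `Hash::extract($MailContent->read(null, $mailContentId), 'MailContent')`, which yields an array, to `$this->currentMailContent`, while the new `@var MailContent` declaration and the rewritten `getDescription()` and `descriptionExists()` read it as an entity via `->description`; a mail content loaded by id would therefore raise "Attempt to read property on array" and `getDescription()` would return null. The `BcMail\Model\Entity\MailContent` import this commit adds suggests the entity is the intended shape, so that branch should produce the entity (`ClassRegistry`/`Hash::extract` are CakePHP 2 APIs and may be dead code in this codebase — confirm) or the property should be declared `public ?MailContent $currentMailContent = null;` so a wrong assignment fails loudly instead of at the first read. When neither branch runs, `currentMailContent` stays null and `getDescription()` reads `->description` on null (a warning, returning null), whereas `descriptionExists()` stays silent only because `empty()` suppresses it; `return $this->currentMailContent?->description;` avoids the warning, and `descriptionExists()` can collapse to `return !empty($this->currentMailContent?->description);`.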