Merge branch 'rel-11_0' into rel-11_1

RotherOSS · Jan 23, 2025 · 3ae2291 · 3ae2291
2 parents 7374a64 + fe5fc8c
commit 3ae2291
Show file tree

Hide file tree

Showing 4 changed files with 62 additions and 14 deletions.
diff --git a/Kernel/System/HTMLUtils.pm b/Kernel/System/HTMLUtils.pm
@@ -1278,7 +1278,7 @@ sub Safety {
         ],
     );
 
-    # for some reason stype and script are not handled by new()
+    # for some reason the tags 'style' and 'script' are not handled by new()
     $Scrubber->style(1);                                  # style tags should not be filtered by HTML::Parser
     $Scrubber->script( $Param{NoJavaScript} ? 0 : 1 );    # let HTML::Parser filter script tags
 

diff --git a/Kernel/cpan-lib/HTML/Scrubber.pm b/Kernel/cpan-lib/HTML/Scrubber.pm
@@ -126,6 +126,7 @@ sub new {
         _style             => 0,
         _preempt           => 0,
         _ignore_empty_end  => 0,
+        _last_start_tag    => '',
     };
 
     $p->{"\0_s"} = bless $self, $package;
@@ -495,6 +496,10 @@ sub _scrub_str {
     my $outstr = '';
 
     if ( $e eq 'start' ) {
+
+        # remember the last start tag in order to allow special handling based on the current tag
+        $s->{_last_start_tag} = $t;
+
         if ( exists $s->{_rules}->{$t} )    # is there a specific rule
         {
             if ( ref $s->{_rules}->{$t} )    # is it complicated?(not simple;)
@@ -547,8 +552,14 @@ sub _scrub_str {
         $outstr .= $text if $s->{_process};
     }
     elsif ( $e eq 'text' or $e eq 'default' ) {
-        $text =~ s/</&lt;/g;    #https://rt.cpan.org/Public/Ticket/Attachment/83958/10332/scrubber.patch
-        $text =~ s/>/&gt;/g;
+        # See  https://rt.cpan.org/Public/Bug/Display.html?id=2991
+        $text =~ s/</&lt;/g;
+
+        # In style tags we want to preserve the unencoded '>'.
+        # Replacing '>' with '&gt:' breaks CSS which uses the child compbinator
+        if ( $s->{_last_start_tag} ne 'style' ) {
+            $text =~ s/>/&gt;/g;    # see https://rt.cpan.org/Public/Bug/Display.html?id=2991
+        }
 
         $outstr .= $text;
     }

diff --git a/bin/otobo.CheckModules.pl b/bin/otobo.CheckModules.pl
@@ -1400,7 +1400,8 @@ =head1 DESCRIPTION
     if ($DoPrintAllModules) {
         MODULE:
         for my $Module (@NeededModules) {
-            next MODULE if !$Module->{Features};
+            next MODULE unless $Module->{Features};
+
             for my $Feature ( @{ $Module->{Features} } ) {
                 $Features{$Feature}++;
             }
@@ -1481,7 +1482,7 @@ =head1 DESCRIPTION
 sub Check {
     my ( $Module, $Depends, $NoColors ) = @_;
 
-    print "  " x ( $Depends + 1 );
+    print '  ' x ( $Depends + 1 );
     print "o $Module->{Module}";
     my $Length = 33 - ( length( $Module->{Module} ) + ( $Depends * 2 ) );
     print '.' x $Length;
@@ -1520,17 +1521,23 @@ sub Check {
             }
         }
 
-        if ( $Module->{VersionRequired} ) {
+        # There might be a version requirement
+        my $VersionRequired = $ENV{OTOBO_RUNS_UNDER_DOCKER}
+            ?
+            ( $Module->{DockerVersionRequired} // $Module->{VersionRequired} )
+            :
+            $Module->{VersionRequired};
+        if ($VersionRequired) {
 
             # Check the required version range.
             # The version range is given in META.json, or cpanfile, style.
             # E.g. '4.0, != 4.043, < 5.000'
             my $Requirements = CPAN::Meta::Requirements->new;
-            $Requirements->add_string_requirement( $Module->{Module} => $Module->{VersionRequired} );
+            $Requirements->add_string_requirement( $Module->{Module} => $VersionRequired );
             my $IsAccepted = $Requirements->accepts_module( $Module->{Module} => $Version );
 
             if ( !$IsAccepted ) {
-                $ErrorMessage .= "Version $Version installed but $Module->{VersionRequired} is required! ";
+                $ErrorMessage .= "Version $Version installed but $VersionRequired is required! ";
                 if ( $Module->{VersionComments} ) {
                     $ErrorMessage .= join "\n", '', $Module->{VersionComments}->@*;
                 }

diff --git a/scripts/test/HTMLUtils/Safety.t b/scripts/test/HTMLUtils/Safety.t
@@ -26,6 +26,7 @@ use Test2::V0;
 
 # OTOBO modules
 use Kernel::System::UnitTest::RegisterOM;    # set up $Kernel::OM
+use Kernel::System::UnitTest::Diff qw(TextEqOrDiff);
 
 # get HTMLUtils object
 my $HTMLUtilsObject = $Kernel::OM->Get('Kernel::System::HTMLUtils');
@@ -662,17 +663,17 @@ END_INPUT
         Result => {
             Output => <<'END_OUTPUT',
 <style type="    text/css">
-div &gt; span {
+div > span {
     width: 200px;
 }
 </style>
 <style type=" text/CSS ">
-div &gt; span {
+div > span {
     width: expression( FormerlyEvilJS() );
 }
 </style>
 <style type="text/css">
-div &gt; span &gt; div {
+div > span > div {
     width: 200px;
 }
 </style>
@@ -933,7 +934,7 @@ for my $Test (@TestsWithDefaultConfig) {
         else {
             ok( !$Result{Replace}, 'not replaced', );
         }
-        is( $Result{String}, $Test->{Result}->{Output}, 'output' );
+        TextEqOrDiff( $Result{String}, $Test->{Result}->{Output}, 'output' );
     };
 }
 
@@ -1166,7 +1167,7 @@ You should be able to continue reading these lessons, however.
         Line => __LINE__,
     },
     {
-        Name   => 'stype with remote background image protocol-relative URL, NoExtSrcLoad',
+        Name   => 'style with remote background image protocol-relative URL, NoExtSrcLoad',
         Input  => '<a href="localhost" style="background-image:url(//localhost:8000/css-background)">localhost</a>',
         Config => {
             NoExtSrcLoad => 1,
@@ -1334,7 +1335,7 @@ for my $Test (@TestsWithExplicitConfig) {
         else {
             ok( !$Result{Replace}, 'not replaced', );
         }
-        is( $Result{String}, $Test->{Result}->{Output}, 'output' );
+        TextEqOrDiff( $Result{String}, $Test->{Result}->{Output}, 'output' );
     };
 }
 
@@ -1438,4 +1439,33 @@ for my $Test (@TestsWithSpecialChars) {
     };
 }
 
+# A test case where the child combinator is used in CSS
+{
+    my $String = <<'END_HTML';
+<html>
+<head>
+  <title>A Meaningful Page Title</title>
+  <style>
+    div > p {
+        background-color: gold;
+        border: 1px solid gray;
+    }
+  </style>
+</head>
+<body>
+  <div><p>gold</p</div>
+  <pre>greater: ></pre>
+<body>
+</html>
+END_HTML
+    my %Result = $HTMLUtilsObject->Safety(
+        String => $String,
+    );
+
+    # all '>' in text content, except style, are replaced by '&gt;'
+    my $ExpectedScrubbedString = $String =~ s/greater: >/greater: &gt;/r;
+
+    TextEqOrDiff( $Result{String}, $ExpectedScrubbedString, 'greater sign encoded' );
+}
+
 done_testing;