Issue #2971692 by claudiu.cristea, jphelan, opdavies, Abdelrahman Amer,...

Issue #2971692 by claudiu.cristea, jphelan, opdavies, Abdelrahman Amer, sagesolutions, zaryab_drupal, zenimagine, jaypan, alternativo, herved, dxvargas, hoporr: Email notifications contain HTML tags

Issue #2971692 by claudiu.cristea, jphelan, opdavies, Abdelrahman Amer,...
c496aa62 · Claudiu Cristea · 24cc476d · c496aa62 · c496aa62 · c496aa62
Commit c496aa62 authored 3 months ago by Claudiu Cristea
--- a/.cspell-project-words.txt
+++ b/.cspell-project-words.txt
@@ -6,6 +6,7 @@ privatemessagenotification

 # Third-party technologies
 Blackfire
+mailsystem
 xhprof

 # Contributor names and usernames
@@ -27,3 +28,6 @@ edutrul
 heddn
 phjou
 sylchuk
+
+# Test strings
+Aerosmith
--- a/.ddev/config.contrib.yaml
+++ b/.ddev/config.contrib.yaml
@@ -2,7 +2,7 @@
 ## Command provided by https://github.com/ddev/ddev-drupal-contrib
 web_environment:
  # If desired, override to a different version of Drupal core in via the project's DDEV config
-  - DRUPAL_CORE=^10
+  - DRUPAL_CORE=^11
  - SIMPLETEST_DB=mysql://db:db@db/db
  - SIMPLETEST_BASE_URL=http://web
  - BROWSERTEST_OUTPUT_DIRECTORY=/tmp

--- a/composer.json
+++ b/composer.json
@@ -23,9 +23,11 @@
    },
    "require-dev": {
        "drupal/rules": "^4.0",
-        "drush/drush": "^12.5 || ^13"
+        "drupal/symfony_mailer_lite": "^2.0",
+        "drush/drush": "^12.5 || ^13.3"
    },
    "config": {
+        "sort-packages": true,
        "allow-plugins": {
            "php-http/discovery": true,
            "tbachert/spi": true

--- a/modules/private_message_notify/private_message_notify.module
+++ b/modules/private_message_notify/private_message_notify.module
@@ -3,10 +3,6 @@
 /**
 * @file
 * Primary module hooks for Private Message Notify module.
- *
- * @DCG
- * This file is no longer required in Drupal 8.
- * @see https://www.drupal.org/node/2217931
 */

 use Drupal\private_message\Entity\PrivateMessageInterface;

--- a/modules/private_message_notify/private_message_notify.services.yml
+++ b/modules/private_message_notify/private_message_notify.services.yml
-parameters:
-  private_message_notify.notifier.class: 'Drupal\private_message_notify\Service\PrivateMessageNotifier'
-
 services:
  private_message_notify.notifier:
-    class: '%private_message_notify.notifier.class%'
+    class: Drupal\private_message_notify\Service\PrivateMessageNotifier
    arguments:
      - '@private_message.service'
      - '@current_user'
@@ -12,3 +9,4 @@ services:
      - '@entity_type.manager'
      - '@message_notify.sender'
      - '@module_handler'
+      - '@logger.factory'
--- a/modules/private_message_notify/tests/modules/private_message_notify_test/private_message_notify_test.info.yml
+++ b/modules/private_message_notify/tests/modules/private_message_notify_test/private_message_notify_test.info.yml
+type: module
+name: Private Message Notify Test
+package: Testing
+core_version_requirement: ^9.3 || ^10 || ^11
+dependencies:
+  - private_message:private_message_notify
--- a/modules/private_message_notify/tests/modules/private_message_notify_test/private_message_notify_test.module
+++ b/modules/private_message_notify/tests/modules/private_message_notify_test/private_message_notify_test.module
+<?php
+
+/**
+ * @file
+ * Hook implementations for Private Message Notify Test module.
+ */
+
+declare(strict_types=1);
+
+/**
+ * Implements hook_mail_alter().
+ */
+function private_message_notify_test_mail_alter(array &$message): void {
+  if ($message['module'] === 'message_notify' && $message['key'] === 'private_message_notification') {
+    $message['headers']['Content-Type'] = 'text/html';
+  }
+}
--- a/modules/private_message_notify/tests/src/Kernel/PrivateMessageNotifierTest.php
+++ b/modules/private_message_notify/tests/src/Kernel/PrivateMessageNotifierTest.php
+<?php
+
+declare(strict_types=1);
+
+namespace Drupal\Tests\private_message_notify\Kernel;
+
+use Drupal\Core\Test\AssertMailTrait;
+use Drupal\KernelTests\KernelTestBase;
+use Drupal\Tests\private_message\Traits\PrivateMessageTestTrait;
+use Drupal\filter\Entity\FilterFormat;
+use Drupal\message\Entity\MessageTemplate;
+use Drupal\message\MessageTemplateInterface;
+use Drupal\private_message\Entity\PrivateMessage;
+use Drupal\private_message\Entity\PrivateMessageThread;
+
+/**
+ * @coversDefaultClass \Drupal\private_message_notify\Service\PrivateMessageNotifier
+ * @group private_message
+ */
+class PrivateMessageNotifierTest extends KernelTestBase {
+
+  use AssertMailTrait;
+  use PrivateMessageTestTrait;
+
+  /**
+   * {@inheritdoc}
+   */
+  protected static $modules = [
+    'field',
+    'filter',
+    'mailsystem',
+    'message',
+    'message_notify',
+    'private_message',
+    'private_message_notify',
+    'private_message_notify_test',
+    'symfony_mailer_lite',
+    'system',
+    'text',
+    'user',
+  ];
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function setUp(): void {
+    parent::setUp();
+
+    $this->config('system.site')->set('name', 'Aerosmith')->save();
+
+    // Theme us needed for mail body rendering.
+    $this->container->get('theme_installer')->install(['stark']);
+    $this->config('system.theme')
+      ->set('admin', 'stark')
+      ->set('default', 'stark')
+      ->save();
+
+    $this->installEntitySchema('user');
+    $this->installSchema('user', ['users_data']);
+    $this->createTestingUsers();
+
+    $this->installEntitySchema('message');
+    $this->installEntitySchema('private_message_thread');
+    $this->installEntitySchema('private_message');
+    $this->installSchema('private_message', ['pm_thread_history']);
+
+    $this->installConfig([
+      'filter',
+      'message',
+      'message_notify',
+      'private_message_notify',
+    ]);
+
+    // Enable notifications.
+    $this->config('private_message.settings')
+      ->set('enable_notifications', TRUE)
+      ->set('notify_by_default', TRUE)
+      ->save();
+
+    // Use rich HTML in email body.
+    FilterFormat::create([
+      'format' => 'basic_html',
+      'name' => 'Basic HTML',
+      'filters' => [
+        'filter_html' => [
+          'status' => 1,
+          'settings' => [
+            'allowed_html' => '<p> <strong>',
+          ],
+        ],
+      ],
+    ])->save();
+    $messageTemplate = MessageTemplate::load('private_message_notification');
+    assert($messageTemplate instanceof MessageTemplateInterface);
+    $text = $messageTemplate->get('text');
+    $text[1]['format'] = 'basic_html';
+    $messageTemplate->set('text', $text)->save();
+
+    $this->config('mailsystem.settings')
+      ->set('theme', 'stark')
+      ->set('defaults', [
+        'sender' => 'test_mail_collector',
+        'formatter' => 'symfony_mailer_lite',
+      ])->save();
+  }
+
+  /**
+   * @covers ::notify
+   * @covers \private_message_tokens
+   */
+  public function testEmailMarkup(): void {
+    $thread = PrivateMessageThread::create([
+      'members' => [$this->users['a'], $this->users['b']],
+      'private_messages' => [],
+    ]);
+
+    $privateMessage = PrivateMessage::create([
+      'owner' => $this->users['a'],
+      'message' => [
+        'value' => "<p><strong>Janie</strong>'s Got a Gun</p><script type=\"Danger!\"></script>",
+        'format' => 'basic_html',
+      ],
+    ]);
+
+    // Create a new.
+    $this->container->get('private_message.thread_manager')
+      ->saveThread($privateMessage, $thread->getMembers(), $thread);
+
+    foreach ($this->getMails() as $mail) {
+      if ($mail['module'] !== 'message_notify' || $mail['key'] !== 'private_message_notification') {
+        continue;
+      }
+
+      $this->assertSame('Private message at Aerosmith', $mail['subject']);
+
+      // Cast from MarkupInterface to string.
+      $body = (string) $mail['body'];
+
+      $this->assertStringContainsString("<p><strong>Janie</strong>'s Got a Gun</p>",
+        $body);
+      // .No encoded HTML.
+      $this->assertStringNotContainsString('&lt;', $body);
+      $this->assertStringNotContainsString('&gt;', $body);
+      // Dangerous tags are stripped out.
+      $this->assertStringNotContainsString('Danger!', $body);
+      $this->assertStringNotContainsString('<script', $body);
+      $this->assertStringNotContainsString('</script>', $body);
+    }
+  }
+
+}
--- a/private_message.services.yml
+++ b/private_message.services.yml
-parameters:
-  private_message.mapper.class: 'Drupal\private_message\Mapper\PrivateMessageMapper'
-  private_message.service.class: 'Drupal\private_message\Service\PrivateMessageService'
-  private_message.ban_manager.class: 'Drupal\private_message\Service\PrivateMessageBanManager'
-  cache_context.private_message_thread.class: 'Drupal\private_message\Cache\Context\PrivateMessageThreadCacheContext'
-  private_message.thread_manager.class: 'Drupal\private_message\Service\PrivateMessageThreadManager'
-  private_message.private_message_config_form_manager.class: 'Drupal\private_message\PluginManager\PrivateMessageConfigFormManager'
-
 services:
  private_message.mapper:
-    class: '%private_message.mapper.class%'
+    class: Drupal\private_message\Mapper\PrivateMessageMapper
    arguments:
      - '@database'
      - '@current_user'

  private_message.service:
-    class: '%private_message.service.class%'
+    class: Drupal\private_message\Service\PrivateMessageService
    arguments:
      - '@private_message.mapper'
      - '@current_user'
@@ -25,7 +17,7 @@ services:
      - '@datetime.time'

  private_message.ban_manager:
-    class: '%private_message.ban_manager.class%'
+    class: Drupal\private_message\Service\PrivateMessageBanManager
    arguments:
      - '@current_user'
      - '@entity_type.manager'
@@ -33,25 +25,17 @@ services:
      - '@messenger'

  cache_context.private_message_thread:
-    class: '%cache_context.private_message_thread.class%'
+    class: Drupal\private_message\Cache\Context\PrivateMessageThreadCacheContext
    arguments:
      - '@current_route_match'
    tags:
      - { name: cache.context }

  private_message.thread_manager:
-    class: '%private_message.thread_manager.class%'
+    class: Drupal\private_message\Service\PrivateMessageThreadManager
    arguments:
      - '@private_message.service'

  private_message.private_message_config_form_manager:
-    class: '%private_message.private_message_config_form_manager.class%'
+    class: Drupal\private_message\PluginManager\PrivateMessageConfigFormManager
    parent: default_plugin_manager
-
-  private_message.commands:
-    class: \Drupal\private_message\Drush\Commands\PrivateMessageCommands
-    arguments:
-      - '@private_message.service'
-      - '@entity_type.manager'
-    tags:
-      - { name: drush.command }
--- a/private_message.tokens.inc
+++ b/private_message.tokens.inc
@@ -116,7 +116,7 @@ function private_message_tokens($type, $tokens, array $data, array $options, Bub
          break;

        case 'message':
-          $replacements[$original] = $private_message->getMessage();
+          $replacements[$original] = $private_message->get('message')->processed;
          break;

        case 'author-name':