Merge remote-tracking branch 'origin/AC-12730' into spartans_pr_10122025

Author: glo60612

app/code/Magento/Wishlist/Controller/Index/Send.php

@@ -94,6 +94,11 @@ class Send extends \Magento\Wishlist\Controller\AbstractIndex implements Action\
      */
     private $captchaStringResolver;
 
+    /**
+     * @var \Magento\Wishlist\Model\Validator\MessageValidator
+     */
+    private $messageValidator;
+
     /**
      * @param Action\Context $context
      * @param \Magento\Framework\Data\Form\FormKey\Validator $formKeyValidator
@@ -109,6 +114,7 @@ class Send extends \Magento\Wishlist\Controller\AbstractIndex implements Action\
      * @param CaptchaHelper|null $captchaHelper
      * @param CaptchaStringResolver|null $captchaStringResolver
      * @param Escaper|null $escaper
+     * @param \Magento\Wishlist\Model\Validator\MessageValidator|null $messageValidator
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
     public function __construct(
@@ -125,7 +131,8 @@ public function __construct(
         StoreManagerInterface $storeManager,
         ?CaptchaHelper $captchaHelper = null,
         ?CaptchaStringResolver $captchaStringResolver = null,
-        ?Escaper $escaper = null
+        ?Escaper $escaper = null,
+        ?\Magento\Wishlist\Model\Validator\MessageValidator $messageValidator = null
     ) {
         $this->_formKeyValidator = $formKeyValidator;
         $this->_customerSession = $customerSession;
@@ -144,6 +151,9 @@ public function __construct(
         $this->escaper = $escaper ?? ObjectManager::getInstance()->get(
             Escaper::class
         );
+        $this->messageValidator = $messageValidator ?? ObjectManager::getInstance()->get(
+            \Magento\Wishlist\Model\Validator\MessageValidator::class
+        );
         parent::__construct($context);
     }
 
@@ -193,6 +203,11 @@ public function execute()
 
         $error = false;
         $message = (string)$this->getRequest()->getPost('message');
+
+        if (!$this->messageValidator->isValid($message)) {
+            $error = __('Invalid content detected in message. Please remove any special codes or scripts.');
+        }
+
         if (strlen($message) > $textLimit) {
             $error = __('Message length must not exceed %1 symbols', $textLimit);
         } else {

app/code/Magento/Wishlist/Model/Validator/MessageValidator.php

@@ -0,0 +1,63 @@
+<?php
+/**
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ */
+declare(strict_types=1);
+
+namespace Magento\Wishlist\Model\Validator;
+
+use Magento\Framework\Validator\AbstractValidator;
+
+/**
+ * Wishlist message validator with strict content rules.
+ */
+class MessageValidator extends AbstractValidator
+{
+    /**
+     * Patterns that indicate template injection or code execution attempts.
+     */
+    private const FORBIDDEN_PATTERNS = [
+        // Template directives
+        '/\{\{.*?\}\}/s',
+        '/\{%.*?%\}/s',
+    
+        // Server-side code execution
+        '/<\?/i',
+
+        // Template filter/processor access (Magento-specific)
+        '/\bthis\s*\.\s*get\w+/i',
+        '/TemplateFilter|FilterCallback/i',
+    ];
+
+    /**
+     * Validates the message against allowed patterns.
+     *
+     * @param mixed $value
+     * @return bool
+     */
+    public function isValid($value): bool
+    {
+        if (!is_string($value) || trim($value) === '') {
+            return true;
+        }
+
+        // Decode URL encoding to catch obfuscation
+        $decoded = urldecode($value);
+
+        // Remove newlines/carriage returns that might be used for obfuscation
+        $normalized = preg_replace('/[\r\n\t]+/', ' ', $decoded);
+
+        // Check for suspicious patterns in both decoded and normalized versions
+        foreach (self::FORBIDDEN_PATTERNS as $pattern) {
+            if (preg_match($pattern, $decoded) || preg_match($pattern, $normalized)) {
+                $this->_addMessages([
+                    'Invalid content detected in message. Code and system commands are not allowed.'
+                ]);
+                return false;
+            }
+        }
+
+        return true;
+    }
+}