diff --git a/lib/API/JSON/v1/NewsletterTemplates.php b/lib/API/JSON/v1/NewsletterTemplates.php
index dc58f22458..8dbb59c267 100644
--- a/lib/API/JSON/v1/NewsletterTemplates.php
+++ b/lib/API/JSON/v1/NewsletterTemplates.php
@@ -61,8 +61,10 @@ class NewsletterTemplates extends APIEndpoint {
 public function save($data = []) {
 ignore_user_abort(true);
- $body = $this->apiDataSanitizer->sanitizeBody(json_decode($data['body'], true));
- $data['body'] = json_encode($body);
+ if (!empty($data['body'])) {
+ $body = $this->apiDataSanitizer->sanitizeBody(json_decode($data['body'], true));
+ $data['body'] = json_encode($body);
+ }
 try {
 $template = $this->newsletterTemplatesRepository->createOrUpdate($data);
 if (!empty($data['categories']) && $data['categories'] === NewsletterTemplatesRepository::RECENTLY_SENT_CATEGORIES) {
diff --git a/lib/Newsletter/ApiDataSanitizer.php b/lib/Newsletter/ApiDataSanitizer.php
index 0787d1256a..0161215328 100644
--- a/lib/Newsletter/ApiDataSanitizer.php
+++ b/lib/Newsletter/ApiDataSanitizer.php
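Review bot: A body that is present but not valid JSON still reaches `sanitizeBody()` as `null`, because the new guard only tests `empty()` and `json_decode()` returns `null` on malformed input; with the `array` type on `sanitizeBody()`'s parameter that surfaces as a TypeError instead of a validation failure. Decode once and check the result before sanitizing, e.g. `$decoded = json_decode($data['body'], true);` / `if (!is_array($decoded)) { /* reject the request as bad input */ }` / `$data['body'] = json_encode($this->apiDataSanitizer->sanitizeBody($decoded));`. Whether `APIEndpoint` already offers a bad-request response helper is not visible in this hunk. The rest of `save()` continues outside the hunk.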
@@ -6,27 +6,24 @@ class ApiDataSanitizer {
 /** @var NewsletterHtmlSanitizer */
 private $htmlSanitizer;
+ private const SANITIZE_KEY_WHITELIST = [
+ 'text',
+ ];
+
 public function __construct(NewsletterHtmlSanitizer $htmlSanitizer) {
 $this->htmlSanitizer = $htmlSanitizer;
 }
 public function sanitizeBody(array $body): array {
 foreach ($body as $blockName => $block) {
- $sanitizedBlock = is_array($block) ? $this->sanitizeBlock($block) : $this->htmlSanitizer->sanitize($block);
+ if (is_array($block)) {
+ $sanitizedBlock = $this->sanitizeBody($block);
+ } else {
+ $sanitizedBlock = $block && in_array($blockName, self::SANITIZE_KEY_WHITELIST, true) ? $this->htmlSanitizer->sanitize($block) : $block;
+ }
 $body[$blockName] = $sanitizedBlock;
 }
 return $body;
 }
-
- private function sanitizeBlock(array $block): array {
- foreach ($block as $name => $value) {
- if (is_array($value)) {
- $block[$name] = $this->sanitizeBlock($value);
- } else {
- $block[$name] = $value ? $this->htmlSanitizer->sanitize($value) : $value;
- }
- }
- return $block;
- }
 }
diff --git a/lib/Newsletter/NewsletterSaveController.php b/lib/Newsletter/NewsletterSaveController.php
index 1e5fdef075..a46b41be21 100644
--- a/lib/Newsletter/NewsletterSaveController.php
+++ b/lib/Newsletter/NewsletterSaveController.php
@@ -107,8 +107,7 @@ class NewsletterSaveController {
 if (!empty($data['template_id'])) {
 $template = $this->newsletterTemplatesRepository->findOneById($data['template_id']);
 if ($template) {
- $body = $this->dataSanitizer->sanitizeBody($template->getBody() ?: []);
- $data['body'] = json_encode($body);
+ $data['body'] = json_encode($template->getBody());
 }
 }
diff --git a/tests/integration/Newsletter/ApiDataSanitizerTest.php b/tests/integration/Newsletter/ApiDataSanitizerTest.php
index 766a76f233..811ae73a44 100644
--- a/tests/integration/Newsletter/ApiDataSanitizerTest.php
+++ b/tests/integration/Newsletter/ApiDataSanitizerTest.php
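Review bot: `SANITIZE_KEY_WHITELIST` narrows what the sanitizer guarantees — only scalars stored under a `text` key, at any nesting depth, now go through `NewsletterHtmlSanitizer`, while every other scalar (the `src` and `link` values used in the test file, for instance) is stored exactly as received — and nothing in the hunk records that contract. Please document it on the constant, e.g. `/** Keys whose string values are run through NewsletterHtmlSanitizer (matched by key name at any depth); every other scalar is stored as received and must be escaped where it is rendered. */`, and confirm that the rendering side escapes those pass-through values, since that is now the only place they are handled. Because the comparison is `in_array(..., true)`, integer list indices never match, so a scalar that is itself a list element is never sanitized; only a scalar keyed `text` inside a nested array is. As a point of style, the constant sits between a property and the constructor; PSR-12 places class constants before properties.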
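Review bot: The `?: []` fallback was dropped together with the sanitize call, so if `getBody()` can return `null` (the removed fallback suggests the previous author expected that) the new line stores `json_encode(null)`, i.e. the string `"null"`, where the old code stored `"[]"`. Keep the fallback: `$data['body'] = json_encode($template->getBody() ?: []);`. This controller now relies on template bodies having been sanitized when they were saved through `NewsletterTemplates::save()`; any template written before that change, or through another path that bypasses it, would be copied unsanitized, which is worth checking. The enclosing method continues outside the hunk.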
@@ -24,9 +24,9 @@ class ApiDataSanitizerTest extends \MailPoetTest {
 ],
 ],
 [
- 'type' => 'image',
+ 'type' => 'header',
 'link' => '',
- 'src' => 'http://some.url/wp-c\'">ontent/fake-logo.png',
+ 'text' => 'http://some.url/wp-c\'">ontent/fake-logo.png',
 ],
 ];
@@ -46,8 +46,8 @@ class ApiDataSanitizerTest extends \MailPoetTest {
 expect($block2['type'])->equals('footer');
 expect($block2['text'])->equals('

Unsubscribe
Add your postal address here!

');
 $image = $result[1];
- expect($image['type'])->equals('image');
+ expect($image['type'])->equals('header');
 expect($image['link'])->equals('');
- expect($image['src'])->equals('http://some.url/wp-c\'">ontent/fake-logo.png');
+ expect($image['text'])->equals('http://some.url/wp-c\'">ontent/fake-logo.png');
 }
 }
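Review bot: Rewriting the `image`/`src` fixture into a `header`/`text` one (hunks @@ -24 and @@ -46 of this file) removes the only case that exercised a non-whitelisted key, so the suite no longer pins the new behaviour that values outside `SANITIZE_KEY_WHITELIST` are returned untouched. Keep an image block with a `src` value that `sanitize()` would otherwise alter alongside the new header block, assert it comes back byte-for-byte, and add a nested `text` case so the recursion into `sanitizeBody()` is covered. The variable is still named `$image` although `$result[1]` is now a header block; `$header = $result[1];` would match what it holds.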