From 3ba59af7c3a517d9abddbee5a538208d80504a8d Mon Sep 17 00:00:00 2001 From: Ryan Hoerr Date: Tue, 12 May 2026 21:13:19 -0400 Subject: [PATCH] Security changes from upstream 1.7.5-p5 --- .../Validator/IframeSrcAttributeValidator.php | 35 +++++++++++-------- app/code/Magento/PageBuilder/i18n/en_US.csv | 1 + 2 files changed, 21 insertions(+), 15 deletions(-) diff --git a/app/code/Magento/PageBuilder/Model/Validator/IframeSrcAttributeValidator.php b/app/code/Magento/PageBuilder/Model/Validator/IframeSrcAttributeValidator.php index 46822607ea7..880739306f4 100644 --- a/app/code/Magento/PageBuilder/Model/Validator/IframeSrcAttributeValidator.php +++ b/app/code/Magento/PageBuilder/Model/Validator/IframeSrcAttributeValidator.php @@ -1,7 +1,7 @@ allowedHosts = $allowedHosts; + $normalized = array_map('strtolower', $allowedHosts); + $this->allowedHosts = $normalized; + $this->allowedHostsMap = array_fill_keys($normalized, true); } /** 
@@ -36,25 +43,23 @@ public function __construct(array $allowedHosts) */ public function validate(string $tag, string $attributeName, string $value): void { - if ($tag !== 'iframe' || $attributeName !== 'src') { + if ($tag !== 'iframe' || $attributeName !== 'src' || !$this->allowedHosts) { return; } - if (mb_strpos($value, 'http') !== 0) { - //Relative link - return; - } // phpcs:ignore Magento2.Functions.DiscouragedFunction $srcHost = parse_url($value, PHP_URL_HOST); - if (!$srcHost || !$this->allowedHosts) { - //Either the link is invalid or we do not have the allowed list. + if (!$srcHost) { + throw new ValidationException(__('Invalid IFRAME source provided')); + } + + $srcHost = strtolower($srcHost); + if (isset($this->allowedHostsMap[$srcHost])) { return; } - $srcHostLength = mb_strlen($srcHost); + foreach ($this->allowedHosts as $host) { - $hostLength = mb_strlen($host); - $foundIndex = mb_strpos($srcHost, $host); - if ($foundIndex !== false && ($foundIndex + $hostLength) === $srcHostLength) { + if (str_ends_with($srcHost, '.' . $host)) { return; } } diff --git a/app/code/Magento/PageBuilder/i18n/en_US.csv b/app/code/Magento/PageBuilder/i18n/en_US.csv index 8b74b5e5537..91ad59cc353 100644 --- a/app/code/Magento/PageBuilder/i18n/en_US.csv +++ b/app/code/Magento/PageBuilder/i18n/en_US.csv @@ -323,3 +323,4 @@ OK,OK "Save Content as Template","Save Content as Template" "Template Name","Template Name" "Could not delete the Template: %1","Could not delete the Template: %1" +"Invalid IFRAME source provided","Invalid IFRAME source provided"
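Review bot: The host check still rests on `parse_url()`, which is not the WHATWG parser browsers use, so a value whose authority contains a backslash or userinfo (e.g. `http://other.example\@allowed.example/`) can yield the allowlisted host in PHP while the browser frames a different origin; the new `if (!$srcHost)` guard does not cover that case. Rejecting any src that parses with user/pass components, contains a backslash, or carries a scheme other than http/https (scheme-relative `//host` still passes) would close the gap at the same throw site, as sketched below. Note also that `!$this->allowedHosts` fails open — with no configured hosts every src is accepted — and that relative srcs now throw where they previously returned early; both read as intended but deserve a comment such as `// No allowlist configured: iframe hosts are not restricted`. validate()'s body continues past the end of the hunk.
```php
        // phpcs:ignore Magento2.Functions.DiscouragedFunction
        $parts = parse_url($value);
        // parse_url() is not a browser URL parser: refuse userinfo, backslashes and
        // non-http(s) schemes so PHP and the browser cannot disagree on the host.
        if (!is_array($parts)
            || empty($parts['host'])
            || isset($parts['user'])
            || isset($parts['pass'])
            || str_contains($value, '\\')
            || (isset($parts['scheme']) && !in_array(strtolower($parts['scheme']), ['http', 'https'], true))
        ) {
            throw new ValidationException(__('Invalid IFRAME source provided'));
        }

        $srcHost = strtolower($parts['host']);
        // … unchanged: exact-match and subdomain checks against the allowlist …
```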