[ss-2016-015] Fix value / title escaping in CheckboxSetField and OptionsetField

This commit is contained in:
Damian Mooyman 2016-08-03 11:23:17 +12:00
parent fa7f5af861
commit 049cdefacf
6 changed files with 48 additions and 5 deletions

View File

@ -132,11 +132,14 @@ class CheckboxSetField extends OptionsetField {
} }
foreach($source as $value => $item) { foreach($source as $value => $item) {
// Ensure $title is cast for template
if($item instanceof DataObject) { if($item instanceof DataObject) {
$value = $item->ID; $value = $item->ID;
$title = $item->Title; $title = $item->obj('Title');
} else { } elseif ($item instanceof DBField) {
$title = $item; $title = $item;
} else {
$title = DBField::create_field('Text', $item);
} }
$itemID = $this->ID() . '_' . preg_replace('/[^a-zA-Z0-9]/', '', $value); $itemID = $this->ID() . '_' . preg_replace('/[^a-zA-Z0-9]/', '', $value);

View File

@ -62,6 +62,11 @@ class OptionsetField extends DropdownField {
if($source) { if($source) {
foreach($source as $value => $title) { foreach($source as $value => $title) {
// Ensure $title is safely cast
if ( !($title instanceof DBField) ) {
$title = DBField::create_field('Text', $title);
}
$itemID = $this->ID() . '_' . preg_replace('/[^a-zA-Z0-9]/', '', $value); $itemID = $this->ID() . '_' . preg_replace('/[^a-zA-Z0-9]/', '', $value);
$odd = ($odd + 1) % 2; $odd = ($odd + 1) % 2;
$extraClass = $odd ? 'odd' : 'even'; $extraClass = $odd ? 'odd' : 'even';

View File

@ -2,7 +2,7 @@
<% if $Options.Count %> <% if $Options.Count %>
<% loop $Options %> <% loop $Options %>
<li class="$Class"> <li class="$Class">
<input id="$ID" class="checkbox" name="$Name" type="checkbox" value="$Value"<% if $isChecked %> checked="checked"<% end_if %><% if $isDisabled %> disabled="disabled"<% end_if %> /> <input id="$ID" class="checkbox" name="$Name" type="checkbox" value="$Value.ATT"<% if $isChecked %> checked="checked"<% end_if %><% if $isDisabled %> disabled="disabled"<% end_if %> />
<label for="$ID">$Title</label> <label for="$ID">$Title</label>
</li> </li>
<% end_loop %> <% end_loop %>

View File

@ -1,7 +1,7 @@
<ul $AttributesHTML> <ul $AttributesHTML>
<% loop $Options %> <% loop $Options %>
<li class="$Class"> <li class="$Class">
<input id="$ID" class="radio" name="$Name" type="radio" value="$Value"<% if $isChecked %> checked<% end_if %><% if $isDisabled %> disabled<% end_if %> /> <input id="$ID" class="radio" name="$Name" type="radio" value="$Value.ATT"<% if $isChecked %> checked<% end_if %><% if $isDisabled %> disabled<% end_if %> />
<label for="$ID">$Title</label> <label for="$ID">$Title</label>
</li> </li>
<% end_loop %> <% end_loop %>

View File

@ -206,6 +206,27 @@ class CheckboxSetFieldTest extends SapphireTest {
); );
} }
public function testSafelyCast() {
$member = new Member();
$member->FirstName = '<firstname>';
$member->Surname = '<surname>';
$member->write();
$field1 = new CheckboxSetField('Options', 'Options', array(
'one' => 'One',
'two' => 'Two & Three',
'three' => DBField::create_field('HTMLText', 'Four &amp; Five &amp; Six'),
$member
));
$fieldHTML = (string)$field1->Field();
$this->assertContains('One', $fieldHTML);
$this->assertContains('Two &amp; Three', $fieldHTML);
$this->assertNotContains('Two & Three', $fieldHTML);
$this->assertContains('Four &amp; Five &amp; Six', $fieldHTML);
$this->assertNotContains('Four & Five & Six', $fieldHTML);
$this->assertContains('&lt;firstname&gt;', $fieldHTML);
$this->assertNotContains('<firstname>', $fieldHTML);
}
} }
/** /**

View File

@ -63,4 +63,18 @@ class OptionsetFieldTest extends SapphireTest {
preg_match('/Yes/', $field->Field(), $matches); preg_match('/Yes/', $field->Field(), $matches);
$this->assertEquals($matches[0], 'Yes'); $this->assertEquals($matches[0], 'Yes');
} }
public function testSafelyCast() {
$field1 = new OptionsetField('Options', 'Options', array(
1 => 'One',
2 => 'Two & Three',
3 => DBField::create_field('HTMLText', 'Four &amp; Five &amp; Six')
));
$fieldHTML = (string)$field1->Field();
$this->assertContains('One', $fieldHTML);
$this->assertContains('Two &amp; Three', $fieldHTML);
$this->assertNotContains('Two & Three', $fieldHTML);
$this->assertContains('Four &amp; Five &amp; Six', $fieldHTML);
$this->assertNotContains('Four & Five & Six', $fieldHTML);
}
} }