From 12a6b357e761f09d818fd0013eb2d85014de79a0 Mon Sep 17 00:00:00 2001
From: Damian Mooyman
Date: Wed, 3 Aug 2016 11:23:17 +1200
Subject: [PATCH] [ss-2016-015] Fix value / title escaping in CheckboxSetField and OptionsetField

---
 forms/CheckboxSetField.php | 7 +++++--
 forms/OptionsetField.php | 5 +++++
 templates/forms/CheckboxSetField.ss | 4 ++--
 templates/forms/OptionsetField.ss | 2 +-
 tests/forms/CheckboxSetFieldTest.php | 21 +++++++++++++++++++++
 tests/forms/OptionsetFieldTest.php | 14 ++++++++++++++
 6 files changed, 48 insertions(+), 5 deletions(-)

diff --git a/forms/CheckboxSetField.php b/forms/CheckboxSetField.php
index 55eb8cf2b..f1ef4bbaa 100644
--- a/forms/CheckboxSetField.php
+++ b/forms/CheckboxSetField.php
@@ -132,11 +132,14 @@ class CheckboxSetField extends OptionsetField {
 
 		}
 		foreach($source as $value => $item) {
+			// Ensure $title is cast for template
 			if($item instanceof DataObject) {
 				$value = $item->ID;
-				$title = $item->Title;
-			} else {
+				$title = $item->obj('Title');
+			} elseif ($item instanceof DBField) {
 				$title = $item;
+			} else {
+				$title = DBField::create_field('Text', $item);
 			}
 
 			$itemID = $this->ID() . '_' . preg_replace('/[^a-zA-Z0-9]/', '', $value);
diff --git a/forms/OptionsetField.php b/forms/OptionsetField.php
index fb37c075b..9d9aca57b 100644
--- a/forms/OptionsetField.php
+++ b/forms/OptionsetField.php
@@ -62,6 +62,11 @@ class OptionsetField extends DropdownField {
 
 		if($source) {
 			foreach($source as $value => $title) {
+				// Ensure $title is safely cast
+				if ( !($title instanceof DBField) ) {
+					$title = DBField::create_field('Text', $title);
+				}
+
 				$itemID = $this->ID() . '_' . preg_replace('/[^a-zA-Z0-9]/', '', $value);
 				$odd = ($odd + 1) % 2;
 				$extraClass = $odd ? 'odd' : 'even';
diff --git a/templates/forms/CheckboxSetField.ss b/templates/forms/CheckboxSetField.ss
index f5210733e..1cf6c1195 100644
--- a/templates/forms/CheckboxSetField.ss
+++ b/templates/forms/CheckboxSetField.ss
@@ -2,9 +2,9 @@
 <% if $Options.Count %>
 <% loop $Options %>
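Review bot: The comment `// Ensure $title is cast for template` promises more than the first two branches deliver: `$item->obj('Title')` hands back whatever cast the DataObject declares for Title, so an `HTMLText`-cast Title reaches the template unescaped, and a `DBField` passed in via the `elseif` is used as-is; only the final `else` forces `Text`. That is a reasonable trust model, but it is the whole point of this security fix and should be stated where the next maintainer reads it, e.g. `// DataObject and DBField items keep their own cast (HTMLText renders raw); anything else is forced to Text so the template escapes it`. The same caveat applies to the OptionsetField hunk below, whose `// Ensure $title is safely cast` comment has the identical gap. The enclosing method starts above the hunk and continues below it.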
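Review bot: The new guard `if ( !($title instanceof DBField) )` departs from the spacing used two lines up in `if($source) {` and `foreach($source as ...)`; since `instanceof` binds tighter than `!`, the parentheses are also unnecessary, so `if(!$title instanceof DBField) {` is equivalent and matches the file. Note that `DBField::create_field('Text', $title)` is only reached for non-DBField values, so a caller that supplies a `DBField` subclass is trusted to have chosen the right cast. The enclosing method starts above the hunk and continues past it.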
  • - checked="checked"<% end_if %><% if $isDisabled %> disabled="disabled"<% end_if %> /> + checked="checked"<% end_if %><% if $isDisabled %> disabled="disabled"<% end_if %> /> -
  • + <% end_loop %> <% else %>
  • No options available
  • diff --git a/templates/forms/OptionsetField.ss b/templates/forms/OptionsetField.ss index aa3f4cc5e..e01272857 100644 --- a/templates/forms/OptionsetField.ss +++ b/templates/forms/OptionsetField.ss @@ -1,7 +1,7 @@