BUG Fix message casting for html security messages
This commit is contained in:
Damian Mooyman
parent
529e341dbc
commit
140ed72e2a
|
|
@ -317,14 +317,23 @@ class Security extends Controller implements TemplateGlobalProvider
|
|||
public static function permissionFailure($controller = null, $messageSet = null)
|
||||
{
|
||||
self::set_ignore_disallowed_actions(true);
|
||||
$shouldEscapeHtml = function ($message) {
|
||||
|
||||
// Parse raw message / escape type
|
||||
$parseMessage = function ($message) {
|
||||
if ($message instanceof DBField) {
|
||||
$escapeHtml = $message->config()->escape_type === 'raw';
|
||||
} else {
|
||||
$escapeHtml = true;
|
||||
return [
|
||||
$message->getValue(),
|
||||
$message->config()->get('escape_type') === 'raw'
|
||||
? ValidationResult::CAST_TEXT
|
||||
: ValidationResult::CAST_HTML,
|
||||
];
|
||||
}
|
||||
|
||||
return $escapeHtml;
|
||||
// Default to escaped value
|
||||
return [
|
||||
$message,
|
||||
ValidationResult::CAST_TEXT,
|
||||
];
|
||||
};
|
||||
|
||||
if (!$controller && Controller::has_curr()) {
|
||||
|
|
@ -389,7 +398,8 @@ class Security extends Controller implements TemplateGlobalProvider
|
|||
$message = $messageSet['default'];
|
||||
}
|
||||
|
||||
static::singleton()->setSessionMessage($message, ValidationResult::TYPE_WARNING, $shouldEscapeHtml($message) ? ValidationResult::CAST_TEXT : ValidationResult::CAST_HTML);
|
||||
list($messageText, $messageCast) = $parseMessage($message);
|
||||
static::singleton()->setSessionMessage($messageText, ValidationResult::TYPE_WARNING, $messageCast);
|
||||
$request = new HTTPRequest('GET', '/');
|
||||
if ($controller) {
|
||||
$request->setSession($controller->getRequest()->getSession());
|
||||
|
|
@ -408,13 +418,8 @@ class Security extends Controller implements TemplateGlobalProvider
|
|||
$message = $messageSet['default'];
|
||||
}
|
||||
|
||||
static::singleton()->setSessionMessage(
|
||||
$message,
|
||||
ValidationResult::TYPE_WARNING,
|
||||
$shouldEscapeHtml($message) ?
|
||||
ValidationResult::CAST_TEXT :
|
||||
ValidationResult::CAST_HTML
|
||||
);
|
||||
list($messageText, $messageCast) = $parseMessage($message);
|
||||
static::singleton()->setSessionMessage($messageText, ValidationResult::TYPE_WARNING, $messageCast);
|
||||
|
||||
$controller->getRequest()->getSession()->set("BackURL", $_SERVER['REQUEST_URI']);
|
||||
|
||||
|
|
|
|||
|
|
@ -16,6 +16,7 @@ use SilverStripe\ORM\DataObject;
|
|||
use SilverStripe\ORM\DB;
|
||||
use SilverStripe\ORM\FieldType\DBClassName;
|
||||
use SilverStripe\ORM\FieldType\DBDatetime;
|
||||
use SilverStripe\ORM\FieldType\DBField;
|
||||
use SilverStripe\ORM\ValidationResult;
|
||||
use SilverStripe\Security\LoginAttempt;
|
||||
use SilverStripe\Security\Member;
|
||||
|
|
@ -129,6 +130,26 @@ class SecurityTest extends FunctionalTest
|
|||
$controller->getResponse()->getBody(),
|
||||
"Message set passed to Security::permissionFailure() didn't override Config values"
|
||||
);
|
||||
|
||||
// Test DBField cast messages work
|
||||
Security::permissionFailure(
|
||||
$controller,
|
||||
DBField::create_field('HTMLFragment', '<p>Custom HTML & Message</p>')
|
||||
);
|
||||
$this->assertContains(
|
||||
'<p>Custom HTML & Message</p>',
|
||||
$controller->getResponse()->getBody()
|
||||
);
|
||||
|
||||
// Plain text DBText
|
||||
Security::permissionFailure(
|
||||
$controller,
|
||||
DBField::create_field('Text', 'Safely escaped & message')
|
||||
);
|
||||
$this->assertContains(
|
||||
'Safely escaped & message',
|
||||
$controller->getResponse()->getBody()
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
|||
Loading…
Reference in New Issue