ENHANCEMENT XMLDataFormatter::convertDataObjectWithoutHeader() now escapes HTML fields using CDATA (thanks random-value!)

MINOR Added unit test for XMLDataFormatter::convertDataObjectWithoutHeader()


git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@115229 467b73ca-7a2a-4603-9d3b-597d59a354a9

api/XMLDataFormatter.php

@@ -39,8 +39,7 @@ class XMLDataFormatter extends DataFormatter {
 		
 		return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" . $this->convertDataObjectWithoutHeader($obj, $fields);
 	}
-		
-		
+
 	public function convertDataObjectWithoutHeader(DataObject $obj, $fields = null, $relations = null) {
 		$className = $obj->class;
 		$id = $obj->ID;
@@ -57,7 +56,13 @@ class XMLDataFormatter extends DataFormatter {
 			if(is_object($fieldValue) && is_subclass_of($fieldValue, 'Object') && $fieldValue->hasMethod('toXML')) {
 				$xml .= $fieldValue->toXML();
 			} else {
-				$xml .= "<$fieldName>" . Convert::raw2xml($fieldValue) . "</$fieldName>\n";
+				if('HTMLText' == $fieldType) {
+					// Escape HTML values using CDATA
+					$fieldValue = sprintf('<![CDATA[%s]]>', str_replace(']]>', ']]]]><![CDATA[>', $fieldValue));
+				} else {
+					$fieldValue = Convert::raw2xml($fieldValue);
+				}
+				$xml .= "<$fieldName>$fieldValue</$fieldName>\n";
 			}
 		}
 	

tests/api/XMLDataFormatterTest.php

@@ -0,0 +1,40 @@
+<?php
+class XMLDataFormatterTest extends SapphireTest {
+
+	public static $fixture_file = 'sapphire/tests/api/XMLDataFormatterTest.yml';
+
+	protected $extraDataObjects = array(
+		'XMLDataFormatterTest_DataObject'
+	);
+
+	public function testConvertDataObjectWithoutHeader() {
+		$formatter = new XMLDataFormatter();
+		$obj = $this->objFromFixture('XMLDataFormatterTest_DataObject', 'test-do');
+		$xml = new SimpleXMLElement('<?xml version="1.0"?>' . $formatter->convertDataObjectWithoutHeader($obj));
+		$this->assertEquals(
+			Director::absoluteBaseURL() . sprintf('api/v1/XMLDataFormatterTest_DataObject/%d.xml', $obj->ID),
+			(string) $xml['href']
+		);
+		$this->assertEquals('Test DataObject', (string) $xml->Name);
+		$this->assertEquals('Test Company', (string) $xml->Company);
+		$this->assertEquals($obj->ID, (int) $xml->ID);
+		$this->assertEquals(
+			'<Content><![CDATA[<a href="http://mysite.com">mysite.com</a> is a link in this HTML content. <![CDATA[this is some nested CDATA]]]]><![CDATA[>]]></Content>',
+			$xml->Content->asXML()
+		);
+		$this->assertEquals(
+			'<a href="http://mysite.com">mysite.com</a> is a link in this HTML content. <![CDATA[this is some nested CDATA]]>',
+			(string) $xml->Content
+		);
+	}
+
+}
+class XMLDataFormatterTest_DataObject extends DataObject implements TestOnly {
+
+	public static $db = array(
+		'Name' => 'Varchar(50)',
+		'Company' => 'Varchar(50)',
+		'Content' => 'HTMLText'
+	);
+
+}

tests/api/XMLDataFormatterTest.yml

@@ -0,0 +1,5 @@
+XMLDataFormatterTest_DataObject:
+   test-do:
+      Name: Test DataObject
+      Company: Test Company
+      Content: <a href="http://mysite.com">mysite.com</a> is a link in this HTML content. <![CDATA[this is some nested CDATA]]>