From 31e04c84917b66afd94cdda21ac8059ede09f508 Mon Sep 17 00:00:00 2001
From: Saophalkun Ponlu
Date: Wed, 13 Dec 2017 17:10:16 +1300
Subject: [PATCH] ENHANCEMENT Allow html in security failure message

---
 src/Security/Security.php | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/src/Security/Security.php b/src/Security/Security.php
index 7cb1ced5c..f29926824 100644
--- a/src/Security/Security.php
+++ b/src/Security/Security.php
@@ -317,6 +317,15 @@ class Security extends Controller implements TemplateGlobalProvider
     public static function permissionFailure($controller = null, $messageSet = null)
     {
         self::set_ignore_disallowed_actions(true);
+        $shouldEscapeHtml = function($message) {
+            if($message instanceof DBField) {
+                $escapeHtml = $message->config()->escape_type === 'raw';
+            } else {
+                $escapeHtml = true;
+            }
+
+            return $escapeHtml;
+        };
 
         if (!$controller && Controller::has_curr()) {
             $controller = Controller::curr();
@@ -380,7 +389,7 @@ class Security extends Controller implements TemplateGlobalProvider
             $message = $messageSet['default'];
         }
 
-        static::singleton()->setSessionMessage($message, ValidationResult::TYPE_WARNING);
+        static::singleton()->setSessionMessage($message, ValidationResult::TYPE_WARNING, $shouldEscapeHtml($message) ? ValidationResult::CAST_TEXT : ValidationResult::CAST_HTML);
         $request = new HTTPRequest('GET', '/');
         if ($controller) {
             $request->setSession($controller->getRequest()->getSession());
@@ -399,7 +408,13 @@ class Security extends Controller implements TemplateGlobalProvider
             $message = $messageSet['default'];
         }
 
-        static::singleton()->setSessionMessage($message, ValidationResult::TYPE_WARNING);
+        static::singleton()->setSessionMessage(
+            $message,
+            ValidationResult::TYPE_WARNING,
+            $shouldEscapeHtml($message) ?
+                ValidationResult::CAST_TEXT :
+                ValidationResult::CAST_HTML
+        );
         $controller->getRequest()->getSession()->set("BackURL", $_SERVER['REQUEST_URI']);
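Review bot: The closure `$shouldEscapeHtml` keeps text escaping only when a DBField's `escape_type` is exactly `'raw'`, so every other value switches the session message to CAST_HTML; unless `'raw'` is the sole non-HTML escape type in the DBField hierarchy (not visible in this hunk), that is the permissive direction, and a positive check for the HTML-typed field or escape type would fail safe instead. The `if(` on the second added line also lacks the space the rest of this method uses (`if (!$controller`), and the decision deserves a comment, e.g. `// Only skip escaping for DBField values whose escape_type marks the content as already HTML`. The body reduces to one expression: `$shouldEscapeHtml = function ($message) {`, `    return !($message instanceof DBField) || $message->config()->escape_type === 'raw';`, `};`. permissionFailure continues past the end of this hunk.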
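Review bot: The rewritten `setSessionMessage` call here is a single line well over 120 characters, while the same call in the third hunk (`@@ -399,7 +408,13 @@`) is wrapped one argument per line; the two call sites should share one layout. The ternary `$shouldEscapeHtml($message) ? ValidationResult::CAST_TEXT : ValidationResult::CAST_HTML` is also duplicated verbatim between them, so having the closure return the cast constant itself would shrink both to `static::singleton()->setSessionMessage($message, ValidationResult::TYPE_WARNING, $messageCast($message));`. This assumes setSessionMessage's third parameter accepts the ValidationResult CAST_* constant, which the hunk implies but does not show.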