Merge pull request #7699 from open-sausages/pulls/4/html-in-security-msg

ENHANCEMENT Allow html in security failure message
2024-10-22 14:05:37 +02:00 · 2017-12-14 14:30:09 +13:00 · 2017-12-14 14:30:09 +13:00 · 529e341dbc
commit 529e341dbc
parent 277c129e1e 8b1b9f022b
14 changed files with 75 additions and 60 deletions
--- a/src/Core/Injector/Injector.php
+++ b/src/Core/Injector/Injector.php
@ -426,13 +426,13 @@ class Injector implements ContainerInterface
            // to ensure we get cached
            $spec['id'] = $id;

-//			We've removed this check because new functionality means that the 'class' field doesn't need to refer
-//			specifically to a class anymore - it could be a compound statement, ala SilverStripe's old Object::create
-//			functionality
+//          We've removed this check because new functionality means that the 'class' field doesn't need to refer
+//          specifically to a class anymore - it could be a compound statement, ala SilverStripe's old Object::create
+//          functionality
 //
-//			if (!class_exists($class)) {
-//				throw new Exception("Failed to load '$class' from $file");
-//			}
+//          if (!class_exists($class)) {
+//              throw new Exception("Failed to load '$class' from $file");
+//          }

            // store the specs for now - we lazy load on demand later on.
            $this->specs[$id] = $spec;
--- a/src/Dev/BulkLoader.php
+++ b/src/Dev/BulkLoader.php
@ -136,11 +136,11 @@ abstract class BulkLoader extends ViewableData
    }

    /*
-	 * Load the given file via {@link self::processAll()} and {@link self::processRecord()}.
-	 * Optionally truncates (clear) the table before it imports.
-	 *
-	 * @return BulkLoader_Result See {@link self::processAll()}
-	 */
+     * Load the given file via {@link self::processAll()} and {@link self::processRecord()}.
+     * Optionally truncates (clear) the table before it imports.
+     *
+     * @return BulkLoader_Result See {@link self::processAll()}
+     */
    public function load($filepath)
    {
        Environment::increaseTimeLimitTo(3600);
--- a/src/Dev/DevelopmentAdmin.php
+++ b/src/Dev/DevelopmentAdmin.php
@ -140,8 +140,8 @@ class DevelopmentAdmin extends Controller


    /*
-	 * Internal methods
-	 */
+     * Internal methods
+     */

    /**
     * @return array of url => description
@ -175,8 +175,8 @@ class DevelopmentAdmin extends Controller


    /*
-	 * Unregistered (hidden) actions
-	 */
+     * Unregistered (hidden) actions
+     */

    /**
     * Build the default data, calling requireDefaultRecords on all
--- a/src/Forms/FieldList.php
+++ b/src/Forms/FieldList.php
@ -714,7 +714,7 @@ class FieldList extends ArrayList
            $fieldMap[$field->getName()] = $field;
        }

-        // Iterate through the ordered list	of names, building a new array to be put into $this->items.
+        // Iterate through the ordered list of names, building a new array to be put into $this->items.
        // While we're doing this, empty out $fieldMap so that we can keep track of leftovers.
        // Unrecognised field names are okay; just ignore them
        $fields = array();
--- a/src/ORM/Connect/DBSchemaManager.php
+++ b/src/ORM/Connect/DBSchemaManager.php
@ -855,13 +855,13 @@ abstract class DBSchemaManager


    /*
-	 * This is a lookup table for data types.
-	 * For instance, Postgres uses 'INT', while MySQL uses 'UNSIGNED'
-	 * So this is a DB-specific list of equivilents.
-	 *
-	 * @param string $type
-	 * @return string
-	 */
+     * This is a lookup table for data types.
+     * For instance, Postgres uses 'INT', while MySQL uses 'UNSIGNED'
+     * So this is a DB-specific list of equivilents.
+     *
+     * @param string $type
+     * @return string
+     */
    abstract public function dbDataType($type);

    /**
@ -1116,10 +1116,10 @@ abstract class DBSchemaManager
    abstract public function varchar($values);

    /*
-	 * Returns data type for 'year' column
-	 *
-	 * @param array $values Contains a tokenised list of info about this data type
-	 * @return string
-	 */
+     * Returns data type for 'year' column
+     *
+     * @param array $values Contains a tokenised list of info about this data type
+     * @return string
+     */
    abstract public function year($values);
 }
--- a/src/ORM/Connect/Database.php
+++ b/src/ORM/Connect/Database.php
@ -617,14 +617,14 @@ abstract class Database
    }

    /*
-	 * Determines if the current database connection supports a given list of extensions
-	 *
-	 * @param array $extensions List of extensions to check for support of. The key of this array
-	 * will be an extension name, and the value the configuration for that extension. This
-	 * could be one of partitions, tablespaces, or clustering
-	 * @return boolean Flag indicating support for all of the above
-	 * @todo Write test cases
-	 */
+     * Determines if the current database connection supports a given list of extensions
+     *
+     * @param array $extensions List of extensions to check for support of. The key of this array
+     * will be an extension name, and the value the configuration for that extension. This
+     * could be one of partitions, tablespaces, or clustering
+     * @return boolean Flag indicating support for all of the above
+     * @todo Write test cases
+     */
    public function supportsExtensions($extensions)
    {
        return false;
--- a/src/ORM/Connect/MySQLSchemaManager.php
+++ b/src/ORM/Connect/MySQLSchemaManager.php
@ -614,11 +614,11 @@ class MySQLSchemaManager extends DBSchemaManager
    }

    /*
-	 * Return the MySQL-proprietary 'Year' datatype
-	 *
-	 * @param array $values Contains a tokenised list of info about this data type
-	 * @return string
-	 */
+     * Return the MySQL-proprietary 'Year' datatype
+     *
+     * @param array $values Contains a tokenised list of info about this data type
+     * @return string
+     */
    public function year($values)
    {
        return 'year(4)';
--- a/src/ORM/DataObject.php
+++ b/src/ORM/DataObject.php
@ -3413,8 +3413,8 @@ class DataObject extends ViewableData implements DataObjectInterface, i18nEntity
    }

    /*
-	 * @ignore
-	 */
+     * @ignore
+     */
    private static $subclass_access = true;

    /**
--- a/src/Security/Security.php
+++ b/src/Security/Security.php
@ -317,6 +317,15 @@ class Security extends Controller implements TemplateGlobalProvider
    public static function permissionFailure($controller = null, $messageSet = null)
    {
        self::set_ignore_disallowed_actions(true);
+        $shouldEscapeHtml = function ($message) {
+            if ($message instanceof DBField) {
+                $escapeHtml = $message->config()->escape_type === 'raw';
+            } else {
+                $escapeHtml = true;
+            }
+
+            return $escapeHtml;
+        };

        if (!$controller && Controller::has_curr()) {
            $controller = Controller::curr();
@ -380,7 +389,7 @@ class Security extends Controller implements TemplateGlobalProvider
                $message = $messageSet['default'];
            }

-            static::singleton()->setSessionMessage($message, ValidationResult::TYPE_WARNING);
+            static::singleton()->setSessionMessage($message, ValidationResult::TYPE_WARNING, $shouldEscapeHtml($message) ? ValidationResult::CAST_TEXT : ValidationResult::CAST_HTML);
            $request = new HTTPRequest('GET', '/');
            if ($controller) {
                $request->setSession($controller->getRequest()->getSession());
@ -399,7 +408,13 @@ class Security extends Controller implements TemplateGlobalProvider
            $message = $messageSet['default'];
        }

-        static::singleton()->setSessionMessage($message, ValidationResult::TYPE_WARNING);
+        static::singleton()->setSessionMessage(
+            $message,
+            ValidationResult::TYPE_WARNING,
+            $shouldEscapeHtml($message) ?
+                ValidationResult::CAST_TEXT :
+                ValidationResult::CAST_HTML
+        );

        $controller->getRequest()->getSession()->set("BackURL", $_SERVER['REQUEST_URI']);

--- a/tests/behat/src/CmsFormsContext.php
+++ b/tests/behat/src/CmsFormsContext.php
@ -241,11 +241,11 @@ JS;
    }

    /*
-	 * @example Given the CMS settings has the following data
-	 *	| Title | My site title |
-	 *	| Theme | My site theme |
-	 * @Given /^the CMS settings have the following data$/
-	 */
+     * @example Given the CMS settings has the following data
+     *  | Title | My site title |
+     *  | Theme | My site theme |
+     * @Given /^the CMS settings have the following data$/
+     */
    public function theCmsSettingsHasData(TableNode $fieldsTable)
    {
        $fields = $fieldsTable->getRowsHash();
--- a/tests/php/Control/ControllerTest.php
+++ b/tests/php/Control/ControllerTest.php
@ -390,8 +390,8 @@ class ControllerTest extends FunctionalTest
            'Numeric actions do not slip through.'
        );
        //$this->assertFalse(
-        //	$controller->hasAction('lowercase_permission'),
-        //	'Lowercase permission does not slip through.'
+        //  $controller->hasAction('lowercase_permission'),
+        //  'Lowercase permission does not slip through.'
        //);
        $this->assertFalse(
            $controller->hasAction('undefined'),
--- a/tests/php/Dev/CsvBulkLoaderTest.php
+++ b/tests/php/Dev/CsvBulkLoaderTest.php
@ -230,7 +230,7 @@ class CsvBulkLoaderTest extends SapphireTest

        // null values are valid imported
        // $this->assertEquals($player->Biography, 'He\'s a good guy',
-        //	'Test retaining of previous information on duplicate when overwriting with blank field');
+        //  'Test retaining of previous information on duplicate when overwriting with blank field');
    }

    public function testLoadWithCustomImportMethods()
--- a/tests/php/Forms/ListboxFieldTest.php
+++ b/tests/php/Forms/ListboxFieldTest.php
@ -226,11 +226,11 @@ class ListboxFieldTest extends SapphireTest
         * @todo re-enable these tests when field validation is removed from {@link ListboxField::setValue()} and moved
         * to the {@link ListboxField::validate()} function
         */
-        //		$field->setValue(4);
-        //		$this->assertFalse(
-        //			$field->validate($validator),
-        //			'Field does not validate values outside of source map'
-        //		);
+        //      $field->setValue(4);
+        //      $this->assertFalse(
+        //          $field->validate($validator),
+        //          'Field does not validate values outside of source map'
+        //      );
        $field->setValue(
            false,
            new ArrayData(
--- a/tests/php/View/SSViewerTest.php
+++ b/tests/php/View/SSViewerTest.php
@ -1775,8 +1775,8 @@ EOC;
        $this->assertContains($code, $result);
        // TODO Fix inline links in PHP mode
        // $this->assertContains(
-        // 	'<a class="inline" href="<?php echo str_replace(',
-        // 	$result
+        //  '<a class="inline" href="<?php echo str_replace(',
+        //  $result
        // );
        $this->assertContains(
            '<svg><use xlink:href="#sprite"></use></svg>',