Merge pull request #7699 from open-sausages/pulls/4/html-in-security-msg

ENHANCEMENT Allow html in security failure message
Damian Mooyman 2017-12-14 14:30:09 +13:00 committed by GitHub
commit 529e341dbc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 75 additions and 60 deletions


@ -426,13 +426,13 @@ class Injector implements ContainerInterface
// to ensure we get cached
$spec['id'] = $id;
// We've removed this check because new functionality means that the 'class' field doesn't need to refer
// specifically to a class anymore - it could be a compound statement, ala SilverStripe's old Object::create
// functionality
// We've removed this check because new functionality means that the 'class' field doesn't need to refer
// specifically to a class anymore - it could be a compound statement, ala SilverStripe's old Object::create
// functionality
//
// if (!class_exists($class)) {
// throw new Exception("Failed to load '$class' from $file");
// }
// if (!class_exists($class)) {
// throw new Exception("Failed to load '$class' from $file");
// }
// store the specs for now - we lazy load on demand later on.
$this->specs[$id] = $spec;


@ -136,11 +136,11 @@ abstract class BulkLoader extends ViewableData
}
/*
* Load the given file via {@link self::processAll()} and {@link self::processRecord()}.
* Optionally truncates (clear) the table before it imports.
*
* @return BulkLoader_Result See {@link self::processAll()}
*/
* Load the given file via {@link self::processAll()} and {@link self::processRecord()}.
* Optionally truncates (clear) the table before it imports.
*
* @return BulkLoader_Result See {@link self::processAll()}
*/
public function load($filepath)
{
Environment::increaseTimeLimitTo(3600);


@ -140,8 +140,8 @@ class DevelopmentAdmin extends Controller
/*
* Internal methods
*/
* Internal methods
*/
/**
* @return array of url => description
@ -175,8 +175,8 @@ class DevelopmentAdmin extends Controller
/*
* Unregistered (hidden) actions
*/
* Unregistered (hidden) actions
*/
/**
* Build the default data, calling requireDefaultRecords on all


@ -714,7 +714,7 @@ class FieldList extends ArrayList
$fieldMap[$field->getName()] = $field;
}
// Iterate through the ordered list of names, building a new array to be put into $this->items.
// Iterate through the ordered list of names, building a new array to be put into $this->items.
// While we're doing this, empty out $fieldMap so that we can keep track of leftovers.
// Unrecognised field names are okay; just ignore them
$fields = array();


@ -855,13 +855,13 @@ abstract class DBSchemaManager
/*
* This is a lookup table for data types.
* For instance, Postgres uses 'INT', while MySQL uses 'UNSIGNED'
* So this is a DB-specific list of equivilents.
*
* @param string $type
* @return string
*/
* This is a lookup table for data types.
* For instance, Postgres uses 'INT', while MySQL uses 'UNSIGNED'
* So this is a DB-specific list of equivilents.
*
* @param string $type
* @return string
*/
abstract public function dbDataType($type);
/**
@ -1116,10 +1116,10 @@ abstract class DBSchemaManager
abstract public function varchar($values);
/*
* Returns data type for 'year' column
*
* @param array $values Contains a tokenised list of info about this data type
* @return string
*/
* Returns data type for 'year' column
*
* @param array $values Contains a tokenised list of info about this data type
* @return string
*/
abstract public function year($values);
}


@ -617,14 +617,14 @@ abstract class Database
}
/*
* Determines if the current database connection supports a given list of extensions
*
* @param array $extensions List of extensions to check for support of. The key of this array
* will be an extension name, and the value the configuration for that extension. This
* could be one of partitions, tablespaces, or clustering
* @return boolean Flag indicating support for all of the above
* @todo Write test cases
*/
* Determines if the current database connection supports a given list of extensions
*
* @param array $extensions List of extensions to check for support of. The key of this array
* will be an extension name, and the value the configuration for that extension. This
* could be one of partitions, tablespaces, or clustering
* @return boolean Flag indicating support for all of the above
* @todo Write test cases
*/
public function supportsExtensions($extensions)
{
return false;


@ -614,11 +614,11 @@ class MySQLSchemaManager extends DBSchemaManager
}
/*
* Return the MySQL-proprietary 'Year' datatype
*
* @param array $values Contains a tokenised list of info about this data type
* @return string
*/
* Return the MySQL-proprietary 'Year' datatype
*
* @param array $values Contains a tokenised list of info about this data type
* @return string
*/
public function year($values)
{
return 'year(4)';


@ -3413,8 +3413,8 @@ class DataObject extends ViewableData implements DataObjectInterface, i18nEntity
}
/*
* @ignore
*/
* @ignore
*/
private static $subclass_access = true;
/**


@ -317,6 +317,15 @@ class Security extends Controller implements TemplateGlobalProvider
public static function permissionFailure($controller = null, $messageSet = null)
{
self::set_ignore_disallowed_actions(true);
$shouldEscapeHtml = function ($message) {
if ($message instanceof DBField) {
$escapeHtml = $message->config()->escape_type === 'raw';
} else {
$escapeHtml = true;
}
return $escapeHtml;
};
if (!$controller && Controller::has_curr()) {
$controller = Controller::curr();
@ -380,7 +389,7 @@ class Security extends Controller implements TemplateGlobalProvider
$message = $messageSet['default'];
}
static::singleton()->setSessionMessage($message, ValidationResult::TYPE_WARNING);
static::singleton()->setSessionMessage($message, ValidationResult::TYPE_WARNING, $shouldEscapeHtml($message) ? ValidationResult::CAST_TEXT : ValidationResult::CAST_HTML);
$request = new HTTPRequest('GET', '/');
if ($controller) {
$request->setSession($controller->getRequest()->getSession());
@ -399,7 +408,13 @@ class Security extends Controller implements TemplateGlobalProvider
$message = $messageSet['default'];
}
static::singleton()->setSessionMessage($message, ValidationResult::TYPE_WARNING);
static::singleton()->setSessionMessage(
$message,
ValidationResult::TYPE_WARNING,
$shouldEscapeHtml($message) ?
ValidationResult::CAST_TEXT :
ValidationResult::CAST_HTML
);
$controller->getRequest()->getSession()->set("BackURL", $_SERVER['REQUEST_URI']);
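Review bot: The escape decision introduced by the `$shouldEscapeHtml` closure in the first hunk is undocumented, and the rule it encodes — a message is emitted as HTML only when it is a DBField whose `config()->escape_type` is not 'raw', while plain strings and raw-typed fields are always cast to text — is exactly what a maintainer touching permissionFailure needs to know before handing it a DBField (presumably DBHTMLText) built from request data. A comment above the closure such as `// Only DBField instances whose escape_type config is not 'raw' are trusted as HTML; every other message is escaped as text.` would capture it. The same decision is then formatted two different ways in the second and third hunks (one-line ternary on the first setSessionMessage call, a multi-line ternary with `?` at line end on the second); having the closure return the cast constant directly — `return ($message instanceof DBField && $message->config()->escape_type !== 'raw') ? ValidationResult::CAST_HTML : ValidationResult::CAST_TEXT;` — would remove the ternary from both call sites. The closure reads only its `$message` argument, so it could also be declared `static function`. permissionFailure's body continues outside these hunks.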


@ -241,11 +241,11 @@ JS;
}
/*
* @example Given the CMS settings has the following data
* | Title | My site title |
* | Theme | My site theme |
* @Given /^the CMS settings have the following data$/
*/
* @example Given the CMS settings has the following data
* | Title | My site title |
* | Theme | My site theme |
* @Given /^the CMS settings have the following data$/
*/
public function theCmsSettingsHasData(TableNode $fieldsTable)
{
$fields = $fieldsTable->getRowsHash();


@ -390,8 +390,8 @@ class ControllerTest extends FunctionalTest
'Numeric actions do not slip through.'
);
//$this->assertFalse(
// $controller->hasAction('lowercase_permission'),
// 'Lowercase permission does not slip through.'
// $controller->hasAction('lowercase_permission'),
// 'Lowercase permission does not slip through.'
//);
$this->assertFalse(
$controller->hasAction('undefined'),


@ -230,7 +230,7 @@ class CsvBulkLoaderTest extends SapphireTest
// null values are valid imported
// $this->assertEquals($player->Biography, 'He\'s a good guy',
// 'Test retaining of previous information on duplicate when overwriting with blank field');
// 'Test retaining of previous information on duplicate when overwriting with blank field');
}
public function testLoadWithCustomImportMethods()


@ -226,11 +226,11 @@ class ListboxFieldTest extends SapphireTest
* @todo re-enable these tests when field validation is removed from {@link ListboxField::setValue()} and moved
* to the {@link ListboxField::validate()} function
*/
// $field->setValue(4);
// $this->assertFalse(
// $field->validate($validator),
// 'Field does not validate values outside of source map'
// );
// $field->setValue(4);
// $this->assertFalse(
// $field->validate($validator),
// 'Field does not validate values outside of source map'
// );
$field->setValue(
false,
new ArrayData(


@ -1775,8 +1775,8 @@ EOC;
$this->assertContains($code, $result);
// TODO Fix inline links in PHP mode
// $this->assertContains(
// '<a class="inline" href="<?php echo str_replace(',
// $result
// '<a class="inline" href="<?php echo str_replace(',
// $result
// );
$this->assertContains(
'<svg><use xlink:href="#sprite"></use></svg>',