Merge pull request #7699 from open-sausages/pulls/4/html-in-security-msg
ENHANCEMENT Allow HTML in security failure message
commit
529e341dbc
@ -426,13 +426,13 @@ class Injector implements ContainerInterface
|
|||||||
// to ensure we get cached
|
// to ensure we get cached
|
||||||
$spec['id'] = $id;
|
$spec['id'] = $id;
|
||||||
|
|
||||||
// We've removed this check because new functionality means that the 'class' field doesn't need to refer
|
// We've removed this check because new functionality means that the 'class' field doesn't need to refer
|
||||||
// specifically to a class anymore - it could be a compound statement, ala SilverStripe's old Object::create
|
// specifically to a class anymore - it could be a compound statement, ala SilverStripe's old Object::create
|
||||||
// functionality
|
// functionality
|
||||||
//
|
//
|
||||||
// if (!class_exists($class)) {
|
// if (!class_exists($class)) {
|
||||||
// throw new Exception("Failed to load '$class' from $file");
|
// throw new Exception("Failed to load '$class' from $file");
|
||||||
// }
|
// }
|
||||||
|
|
||||||
// store the specs for now - we lazy load on demand later on.
|
// store the specs for now - we lazy load on demand later on.
|
||||||
$this->specs[$id] = $spec;
|
$this->specs[$id] = $spec;
|
||||||
|
@ -136,11 +136,11 @@ abstract class BulkLoader extends ViewableData
|
|||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Load the given file via {@link self::processAll()} and {@link self::processRecord()}.
|
* Load the given file via {@link self::processAll()} and {@link self::processRecord()}.
|
||||||
* Optionally truncates (clear) the table before it imports.
|
* Optionally truncates (clear) the table before it imports.
|
||||||
*
|
*
|
||||||
* @return BulkLoader_Result See {@link self::processAll()}
|
* @return BulkLoader_Result See {@link self::processAll()}
|
||||||
*/
|
*/
|
||||||
public function load($filepath)
|
public function load($filepath)
|
||||||
{
|
{
|
||||||
Environment::increaseTimeLimitTo(3600);
|
Environment::increaseTimeLimitTo(3600);
|
||||||
|
@ -140,8 +140,8 @@ class DevelopmentAdmin extends Controller
|
|||||||
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Internal methods
|
* Internal methods
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @return array of url => description
|
* @return array of url => description
|
||||||
@ -175,8 +175,8 @@ class DevelopmentAdmin extends Controller
|
|||||||
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Unregistered (hidden) actions
|
* Unregistered (hidden) actions
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Build the default data, calling requireDefaultRecords on all
|
* Build the default data, calling requireDefaultRecords on all
|
||||||
|
@ -714,7 +714,7 @@ class FieldList extends ArrayList
|
|||||||
$fieldMap[$field->getName()] = $field;
|
$fieldMap[$field->getName()] = $field;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Iterate through the ordered list of names, building a new array to be put into $this->items.
|
// Iterate through the ordered list of names, building a new array to be put into $this->items.
|
||||||
// While we're doing this, empty out $fieldMap so that we can keep track of leftovers.
|
// While we're doing this, empty out $fieldMap so that we can keep track of leftovers.
|
||||||
// Unrecognised field names are okay; just ignore them
|
// Unrecognised field names are okay; just ignore them
|
||||||
$fields = array();
|
$fields = array();
|
||||||
|
@ -855,13 +855,13 @@ abstract class DBSchemaManager
|
|||||||
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* This is a lookup table for data types.
|
* This is a lookup table for data types.
|
||||||
* For instance, Postgres uses 'INT', while MySQL uses 'UNSIGNED'
|
* For instance, Postgres uses 'INT', while MySQL uses 'UNSIGNED'
|
||||||
* So this is a DB-specific list of equivilents.
|
* So this is a DB-specific list of equivilents.
|
||||||
*
|
*
|
||||||
* @param string $type
|
* @param string $type
|
||||||
* @return string
|
* @return string
|
||||||
*/
|
*/
|
||||||
abstract public function dbDataType($type);
|
abstract public function dbDataType($type);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -1116,10 +1116,10 @@ abstract class DBSchemaManager
|
|||||||
abstract public function varchar($values);
|
abstract public function varchar($values);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Returns data type for 'year' column
|
* Returns data type for 'year' column
|
||||||
*
|
*
|
||||||
* @param array $values Contains a tokenised list of info about this data type
|
* @param array $values Contains a tokenised list of info about this data type
|
||||||
* @return string
|
* @return string
|
||||||
*/
|
*/
|
||||||
abstract public function year($values);
|
abstract public function year($values);
|
||||||
}
|
}
|
||||||
|
@ -617,14 +617,14 @@ abstract class Database
|
|||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Determines if the current database connection supports a given list of extensions
|
* Determines if the current database connection supports a given list of extensions
|
||||||
*
|
*
|
||||||
* @param array $extensions List of extensions to check for support of. The key of this array
|
* @param array $extensions List of extensions to check for support of. The key of this array
|
||||||
* will be an extension name, and the value the configuration for that extension. This
|
* will be an extension name, and the value the configuration for that extension. This
|
||||||
* could be one of partitions, tablespaces, or clustering
|
* could be one of partitions, tablespaces, or clustering
|
||||||
* @return boolean Flag indicating support for all of the above
|
* @return boolean Flag indicating support for all of the above
|
||||||
* @todo Write test cases
|
* @todo Write test cases
|
||||||
*/
|
*/
|
||||||
public function supportsExtensions($extensions)
|
public function supportsExtensions($extensions)
|
||||||
{
|
{
|
||||||
return false;
|
return false;
|
||||||
|
@ -614,11 +614,11 @@ class MySQLSchemaManager extends DBSchemaManager
|
|||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Return the MySQL-proprietary 'Year' datatype
|
* Return the MySQL-proprietary 'Year' datatype
|
||||||
*
|
*
|
||||||
* @param array $values Contains a tokenised list of info about this data type
|
* @param array $values Contains a tokenised list of info about this data type
|
||||||
* @return string
|
* @return string
|
||||||
*/
|
*/
|
||||||
public function year($values)
|
public function year($values)
|
||||||
{
|
{
|
||||||
return 'year(4)';
|
return 'year(4)';
|
||||||
|
@ -3413,8 +3413,8 @@ class DataObject extends ViewableData implements DataObjectInterface, i18nEntity
|
|||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* @ignore
|
* @ignore
|
||||||
*/
|
*/
|
||||||
private static $subclass_access = true;
|
private static $subclass_access = true;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
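--- a/<PATH NOT SHOWN: class Security>
+++ b/<PATH NOT SHOWN: class Security>
@@ -317,6 +317,15 @@ class Security extends Controller implements TemplateGlobalProvider
 public static function permissionFailure($controller = null, $messageSet = null)
 {
 self::set_ignore_disallowed_actions(true);
+$shouldEscapeHtml = function ($message) {
+if ($message instanceof DBField) {
+$escapeHtml = $message->config()->escape_type === 'raw';
+} else {
+$escapeHtml = true;
+}
+
+return $escapeHtml;
+};
 
 if (!$controller && Controller::has_curr()) {
 $controller = Controller::curr();
@@ -380,7 +389,7 @@ class Security extends Controller implements TemplateGlobalProvider
 $message = $messageSet['default'];
 }
 
-static::singleton()->setSessionMessage($message, ValidationResult::TYPE_WARNING);
+static::singleton()->setSessionMessage($message, ValidationResult::TYPE_WARNING, $shouldEscapeHtml($message) ? ValidationResult::CAST_TEXT : ValidationResult::CAST_HTML);
 $request = new HTTPRequest('GET', '/');
 if ($controller) {
 $request->setSession($controller->getRequest()->getSession());
@@ -399,7 +408,13 @@ class Security extends Controller implements TemplateGlobalProvider
 $message = $messageSet['default'];
 }
 
-static::singleton()->setSessionMessage($message, ValidationResult::TYPE_WARNING);
+static::singleton()->setSessionMessage(
+$message,
+ValidationResult::TYPE_WARNING,
+$shouldEscapeHtml($message) ?
+ValidationResult::CAST_TEXT :
+ValidationResult::CAST_HTML
+);
 
 $controller->getRequest()->getSession()->set("BackURL", $_SERVER['REQUEST_URI']);
 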
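Review bot: `$message instanceof DBField` in the first hunk silently evaluates to false if `DBField` is not imported into this file's namespace, because `instanceof` never errors on an unresolved class name, so every message would then be cast as text and the enhancement would be a no-op; the `use SilverStripe\ORM\FieldType\DBField;` line is outside these hunks, so confirm it is present. The closure can be a single expression, `return !($message instanceof DBField) || $message->config()->escape_type === 'raw';`, and the identical `setSessionMessage(...)` call is laid out differently in the second hunk (one line well over 120 characters) and the third (multi-line), so pick one layout for both. The `$messageSet` docblock, which precedes the first hunk and is outside it, should state that a DBField whose `escape_type` is not `'raw'` (for example DBHTMLText) is rendered unescaped on the login page, so callers must only wrap markup they control. `permissionFailure()` begins in the first hunk and continues past the last one.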
@ -241,11 +241,11 @@ JS;
|
|||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* @example Given the CMS settings has the following data
|
* @example Given the CMS settings has the following data
|
||||||
* | Title | My site title |
|
* | Title | My site title |
|
||||||
* | Theme | My site theme |
|
* | Theme | My site theme |
|
||||||
* @Given /^the CMS settings have the following data$/
|
* @Given /^the CMS settings have the following data$/
|
||||||
*/
|
*/
|
||||||
public function theCmsSettingsHasData(TableNode $fieldsTable)
|
public function theCmsSettingsHasData(TableNode $fieldsTable)
|
||||||
{
|
{
|
||||||
$fields = $fieldsTable->getRowsHash();
|
$fields = $fieldsTable->getRowsHash();
|
||||||
|
@ -390,8 +390,8 @@ class ControllerTest extends FunctionalTest
|
|||||||
'Numeric actions do not slip through.'
|
'Numeric actions do not slip through.'
|
||||||
);
|
);
|
||||||
//$this->assertFalse(
|
//$this->assertFalse(
|
||||||
// $controller->hasAction('lowercase_permission'),
|
// $controller->hasAction('lowercase_permission'),
|
||||||
// 'Lowercase permission does not slip through.'
|
// 'Lowercase permission does not slip through.'
|
||||||
//);
|
//);
|
||||||
$this->assertFalse(
|
$this->assertFalse(
|
||||||
$controller->hasAction('undefined'),
|
$controller->hasAction('undefined'),
|
||||||
|
@ -230,7 +230,7 @@ class CsvBulkLoaderTest extends SapphireTest
|
|||||||
|
|
||||||
// null values are valid imported
|
// null values are valid imported
|
||||||
// $this->assertEquals($player->Biography, 'He\'s a good guy',
|
// $this->assertEquals($player->Biography, 'He\'s a good guy',
|
||||||
// 'Test retaining of previous information on duplicate when overwriting with blank field');
|
// 'Test retaining of previous information on duplicate when overwriting with blank field');
|
||||||
}
|
}
|
||||||
|
|
||||||
public function testLoadWithCustomImportMethods()
|
public function testLoadWithCustomImportMethods()
|
||||||
|
@ -226,11 +226,11 @@ class ListboxFieldTest extends SapphireTest
|
|||||||
* @todo re-enable these tests when field validation is removed from {@link ListboxField::setValue()} and moved
|
* @todo re-enable these tests when field validation is removed from {@link ListboxField::setValue()} and moved
|
||||||
* to the {@link ListboxField::validate()} function
|
* to the {@link ListboxField::validate()} function
|
||||||
*/
|
*/
|
||||||
// $field->setValue(4);
|
// $field->setValue(4);
|
||||||
// $this->assertFalse(
|
// $this->assertFalse(
|
||||||
// $field->validate($validator),
|
// $field->validate($validator),
|
||||||
// 'Field does not validate values outside of source map'
|
// 'Field does not validate values outside of source map'
|
||||||
// );
|
// );
|
||||||
$field->setValue(
|
$field->setValue(
|
||||||
false,
|
false,
|
||||||
new ArrayData(
|
new ArrayData(
|
||||||
|
@ -1775,8 +1775,8 @@ EOC;
|
|||||||
$this->assertContains($code, $result);
|
$this->assertContains($code, $result);
|
||||||
// TODO Fix inline links in PHP mode
|
// TODO Fix inline links in PHP mode
|
||||||
// $this->assertContains(
|
// $this->assertContains(
|
||||||
// '<a class="inline" href="<?php echo str_replace(',
|
// '<a class="inline" href="<?php echo str_replace(',
|
||||||
// $result
|
// $result
|
||||||
// );
|
// );
|
||||||
$this->assertContains(
|
$this->assertContains(
|
||||||
'<svg><use xlink:href="#sprite"></use></svg>',
|
'<svg><use xlink:href="#sprite"></use></svg>',
|
||||||
|