Merge pull request #7699 from open-sausages/pulls/4/html-in-security-msg

ENHANCEMENT Allow html in security failure message
This commit is contained in:
Damian Mooyman 2017-12-14 14:30:09 +13:00 committed by GitHub
commit 529e341dbc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 75 additions and 60 deletions


@ -426,13 +426,13 @@ class Injector implements ContainerInterface
// to ensure we get cached // to ensure we get cached
$spec['id'] = $id; $spec['id'] = $id;
// We've removed this check because new functionality means that the 'class' field doesn't need to refer // We've removed this check because new functionality means that the 'class' field doesn't need to refer
// specifically to a class anymore - it could be a compound statement, ala SilverStripe's old Object::create // specifically to a class anymore - it could be a compound statement, ala SilverStripe's old Object::create
// functionality // functionality
// //
// if (!class_exists($class)) { // if (!class_exists($class)) {
// throw new Exception("Failed to load '$class' from $file"); // throw new Exception("Failed to load '$class' from $file");
// } // }
// store the specs for now - we lazy load on demand later on. // store the specs for now - we lazy load on demand later on.
$this->specs[$id] = $spec; $this->specs[$id] = $spec;


@ -136,11 +136,11 @@ abstract class BulkLoader extends ViewableData
} }
/* /*
* Load the given file via {@link self::processAll()} and {@link self::processRecord()}. * Load the given file via {@link self::processAll()} and {@link self::processRecord()}.
* Optionally truncates (clear) the table before it imports. * Optionally truncates (clear) the table before it imports.
* *
* @return BulkLoader_Result See {@link self::processAll()} * @return BulkLoader_Result See {@link self::processAll()}
*/ */
public function load($filepath) public function load($filepath)
{ {
Environment::increaseTimeLimitTo(3600); Environment::increaseTimeLimitTo(3600);


@ -140,8 +140,8 @@ class DevelopmentAdmin extends Controller
/* /*
* Internal methods * Internal methods
*/ */
/** /**
* @return array of url => description * @return array of url => description
@ -175,8 +175,8 @@ class DevelopmentAdmin extends Controller
/* /*
* Unregistered (hidden) actions * Unregistered (hidden) actions
*/ */
/** /**
* Build the default data, calling requireDefaultRecords on all * Build the default data, calling requireDefaultRecords on all


@ -714,7 +714,7 @@ class FieldList extends ArrayList
$fieldMap[$field->getName()] = $field; $fieldMap[$field->getName()] = $field;
} }
// Iterate through the ordered list of names, building a new array to be put into $this->items. // Iterate through the ordered list of names, building a new array to be put into $this->items.
// While we're doing this, empty out $fieldMap so that we can keep track of leftovers. // While we're doing this, empty out $fieldMap so that we can keep track of leftovers.
// Unrecognised field names are okay; just ignore them // Unrecognised field names are okay; just ignore them
$fields = array(); $fields = array();


@ -855,13 +855,13 @@ abstract class DBSchemaManager
/* /*
* This is a lookup table for data types. * This is a lookup table for data types.
* For instance, Postgres uses 'INT', while MySQL uses 'UNSIGNED' * For instance, Postgres uses 'INT', while MySQL uses 'UNSIGNED'
* So this is a DB-specific list of equivilents. * So this is a DB-specific list of equivilents.
* *
* @param string $type * @param string $type
* @return string * @return string
*/ */
abstract public function dbDataType($type); abstract public function dbDataType($type);
/** /**
@ -1116,10 +1116,10 @@ abstract class DBSchemaManager
abstract public function varchar($values); abstract public function varchar($values);
/* /*
* Returns data type for 'year' column * Returns data type for 'year' column
* *
* @param array $values Contains a tokenised list of info about this data type * @param array $values Contains a tokenised list of info about this data type
* @return string * @return string
*/ */
abstract public function year($values); abstract public function year($values);
} }


@ -617,14 +617,14 @@ abstract class Database
} }
/* /*
* Determines if the current database connection supports a given list of extensions * Determines if the current database connection supports a given list of extensions
* *
* @param array $extensions List of extensions to check for support of. The key of this array * @param array $extensions List of extensions to check for support of. The key of this array
* will be an extension name, and the value the configuration for that extension. This * will be an extension name, and the value the configuration for that extension. This
* could be one of partitions, tablespaces, or clustering * could be one of partitions, tablespaces, or clustering
* @return boolean Flag indicating support for all of the above * @return boolean Flag indicating support for all of the above
* @todo Write test cases * @todo Write test cases
*/ */
public function supportsExtensions($extensions) public function supportsExtensions($extensions)
{ {
return false; return false;


@ -614,11 +614,11 @@ class MySQLSchemaManager extends DBSchemaManager
} }
/* /*
* Return the MySQL-proprietary 'Year' datatype * Return the MySQL-proprietary 'Year' datatype
* *
* @param array $values Contains a tokenised list of info about this data type * @param array $values Contains a tokenised list of info about this data type
* @return string * @return string
*/ */
public function year($values) public function year($values)
{ {
return 'year(4)'; return 'year(4)';


@ -3413,8 +3413,8 @@ class DataObject extends ViewableData implements DataObjectInterface, i18nEntity
} }
/* /*
* @ignore * @ignore
*/ */
private static $subclass_access = true; private static $subclass_access = true;
/** /**


@ -317,6 +317,15 @@ class Security extends Controller implements TemplateGlobalProvider
public static function permissionFailure($controller = null, $messageSet = null) public static function permissionFailure($controller = null, $messageSet = null)
{ {
self::set_ignore_disallowed_actions(true); self::set_ignore_disallowed_actions(true);
$shouldEscapeHtml = function ($message) {
if ($message instanceof DBField) {
$escapeHtml = $message->config()->escape_type === 'raw';
} else {
$escapeHtml = true;
}
return $escapeHtml;
};
if (!$controller && Controller::has_curr()) { if (!$controller && Controller::has_curr()) {
$controller = Controller::curr(); $controller = Controller::curr();
@ -380,7 +389,7 @@ class Security extends Controller implements TemplateGlobalProvider
$message = $messageSet['default']; $message = $messageSet['default'];
} }
static::singleton()->setSessionMessage($message, ValidationResult::TYPE_WARNING); static::singleton()->setSessionMessage($message, ValidationResult::TYPE_WARNING, $shouldEscapeHtml($message) ? ValidationResult::CAST_TEXT : ValidationResult::CAST_HTML);
$request = new HTTPRequest('GET', '/'); $request = new HTTPRequest('GET', '/');
if ($controller) { if ($controller) {
$request->setSession($controller->getRequest()->getSession()); $request->setSession($controller->getRequest()->getSession());
@ -399,7 +408,13 @@ class Security extends Controller implements TemplateGlobalProvider
$message = $messageSet['default']; $message = $messageSet['default'];
} }
static::singleton()->setSessionMessage($message, ValidationResult::TYPE_WARNING); static::singleton()->setSessionMessage(
$message,
ValidationResult::TYPE_WARNING,
$shouldEscapeHtml($message) ?
ValidationResult::CAST_TEXT :
ValidationResult::CAST_HTML
);
$controller->getRequest()->getSession()->set("BackURL", $_SERVER['REQUEST_URI']); $controller->getRequest()->getSession()->set("BackURL", $_SERVER['REQUEST_URI']);
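Review bot: The trust decision introduced by the `$shouldEscapeHtml` closure at the top of the hunk is undocumented, and its boolean reads backwards from its name: it returns `true` when the field's class config `escape_type` is `'raw'`, so both call sites have to turn that back into a cast with a ternary, once on a single very long line and once split over six lines. The effective rule is that a `DBField` whose `escape_type` is anything other than `'raw'` is rendered as `CAST_HTML` without escaping while plain strings and raw-text fields stay `CAST_TEXT`; that matches the framework's escape_type convention, but it also means any caller that wraps request-derived text in an HTML field type now gets it into the page unescaped, which deserves to be stated where the decision is made. I would have the closure return the cast itself and pass `$messageCast($message)` at both sites: `$messageCast = static function ($message) { return ($message instanceof DBField && $message->config()->escape_type !== 'raw') ? ValidationResult::CAST_HTML : ValidationResult::CAST_TEXT; };`, preceded by `// Only DBFields that declare themselves pre-escaped (escape_type !== 'raw', e.g. HTML field types) are trusted as markup; strings and raw-text fields are escaped as text.` `permissionFailure` continues past the end of this hunk, so how `setSessionMessage` consumes the cast is not visible here.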


@ -241,11 +241,11 @@ JS;
} }
/* /*
* @example Given the CMS settings has the following data * @example Given the CMS settings has the following data
* | Title | My site title | * | Title | My site title |
* | Theme | My site theme | * | Theme | My site theme |
* @Given /^the CMS settings have the following data$/ * @Given /^the CMS settings have the following data$/
*/ */
public function theCmsSettingsHasData(TableNode $fieldsTable) public function theCmsSettingsHasData(TableNode $fieldsTable)
{ {
$fields = $fieldsTable->getRowsHash(); $fields = $fieldsTable->getRowsHash();


@ -390,8 +390,8 @@ class ControllerTest extends FunctionalTest
'Numeric actions do not slip through.' 'Numeric actions do not slip through.'
); );
//$this->assertFalse( //$this->assertFalse(
// $controller->hasAction('lowercase_permission'), // $controller->hasAction('lowercase_permission'),
// 'Lowercase permission does not slip through.' // 'Lowercase permission does not slip through.'
//); //);
$this->assertFalse( $this->assertFalse(
$controller->hasAction('undefined'), $controller->hasAction('undefined'),


@ -230,7 +230,7 @@ class CsvBulkLoaderTest extends SapphireTest
// null values are valid imported // null values are valid imported
// $this->assertEquals($player->Biography, 'He\'s a good guy', // $this->assertEquals($player->Biography, 'He\'s a good guy',
// 'Test retaining of previous information on duplicate when overwriting with blank field'); // 'Test retaining of previous information on duplicate when overwriting with blank field');
} }
public function testLoadWithCustomImportMethods() public function testLoadWithCustomImportMethods()


@ -226,11 +226,11 @@ class ListboxFieldTest extends SapphireTest
* @todo re-enable these tests when field validation is removed from {@link ListboxField::setValue()} and moved * @todo re-enable these tests when field validation is removed from {@link ListboxField::setValue()} and moved
* to the {@link ListboxField::validate()} function * to the {@link ListboxField::validate()} function
*/ */
// $field->setValue(4); // $field->setValue(4);
// $this->assertFalse( // $this->assertFalse(
// $field->validate($validator), // $field->validate($validator),
// 'Field does not validate values outside of source map' // 'Field does not validate values outside of source map'
// ); // );
$field->setValue( $field->setValue(
false, false,
new ArrayData( new ArrayData(


@ -1775,8 +1775,8 @@ EOC;
$this->assertContains($code, $result); $this->assertContains($code, $result);
// TODO Fix inline links in PHP mode // TODO Fix inline links in PHP mode
// $this->assertContains( // $this->assertContains(
// '<a class="inline" href="<?php echo str_replace(', // '<a class="inline" href="<?php echo str_replace(',
// $result // $result
// ); // );
$this->assertContains( $this->assertContains(
'<svg><use xlink:href="#sprite"></use></svg>', '<svg><use xlink:href="#sprite"></use></svg>',