[SS-2016-010] FIX Cast FormField values as Text to prevent readonly fields embeding rogue HTML
parent
c914dde7d1
commit
61e4055bdb
@ -157,6 +157,14 @@ class FormField extends RequestHandler {
|
||||
*/
|
||||
protected $attributes = array();
|
||||
|
||||
/**
|
||||
* @config
|
||||
* @var array
|
||||
*/
|
||||
private static $casting = array(
|
||||
'Value' => 'Text',
|
||||
);
|
||||
|
||||
/**
|
||||
* Takes a field name and converts camelcase to spaced words. Also resolves combined field
|
||||
* names with dot syntax to spaced words.
|
||||
|
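Review bot: The new `$casting` block on FormField carries only `@config` / `@var array`, so the reason `Value` is cast as `Text` is left undocumented even though readonly rendering now depends on that default for escaping; a later maintainer could relax it to `HTMLText` without seeing the consequence. Suggest extending the docblock with `* Value is cast as Text so that field values rendered through templates are escaped by default; subclasses that intentionally output HTML (e.g. HtmlEditorField) override this with HTMLText.` The class FormField continues outside the hunk.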
@ -26,6 +26,14 @@ class HtmlEditorField extends TextareaField {
|
||||
*/
|
||||
private static $sanitise_server_side = false;
|
||||
|
||||
/**
|
||||
* @config
|
||||
* @var array
|
||||
*/
|
||||
private static $casting = array(
|
||||
'Value' => 'HTMLText',
|
||||
);
|
||||
|
||||
protected $rows = 30;
|
||||
|
||||
/**
|
||||
|
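Review bot: `'Value' => 'HTMLText'` makes HtmlEditorField's value render unescaped, which is the intent here, but it sits directly beneath `private static $sanitise_server_side = false`, so by default the stored markup presumably reaches the template without server-side sanitisation. A one-line comment would make that coupling explicit for readers of either setting: `// Value is rendered as HTML; server-side sanitisation of it is opt-in via sanitise_server_side`. Whether the sanitise flag actually gates the value on output is not visible in this hunk, so the wording should be confirmed against the rest of the class.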
@ -49,10 +49,24 @@ class ReadonlyField extends FormField {
|
||||
}
|
||||
|
||||
public function Value() {
|
||||
if($this->value) return $this->dontEscape ? $this->value : Convert::raw2xml($this->value);
|
||||
if($this->value) return $this->value;
|
||||
else return '<i>(' . _t('FormField.NONE', 'none') . ')</i>';
|
||||
}
|
||||
|
||||
/**
|
||||
* This is a legacy fix to ensure that the `dontEscape` flag has an impact on readonly fields
|
||||
* now that we've moved to casting template values more rigidly
|
||||
*
|
||||
* @param string $field
|
||||
* @return string
|
||||
*/
|
||||
public function castingHelper($field) {
|
||||
if ($field == 'Value' && $this->dontEscape) {
|
||||
return 'HTMLText';
|
||||
}
|
||||
return parent::castingHelper($field);
|
||||
}
|
||||
|
||||
public function getAttributes() {
|
||||
return array_merge(
|
||||
parent::getAttributes(),
|
||||
|
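Review bot: `Value()` now returns `$this->value` unescaped and relies on `castingHelper()` for escaping, but the `else` branch still returns the literal markup `'<i>(' . _t('FormField.NONE', 'none') . ')</i>'`; under the default `Text` cast that placeholder will presumably be escaped on output and show the `<i>` tags literally unless `dontEscape` is set. Either drop the tags from the placeholder or have `castingHelper()` return `HTMLText` for the empty-value case as well, and cover it with a test. Separately, `$field == 'Value'` is a loose comparison; `if ($field === 'Value' && $this->dontEscape) {` is the safer form. `getAttributes()` continues outside the hunk.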
@ -85,11 +85,4 @@ class TextareaField extends FormField {
|
||||
|
||||
return $parent;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return string
|
||||
*/
|
||||
public function Value() {
|
||||
return htmlentities($this->value, ENT_COMPAT, 'UTF-8');
|
||||
}
|
||||
}
|
||||
|
@ -2,16 +2,6 @@
|
||||
|
||||
class TextareaFieldTest extends SapphireTest {
|
||||
|
||||
/**
|
||||
* Quick smoke test to ensure that text is being encoded properly.
|
||||
*/
|
||||
public function testTextEncoding() {
|
||||
$inputText = "These are some unicodes: äöü";
|
||||
$field = new TextareaField("Test", "Test");
|
||||
$field->setValue($inputText);
|
||||
$this->assertContains('These are some unicodes: äöü', $field->Field());
|
||||
}
|
||||
|
||||
/**
|
||||
* Quick smoke test to ensure that text with unicodes is being displayed properly in readonly fields.
|
||||
*/
|
||||
|