[SS-2016-010] FIX Cast FormField values as Text to prevent readonly fields embeding rogue HTML
This commit is contained in:
parent
c914dde7d1
commit
61e4055bdb
@ -157,6 +157,14 @@ class FormField extends RequestHandler {
|
|||||||
*/
|
*/
|
||||||
protected $attributes = array();
|
protected $attributes = array();
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @config
|
||||||
|
* @var array
|
||||||
|
*/
|
||||||
|
private static $casting = array(
|
||||||
|
'Value' => 'Text',
|
||||||
|
);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Takes a field name and converts camelcase to spaced words. Also resolves combined field
|
* Takes a field name and converts camelcase to spaced words. Also resolves combined field
|
||||||
* names with dot syntax to spaced words.
|
* names with dot syntax to spaced words.
|
||||||
|
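Review bot: The new `$casting` array is the escaping control this advisory relies on, yet its docblock carries only `@config` and `@var array`, so nothing at the declaration warns that overriding `Value` to `HTMLText` (as HtmlEditorField does elsewhere in this same commit) turns `$Value` in templates back into raw markup. Because the property is `@config`, a YAML override can achieve the same without touching PHP, which is worth stating next to the default. Suggest extending the docblock with ` * Value is cast as Text so $Value is escaped in templates (SS-2016-010); override to HTMLText only for fields that own their markup.` The class header and the remainder of FormField lie outside this hunk.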
@ -26,6 +26,14 @@ class HtmlEditorField extends TextareaField {
|
|||||||
*/
|
*/
|
||||||
private static $sanitise_server_side = false;
|
private static $sanitise_server_side = false;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @config
|
||||||
|
* @var array
|
||||||
|
*/
|
||||||
|
private static $casting = array(
|
||||||
|
'Value' => 'HTMLText',
|
||||||
|
);
|
||||||
|
|
||||||
protected $rows = 30;
|
protected $rows = 30;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
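Review bot: Casting `Value` to `HTMLText` means any template that outputs `$Value` now emits the stored editor markup unescaped, and the `$sanitise_server_side = false` default visible at the top of this hunk means that markup is presumably only cleaned on save if a site opts in. That is likely the intent for a WYSIWYG field, but the docblock above the array does not say so, and a reader comparing it with the `Text` cast on FormField gets no hint why this class is exempt. Suggest replacing the bare ` * @var array` with ` * @var array Value holds editor HTML and renders unescaped in templates; server-side sanitisation is opt-in via sanitise_server_side.` The rest of HtmlEditorField is outside this hunk.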
@ -49,10 +49,24 @@ class ReadonlyField extends FormField {
|
|||||||
}
|
}
|
||||||
|
|
||||||
public function Value() {
|
public function Value() {
|
||||||
if($this->value) return $this->dontEscape ? $this->value : Convert::raw2xml($this->value);
|
if($this->value) return $this->value;
|
||||||
else return '<i>(' . _t('FormField.NONE', 'none') . ')</i>';
|
else return '<i>(' . _t('FormField.NONE', 'none') . ')</i>';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This is a legacy fix to ensure that the `dontEscape` flag has an impact on readonly fields
|
||||||
|
* now that we've moved to casting template values more rigidly
|
||||||
|
*
|
||||||
|
* @param string $field
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function castingHelper($field) {
|
||||||
|
if ($field == 'Value' && $this->dontEscape) {
|
||||||
|
return 'HTMLText';
|
||||||
|
}
|
||||||
|
return parent::castingHelper($field);
|
||||||
|
}
|
||||||
|
|
||||||
public function getAttributes() {
|
public function getAttributes() {
|
||||||
return array_merge(
|
return array_merge(
|
||||||
parent::getAttributes(),
|
parent::getAttributes(),
|
||||||
|
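Review bot: `Value()` now returns `$this->value` raw where it previously applied `Convert::raw2xml()` whenever `dontEscape` was off, so escaping has moved from the method into the template cast; any PHP code that concatenates `$field->Value()` into markup itself, rather than via `$Value` in a template, loses that protection with this change. The `else` branch still returns the literal `'<i>(' . _t('FormField.NONE', 'none') . ')</i>'`, which under the parent's `Text` cast will presumably be rendered as escaped text (the `<i>` shown literally) whenever `dontEscape` is false, so that placeholder should either drop its tags or be produced by the template. A comment on `Value()` such as `// Escaping is applied by the template cast (see castingHelper), not here; PHP callers receive the raw value.` would make the new contract explicit. `getAttributes()` continues past the end of this hunk.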
@ -85,11 +85,4 @@ class TextareaField extends FormField {
|
|||||||
|
|
||||||
return $parent;
|
return $parent;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* @return string
|
|
||||||
*/
|
|
||||||
public function Value() {
|
|
||||||
return htmlentities($this->value, ENT_COMPAT, 'UTF-8');
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
@ -2,16 +2,6 @@
|
|||||||
|
|
||||||
class TextareaFieldTest extends SapphireTest {
|
class TextareaFieldTest extends SapphireTest {
|
||||||
|
|
||||||
/**
|
|
||||||
* Quick smoke test to ensure that text is being encoded properly.
|
|
||||||
*/
|
|
||||||
public function testTextEncoding() {
|
|
||||||
$inputText = "These are some unicodes: äöü";
|
|
||||||
$field = new TextareaField("Test", "Test");
|
|
||||||
$field->setValue($inputText);
|
|
||||||
$this->assertContains('These are some unicodes: äöü', $field->Field());
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Quick smoke test to ensure that text with unicodes is being displayed properly in readonly fields.
|
* Quick smoke test to ensure that text with unicodes is being displayed properly in readonly fields.
|
||||||
*/
|
*/
|
||||||
|