[SS-2016-010] FIX Cast FormField values as Text to prevent readonly fields embeding rogue HTML

Daniel Hensby 2016-11-11 15:00:15 +00:00
parent c914dde7d1
commit 61e4055bdb
5 changed files with 31 additions and 18 deletions


@ -157,6 +157,14 @@ class FormField extends RequestHandler {
*/ */
protected $attributes = array(); protected $attributes = array();
/**
* @config
* @var array
*/
private static $casting = array(
'Value' => 'Text',
);
/** /**
* Takes a field name and converts camelcase to spaced words. Also resolves combined field * Takes a field name and converts camelcase to spaced words. Also resolves combined field
* names with dot syntax to spaced words. * names with dot syntax to spaced words.
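Review bot: The new `$casting` entry only takes effect when Value is resolved through the template casting layer (castingHelper(), as the ReadonlyField hunk shows), so a direct PHP call to `$field->Value()` still receives the raw string and any subclass that concatenates it into markup inside PHP is not covered by this fix; the docblock should make that boundary explicit instead of the bare `@config`. I would extend it to `* Template-side cast for Value: Text escapes stored input on output; does not affect direct PHP calls to Value(). Subclasses that emit markup on purpose override this (HtmlEditorField) or castingHelper() (ReadonlyField).` FormField::Value() itself and the rest of the class lie outside the hunk, so whether it performs any escaping of its own cannot be confirmed here.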


@ -26,6 +26,14 @@ class HtmlEditorField extends TextareaField {
*/ */
private static $sanitise_server_side = false; private static $sanitise_server_side = false;
/**
* @config
* @var array
*/
private static $casting = array(
'Value' => 'HTMLText',
);
protected $rows = 30; protected $rows = 30;
/** /**
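Review bot: The `'Value' => 'HTMLText'` cast renders the editor content unescaped, and the line directly above shows `$sanitise_server_side` defaulting to false, so by default nothing on the server cleans that markup before it reaches the template; the docblock should record this dependency rather than just `@config` and `@var array`. Suggested wording: `* Value is rendered as HTMLText (unescaped) because this field holds markup by design; cleaning that markup is governed by $sanitise_server_side, not by this cast.` The class body around this hunk is not visible, so where the sanitisation hook actually runs cannot be confirmed from here.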


@ -49,10 +49,24 @@ class ReadonlyField extends FormField {
} }
public function Value() { public function Value() {
if($this->value) return $this->dontEscape ? $this->value : Convert::raw2xml($this->value); if($this->value) return $this->value;
else return '<i>(' . _t('FormField.NONE', 'none') . ')</i>'; else return '<i>(' . _t('FormField.NONE', 'none') . ')</i>';
} }
/**
* This is a legacy fix to ensure that the `dontEscape` flag has an impact on readonly fields
* now that we've moved to casting template values more rigidly
*
* @param string $field
* @return string
*/
public function castingHelper($field) {
if ($field == 'Value' && $this->dontEscape) {
return 'HTMLText';
}
return parent::castingHelper($field);
}
public function getAttributes() { public function getAttributes() {
return array_merge( return array_merge(
parent::getAttributes(), parent::getAttributes(),
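Review bot: With escaping moved into the Text cast, the empty-value branch of Value() on the new side still returns `'<i>(' . _t('FormField.NONE', 'none') . ')</i>'`, so unless dontEscape is set the placeholder's `<i>` tags will presumably be escaped by the cast and shown as literal text, a regression the old Convert::raw2xml path did not have because it escaped only the stored value. Either drop the markup from the placeholder or let castingHelper() treat the placeholder path as HTML, e.g. `if ($field === 'Value' && ($this->dontEscape || !$this->value)) {`, which also replaces the loose `==` with a strict comparison. Note that `if($this->value)` treats the string '0' as empty and shows the placeholder, a pre-existing quirk the rewrite preserves. getAttributes() continues outside the hunk.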


@ -85,11 +85,4 @@ class TextareaField extends FormField {
return $parent; return $parent;
} }
/**
* @return string
*/
public function Value() {
return htmlentities($this->value, ENT_COMPAT, 'UTF-8');
}
} }


@ -2,16 +2,6 @@
class TextareaFieldTest extends SapphireTest { class TextareaFieldTest extends SapphireTest {
/**
* Quick smoke test to ensure that text is being encoded properly.
*/
public function testTextEncoding() {
$inputText = "These are some unicodes: äöü";
$field = new TextareaField("Test", "Test");
$field->setValue($inputText);
$this->assertContains('These are some unicodes: &auml;&ouml;&uuml;', $field->Field());
}
/** /**
* Quick smoke test to ensure that text with unicodes is being displayed properly in readonly fields. * Quick smoke test to ensure that text with unicodes is being displayed properly in readonly fields.
*/ */