From e5eb98cc3491785cbae17bb53be0be05fd5a6f42 Mon Sep 17 00:00:00 2001
From: Bernie Hamlin
Date: Mon, 16 Oct 2023 12:39:18 +1300
Subject: [PATCH] Use field editorconfig when sanitising content

---
 src/Forms/HTMLEditor/HTMLEditorField.php | 3 +-
 .../Forms/HTMLEditor/HTMLEditorFieldTest.php | 38 +++++++++++++++++++
 2 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/src/Forms/HTMLEditor/HTMLEditorField.php b/src/Forms/HTMLEditor/HTMLEditorField.php
index 63ef950c2..5e64ed038 100644
--- a/src/Forms/HTMLEditor/HTMLEditorField.php
+++ b/src/Forms/HTMLEditor/HTMLEditorField.php
@@ -145,7 +145,8 @@ class HTMLEditorField extends TextareaField
         // Sanitise if requested
         $htmlValue = HTMLValue::create($this->Value());
         if (HTMLEditorField::config()->sanitise_server_side) {
-            $santiser = HTMLEditorSanitiser::create(HTMLEditorConfig::get_active());
+            $config = $this->getEditorConfig();
+            $santiser = HTMLEditorSanitiser::create($config);
             $santiser->sanitise($htmlValue);
         }
 
diff --git a/tests/php/Forms/HTMLEditor/HTMLEditorFieldTest.php b/tests/php/Forms/HTMLEditor/HTMLEditorFieldTest.php
index 68ff44b51..d7f350a36 100644
--- a/tests/php/Forms/HTMLEditor/HTMLEditorFieldTest.php
+++ b/tests/php/Forms/HTMLEditor/HTMLEditorFieldTest.php
@@ -11,6 +11,7 @@ use SilverStripe\Assets\Image;
 use SilverStripe\Core\Config\Config;
 use SilverStripe\Dev\CSSContentParser;
 use SilverStripe\Dev\FunctionalTest;
+use SilverStripe\Forms\HTMLEditor\HTMLEditorConfig;
 use SilverStripe\Forms\HTMLEditor\HTMLEditorField;
 use SilverStripe\Forms\HTMLEditor\TinyMCEConfig;
 use SilverStripe\Forms\HTMLReadonlyField;
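Review bot: The new `$config = $this->getEditorConfig();` line changes which ruleset the server-side sanitiser enforces, and nothing in the hunk shows what a field with no explicitly set editor config gets back; if `getEditorConfig()` can return null or a config more permissive than the previously used `HTMLEditorConfig::get_active()`, content on such fields would now be sanitised against a weaker `valid_elements` list, so that fallback deserves a guard or at least a test assertion. The temporary is used once and the misspelled `$santiser` is carried into the new line; `$sanitiser = HTMLEditorSanitiser::create($this->getEditorConfig());` followed by `$sanitiser->sanitise($htmlValue);` reads better. A why-comment such as `// Sanitise against this field's own editor config so the server enforces the same valid_elements the editor offers` would record the intent of the commit. The enclosing method starts and ends outside the hunk.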
@@ -229,4 +230,41 @@ EOS
             $field->obj('ValueEntities')->forTemplate()
         );
     }
+
+    public function testFieldConfigSanitization()
+    {
+        $obj = TestObject::create();
+        $editor = HTMLEditorField::create('Content');
+        $defaultValidElements = [
+            '@[id|class|style|title|data*]',
+            'a[id|rel|dir|tabindex|accesskey|type|name|href|target|title|class]',
+            '-strong/-b[class]',
+            '-em/-i[class]',
+            '-ol[class]',
+            '#p[id|dir|class|align|style]',
+            '-li[class]',
+            'br',
+            '-span[class|align|style]',
+            '-ul[class]',
+            '-h3[id|dir|class|align|style]',
+            '-h2[id|dir|class|align|style]',
+            'hr[class]',
+        ];
+        $restrictedConfig = HTMLEditorConfig::get('restricted');
+        $restrictedConfig->setOption('valid_elements', implode(',', $defaultValidElements));
+        $editor->setEditorConfig($restrictedConfig);
+
+        $expectedHtmlString = '

standard text

Header'; + $htmlValue = '

standard text

Header
';
+        $editor->setValue($htmlValue);
+        $editor->saveInto($obj);
+        $this->assertEquals($expectedHtmlString, $obj->Content, 'Table is not removed');
+
+        $defaultConfig = HTMLEditorConfig::get('default');
+        $editor->setEditorConfig($defaultConfig);
+
+        $editor->setValue($htmlValue);
+        $editor->saveInto($obj);
+        $this->assertEquals($htmlValue, $obj->Content, 'Table is removed');
+    }
 }
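Review bot: `testFieldConfigSanitization` mutates the shared `HTMLEditorConfig::get('restricted')` instance via `setOption('valid_elements', ...)` and never restores it, so unless the test harness resets that registry the narrowed whitelist leaks into every later test that uses the 'restricted' config in the same process; reset the option after the assertions, or use a config identifier private to this test. The test also only exercises the sanitiser if `HTMLEditorField.sanitise_server_side` happens to be enabled in the test environment, because the code under test guards on that flag; enabling it explicitly with `Config::modify()->set(HTMLEditorField::class, 'sanitise_server_side', true);` at the top of the method makes the assertions deterministic. The hard-coded `$defaultValidElements` list duplicates a default that lives elsewhere and will drift silently, so a one-line comment naming where it was copied from would help the next maintainer. The string literals for `$expectedHtmlString` and `$htmlValue` appear to have lost their markup in this rendering, so their exact contents cannot be reviewed here.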