Merge pull request #3196 from mateusz/patch-html-editor-field

BUG Sanitise the PHP output.
2024-10-03 22:58:24 +02:00 · 2014-06-11 12:13:33 +12:00 · 2014-06-11 12:13:33 +12:00 · 8c10e12529
commit 8c10e12529
parent fe597e32b4 18b6870cf2
1 changed files with 68 additions and 39 deletions
--- a/forms/HtmlEditorField.php
+++ b/forms/HtmlEditorField.php
@ -528,7 +528,7 @@ class HtmlEditorField_Toolbar extends RequestHandler {
 		}
 		$this->extend('updateFieldsForFile', $fields, $url, $file);
-		
+
 		return $fields;
 	}
@ -537,27 +537,35 @@ class HtmlEditorField_Toolbar extends RequestHandler {
 	 */
 	protected function getFieldsForOembed($url, $file) {
 		if(isset($file->Oembed->thumbnail_url)) {
-			$thumbnailURL = $file->Oembed->thumbnail_url;	
+			$thumbnailURL = Convert::raw2att($file->Oembed->thumbnail_url);
 		} elseif($file->Type == 'photo') {
-			$thumbnailURL = $file->Oembed->url;
+			$thumbnailURL = Convert::raw2att($file->Oembed->url);
 		} else {
 			$thumbnailURL = FRAMEWORK_DIR . '/images/default_media.png';
 		}
-		
+
 		$fileName = Convert::raw2att($file->Name);
 		$fields = new FieldList(
 			$filePreview = CompositeField::create(
 				CompositeField::create(
 					new LiteralField(
 						"ImageFull",
 						"<img id='thumbnailImage' class='thumbnail-preview' "
-							. "src='{$thumbnailURL}?r=" . rand(1,100000) . "' alt='{$file->Name}' />\n"
+							. "src='{$thumbnailURL}?r=" . rand(1,100000) . "' alt='$fileName' />\n"
 					)
 				)->setName("FilePreviewImage")->addExtraClass('cms-file-info-preview'),
 				CompositeField::create(
 					CompositeField::create(
 						new ReadonlyField("FileType", _t('AssetTableField.TYPE','File type') . ':', $file->Type),
-						$urlField = ReadonlyField::create('ClickableURL', _t('AssetTableField.URL','URL'),
+						$urlField = ReadonlyField::create(
-							sprintf('<a href="%s" target="_blank" class="file">%s</a>', $url, $url)
+							'ClickableURL',
 							_t('AssetTableField.URL','URL'),
 							sprintf(
 								'<a href="%s" target="_blank" class="file">%s</a>',
 								Convert::raw2att($url),
 								Convert::raw2att($url)
 							)
 						)->addExtraClass('text-wrap')
 					)
 				)->setName("FilePreviewData")->addExtraClass('cms-file-info-data')
@ -574,18 +582,19 @@ class HtmlEditorField_Toolbar extends RequestHandler {
 				)
 			)->addExtraClass('last')
 		);
 		if($file->Width != null){
 			$fields->push(
 				FieldGroup::create(
 					_t('HtmlEditorField.IMAGEDIMENSIONS', 'Dimensions'),
 					TextField::create(
-						'Width', 
+						'Width',
-						_t('HtmlEditorField.IMAGEWIDTHPX', 'Width'), 
+						_t('HtmlEditorField.IMAGEWIDTHPX', 'Width'),
 						$file->InsertWidth
 					)->setMaxLength(5),
 					TextField::create(
-						'Height', 
+						'Height',
-						_t('HtmlEditorField.IMAGEHEIGHTPX', 'Height'), 
+						_t('HtmlEditorField.IMAGEHEIGHTPX', 'Height'),
 						$file->InsertHeight
 					)->setMaxLength(5)
 				)->addExtraClass('dimensions last')
@ -595,13 +604,13 @@ class HtmlEditorField_Toolbar extends RequestHandler {
 		if($file->Type == 'photo') {
 			$fields->insertBefore(new TextField(
-				'AltText', 
+				'AltText',
-				_t('HtmlEditorField.IMAGEALTTEXT', 'Alternative text (alt) - shown if image cannot be displayed'), 
+				_t('HtmlEditorField.IMAGEALTTEXT', 'Alternative text (alt) - shown if image cannot be displayed'),
-				$file->Title, 
+				$file->Title,
 				80
 			), 'CaptionText');
 			$fields->insertBefore(new TextField(
-				'Title', 
+				'Title',
 				_t('HtmlEditorField.IMAGETITLE', 'Title text (tooltip) - for additional information about the image')
 			), 'CaptionText');
 		}
@ -619,12 +628,12 @@ class HtmlEditorField_Toolbar extends RequestHandler {
 			FieldGroup::create(
 				_t('HtmlEditorField.IMAGEDIMENSIONS', 'Dimensions'),
 				TextField::create(
-					'Width', 
+					'Width',
-					_t('HtmlEditorField.IMAGEWIDTHPX', 'Width'), 
+					_t('HtmlEditorField.IMAGEWIDTHPX', 'Width'),
 					$file->Width
 				)->setMaxLength(5),
 				TextField::create(
-					'Height', 
+					'Height',
 					" x " . _t('HtmlEditorField.IMAGEHEIGHTPX', 'Height'),
 					$file->Height
 				)->setMaxLength(5)
@ -643,27 +652,35 @@ class HtmlEditorField_Toolbar extends RequestHandler {
 		if($file->File instanceof Image) {
 			$formattedImage = $file->File->generateFormattedImage('SetWidth',
 				Config::inst()->get('Image', 'asset_preview_width'));
-			$thumbnailURL = $formattedImage ? $formattedImage->URL : $url;	
+			$thumbnailURL = Convert::raw2att($formattedImage ? $formattedImage->URL : $url);
 		} else {
-			$thumbnailURL = $url;
+			$thumbnailURL = Convert::raw2att($url);
 		}
-		
+
 		$fileName = Convert::raw2att($file->Name);
 		$fields = new FieldList(
 			CompositeField::create(
 				CompositeField::create(
 					LiteralField::create(
 						"ImageFull",
-						"<img id='thumbnailImage' class='thumbnail-preview' " 
+						"<img id='thumbnailImage' class='thumbnail-preview' "
-							. "src='{$thumbnailURL}?r=" . rand(1,100000) . "' alt='{$file->Name}' />\n"
+							. "src='{$thumbnailURL}?r=" . rand(1,100000) . "' alt='$fileName' />\n"
 					)
 				)->setName("FilePreviewImage")->addExtraClass('cms-file-info-preview'),
 				CompositeField::create(
 					CompositeField::create(
 						new ReadonlyField("FileType", _t('AssetTableField.TYPE','File type'), $file->FileType),
 						new ReadonlyField("Size", _t('AssetTableField.SIZE','File size'), $file->getSize()),
-						$urlField = new ReadonlyField('ClickableURL', _t('AssetTableField.URL','URL'), 
+						$urlField = new ReadonlyField(
-							sprintf('<a href="%s" title="%s" target="_blank" class="file-url">%s</a>',
+							'ClickableURL',
-								$file->Link(), $file->Link(), $file->RelativeLink())
+							_t('AssetTableField.URL','URL'),
 							sprintf(
 								'<a href="%s" title="%s" target="_blank" class="file-url">%s</a>',
 								Convert::raw2att($file->Link()),
 								Convert::raw2att($file->Link()),
 								Convert::raw2att($file->RelativeLink())
 							)
 						),
 						new DateField_Disabled("Created", _t('AssetTableField.CREATED','First uploaded'),
 							$file->Created),
@ -671,18 +688,18 @@ class HtmlEditorField_Toolbar extends RequestHandler {
 							$file->LastEdited)
 					)
 				)->setName("FilePreviewData")->addExtraClass('cms-file-info-data')
-			)->setName("FilePreview")->addExtraClass('cms-file-info'),			
+			)->setName("FilePreview")->addExtraClass('cms-file-info'),
 			TextField::create(
-				'AltText', 
+				'AltText',
-				_t('HtmlEditorField.IMAGEALT', 'Alternative text (alt)'),  
+				_t('HtmlEditorField.IMAGEALT', 'Alternative text (alt)'),
-				$file->Title, 
+				$file->Title,
 				80
 			)->setDescription(
 				_t('HtmlEditorField.IMAGEALTTEXTDESC', 'Shown to screen readers or if image can not be displayed')),
 			TextField::create(
-				'Title', 
+				'Title',
 				_t('HtmlEditorField.IMAGETITLETEXT', 'Title text (tooltip)')
 			)->setDescription(
 				_t('HtmlEditorField.IMAGETITLETEXTDESC', 'For additional information about the image')),
@ -699,16 +716,17 @@ class HtmlEditorField_Toolbar extends RequestHandler {
 				)
 			)->addExtraClass('last')
 		);
 		if($file->Width != null){
 			$fields->push(
 				FieldGroup::create(_t('HtmlEditorField.IMAGEDIMENSIONS', 'Dimensions'),
 					TextField::create(
-						'Width', 
+						'Width',
-						_t('HtmlEditorField.IMAGEWIDTHPX', 'Width'), 
+						_t('HtmlEditorField.IMAGEWIDTHPX', 'Width'),
 						$file->InsertWidth
 					)->setMaxLength(5),
 					TextField::create(
-						'Height', 
+						'Height',
 						" x " . _t('HtmlEditorField.IMAGEHEIGHTPX', 'Height'),
 						$file->InsertHeight
 					)->setMaxLength(5)
@ -764,6 +782,11 @@ class HtmlEditorField_Toolbar extends RequestHandler {
 */
 class HtmlEditorField_File extends ViewableData {
 	private static $casting = array(
 		'URL' => 'Varchar',
 		'Name' => 'Varchar'
 	);
 	/** @var String */
 	protected $url;
@ -823,7 +846,7 @@ class HtmlEditorField_File extends ViewableData {
 		} else {
 			// Hack to use the framework's built-in thumbnail support without creating a local file representation
 			$tmpFile = new File(array('Name' => $this->Name, 'Filename' => $this->Name));
-			return $tmpFile->appCategory();			
+			return $tmpFile->appCategory();
 		}
 	}
@ -837,6 +860,12 @@ class HtmlEditorField_File extends ViewableData {
 * @subpackage fields-formattedinput
 */
 class HtmlEditorField_Embed extends HtmlEditorField_File {
 	private static $casting = array(
 		'Type' => 'Varchar',
 		'Info' => 'Varchar'
 	);
 	protected $oembed;
 	public function __construct($url, $file = null) {
@ -867,7 +896,7 @@ class HtmlEditorField_Embed extends HtmlEditorField_File {
 	/**
 	 * Provide an initial width for inserted media, restricted based on $embed_width
-	 * 
+	 *
 	 * @return int
 	 */
 	public function getInsertWidth() {
@ -878,7 +907,7 @@ class HtmlEditorField_Embed extends HtmlEditorField_File {
 	/**
 	 * Provide an initial height for inserted media, scaled proportionally to the initial width
-	 * 
+	 *
 	 * @return int
 	 */
 	public function getInsertHeight() {
@ -890,7 +919,7 @@ class HtmlEditorField_Embed extends HtmlEditorField_File {
 	public function getPreview() {
 		if(isset($this->oembed->thumbnail_url)) {
-			return sprintf('<img src="%s" />', $this->oembed->thumbnail_url);
+			return sprintf('<img src="%s" />', Convert::raw2att($this->oembed->thumbnail_url));
 		}
 	}
@ -974,7 +1003,7 @@ class HtmlEditorField_Image extends HtmlEditorField_File {
 	}
 	public function getPreview() {
-		return ($this->file) ? $this->file->CMSThumbnail() : sprintf('<img src="%s" />', $this->url);
+		return ($this->file) ? $this->file->CMSThumbnail() : sprintf('<img src="%s" />', Convert::raw2att($this->url));
 	}
 }