Merge pull request #3196 from mateusz/patch-html-editor-field

BUG Sanitise the PHP output.
Damian Mooyman 2014-06-11 12:13:33 +12:00
commit 8c10e12529


@ -528,7 +528,7 @@ class HtmlEditorField_Toolbar extends RequestHandler {
} }
$this->extend('updateFieldsForFile', $fields, $url, $file); $this->extend('updateFieldsForFile', $fields, $url, $file);
return $fields; return $fields;
} }
@ -537,27 +537,35 @@ class HtmlEditorField_Toolbar extends RequestHandler {
*/ */
protected function getFieldsForOembed($url, $file) { protected function getFieldsForOembed($url, $file) {
if(isset($file->Oembed->thumbnail_url)) { if(isset($file->Oembed->thumbnail_url)) {
$thumbnailURL = $file->Oembed->thumbnail_url; $thumbnailURL = Convert::raw2att($file->Oembed->thumbnail_url);
} elseif($file->Type == 'photo') { } elseif($file->Type == 'photo') {
$thumbnailURL = $file->Oembed->url; $thumbnailURL = Convert::raw2att($file->Oembed->url);
} else { } else {
$thumbnailURL = FRAMEWORK_DIR . '/images/default_media.png'; $thumbnailURL = FRAMEWORK_DIR . '/images/default_media.png';
} }
$fileName = Convert::raw2att($file->Name);
$fields = new FieldList( $fields = new FieldList(
$filePreview = CompositeField::create( $filePreview = CompositeField::create(
CompositeField::create( CompositeField::create(
new LiteralField( new LiteralField(
"ImageFull", "ImageFull",
"<img id='thumbnailImage' class='thumbnail-preview' " "<img id='thumbnailImage' class='thumbnail-preview' "
. "src='{$thumbnailURL}?r=" . rand(1,100000) . "' alt='{$file->Name}' />\n" . "src='{$thumbnailURL}?r=" . rand(1,100000) . "' alt='$fileName' />\n"
) )
)->setName("FilePreviewImage")->addExtraClass('cms-file-info-preview'), )->setName("FilePreviewImage")->addExtraClass('cms-file-info-preview'),
CompositeField::create( CompositeField::create(
CompositeField::create( CompositeField::create(
new ReadonlyField("FileType", _t('AssetTableField.TYPE','File type') . ':', $file->Type), new ReadonlyField("FileType", _t('AssetTableField.TYPE','File type') . ':', $file->Type),
$urlField = ReadonlyField::create('ClickableURL', _t('AssetTableField.URL','URL'), $urlField = ReadonlyField::create(
sprintf('<a href="%s" target="_blank" class="file">%s</a>', $url, $url) 'ClickableURL',
_t('AssetTableField.URL','URL'),
sprintf(
'<a href="%s" target="_blank" class="file">%s</a>',
Convert::raw2att($url),
Convert::raw2att($url)
)
)->addExtraClass('text-wrap') )->addExtraClass('text-wrap')
) )
)->setName("FilePreviewData")->addExtraClass('cms-file-info-data') )->setName("FilePreviewData")->addExtraClass('cms-file-info-data')
@ -574,18 +582,19 @@ class HtmlEditorField_Toolbar extends RequestHandler {
) )
)->addExtraClass('last') )->addExtraClass('last')
); );
if($file->Width != null){ if($file->Width != null){
$fields->push( $fields->push(
FieldGroup::create( FieldGroup::create(
_t('HtmlEditorField.IMAGEDIMENSIONS', 'Dimensions'), _t('HtmlEditorField.IMAGEDIMENSIONS', 'Dimensions'),
TextField::create( TextField::create(
'Width', 'Width',
_t('HtmlEditorField.IMAGEWIDTHPX', 'Width'), _t('HtmlEditorField.IMAGEWIDTHPX', 'Width'),
$file->InsertWidth $file->InsertWidth
)->setMaxLength(5), )->setMaxLength(5),
TextField::create( TextField::create(
'Height', 'Height',
_t('HtmlEditorField.IMAGEHEIGHTPX', 'Height'), _t('HtmlEditorField.IMAGEHEIGHTPX', 'Height'),
$file->InsertHeight $file->InsertHeight
)->setMaxLength(5) )->setMaxLength(5)
)->addExtraClass('dimensions last') )->addExtraClass('dimensions last')
@ -595,13 +604,13 @@ class HtmlEditorField_Toolbar extends RequestHandler {
if($file->Type == 'photo') { if($file->Type == 'photo') {
$fields->insertBefore(new TextField( $fields->insertBefore(new TextField(
'AltText', 'AltText',
_t('HtmlEditorField.IMAGEALTTEXT', 'Alternative text (alt) - shown if image cannot be displayed'), _t('HtmlEditorField.IMAGEALTTEXT', 'Alternative text (alt) - shown if image cannot be displayed'),
$file->Title, $file->Title,
80 80
), 'CaptionText'); ), 'CaptionText');
$fields->insertBefore(new TextField( $fields->insertBefore(new TextField(
'Title', 'Title',
_t('HtmlEditorField.IMAGETITLE', 'Title text (tooltip) - for additional information about the image') _t('HtmlEditorField.IMAGETITLE', 'Title text (tooltip) - for additional information about the image')
), 'CaptionText'); ), 'CaptionText');
} }
@ -619,12 +628,12 @@ class HtmlEditorField_Toolbar extends RequestHandler {
FieldGroup::create( FieldGroup::create(
_t('HtmlEditorField.IMAGEDIMENSIONS', 'Dimensions'), _t('HtmlEditorField.IMAGEDIMENSIONS', 'Dimensions'),
TextField::create( TextField::create(
'Width', 'Width',
_t('HtmlEditorField.IMAGEWIDTHPX', 'Width'), _t('HtmlEditorField.IMAGEWIDTHPX', 'Width'),
$file->Width $file->Width
)->setMaxLength(5), )->setMaxLength(5),
TextField::create( TextField::create(
'Height', 'Height',
" x " . _t('HtmlEditorField.IMAGEHEIGHTPX', 'Height'), " x " . _t('HtmlEditorField.IMAGEHEIGHTPX', 'Height'),
$file->Height $file->Height
)->setMaxLength(5) )->setMaxLength(5)
@ -643,27 +652,35 @@ class HtmlEditorField_Toolbar extends RequestHandler {
if($file->File instanceof Image) { if($file->File instanceof Image) {
$formattedImage = $file->File->generateFormattedImage('SetWidth', $formattedImage = $file->File->generateFormattedImage('SetWidth',
Config::inst()->get('Image', 'asset_preview_width')); Config::inst()->get('Image', 'asset_preview_width'));
$thumbnailURL = $formattedImage ? $formattedImage->URL : $url; $thumbnailURL = Convert::raw2att($formattedImage ? $formattedImage->URL : $url);
} else { } else {
$thumbnailURL = $url; $thumbnailURL = Convert::raw2att($url);
} }
$fileName = Convert::raw2att($file->Name);
$fields = new FieldList( $fields = new FieldList(
CompositeField::create( CompositeField::create(
CompositeField::create( CompositeField::create(
LiteralField::create( LiteralField::create(
"ImageFull", "ImageFull",
"<img id='thumbnailImage' class='thumbnail-preview' " "<img id='thumbnailImage' class='thumbnail-preview' "
. "src='{$thumbnailURL}?r=" . rand(1,100000) . "' alt='{$file->Name}' />\n" . "src='{$thumbnailURL}?r=" . rand(1,100000) . "' alt='$fileName' />\n"
) )
)->setName("FilePreviewImage")->addExtraClass('cms-file-info-preview'), )->setName("FilePreviewImage")->addExtraClass('cms-file-info-preview'),
CompositeField::create( CompositeField::create(
CompositeField::create( CompositeField::create(
new ReadonlyField("FileType", _t('AssetTableField.TYPE','File type'), $file->FileType), new ReadonlyField("FileType", _t('AssetTableField.TYPE','File type'), $file->FileType),
new ReadonlyField("Size", _t('AssetTableField.SIZE','File size'), $file->getSize()), new ReadonlyField("Size", _t('AssetTableField.SIZE','File size'), $file->getSize()),
$urlField = new ReadonlyField('ClickableURL', _t('AssetTableField.URL','URL'), $urlField = new ReadonlyField(
sprintf('<a href="%s" title="%s" target="_blank" class="file-url">%s</a>', 'ClickableURL',
$file->Link(), $file->Link(), $file->RelativeLink()) _t('AssetTableField.URL','URL'),
sprintf(
'<a href="%s" title="%s" target="_blank" class="file-url">%s</a>',
Convert::raw2att($file->Link()),
Convert::raw2att($file->Link()),
Convert::raw2att($file->RelativeLink())
)
), ),
new DateField_Disabled("Created", _t('AssetTableField.CREATED','First uploaded'), new DateField_Disabled("Created", _t('AssetTableField.CREATED','First uploaded'),
$file->Created), $file->Created),
@ -671,18 +688,18 @@ class HtmlEditorField_Toolbar extends RequestHandler {
$file->LastEdited) $file->LastEdited)
) )
)->setName("FilePreviewData")->addExtraClass('cms-file-info-data') )->setName("FilePreviewData")->addExtraClass('cms-file-info-data')
)->setName("FilePreview")->addExtraClass('cms-file-info'), )->setName("FilePreview")->addExtraClass('cms-file-info'),
TextField::create( TextField::create(
'AltText', 'AltText',
_t('HtmlEditorField.IMAGEALT', 'Alternative text (alt)'), _t('HtmlEditorField.IMAGEALT', 'Alternative text (alt)'),
$file->Title, $file->Title,
80 80
)->setDescription( )->setDescription(
_t('HtmlEditorField.IMAGEALTTEXTDESC', 'Shown to screen readers or if image can not be displayed')), _t('HtmlEditorField.IMAGEALTTEXTDESC', 'Shown to screen readers or if image can not be displayed')),
TextField::create( TextField::create(
'Title', 'Title',
_t('HtmlEditorField.IMAGETITLETEXT', 'Title text (tooltip)') _t('HtmlEditorField.IMAGETITLETEXT', 'Title text (tooltip)')
)->setDescription( )->setDescription(
_t('HtmlEditorField.IMAGETITLETEXTDESC', 'For additional information about the image')), _t('HtmlEditorField.IMAGETITLETEXTDESC', 'For additional information about the image')),
@ -699,16 +716,17 @@ class HtmlEditorField_Toolbar extends RequestHandler {
) )
)->addExtraClass('last') )->addExtraClass('last')
); );
if($file->Width != null){ if($file->Width != null){
$fields->push( $fields->push(
FieldGroup::create(_t('HtmlEditorField.IMAGEDIMENSIONS', 'Dimensions'), FieldGroup::create(_t('HtmlEditorField.IMAGEDIMENSIONS', 'Dimensions'),
TextField::create( TextField::create(
'Width', 'Width',
_t('HtmlEditorField.IMAGEWIDTHPX', 'Width'), _t('HtmlEditorField.IMAGEWIDTHPX', 'Width'),
$file->InsertWidth $file->InsertWidth
)->setMaxLength(5), )->setMaxLength(5),
TextField::create( TextField::create(
'Height', 'Height',
" x " . _t('HtmlEditorField.IMAGEHEIGHTPX', 'Height'), " x " . _t('HtmlEditorField.IMAGEHEIGHTPX', 'Height'),
$file->InsertHeight $file->InsertHeight
)->setMaxLength(5) )->setMaxLength(5)
@ -764,6 +782,11 @@ class HtmlEditorField_Toolbar extends RequestHandler {
*/ */
class HtmlEditorField_File extends ViewableData { class HtmlEditorField_File extends ViewableData {
private static $casting = array(
'URL' => 'Varchar',
'Name' => 'Varchar'
);
/** @var String */ /** @var String */
protected $url; protected $url;
@ -823,7 +846,7 @@ class HtmlEditorField_File extends ViewableData {
} else { } else {
// Hack to use the framework's built-in thumbnail support without creating a local file representation // Hack to use the framework's built-in thumbnail support without creating a local file representation
$tmpFile = new File(array('Name' => $this->Name, 'Filename' => $this->Name)); $tmpFile = new File(array('Name' => $this->Name, 'Filename' => $this->Name));
return $tmpFile->appCategory(); return $tmpFile->appCategory();
} }
} }
@ -837,6 +860,12 @@ class HtmlEditorField_File extends ViewableData {
* @subpackage fields-formattedinput * @subpackage fields-formattedinput
*/ */
class HtmlEditorField_Embed extends HtmlEditorField_File { class HtmlEditorField_Embed extends HtmlEditorField_File {
private static $casting = array(
'Type' => 'Varchar',
'Info' => 'Varchar'
);
protected $oembed; protected $oembed;
public function __construct($url, $file = null) { public function __construct($url, $file = null) {
@ -867,7 +896,7 @@ class HtmlEditorField_Embed extends HtmlEditorField_File {
/** /**
* Provide an initial width for inserted media, restricted based on $embed_width * Provide an initial width for inserted media, restricted based on $embed_width
* *
* @return int * @return int
*/ */
public function getInsertWidth() { public function getInsertWidth() {
@ -878,7 +907,7 @@ class HtmlEditorField_Embed extends HtmlEditorField_File {
/** /**
* Provide an initial height for inserted media, scaled proportionally to the initial width * Provide an initial height for inserted media, scaled proportionally to the initial width
* *
* @return int * @return int
*/ */
public function getInsertHeight() { public function getInsertHeight() {
@ -890,7 +919,7 @@ class HtmlEditorField_Embed extends HtmlEditorField_File {
public function getPreview() { public function getPreview() {
if(isset($this->oembed->thumbnail_url)) { if(isset($this->oembed->thumbnail_url)) {
return sprintf('<img src="%s" />', $this->oembed->thumbnail_url); return sprintf('<img src="%s" />', Convert::raw2att($this->oembed->thumbnail_url));
} }
} }
@ -974,7 +1003,7 @@ class HtmlEditorField_Image extends HtmlEditorField_File {
} }
public function getPreview() { public function getPreview() {
return ($this->file) ? $this->file->CMSThumbnail() : sprintf('<img src="%s" />', $this->url); return ($this->file) ? $this->file->CMSThumbnail() : sprintf('<img src="%s" />', Convert::raw2att($this->url));
} }
} }
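Review bot: Convert::raw2att on the href values in the ClickableURL links (the `$url` sprintf in getFieldsForOembed and the `$file->Link()` sprintf in getFieldsForFile) closes the attribute-breakout hole, but it only escapes attribute delimiters; it does not constrain the URL scheme, so an attribute that is now well-formed can still carry a non-http(s) scheme into a clickable `href`. The same applies to the `src` values built from `$thumbnailURL` and in both getPreview() methods, though `src` is less exposed than a clickable anchor. If the framework has no URL-scheme filter to apply here, the next-best step is to document the limit at the first escape site, e.g. `// raw2att escapes attribute delimiters only; it does not validate the URL scheme`, so the remaining gap is visible to the next reader. It is inferred, not visible in these hunks, that `$url` originates from editor input, so treat that part as something to confirm. Both getFieldsForOembed and getFieldsForFile start and end outside the hunks shown.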