Merge pull request #3196 from mateusz/patch-html-editor-field

BUG Sanitise the PHP output.
2024-10-22 14:05:37 +02:00 · 2014-06-11 12:13:33 +12:00 · 2014-06-11 12:13:33 +12:00 · 8c10e12529
commit 8c10e12529
parent fe597e32b4 18b6870cf2
1 changed files with 68 additions and 39 deletions
--- a/forms/HtmlEditorField.php
+++ b/forms/HtmlEditorField.php
@ -537,27 +537,35 @@ class HtmlEditorField_Toolbar extends RequestHandler {
 	 */
 	protected function getFieldsForOembed($url, $file) {
 		if(isset($file->Oembed->thumbnail_url)) {
-			$thumbnailURL = $file->Oembed->thumbnail_url;	
+			$thumbnailURL = Convert::raw2att($file->Oembed->thumbnail_url);
 		} elseif($file->Type == 'photo') {
-			$thumbnailURL = $file->Oembed->url;
+			$thumbnailURL = Convert::raw2att($file->Oembed->url);
 		} else {
 			$thumbnailURL = FRAMEWORK_DIR . '/images/default_media.png';
 		}

+		$fileName = Convert::raw2att($file->Name);
+
 		$fields = new FieldList(
 			$filePreview = CompositeField::create(
 				CompositeField::create(
 					new LiteralField(
 						"ImageFull",
 						"<img id='thumbnailImage' class='thumbnail-preview' "
-							. "src='{$thumbnailURL}?r=" . rand(1,100000) . "' alt='{$file->Name}' />\n"
+							. "src='{$thumbnailURL}?r=" . rand(1,100000) . "' alt='$fileName' />\n"
 					)
 				)->setName("FilePreviewImage")->addExtraClass('cms-file-info-preview'),
 				CompositeField::create(
 					CompositeField::create(
 						new ReadonlyField("FileType", _t('AssetTableField.TYPE','File type') . ':', $file->Type),
-						$urlField = ReadonlyField::create('ClickableURL', _t('AssetTableField.URL','URL'),
-							sprintf('<a href="%s" target="_blank" class="file">%s</a>', $url, $url)
+						$urlField = ReadonlyField::create(
+							'ClickableURL',
+							_t('AssetTableField.URL','URL'),
+							sprintf(
+								'<a href="%s" target="_blank" class="file">%s</a>',
+								Convert::raw2att($url),
+								Convert::raw2att($url)
+							)
 						)->addExtraClass('text-wrap')
 					)
 				)->setName("FilePreviewData")->addExtraClass('cms-file-info-data')
@ -574,6 +582,7 @@ class HtmlEditorField_Toolbar extends RequestHandler {
 				)
 			)->addExtraClass('last')
 		);
+
 		if($file->Width != null){
 			$fields->push(
 				FieldGroup::create(
@ -643,27 +652,35 @@ class HtmlEditorField_Toolbar extends RequestHandler {
 		if($file->File instanceof Image) {
 			$formattedImage = $file->File->generateFormattedImage('SetWidth',
 				Config::inst()->get('Image', 'asset_preview_width'));
-			$thumbnailURL = $formattedImage ? $formattedImage->URL : $url;	
+			$thumbnailURL = Convert::raw2att($formattedImage ? $formattedImage->URL : $url);
 		} else {
-			$thumbnailURL = $url;
+			$thumbnailURL = Convert::raw2att($url);
 		}

+		$fileName = Convert::raw2att($file->Name);
+
 		$fields = new FieldList(
 			CompositeField::create(
 				CompositeField::create(
 					LiteralField::create(
 						"ImageFull",
 						"<img id='thumbnailImage' class='thumbnail-preview' "
-							. "src='{$thumbnailURL}?r=" . rand(1,100000) . "' alt='{$file->Name}' />\n"
+							. "src='{$thumbnailURL}?r=" . rand(1,100000) . "' alt='$fileName' />\n"
 					)
 				)->setName("FilePreviewImage")->addExtraClass('cms-file-info-preview'),
 				CompositeField::create(
 					CompositeField::create(
 						new ReadonlyField("FileType", _t('AssetTableField.TYPE','File type'), $file->FileType),
 						new ReadonlyField("Size", _t('AssetTableField.SIZE','File size'), $file->getSize()),
-						$urlField = new ReadonlyField('ClickableURL', _t('AssetTableField.URL','URL'), 
-							sprintf('<a href="%s" title="%s" target="_blank" class="file-url">%s</a>',
-								$file->Link(), $file->Link(), $file->RelativeLink())
+						$urlField = new ReadonlyField(
+							'ClickableURL',
+							_t('AssetTableField.URL','URL'),
+							sprintf(
+								'<a href="%s" title="%s" target="_blank" class="file-url">%s</a>',
+								Convert::raw2att($file->Link()),
+								Convert::raw2att($file->Link()),
+								Convert::raw2att($file->RelativeLink())
+							)
 						),
 						new DateField_Disabled("Created", _t('AssetTableField.CREATED','First uploaded'),
 							$file->Created),
@ -699,6 +716,7 @@ class HtmlEditorField_Toolbar extends RequestHandler {
 				)
 			)->addExtraClass('last')
 		);
+
 		if($file->Width != null){
 			$fields->push(
 				FieldGroup::create(_t('HtmlEditorField.IMAGEDIMENSIONS', 'Dimensions'),
@ -764,6 +782,11 @@ class HtmlEditorField_Toolbar extends RequestHandler {
 */
 class HtmlEditorField_File extends ViewableData {

+	private static $casting = array(
+		'URL' => 'Varchar',
+		'Name' => 'Varchar'
+	);
+
 	/** @var String */
 	protected $url;

@ -837,6 +860,12 @@ class HtmlEditorField_File extends ViewableData {
 * @subpackage fields-formattedinput
 */
 class HtmlEditorField_Embed extends HtmlEditorField_File {
+
+	private static $casting = array(
+		'Type' => 'Varchar',
+		'Info' => 'Varchar'
+	);
+
 	protected $oembed;

 	public function __construct($url, $file = null) {
@ -890,7 +919,7 @@ class HtmlEditorField_Embed extends HtmlEditorField_File {

 	public function getPreview() {
 		if(isset($this->oembed->thumbnail_url)) {
-			return sprintf('<img src="%s" />', $this->oembed->thumbnail_url);
+			return sprintf('<img src="%s" />', Convert::raw2att($this->oembed->thumbnail_url));
 		}
 	}

@ -974,7 +1003,7 @@ class HtmlEditorField_Image extends HtmlEditorField_File {
 	}

 	public function getPreview() {
-		return ($this->file) ? $this->file->CMSThumbnail() : sprintf('<img src="%s" />', $this->url);
+		return ($this->file) ? $this->file->CMSThumbnail() : sprintf('<img src="%s" />', Convert::raw2att($this->url));
 	}

 }