Merge branch '3.4' into 3.5.0

Daniel Hensby 2016-11-15 11:43:16 +00:00
commit 8e5f786b8d
No known key found for this signature in database
GPG Key ID: B00D1E9767F0B06E
9 changed files with 106 additions and 29 deletions


@ -66,12 +66,12 @@ class SS_HTTPResponse {
); );
/** /**
* @var Int * @var int
*/ */
protected $statusCode = 200; protected $statusCode = 200;
/** /**
* @var String * @var string
*/ */
protected $statusDescription = "OK"; protected $statusDescription = "OK";
@ -93,9 +93,9 @@ class SS_HTTPResponse {
/** /**
* Create a new HTTP response * Create a new HTTP response
* *
* @param $body The body of the response * @param string $body The body of the response
* @param $statusCode The numeric status code - 200, 404, etc * @param int $statusCode The numeric status code - 200, 404, etc
* @param $statusDescription The text to be given alongside the status code. * @param string $statusDescription The text to be given alongside the status code.
* See {@link setStatusCode()} for more information. * See {@link setStatusCode()} for more information.
*/ */
public function __construct($body = null, $statusCode = null, $statusDescription = null) { public function __construct($body = null, $statusCode = null, $statusDescription = null) {
@ -104,12 +104,12 @@ class SS_HTTPResponse {
} }
/** /**
* @param String $code * @param int $code
* @param String $description Optional. See {@link setStatusDescription()}. * @param string $description Optional. See {@link setStatusDescription()}.
* No newlines are allowed in the description. * No newlines are allowed in the description.
* If omitted, will default to the standard HTTP description * If omitted, will default to the standard HTTP description
* for the given $code value (see {@link $status_codes}). * for the given $code value (see {@link $status_codes}).
* @return SS_HTTPRequest $this * @return $this
*/ */
public function setStatusCode($code, $description = null) { public function setStatusCode($code, $description = null) {
if(isset(self::$status_codes[$code])) $this->statusCode = $code; if(isset(self::$status_codes[$code])) $this->statusCode = $code;
@ -124,8 +124,8 @@ class SS_HTTPResponse {
* The text to be given alongside the status code ("reason phrase"). * The text to be given alongside the status code ("reason phrase").
* Caution: Will be overwritten by {@link setStatusCode()}. * Caution: Will be overwritten by {@link setStatusCode()}.
* *
* @param String $description * @param string $description
* @return SS_HTTPRequest $this * @return $this
*/ */
public function setStatusDescription($description) { public function setStatusDescription($description) {
$this->statusDescription = $description; $this->statusDescription = $description;
@ -133,7 +133,7 @@ class SS_HTTPResponse {
} }
/** /**
* @return Int * @return int
*/ */
public function getStatusCode() { public function getStatusCode() {
return $this->statusCode; return $this->statusCode;
@ -157,7 +157,7 @@ class SS_HTTPResponse {
/** /**
* @param string $body * @param string $body
* @return SS_HTTPRequest $this * @return $this
*/ */
public function setBody($body) { public function setBody($body) {
$this->body = $body ? (string) $body : $body; // Don't type-cast false-ish values, eg null is null not '' $this->body = $body ? (string) $body : $body; // Don't type-cast false-ish values, eg null is null not ''
@ -176,7 +176,7 @@ class SS_HTTPResponse {
* *
* @param string $header Example: "Content-Type" * @param string $header Example: "Content-Type"
* @param string $value Example: "text/xml" * @param string $value Example: "text/xml"
* @return SS_HTTPRequest $this * @return $this
*/ */
public function addHeader($header, $value) { public function addHeader($header, $value) {
$this->headers[$header] = $value; $this->headers[$header] = $value;
@ -206,7 +206,7 @@ class SS_HTTPResponse {
* e.g. "Content-Type". * e.g. "Content-Type".
* *
* @param string $header * @param string $header
* @return SS_HTTPRequest $this * @return $this
*/ */
public function removeHeader($header) { public function removeHeader($header) {
if(isset($this->headers[$header])) unset($this->headers[$header]); if(isset($this->headers[$header])) unset($this->headers[$header]);
@ -216,7 +216,7 @@ class SS_HTTPResponse {
/** /**
* @param string $dest * @param string $dest
* @param int $code * @param int $code
* @return SS_HTTPRequest $this * @return $this
*/ */
public function redirect($dest, $code=302) { public function redirect($dest, $code=302) {
if(!in_array($code, self::$redirect_codes)) $code = 302; if(!in_array($code, self::$redirect_codes)) $code = 302;
@ -310,12 +310,17 @@ EOT
*/ */
class SS_HTTPResponse_Exception extends Exception { class SS_HTTPResponse_Exception extends Exception {
/**
* @var SS_HTTPResponse
*/
protected $response; protected $response;
/** /**
* @param string|SS_HTTPResponse body Either the plaintext content of the error message, or an SS_HTTPResponse * @param string|SS_HTTPResponse body Either the plaintext content of the error message, or an SS_HTTPResponse
* object representing it. In either case, the $statusCode and * object representing it. In either case, the $statusCode and
* $statusDescription will be the HTTP status of the resulting response. * $statusDescription will be the HTTP status of the resulting response.
* @param int $statusCode
* @param string $statusDescription
* @see SS_HTTPResponse::__construct(); * @see SS_HTTPResponse::__construct();
*/ */
public function __construct($body = null, $statusCode = null, $statusDescription = null) { public function __construct($body = null, $statusCode = null, $statusDescription = null) {
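Review bot: The `@param string|SS_HTTPResponse body` line directly above the two added `@param` tags still lacks the `$` sigil, so documentation tooling will not bind it to the `$body` parameter while the new `$statusCode` and `$statusDescription` tags do bind; it should read `@param string|SS_HTTPResponse $body Either the plaintext content of the error message, or an SS_HTTPResponse`. The constructor body continues outside the hunk.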


@ -355,8 +355,21 @@ class Form extends RequestHandler {
$vars = $request->requestVars(); $vars = $request->requestVars();
} }
// construct an array of allowed fields that can be populated from request data.
// readonly or disabled fields should not be loading data from requests
$allowedFields = array();
$dataFields = $this->Fields()->dataFields();
if ($dataFields) {
/** @var FormField $field */
foreach ($this->Fields()->dataFields() as $name => $field) {
if (!$field->isReadonly() && !$field->isDisabled()) {
$allowedFields[] = $name;
}
}
}
// Populate the form // Populate the form
$this->loadDataFrom($vars, true); $this->loadDataFrom($vars, true, $allowedFields);
// Protection against CSRF attacks // Protection against CSRF attacks
$token = $this->getSecurityToken(); $token = $this->getSecurityToken();
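Review bot: `$dataFields` is assigned from `$this->Fields()->dataFields()` and then the loop three lines later calls `$this->Fields()->dataFields()` a second time instead of iterating the variable just stored; the loop should read `foreach ($dataFields as $name => $field) {`. Separately, when every data field is readonly or disabled `$allowedFields` is passed to `loadDataFrom()` as an empty array; if that method (not shown here) treats an empty `$fieldList` as "no restriction", the guard would fall open for exactly the form it is meant to protect, so the all-readonly case deserves either an explicit early return before `loadDataFrom()` or a test pinning it. The enclosing method starts and ends outside the hunk.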


@ -164,6 +164,14 @@ class FormField extends RequestHandler {
*/ */
protected $attributes = array(); protected $attributes = array();
/**
* @config
* @var array
*/
private static $casting = array(
'Value' => 'Text',
);
/** /**
* Takes a field name and converts camelcase to spaced words. Also resolves combined field * Takes a field name and converts camelcase to spaced words. Also resolves combined field
* names with dot syntax to spaced words. * names with dot syntax to spaced words.


@ -26,6 +26,14 @@ class HtmlEditorField extends TextareaField {
*/ */
private static $sanitise_server_side = false; private static $sanitise_server_side = false;
/**
* @config
* @var array
*/
private static $casting = array(
'Value' => 'HTMLText',
);
protected $rows = 30; protected $rows = 30;
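Review bot: The added `$casting` entry repeats the `'Value' => 'HTMLText'` that this same commit adds to the parent `TextareaField`, and config statics are merged up the inheritance chain, so the override looks redundant unless it is meant to pin the casting independently of whatever the parent later declares. If that is the intent, a one-line comment would make it survive cleanup, e.g. `// Pinned here on purpose: editor content is HTML and must not be re-escaped by the template layer, regardless of TextareaField's casting`.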
/** /**


@ -53,10 +53,28 @@ class ReadonlyField extends FormField {
} }
public function Value() { public function Value() {
if($this->value) return $this->dontEscape ? $this->value : Convert::raw2xml($this->value); if($this->value) return $this->value;
else return '<i>(' . _t('FormField.NONE', 'none') . ')</i>'; else return '<i>(' . _t('FormField.NONE', 'none') . ')</i>';
} }
/**
* This is a legacy fix to ensure that the `dontEscape` flag has an impact on readonly fields
* now that we've moved to casting template values more rigidly
*
* @param string $field
* @return string
*/
public function castingHelper($field) {
if (
(strcasecmp($field, 'Value') === 0)
&& ($this->dontEscape || empty($this->value))
) {
// Value is either empty, or unescaped
return 'HTMLText';
}
return parent::castingHelper($field);
}
public function getAttributes() { public function getAttributes() {
return array_merge( return array_merge(
parent::getAttributes(), parent::getAttributes(),
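Review bot: `Value()` now returns the stored value without `Convert::raw2xml()` and leaves escaping to the template casting selected by the new `castingHelper()`, yet it has no docblock, so a PHP caller that previously received escaped output has nothing in the code telling it the contract changed. Add above `Value()` a docblock stating that it returns the raw value (or the localised "(none)" markup when empty), that escaping is applied by the template layer, and that `castingHelper()` yields `HTMLText` when `$dontEscape` is set or the value is empty and defers to the parent casting otherwise. Note also that `empty($this->value)` in the helper and `if($this->value)` in `Value()` both treat the string `'0'` as empty, so such a value renders as "(none)"; that is pre-existing behaviour, but now that two methods depend on agreeing about it, it is worth recording in the same docblock.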


@ -18,6 +18,11 @@
* @subpackage fields-basic * @subpackage fields-basic
*/ */
class TextareaField extends FormField { class TextareaField extends FormField {
private static $casting = array(
'Value' => 'HTMLText',
);
/** /**
* Visible number of text lines. * Visible number of text lines.
* *
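Review bot: Casting `Value` as `HTMLText` instructs the template layer not to escape `$Value`, so the textarea content is only safe if `Value()` itself entity-encodes the stored string; that method is outside the hunk, and the `testTextEncoding` case removed elsewhere in this commit was the check that it did. The array should carry a comment recording the invariant, e.g. `// Value() returns already-encoded text; HTMLText casting stops the template layer escaping it a second time`, and an encoding assertion equivalent to the removed one should be kept so the invariant stays tested.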


@ -213,7 +213,7 @@ PHP
'<p>Login success. If you are not automatically redirected '. '<p>Login success. If you are not automatically redirected '.
'<a target="_top" href="{link}">click here</a></p>', '<a target="_top" href="{link}">click here</a></p>',
'Login message displayed in the cms popup once a user has re-authenticated themselves', 'Login message displayed in the cms popup once a user has re-authenticated themselves',
array('link' => $backURL) array('link' => Convert::raw2att($backURL))
) )
)); ));
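Review bot: `Convert::raw2att($backURL)` is the correct escaping for the `href` attribute, but attribute escaping does not constrain what the URL is: if `$backURL` derives from request input (its assignment is outside the hunk), a non-site URL would still be emitted as the post-login link. Where `$backURL` is assigned, it should be checked with `Director::is_site_url($backURL)` (or reduced to a relative path) before it reaches this template string, with the escaping here kept as the output-side defence.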


@ -64,6 +64,33 @@ class FormTest extends FunctionalTest {
$this->assertEquals($fields->fieldByName('othernamespace[key5][key6][key7]')->Value(), 'val7'); $this->assertEquals($fields->fieldByName('othernamespace[key5][key6][key7]')->Value(), 'val7');
} }
public function testSubmitReadonlyFields() {
$this->get('FormTest_Controller');
// Submitting a value for a readonly field should be ignored
$response = $this->post(
'FormTest_Controller/Form',
array(
'Email' => 'invalid',
'Number' => '888',
'ReadonlyField' => '<script>alert("hacxzored")</script>'
// leaving out "Required" field
)
);
// Number field updates its value
$this->assertContains('<input type="text" name="Number" value="888"', $response->getBody());
// Readonly field remains
$this->assertContains(
'<input type="text" name="ReadonlyField" value="This value is readonly"',
$response->getBody()
);
$this->assertNotContains('hacxzored', $response->getBody());
}
public function testLoadDataFromUnchangedHandling() { public function testLoadDataFromUnchangedHandling() {
$form = new Form( $form = new Form(
new Controller(), new Controller(),
@ -783,7 +810,10 @@ class FormTest_Controller extends Controller implements TestOnly {
new EmailField('Email'), new EmailField('Email'),
new TextField('SomeRequiredField'), new TextField('SomeRequiredField'),
new CheckboxSetField('Boxes', null, array('1'=>'one','2'=>'two')), new CheckboxSetField('Boxes', null, array('1'=>'one','2'=>'two')),
new NumericField('Number') new NumericField('Number'),
TextField::create('ReadonlyField')
->setReadonly(true)
->setValue('This value is readonly')
), ),
new FieldList( new FieldList(
new FormAction('doSubmit') new FormAction('doSubmit')
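Review bot: `testSubmitReadonlyFields` exercises only the readonly path, while the guard it tests also excludes disabled fields, so that branch is untested; add `TextField::create('DisabledField')->setDisabled(true)->setValue('This value is disabled')` to the controller's field list and assert that a posted value for it is likewise ignored. The assertions also pin the exact attribute order in `<input type="text" name="Number" value="888"`, which will fail on an unrelated change to attribute rendering; matching the name/value pair with a regular expression would be more robust. The test method is complete within its hunk, but the controller's `FieldList` construction is cut at both edges.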


@ -2,16 +2,6 @@
class TextareaFieldTest extends SapphireTest { class TextareaFieldTest extends SapphireTest {
/**
* Quick smoke test to ensure that text is being encoded properly.
*/
public function testTextEncoding() {
$inputText = "These are some unicodes: äöü";
$field = new TextareaField("Test", "Test");
$field->setValue($inputText);
$this->assertContains('These are some unicodes: &auml;&ouml;&uuml;', $field->Field());
}
/** /**
* Quick smoke test to ensure that text with unicodes is being displayed properly in readonly fields. * Quick smoke test to ensure that text with unicodes is being displayed properly in readonly fields.
*/ */