FIX Use field editorconfig when sanitising content

This commit is contained in:
Bernie Hamlin 2023-10-16 12:39:18 +13:00 committed by Guy Sartorelli
parent 3e1b5e6452
commit 99e965b5d7
No known key found for this signature in database
GPG Key ID: F313E3B9504D496A
2 changed files with 40 additions and 1 deletions

View File

@ -138,7 +138,8 @@ class HTMLEditorField extends TextareaField
// Sanitise if requested // Sanitise if requested
$htmlValue = HTMLValue::create($this->Value()); $htmlValue = HTMLValue::create($this->Value());
if (HTMLEditorField::config()->sanitise_server_side) { if (HTMLEditorField::config()->sanitise_server_side) {
$santiser = HTMLEditorSanitiser::create(HTMLEditorConfig::get_active()); $config = $this->getEditorConfig();
$santiser = HTMLEditorSanitiser::create($config);
$santiser->sanitise($htmlValue); $santiser->sanitise($htmlValue);
} }

View File

@ -12,6 +12,7 @@ use SilverStripe\Control\Director;
use SilverStripe\Core\Config\Config; use SilverStripe\Core\Config\Config;
use SilverStripe\Dev\CSSContentParser; use SilverStripe\Dev\CSSContentParser;
use SilverStripe\Dev\FunctionalTest; use SilverStripe\Dev\FunctionalTest;
use SilverStripe\Forms\HTMLEditor\HTMLEditorConfig;
use SilverStripe\Forms\HTMLEditor\HTMLEditorField; use SilverStripe\Forms\HTMLEditor\HTMLEditorField;
use SilverStripe\Forms\HTMLEditor\TinyMCEConfig; use SilverStripe\Forms\HTMLEditor\TinyMCEConfig;
use SilverStripe\Forms\HTMLReadonlyField; use SilverStripe\Forms\HTMLReadonlyField;
@ -278,4 +279,41 @@ EOS
$this->assertEquals("auto", $data_config->height, 'Config height is not set'); $this->assertEquals("auto", $data_config->height, 'Config height is not set');
$this->assertEquals("60px", $data_config->row_height, 'Config row_height is not set'); $this->assertEquals("60px", $data_config->row_height, 'Config row_height is not set');
} }
public function testFieldConfigSanitization()
{
$obj = TestObject::create();
$editor = HTMLEditorField::create('Content');
$defaultValidElements = [
'@[id|class|style|title|data*]',
'a[id|rel|dir|tabindex|accesskey|type|name|href|target|title|class]',
'-strong/-b[class]',
'-em/-i[class]',
'-ol[class]',
'#p[id|dir|class|align|style]',
'-li[class]',
'br',
'-span[class|align|style]',
'-ul[class]',
'-h3[id|dir|class|align|style]',
'-h2[id|dir|class|align|style]',
'hr[class]',
];
$restrictedConfig = HTMLEditorConfig::get('restricted');
$restrictedConfig->setOption('valid_elements', implode(',', $defaultValidElements));
$editor->setEditorConfig($restrictedConfig);
$expectedHtmlString = '<p>standard text</p>Header';
$htmlValue = '<p>standard text</p><table><th><tr><td>Header</td></tr></th><tbody></tbody></table>';
$editor->setValue($htmlValue);
$editor->saveInto($obj);
$this->assertEquals($expectedHtmlString, $obj->Content, 'Table is not removed');
$defaultConfig = HTMLEditorConfig::get('default');
$editor->setEditorConfig($defaultConfig);
$editor->setValue($htmlValue);
$editor->saveInto($obj);
$this->assertEquals($htmlValue, $obj->Content, 'Table is removed');
}
} }