API Escape form validation messages (SS-2013-008)

Ingo Schommer 2013-09-24 13:58:32 +02:00
parent 114fb59107
commit c243418597
2 changed files with 16 additions and 8 deletions


@ -65,7 +65,7 @@ class Form extends RequestHandler {
protected $validator; protected $validator;
protected $formMethod = "post"; protected $formMethod = "post";
protected static $current_action; protected static $current_action;
/** /**
@ -144,6 +144,10 @@ class Form extends RequestHandler {
*/ */
protected $attributes = array(); protected $attributes = array();
public static $casting = array(
'Message' => 'Text'
);
/** /**
* Create a new form, with the given fields an action buttons. * Create a new form, with the given fields an action buttons.
* *
@ -203,7 +207,7 @@ class Form extends RequestHandler {
'GET ' => 'httpSubmission', 'GET ' => 'httpSubmission',
'HEAD ' => 'httpSubmission', 'HEAD ' => 'httpSubmission',
); );
/** /**
* Set up current form errors in session to * Set up current form errors in session to
* the current form if appropriate. * the current form if appropriate.
@ -239,7 +243,7 @@ class Form extends RequestHandler {
* if the form is valid. * if the form is valid.
*/ */
public function httpSubmission($request) { public function httpSubmission($request) {
$vars = $request->requestVars(); $vars = $request->requestVars();
if(isset($funcName)) { if(isset($funcName)) {
Form::set_current_action($funcName); Form::set_current_action($funcName);
} }
@ -281,7 +285,7 @@ class Form extends RequestHandler {
if(isset($funcName)) { if(isset($funcName)) {
$this->setButtonClicked($funcName); $this->setButtonClicked($funcName);
} }
// Permission checks (first on controller, then falling back to form) // Permission checks (first on controller, then falling back to form)
if( if(
// Ensure that the action is actually a button or method on the form, // Ensure that the action is actually a button or method on the form,
@ -355,8 +359,8 @@ class Form extends RequestHandler {
} }
return $this->controller->redirectBack(); return $this->controller->redirectBack();
} }
} }
// First, try a handler method on the controller (has been checked for allowed_actions above already) // First, try a handler method on the controller (has been checked for allowed_actions above already)
if($this->controller->hasMethod($funcName)) { if($this->controller->hasMethod($funcName)) {
return $this->controller->$funcName($vars, $this, $request); return $this->controller->$funcName($vars, $this, $request);
@ -439,7 +443,7 @@ class Form extends RequestHandler {
} }
/** /**
* Add an error message to a field on this form. It will be saved into the session * Add a plain text error message to a field on this form. It will be saved into the session
* and used the next time this form is displayed. * and used the next time this form is displayed.
*/ */
public function addErrorMessage($fieldName, $message, $messageType) { public function addErrorMessage($fieldName, $message, $messageType) {
@ -865,7 +869,7 @@ class Form extends RequestHandler {
$this->formMethod = strtolower($method); $this->formMethod = strtolower($method);
return $this; return $this;
} }
/** /**
* Return the form's action attribute. * Return the form's action attribute.
* This is build by adding an executeForm get variable to the parent controller's Link() value * This is build by adding an executeForm get variable to the parent controller's Link() value
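Review bot: The `$casting` entry added after `$attributes` changes how every form message is rendered, but the new static has no comment and only the `addErrorMessage()` docblock was updated to say "plain text". Messages that existing callers built with markup (a link inside a validation hint, for example) will now be shown as literal tags, so this is a behaviour change for current code as well as the fix for SS-2013-008. I would add a docblock on the static, e.g. `/** Message is cast as Text so templates HTML-escape it (SS-2013-008); pass plain text only. */`, and repeat the plain-text wording on the other methods that set a form message, which are outside these hunks. The same applies to the identical `$casting` addition in the FormField section.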


@ -93,6 +93,10 @@ class FormField extends RequestHandler {
*/ */
protected $attributes = array(); protected $attributes = array();
public static $casting = array(
'Message' => 'Text'
);
/** /**
* Takes a fieldname and converts camelcase to spaced * Takes a fieldname and converts camelcase to spaced
* words. Also resolves combined fieldnames with dot syntax * words. Also resolves combined fieldnames with dot syntax
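Review bot: The cast on `Message` is an output-side fix, so it presumably protects only output that goes through the template casting layer; the value stored on the field stays unescaped. Any code path that reads the message directly in PHP and emits it itself (a JSON response for client-side validation, for instance) would still have to escape it for its own context. That is worth stating above `$casting`, e.g. `// Escaped on template output only; escape manually when emitting Message elsewhere.` Neither of the two changed files looks like a test, so a regression test asserting that a message containing `<b>` is rendered as `&lt;b&gt;` for both the form and the field would pin the new behaviour.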