Merge remote-tracking branch 'origin/3.2.1' into 3.2

This commit is contained in:
Damian Mooyman 2015-11-16 16:39:15 +13:00
commit fd6ae72e1d
26 changed files with 375 additions and 59 deletions

View File

@ -9,7 +9,7 @@ if(typeof(ss) == 'undefined' || typeof(ss.i18n) == 'undefined') {
"CMSMAIN.BATCH_PUBLISH_PROMPT": "Sie haben {num} Seite(n) ausgewählt.\n\nWollen Sie diese wirklich veröffentlichen?",
"CMSMAIN.BATCH_DELETE_PROMPT": "Sie haben {num} Seite(n) ausgewählt.\n\nWollen Sie diese wirklich löschen?",
"CMSMAIN.BATCH_ARCHIVE_PROMPT": "Sie haben {num} Seite(n) ausgewählt.\n\nWollen Sie diese wirklich archivieren?\n\nDiese Seiten und alle Unterseiten davon werden von der veröffentlichen Seite gelöscht und in das Archiv verschoben.",
"CMSMAIN.BATCH_RESTORE_PROMPT": "You have {num} page(s) selected.\n\nDo you really want to restore to stage?\n\nChildren of archived pages will be restored to the root level, unless those pages are also being restored.",
"CMSMAIN.BATCH_RESTORE_PROMPT": "Sie haben {num} Seite(n) ausgewählt.\\n\\nWollen Sie diese wirklich wiederherstellen?\\n\\nUnterseiten von archivierten Seiten werden auf der Root-Ebene wiederhergestellt, es sei denn, diese Seiten werden ebenfalls wiederhergestellt.",
"CMSMAIN.BATCH_DELETELIVE_PROMPT": "Sie haben {num} Seite(n) ausgewählt.\n\nWollen Sie diese wirklich von der veröfffentlichten Seite löschen?",
"LeftAndMain.CONFIRMUNSAVED": "Sind Sie sicher, dass Sie die Seite verlassen möchten?\n\nWARNUNG: Ihre Änderungen werden nicht gespeichert.\n\nDrücken Sie \"OK\" um fortzufahren, oder \"Abbrechen\" um auf dieser Seite zu bleiben.",
"LeftAndMain.CONFIRMUNSAVEDSHORT": "WARNUNG: Ihre Änderungen wurden nicht gespeichert.",

View File

@ -4,8 +4,8 @@ if(typeof(ss) == 'undefined' || typeof(ss.i18n) == 'undefined') {
if(typeof(console) != 'undefined') console.error('Class ss.i18n not defined');
} else {
ss.i18n.addDictionary('ro', {
"CMSMAIN.SELECTONEPAGE": "Please select at least one page",
"CMSMAIN.BATCH_UNPUBLISH_PROMPT": "You have {num} page(s) selected.\n\nDo you really want to unpublish",
"CMSMAIN.SELECTONEPAGE": "Vă rugăm să selectaţi cel puțin o pagină.",
"CMSMAIN.BATCH_UNPUBLISH_PROMPT": "Aveti {num} pagina(i) selectate.\n\nDoriti sa le nenublicati",
"CMSMAIN.BATCH_PUBLISH_PROMPT": "You have {num} page(s) selected.\n\nDo you really want to publish?",
"CMSMAIN.BATCH_DELETE_PROMPT": "You have {num} page(s) selected.\n\nDo you really want to delete?",
"CMSMAIN.BATCH_ARCHIVE_PROMPT": "You have {num} page(s) selected.\n\nAre you sure you want to archive these pages?\n\nThese pages and all of their children pages will be unpublished and sent to the archive.",

View File

@ -4,7 +4,7 @@
"CMSMAIN.BATCH_PUBLISH_PROMPT": "Sie haben {num} Seite(n) ausgewählt.\n\nWollen Sie diese wirklich veröffentlichen?",
"CMSMAIN.BATCH_DELETE_PROMPT": "Sie haben {num} Seite(n) ausgewählt.\n\nWollen Sie diese wirklich löschen?",
"CMSMAIN.BATCH_ARCHIVE_PROMPT": "Sie haben {num} Seite(n) ausgewählt.\n\nWollen Sie diese wirklich archivieren?\n\nDiese Seiten und alle Unterseiten davon werden von der veröffentlichen Seite gelöscht und in das Archiv verschoben.",
"CMSMAIN.BATCH_RESTORE_PROMPT": "You have {num} page(s) selected.\n\nDo you really want to restore to stage?\n\nChildren of archived pages will be restored to the root level, unless those pages are also being restored.",
"CMSMAIN.BATCH_RESTORE_PROMPT": "Sie haben {num} Seite(n) ausgewählt.\\n\\nWollen Sie diese wirklich wiederherstellen?\\n\\nUnterseiten von archivierten Seiten werden auf der Root-Ebene wiederhergestellt, es sei denn, diese Seiten werden ebenfalls wiederhergestellt.",
"CMSMAIN.BATCH_DELETELIVE_PROMPT": "Sie haben {num} Seite(n) ausgewählt.\n\nWollen Sie diese wirklich von der veröfffentlichten Seite löschen?",
"LeftAndMain.CONFIRMUNSAVED": "Sind Sie sicher, dass Sie die Seite verlassen möchten?\n\nWARNUNG: Ihre Änderungen werden nicht gespeichert.\n\nDrücken Sie \"OK\" um fortzufahren, oder \"Abbrechen\" um auf dieser Seite zu bleiben.",
"LeftAndMain.CONFIRMUNSAVEDSHORT": "WARNUNG: Ihre Änderungen wurden nicht gespeichert.",

View File

@ -1,6 +1,6 @@
{
"CMSMAIN.SELECTONEPAGE": "Please select at least one page",
"CMSMAIN.BATCH_UNPUBLISH_PROMPT": "You have {num} page(s) selected.\n\nDo you really want to unpublish",
"CMSMAIN.SELECTONEPAGE": "Vă rugăm să selectaţi cel puțin o pagină.",
"CMSMAIN.BATCH_UNPUBLISH_PROMPT": "Aveti {num} pagina(i) selectate.\n\nDoriti sa le nenublicati",
"CMSMAIN.BATCH_PUBLISH_PROMPT": "You have {num} page(s) selected.\n\nDo you really want to publish?",
"CMSMAIN.BATCH_DELETE_PROMPT": "You have {num} page(s) selected.\n\nDo you really want to delete?",
"CMSMAIN.BATCH_ARCHIVE_PROMPT": "You have {num} page(s) selected.\n\nAre you sure you want to archive these pages?\n\nThese pages and all of their children pages will be unpublished and sent to the archive.",

View File

@ -16,6 +16,7 @@ class RSSFeed extends ViewableData {
private static $casting = array(
"Title" => "Varchar",
"Description" => "Varchar",
"Link" => "Varchar",
);
/**

View File

@ -188,14 +188,14 @@ class RequestHandler extends ViewableData {
user_error("Non-string method name: " . var_export($action, true), E_USER_ERROR);
}
$className = get_class($this);
$classMessage = Director::isLive() ? 'on this handler' : 'on class '.get_class($this);
try {
if(!$this->hasAction($action)) {
return $this->httpError(404, "Action '$action' isn't available on class $className.");
return $this->httpError(404, "Action '$action' isn't available $classMessage.");
}
if(!$this->checkAccessAction($action) || in_array(strtolower($action), array('run', 'init'))) {
return $this->httpError(403, "Action '$action' isn't allowed on class $className.");
return $this->httpError(403, "Action '$action' isn't allowed $classMessage.");
}
$result = $this->handleAction($request, $action);
}
@ -232,7 +232,7 @@ class RequestHandler extends ViewableData {
// But if we have more content on the URL and we don't know what to do with it, return an error.
} else {
return $this->httpError(404, "I can't handle sub-URLs of a $this->class object.");
return $this->httpError(404, "I can't handle sub-URLs $classMessage.");
}
return $this;
@ -276,10 +276,10 @@ class RequestHandler extends ViewableData {
* @return SS_HTTPResponse
*/
protected function handleAction($request, $action) {
$className = get_class($this);
$classMessage = Director::isLive() ? 'on this handler' : 'on class '.get_class($this);
if(!$this->hasMethod($action)) {
return new SS_HTTPResponse("Action '$action' isn't available on class $className.", 404);
return new SS_HTTPResponse("Action '$action' isn't available $classMessage.", 404);
}
$res = $this->extend('beforeCallActionHandler', $request, $action);

View File

@ -218,6 +218,18 @@ To refresh a oEmbed cache, append `?flush=1` to a URL.
To disable oEmbed usage, set the `Oembed.enabled` configuration property to "false".
## Limiting oembed URLs
HtmlEditorField can have whitelists set on both the scheme (default http & https) and domains allowed when
inserting files for use with oembed.
This is performed through the config variables `HtmlEditorField_Toolbar::$fileurl_scheme_whitelist` and
`HtmlEditorField_Toolbar::$fileurl_domain_whitelist`.
Setting these configuration variables to empty arrays will disable the whitelist. Setting them to an array of
lower case strings will require the scheme or domain respectively to exactly match one of those strings (no
wildcards are currently supported).
### Doctypes
Since TinyMCE generates markup, it needs to know which doctype your documents will be rendered in. You can set this

View File

@ -0,0 +1,56 @@
# 3.2.1
## Upgrading
FormField validation messages generated by the `Validator` class will now be automatically XML
encoded before being rendered alongside an invalid field.
If a validation message in a custom `Validator` instance should be rendered as literal HTML,
then the $message parameter for `Validator::validationError` should be passed as an instance
of `HTMLText`
For example:
:::php
class MyCustomValidator extends Validator {
public function php($data) {
$this->validationError(
'EmailAddress',
DBField::create_field('HTMLText', "Invalid email. Please sign up at <a href='signup'>this page</a>")
);
}
}
<!--- Changes below this line will be automatically regenerated -->
## Change Log
### Security
* 2015-11-12 [b61d6dc](https://github.com/silverstripe/silverstripe-framework/commit/b61d6dcd57577b0345af7a69e51da409305e1957) HtmlEditorField_Toolbar#viewfile not whitelisting URLs (Hamish Friedlander) - See [ss-2015-027](http://www.silverstripe.org/download/security-releases/ss-2015-027)
* 2015-11-11 [bc1b289](https://github.com/silverstripe/silverstripe-framework/commit/bc1b2893accba6401c03f9ea3b0cbc4621c7a02c) Fix FormField error messages not being encoded safely (Damian Mooyman) - See [ss-2015-026](http://www.silverstripe.org/download/security-releases/ss-2015-026)
* 2015-11-09 [f290d86](https://github.com/silverstripe/silverstripe-framework/commit/f290d869e01e0087286b4f2bc92e95d15c229c45) Dont expose class on error (Hamish Friedlander) - See [ss-2015-025](http://www.silverstripe.org/download/security-releases/ss-2015-025)
* 2015-11-01 [4f55b6a](https://github.com/silverstripe/silverstripe-framework/commit/4f55b6a115ce0de8c5c258fb44eca52b8b112caf) XML escape RSSFeed $link parameter (Ingo Schommer) - See [ss-2015-022](http://www.silverstripe.org/download/security-releases/ss-2015-022)
* 2015-10-28 [132e9b3](https://github.com/silverstripe/silverstripe-framework/commit/132e9b3e2fad361ebb4b502b6a37d34d013bfba3) Fix rewrite hash links XSS (Damian Mooyman) - See [ss-2015-021](http://www.silverstripe.org/download/security-releases/ss-2015-021)
### Bugfixes
* 2015-11-10 [732e705](https://github.com/silverstripe/silverstripe-framework/commit/732e705bbf548024b123d5160863395f2f74e7d9) Correct behaviour for empty filter array (as per 3.1) (Damian Mooyman)
* 2015-11-09 [414ea3d](https://github.com/silverstripe/silverstripe-framework/commit/414ea3de9e87812c5ac96cc15062307c608e0963) prevent UploadField edit form generation for Folders (Damian Mooyman)
* 2015-11-05 [c6c650f](https://github.com/silverstripe/silverstripe-cms/commit/c6c650f1366348327d973ca6cc5a5ed33a467786) Ensure CMSMainTest uses correct siteconfig (Damian Mooyman)
* 2015-11-02 [0272e44](https://github.com/silverstripe/silverstripe-framework/commit/0272e443f44ebca55b05c14f2a112260ff0df284) Prevent dev/build continually regenerating Number field type (Damian Mooyman)
* 2015-10-30 [2813f94](https://github.com/silverstripe/silverstripe-framework/commit/2813f94124c2ba14f1e4a51001e3898b0e0c32aa) Ensure that filters on any fixed field are scoped to the base data table (Damian Mooyman)
* 2015-10-30 [38ca963](https://github.com/silverstripe/silverstripe-framework/commit/38ca9632c4e9df0a74eae70cec98fdce242da529) Add missing CMSSecurity route (Damian Mooyman)
* 2015-10-29 [daa86d3](https://github.com/silverstripe/silverstripe-framework/commit/daa86d3a4ce75bf8637134726864ae14fbbdf586) Fix regression from #4396 in test fixtures (Damian Mooyman)
* 2015-10-28 [db16248](https://github.com/silverstripe/silverstripe-framework/commit/db16248b9ab7677cc4b4e25857a6b6d36f8c35f0) Fix broken InlineFormAction (Damian Mooyman)
* 2015-10-27 [293d847](https://github.com/silverstripe/silverstripe-framework/commit/293d84721efafedf3dd3fe69dd1d013a8c07d3ff) for #4712: Dropping in some PHP documentation on return types for dynamically generated image methods. (Patrick Nelson)
* 2015-10-20 [b857bdf](https://github.com/silverstripe/silverstripe-framework/commit/b857bdf209d79fc623724e68f6a660354cbd5f93) Fix duplicate files being included in case of flush (Damian Mooyman)
* 2015-10-19 [c364158](https://github.com/silverstripe/silverstripe-framework/commit/c3641587a5d5977af4fa053e5813846ce990d86c) only use sethasemptydefault if exists. (Cam Findlay)
* 2015-10-08 [ff6c0a3](https://github.com/silverstripe/silverstripe-cms/commit/ff6c0a3160c5eb3ca624efea6585efb44399dc1c) (v3.1) for #1294 to workaround ErrorPage fatal errors (and undefined var) when publishing. (Patrick Nelson)
* 2015-10-08 [785f850](https://github.com/silverstripe/silverstripe-cms/commit/785f85047f64b76011c34542362c7f09dbf59021) for #1294 to workaround ErrorPage fatal errors (and undefined var) when publishing. (Patrick Nelson)
* 2015-10-01 [75dc391](https://github.com/silverstripe/silverstripe-cms/commit/75dc391df9b396756a6f02c5fca08eafcb53ba31) for #586 and possible fix for #736 and relates to #2449: Don't perform validation upon deletion, since it isn't necessary. Cleaned up type hint. (Patrick Nelson)
* 2015-09-17 [e64d73c](https://github.com/silverstripe/silverstripe-framework/commit/e64d73c1f741399412b6015f6602ed707b2e9778) Fix ClassInfo::table_for_object_field (Damian Mooyman)
* 2015-08-05 [2901664](https://github.com/silverstripe/silverstripe-framework/commit/29016645e5e759b1ecf49876fa79c357a68c5794) . FulltextFilter requires table identifiers in match query (Elvinas L.)
* 2015-07-12 [f192a6e](https://github.com/silverstripe/silverstripe-framework/commit/f192a6ecaf70446ec60f6c7ef2a555395f83ea16) #4392: Ensure headers are checked first before being clobbered by globally maintained state. Also ensuring tests utilize separate responses for isolation. (Patrick Nelson)

View File

@ -0,0 +1,34 @@
# 3.2.1-rc1
See [3.2.1](/changelogs/3.2.1) changelog for more information on what is new in 3.2.1
<!--- Changes below this line will be automatically regenerated -->
## Change Log
### Security
* 2015-11-11 [bc1b289](https://github.com/silverstripe/silverstripe-framework/commit/bc1b2893accba6401c03f9ea3b0cbc4621c7a02c) Fix FormField error messages not being encoded safely (Damian Mooyman) - See [ss-2015-026](http://www.silverstripe.org/download/security-releases/ss-2015-026)
* 2015-11-09 [f290d86](https://github.com/silverstripe/silverstripe-framework/commit/f290d869e01e0087286b4f2bc92e95d15c229c45) Dont expose class on error (Hamish Friedlander) - See [ss-2015-025](http://www.silverstripe.org/download/security-releases/ss-2015-025)
* 2015-11-01 [4f55b6a](https://github.com/silverstripe/silverstripe-framework/commit/4f55b6a115ce0de8c5c258fb44eca52b8b112caf) XML escape RSSFeed $link parameter (Ingo Schommer) - See [ss-2015-022](http://www.silverstripe.org/download/security-releases/ss-2015-022)
* 2015-10-28 [132e9b3](https://github.com/silverstripe/silverstripe-framework/commit/132e9b3e2fad361ebb4b502b6a37d34d013bfba3) Fix rewrite hash links XSS (Damian Mooyman) - See [ss-2015-021](http://www.silverstripe.org/download/security-releases/ss-2015-021)
### Bugfixes
* 2015-11-10 [732e705](https://github.com/silverstripe/silverstripe-framework/commit/732e705bbf548024b123d5160863395f2f74e7d9) Correct behaviour for empty filter array (as per 3.1) (Damian Mooyman)
* 2015-11-09 [414ea3d](https://github.com/silverstripe/silverstripe-framework/commit/414ea3de9e87812c5ac96cc15062307c608e0963) prevent UploadField edit form generation for Folders (Damian Mooyman)
* 2015-11-05 [c6c650f](https://github.com/silverstripe/silverstripe-cms/commit/c6c650f1366348327d973ca6cc5a5ed33a467786) Ensure CMSMainTest uses correct siteconfig (Damian Mooyman)
* 2015-11-02 [0272e44](https://github.com/silverstripe/silverstripe-framework/commit/0272e443f44ebca55b05c14f2a112260ff0df284) Prevent dev/build continually regenerating Number field type (Damian Mooyman)
* 2015-10-30 [2813f94](https://github.com/silverstripe/silverstripe-framework/commit/2813f94124c2ba14f1e4a51001e3898b0e0c32aa) Ensure that filters on any fixed field are scoped to the base data table (Damian Mooyman)
* 2015-10-30 [38ca963](https://github.com/silverstripe/silverstripe-framework/commit/38ca9632c4e9df0a74eae70cec98fdce242da529) Add missing CMSSecurity route (Damian Mooyman)
* 2015-10-29 [daa86d3](https://github.com/silverstripe/silverstripe-framework/commit/daa86d3a4ce75bf8637134726864ae14fbbdf586) Fix regression from #4396 in test fixtures (Damian Mooyman)
* 2015-10-28 [db16248](https://github.com/silverstripe/silverstripe-framework/commit/db16248b9ab7677cc4b4e25857a6b6d36f8c35f0) Fix broken InlineFormAction (Damian Mooyman)
* 2015-10-27 [293d847](https://github.com/silverstripe/silverstripe-framework/commit/293d84721efafedf3dd3fe69dd1d013a8c07d3ff) for #4712: Dropping in some PHP documentation on return types for dynamically generated image methods. (Patrick Nelson)
* 2015-10-20 [b857bdf](https://github.com/silverstripe/silverstripe-framework/commit/b857bdf209d79fc623724e68f6a660354cbd5f93) Fix duplicate files being included in case of flush (Damian Mooyman)
* 2015-10-19 [c364158](https://github.com/silverstripe/silverstripe-framework/commit/c3641587a5d5977af4fa053e5813846ce990d86c) only use sethasemptydefault if exists. (Cam Findlay)
* 2015-10-08 [ff6c0a3](https://github.com/silverstripe/silverstripe-cms/commit/ff6c0a3160c5eb3ca624efea6585efb44399dc1c) (v3.1) for #1294 to workaround ErrorPage fatal errors (and undefined var) when publishing. (Patrick Nelson)
* 2015-10-08 [785f850](https://github.com/silverstripe/silverstripe-cms/commit/785f85047f64b76011c34542362c7f09dbf59021) for #1294 to workaround ErrorPage fatal errors (and undefined var) when publishing. (Patrick Nelson)
* 2015-10-01 [75dc391](https://github.com/silverstripe/silverstripe-cms/commit/75dc391df9b396756a6f02c5fca08eafcb53ba31) for #586 and possible fix for #736 and relates to #2449: Don't perform validation upon deletion, since it isn't necessary. Cleaned up type hint. (Patrick Nelson)
* 2015-09-17 [e64d73c](https://github.com/silverstripe/silverstripe-framework/commit/e64d73c1f741399412b6015f6602ed707b2e9778) Fix ClassInfo::table_for_object_field (Damian Mooyman)
* 2015-08-05 [2901664](https://github.com/silverstripe/silverstripe-framework/commit/29016645e5e759b1ecf49876fa79c357a68c5794) . FulltextFilter requires table identifiers in match query (Elvinas L.)
* 2015-07-12 [f192a6e](https://github.com/silverstripe/silverstripe-framework/commit/f192a6ecaf70446ec60f6c7ef2a555395f83ea16) #4392: Ensure headers are checked first before being clobbered by globally maintained state. Also ensuring tests utilize separate responses for isolation. (Patrick Nelson)

View File

@ -0,0 +1,11 @@
# 3.2.1-rc2
See [3.2.1](/changelogs/3.2.1) changelog for more information on what is new in 3.2.1
<!--- Changes below this line will be automatically regenerated -->
## Change Log
### Security
* 2015-11-12 [b61d6dc](https://github.com/silverstripe/silverstripe-framework/commit/b61d6dcd57577b0345af7a69e51da409305e1957) HtmlEditorField_Toolbar#viewfile not whitelisting URLs (Hamish Friedlander) - See [ss-2015-027](http://www.silverstripe.org/download/security-releases/ss-2015-027)

View File

@ -1303,6 +1303,18 @@ class Form extends RequestHandler {
// Load errors into session and post back
$data = $this->getData();
// Encode validation messages as XML before saving into session state
// As per Form::addErrorMessage()
$errors = array_map(function($error) {
// Encode message as XML by default
if($error['message'] instanceof DBField) {
$error['message'] = $error['message']->forTemplate();;
} else {
$error['message'] = Convert::raw2xml($error['message']);
}
return $error;
}, $errors);
Session::set("FormInfo.{$this->FormName()}.errors", $errors);
Session::set("FormInfo.{$this->FormName()}.data", $data);

View File

@ -449,40 +449,98 @@ class HtmlEditorField_Toolbar extends RequestHandler {
return $form;
}
/**
* @config
* @var array - list of allowed schemes (no wildcard, all lower case) or empty to allow all schemes
*/
private static $fileurl_scheme_whitelist = array('http', 'https');
/**
* @config
* @var array - list of allowed domains (no wildcard, all lower case) or empty to allow all domains
*/
private static $fileurl_domain_whitelist = array();
protected function viewfile_getLocalFileByID($id) {
$file = DataObject::get_by_id('File', $id);
if ($file && $file->canView()) return array($file, $file->RelativeLink());
return array(null, null);
}
protected function viewfile_getLocalFileByURL($fileUrl) {
$filteredUrl = Director::makeRelative($fileUrl);
$filteredUrl = preg_replace('/_resampled\/[^-]+-/', '', $filteredUrl);
$file = File::get()->filter('Filename', $filteredUrl)->first();
if ($file && $file->canView()) return array($file, $filteredUrl);
return array(null, null);
}
protected function viewfile_getRemoteFileByURL($fileUrl) {
$scheme = strtolower(parse_url($fileUrl, PHP_URL_SCHEME));
$allowed_schemes = self::config()->fileurl_scheme_whitelist;
if (!$scheme || ($allowed_schemes && !in_array($scheme, $allowed_schemes))) {
$exception = new SS_HTTPResponse_Exception("This file scheme is not included in the whitelist", 400);
$exception->getResponse()->addHeader('X-Status', $exception->getMessage());
throw $exception;
}
$domain = strtolower(parse_url($fileUrl, PHP_URL_HOST));
$allowed_domains = self::config()->fileurl_domain_whitelist;
if (!$domain || ($allowed_domains && !in_array($domain, $allowed_domains))) {
$exception = new SS_HTTPResponse_Exception("This file hostname is not included in the whitelist", 400);
$exception->getResponse()->addHeader('X-Status', $exception->getMessage());
throw $exception;
}
return array(
new File(array(
'Title' => basename($fileUrl),
'Filename' => $fileUrl
)),
$fileUrl
);
}
/**
* View of a single file, either on the filesystem or on the web.
*/
public function viewfile($request) {
$file = null;
$url = null;
// TODO Would be cleaner to consistently pass URL for both local and remote files,
// but GridField doesn't allow for this kind of metadata customization at the moment.
if($url = $request->getVar('FileURL')) {
if(Director::is_absolute_url($url) && !Director::is_site_url($url)) {
$url = $url;
$file = new File(array(
'Title' => basename($url),
'Filename' => $url
));
} else {
$url = Director::makeRelative($request->getVar('FileURL'));
$url = preg_replace('/_resampled\/[^-]+-/', '', $url);
$file = File::get()->filter('Filename', $url)->first();
if(!$file) $file = new File(array(
'Title' => basename($url),
'Filename' => $url
));
if($fileUrl = $request->getVar('FileURL')) {
// If this isn't an absolute URL, or is, but is to this site, try and get the File object
// that is associated with it
if(!Director::is_absolute_url($fileUrl) || Director::is_site_url($fileUrl)) {
list($file, $url) = $this->viewfile_getLocalFileByURL($fileUrl);
}
} elseif($id = $request->getVar('ID')) {
$file = DataObject::get_by_id('File', $id);
$url = $file->RelativeLink();
} else {
throw new LogicException('Need either "ID" or "FileURL" parameter to identify the file');
// If this is an absolute URL, but not to this site, use as an oembed source (after whitelisting URL)
else {
list($file, $url) = $this->viewfile_getRemoteFileByURL($fileUrl);
}
}
// Or we could have been passed an ID directly
elseif($id = $request->getVar('ID')) {
list($file, $url) = $this->viewfile_getLocalFileByID($id);
}
// Or we could have been passed nothing, in which case panic
else {
throw new SS_HTTPResponse_Exception('Need either "ID" or "FileURL" parameter to identify the file', 400);
}
// Instanciate file wrapper and get fields based on its type
// Check if appCategory is an image and exists on the local system, otherwise use oEmbed to refference a
// remote image
if($file && $file->appCategory() == 'image' && Director::is_site_url($url)) {
if (!$file || !$url) {
throw new SS_HTTPResponse_Exception('Unable to find file to view', 404);
} elseif($file->appCategory() == 'image' && Director::is_site_url($url)) {
$fileWrapper = new HtmlEditorField_Image($url, $file);
} elseif(!Director::is_site_url($url)) {
$fileWrapper = new HtmlEditorField_Embed($url, $file);

View File

@ -292,8 +292,6 @@ cs:
FROMWEB: 'Z webu'
FindInFolder: 'Hledat ve složce'
IMAGEALT: 'Alternativní text (alt)'
IMAGEALTTEXT: 'Alternativní text (alt) - ukáže se, když obrázek nemúže být zobrazen'
IMAGEALTTEXTDESC: 'Zobrazeno na obrazovce, anebo když obrázek nemůže být zobrazen'
IMAGEDIMENSIONS: Rozměry
IMAGEHEIGHTPX: Výška
IMAGETITLE: 'Titul text (tooltip) - další informace o obrázku'
@ -328,11 +326,9 @@ cs:
DELETED: Smazáno.
DropdownBatchActionsDefault: Akcie
HELP: Nápověda
PAGETYPE: 'Typ stránky:'
PERMAGAIN: 'Byli jste odhlášeni z CMS. Pokud se chcete znovu přihlásit, zadejte níže své uživatelské jméno a heslo.'
PERMALREADY: 'Omlouvám se, ale nemůžete vstoupit do této části CMS. Pokud se chcete přihlásit jako někdo jiný, udělejte tak níže.'
PERMDEFAULT: 'Musíte být přihlášen/a k přístup do oblasti administrace, zadejte vaše přihlošovací údaje dole, prosím.'
PLEASESAVE: 'Uložte stránku, prosím. Tato stránka nemůže být aktualizována, protože ještě nebyla uložena.'
PreviewButton: Náhled
REORGANISATIONSUCCESSFUL: 'Strom webu reorganizován úspěšně.'
SAVEDUP: Uloženo.

View File

@ -260,6 +260,7 @@ de:
many_many_Members: Mitglieder
GroupImportForm:
Help1: '<p>Eine oder mehrere Gruppen im <em>CSV</em>-Format (kommaseparierte Werte) importieren. <small><a href="#" class="toggle-advanced">Erweiterte Nutzung</a></small></p>'
Help2: '<div class="advanced"><h4>Erweiterte Benutzung</h4><ul><li>Gültige Spalten: <em>%s</em></li><li>Bereits existierende Gruppen werden anhand ihres eindeutigen <em>Code</em> identifiziert und um neue Einträge aus der Importdatei erweitert.</li><li>Gruppenhierarchien können mittels der Spalte <em>ParentCode</em> erstellt werden.</li><li>Berechtigungen können in der Spalte <em>PermissionCode</em> hinzugefügt werden. Schon zugewiesene Berechtigungen werden nicht entfernt.</li></ul></div>'
ResultCreated: '{count} Gruppe(n) wurden erstellt'
ResultDeleted: '%d Gruppe(n) gelöscht'
ResultUpdated: '%d Gruppe(n) aktualisiert'
@ -291,6 +292,7 @@ de:
FROMWEB: 'Aus dem Web'
FindInFolder: 'In Ordner suchen'
IMAGEALT: 'Alternativtext (alt)'
IMAGEALTTEXT: 'Alternativtext (alt) - erscheint, falls das Bild nicht angezeigt werden kann.'
IMAGEDIMENSIONS: Dimensionen
IMAGEHEIGHTPX: Höhe (px)
IMAGETITLE: 'Titeltext (Tooltip) - für zusätzliche Informationen über das Bild'
@ -325,7 +327,11 @@ de:
DELETED: Gelöscht.
DropdownBatchActionsDefault: Aktionen
HELP: Hilfe
PAGETYPE: 'Seitentyp:'
PERMAGAIN: 'Sie wurden aus dem System ausgeloggt. Falls Sie sich wieder einloggen möchten, geben Sie bitte Benutzernamen und Passwort im untenstehenden Formular an.'
PERMALREADY: 'Leider dürfen Sie diesen Teil des CMS nicht aufrufen. Wenn Sie sich als jemand anderes einloggen wollen, benutzen Sie bitte das nachstehende Formular.'
PERMDEFAULT: 'Sie müssen angemeldet sein, um auf diesen Bereich zugreifen zu können. Bitte geben Sie Ihre Zugangsdaten ein.'
PLEASESAVE: 'Diese Seite konnte nicht aktualisiert werden weil sie noch nicht gespeichert wurde - bitte speichern.'
PreviewButton: Vorschau
REORGANISATIONSUCCESSFUL: 'Der Seitenbaum wurde erfolgreich sortiert.'
SAVEDUP: Gespeichert.
@ -413,6 +419,7 @@ de:
Toggle: 'Hilfe zur Formatierung anzeigen'
MemberImportForm:
Help1: '<p>Mitglieder im <em>CSV</em>-Format (kommaseparierte Werte) importieren. <small><a href="#" class="toggle-advanced">Erweiterte Nutzung</a></small></p>'
Help2: '<div class="advanced"><h4>Erweiterte Benutzung</h4><ul><li>Gültige Spalten: <em>%s</em></li><li>Bereits existierende Benutzer werden anhand ihres eindeutigen <em>Code</em> identifiziert und um neue Einträge aus der Importdatei erweitert.</li><li>Gruppen können in der Spalte <em>Gruppen</em> hinzugefügt werden. Gruppen werden anhand ihres <em>Code</em> erkannt. Mehrere Gruppen werden Komma-separiert eingetragen. Schon zugewiesene Gruppen werden nicht entfernt.</li></ul></div>'
ResultCreated: '{count} Mitglied(er) wurde(n) erstellt'
ResultDeleted: '%d Mitglied(er) gelöscht'
ResultNone: 'Keine Änderungen'

View File

@ -82,6 +82,7 @@ es:
CMSSecurity:
INVALIDUSER: '<p>Usuario inválido. <a target="_top" href="{link}">Por favor, vuelva a autenticar aquí</a> para continuar.</p>'
LoginMessage: '<p>Si Ud tiene cualquier trabajo sin guardar puede volver donde lo dejó, iniciando sesión más abajo.</p>'
SUCCESS: Exito
SUCCESSCONTENT: '<p>Inicio de sesión exitoso. Si Ud no es automáticamente redireccionado, <a target="_top" href="{link}">haga clic aquí</a></p>'
TimedOutTitleAnonymous: 'Expiró su sesión.'
TimedOutTitleMember: 'Eh {name}!<br />Tu sesión expiró.'
@ -259,6 +260,7 @@ es:
many_many_Members: Miembros
GroupImportForm:
Help1: '<p>Importar uno o más grupos en formato <em>CSV</em> (valores separados por coma). <small><a href="#" class="toggle-advanced">Mostrar uso avanzado</a></small></p>'
Help2: '<div class="advanced"><h4>Uso avanzado</h4><ul><li>Columnas permitidas: <em>%s</em></li><li>Grupos existentes son relacionados con su <em>Código único</em> y actualizados con cualquier nuevo valor desde el archivo importado</li><li>Jerarquías de grupo pueden ser creadas utilizando la columna <em>ParentCode</em>.</li><li>Códigos de permiso pueden ser asignados por la columna <em>PermissionCode</em>. Códigos de permisos existentes no son eliminados.</li></ul></div>'
ResultCreated: 'Creados {count} grupos'
ResultDeleted: 'Se eliminaron %d grupos'
ResultUpdated: 'Actualizados grupos %d'
@ -325,6 +327,8 @@ es:
DropdownBatchActionsDefault: Acciones
HELP: Ayuda
PERMAGAIN: 'Ha sido desconectado del CMS. Si quiere volver a entrar, introduzca su nombre de usuario y contraseña a continuación.'
PERMALREADY: 'Lamentablemente no puede acceder a esta parte del CMS. Si quiere entrar como alguien distinto, hágalo a continuación'
PERMDEFAULT: 'Debes estar conectado para acceder al área de administración; por favor ingresa tus datos a continuación'
PreviewButton: Vista previa
REORGANISATIONSUCCESSFUL: 'Reorganizado el árbol del sitio con éxito.'
SAVEDUP: Guardado
@ -412,6 +416,7 @@ es:
Toggle: 'Cambiar'
MemberImportForm:
Help1: '<p>Importar usuarios en <em>formato CSV</em> (valores separados por coma). <small><a href="#" class="toggle-advanced">Mostrar uso avanzado</a></small></p>'
Help2: '<div class="advanced"><h4>Uso avanzado</h4><ul><li>Columnas permitidas: <em>%s</em></li><li>Usuarios existentes son relacionados con su <em>Código único</em>, y actualizados con cualquier nuevo valor desde el archivo importado.</li><li>Grupos pueden ser asignados por la columna <em>Groups</em>. Grupos son identificados por su propiedad <em>Code</em>, multiples grupos pueden ser separados por una coma. La pertenencia a grupos existentes no se borra.</li></ul></div>'
ResultCreated: 'Creados {count} miembros'
ResultDeleted: 'Se eliminaron %d miembros'
ResultNone: 'No hay cambios'
@ -475,6 +480,7 @@ es:
SINGULARNAME: Regla
Title: Título
PermissionRoleCode:
PLURALNAME: 'Códigos de permiso'
PermsError: 'No se puede asignar permisos privilegiados al código "% s" (requiere acceso de administrador)'
SINGULARNAME: 'Códigos de las regla de permisos'
Permissions:

View File

@ -251,9 +251,9 @@ fr:
CAPTIONTEXT: 'Légende'
CSSCLASS: 'Alignement / Style'
CSSCLASSCENTER: 'Centré'
CSSCLASSLEFT: 'A gauche, avec texte à la ligne.'
CSSCLASSLEFT: 'À gauche, avec texte autour.'
CSSCLASSLEFTALONE: 'Sur la gauche seulement'
CSSCLASSRIGHT: 'a droite, avec texte à la ligne.'
CSSCLASSRIGHT: 'À droite, avec texte autour.'
DETAILS: Détails
EMAIL: 'Adresse email'
FILE: Fichier

View File

@ -326,6 +326,8 @@ it:
DropdownBatchActionsDefault: Azioni
HELP: Aiuto
PERMAGAIN: 'Sei stato disconnesso dal CMS. Se desideri autenticarti nuovamente, inserisci qui sotto nome utente e password.'
PERMALREADY: 'Siamo spiacenti, ma non puoi accedere a questa sezione del CMS. Se desideri autenticarti come qualcun altro, fallo qui sotto.'
PERMDEFAULT: 'Devi essere autenticato per accedere all''area amministrativa; Per favore inserisci le tue credenziali qui sotto'
PreviewButton: Anteprima
REORGANISATIONSUCCESSFUL: 'Albero del sito riorganizzato con successo.'
SAVEDUP: Salvato.

View File

@ -292,8 +292,6 @@ sk:
FROMWEB: 'Z webu'
FindInFolder: 'Vyhľadať v priečinku'
IMAGEALT: 'Atlernatívny text (alt)'
IMAGEALTTEXT: 'Atlernatívny text (alt) - zobrazí sa ak obrázok nemože byť zobrazený '
IMAGEALTTEXTDESC: 'Zobrazí sa na obrazovke, ak obrázok nemôže byť zobrazený'
IMAGEDIMENSIONS: Rozmery
IMAGEHEIGHTPX: Výška
IMAGETITLE: 'Text titulky (tooltip) - pre doplňujúce informácie o obrázku'
@ -328,11 +326,9 @@ sk:
DELETED: Zmazané.
DropdownBatchActionsDefault: Akcie
HELP: Pomoc
PAGETYPE: 'Typ stránky:'
PERMAGAIN: 'Boli ste odhlásený'
PERMALREADY: 'Je mi ľúto, ale nemáte prístup k tejto časti CMS. Ak sa chcete prihlásiť ako niekto iný, urobte tak nižšie'
PERMDEFAULT: 'Musíte byť prihlásený/á k prístupu do oblasti administrácie, zadajte vaše prihlasovacie údaje dole, prosím.'
PLEASESAVE: 'Uložte stránku, prosím. Táto stránka nemôže byť aktualizovaná, pretože eště nebola uložená.'
PreviewButton: Náhľad
REORGANISATIONSUCCESSFUL: 'Strom webu bol reorganizovaný úspešne.'
SAVEDUP: Uložené.

View File

@ -43,6 +43,13 @@ class RSSFeedTest extends SapphireTest {
$this->assertContains('<description>ItemC AltContent</description>', $content);
}
public function testLinkEncoding() {
$list = new ArrayList();
$rssFeed = new RSSFeed($list, "http://www.example.com/?param1=true&param2=true", "Test RSS Feed");
$content = $rssFeed->outputToBrowser();
$this->assertContains('<link>http://www.example.com/?param1=true&amp;param2=true', $content);
}
public function testRSSFeedWithShortcode() {
$list = new ArrayList();
$list->push(new RSSFeedTest_ItemD());

View File

@ -235,6 +235,7 @@ class FormTest extends FunctionalTest {
'FormTest_Controller/Form',
array(
'Email' => 'invalid',
'Number' => '<a href="http://mysite.com">link</a>' // XSS attempt
// leaving out "Required" field
)
);
@ -253,6 +254,17 @@ class FormTest extends FunctionalTest {
),
'Required fields show a notification on field when left blank'
);
$this->assertContains(
'&#039;&lt;a href=&quot;http://mysite.com&quot;&gt;link&lt;/a&gt;&#039; is not a number, only numbers can be accepted for this field',
$response->getBody(),
"Validation messages are safely XML encoded"
);
$this->assertNotContains(
'<a href="http://mysite.com">link</a>',
$response->getBody(),
"Unsafe content is not emitted directly inside the response body"
);
}
public function testSessionSuccessMessage() {
@ -685,7 +697,8 @@ class FormTest_Controller extends Controller implements TestOnly {
new FieldList(
new EmailField('Email'),
new TextField('SomeRequiredField'),
new CheckboxSetField('Boxes', null, array('1'=>'one','2'=>'two'))
new CheckboxSetField('Boxes', null, array('1'=>'one','2'=>'two')),
new NumericField('Number')
),
new FieldList(
new FormAction('doSubmit')

View File

@ -0,0 +1,71 @@
<?php
class HtmlEditorFieldToolbarTest_Toolbar extends HtmlEditorField_Toolbar {
public function viewfile_getLocalFileByID($id) {
return parent::viewfile_getLocalFileByID($id);
}
public function viewfile_getLocalFileByURL($fileUrl) {
return parent::viewfile_getLocalFileByURL($fileUrl);
}
public function viewfile_getRemoteFileByURL($fileUrl) {
return parent::viewfile_getRemoteFileByURL($fileUrl);
}
}
class HtmlEditorFieldToolbarTest extends SapphireTest {
protected static $fixture_file = 'HtmlEditorFieldToolbarTest.yml';
protected function getToolbar() {
return new HtmlEditorFieldToolbarTest_Toolbar(null, '/');
}
public function setUp() {
parent::setUp();
Config::nest();
Config::inst()->update('HtmlEditorField_Toolbar', 'fileurl_scheme_whitelist', array('http'));
Config::inst()->update('HtmlEditorField_Toolbar', 'fileurl_domain_whitelist', array('example.com'));
}
public function tearDown() {
Config::unnest();
parent::tearDown();
}
public function testValidLocalReference() {
list($file, $url) = $this->getToolbar()->viewfile_getLocalFileByURL('folder/subfolder/example.pdf');
$this->assertEquals($this->objFromFixture('File', 'example_file'), $file);
}
public function testInvalidLocalReference() {
list($file, $url) = $this->getToolbar()->viewfile_getLocalFileByURL('folder/subfolder/missing.pdf');
$this->assertNull($file);
}
public function testValidScheme() {
list($file, $url) = $this->getToolbar()->viewfile_getRemoteFileByURL('http://example.com/test.pdf');
$this->assertInstanceOf('File', $file);
$this->assertEquals($file->Filename, 'http://example.com/test.pdf');
}
/** @expectedException SS_HTTPResponse_Exception */
public function testInvalidScheme() {
list($file, $url) = $this->getToolbar()->viewfile_getRemoteFileByURL('nosuchscheme://example.com/test.pdf');
}
public function testValidDomain() {
list($file, $url) = $this->getToolbar()->viewfile_getRemoteFileByURL('http://example.com/test.pdf');
$this->assertInstanceOf('File', $file);
$this->assertEquals($file->Filename, 'http://example.com/test.pdf');
}
/** @expectedException SS_HTTPResponse_Exception */
public function testInvalidDomain() {
list($file, $url) = $this->getToolbar()->viewfile_getRemoteFileByURL('http://evil.com/test.pdf');
}
}

View File

@ -0,0 +1,9 @@
File:
example_file:
Name: example.pdf
Filename: folder/subfolder/example.pdf
Image:
example_image:
Name: HTMLEditorFieldTest_example.jpg
Filename: tests/forms/images/HTMLEditorFieldTest_example.jpg

View File

@ -2,6 +2,13 @@
class SSViewerTest extends SapphireTest {
/**
* Backup of $_SERVER global
*
* @var array
*/
protected $oldServer = array();
protected $extraDataObjects = array(
'SSViewerTest_Object',
);
@ -10,6 +17,12 @@ class SSViewerTest extends SapphireTest {
parent::setUp();
Config::inst()->update('SSViewer', 'source_file_comments', false);
Config::inst()->update('SSViewer_FromString', 'cache_template', false);
$this->oldServer = $_SERVER;
}
public function tearDown() {
$_SERVER = $this->oldServer;
parent::tearDown();
}
/**
@ -1156,10 +1169,13 @@ after')
$orig = Config::inst()->get('SSViewer', 'rewrite_hash_links');
Config::inst()->update('SSViewer', 'rewrite_hash_links', true);
$_SERVER['REQUEST_URI'] = 'http://path/to/file?foo"onclick="alert(\'xss\')""';
$_SERVER['HTTP_HOST'] = 'www.mysite.com';
$_SERVER['REQUEST_URI'] = '//file.com?foo"onclick="alert(\'xss\')""';
// Emulate SSViewer::process()
$base = Convert::raw2att($_SERVER['REQUEST_URI']);
// Note that leading double slashes have been rewritten to prevent these being mis-interepreted
// as protocol-less absolute urls
$base = Convert::raw2att('/file.com?foo"onclick="alert(\'xss\')""');
$tmplFile = TEMP_FOLDER . '/SSViewerTest_testRewriteHashlinks_' . sha1(rand()) . '.ss';
@ -1227,10 +1243,11 @@ after')
$obj = new ViewableData();
$obj->InsertedLink = '<a class="inserted" href="#anchor">InsertedLink</a>';
$result = $tmpl->process($obj);
$this->assertContains(
'<a class="inserted" href="<?php echo Convert::raw2att(',
$result
);
$code = <<<'EOC'
<a class="inserted" href="<?php echo Convert::raw2att(preg_replace("/^(\/)+/", "/", $_SERVER['REQUEST_URI'])); ?>#anchor">InsertedLink</a>
EOC;
$this->assertContains($code, $result);
// TODO Fix inline links in PHP mode
// $this->assertContains(
// '<a class="inline" href="<?php echo str_replace(',

View File

@ -4681,11 +4681,15 @@ class SSTemplateParser extends Parser implements TemplateParser {
// TODO: This is pretty ugly & gets applied on all files not just html. I wonder if we can make this
// non-dynamically calculated
$code = <<<'EOC'
(\Config::inst()->get('SSViewer', 'rewrite_hash_links')
? \Convert::raw2att( preg_replace("/^(\\/)+/", "/", $_SERVER['REQUEST_URI'] ) )
: "")
EOC;
// Because preg_replace replacement requires escaped slashes, addcslashes here
$text = preg_replace(
'/(<a[^>]+href *= *)"#/i',
'\\1"\' . (Config::inst()->get(\'SSViewer\', \'rewrite_hash_links\') ?' .
' Convert::raw2att( $_SERVER[\'REQUEST_URI\'] ) : "") .
\'#',
'\\1"\' . ' . addcslashes($code, '\\') . ' . \'#',
$text
);

View File

@ -1135,11 +1135,15 @@ class SSTemplateParser extends Parser implements TemplateParser {
// TODO: This is pretty ugly & gets applied on all files not just html. I wonder if we can make this
// non-dynamically calculated
$code = <<<'EOC'
(\Config::inst()->get('SSViewer', 'rewrite_hash_links')
? \Convert::raw2att( preg_replace("/^(\\/)+/", "/", $_SERVER['REQUEST_URI'] ) )
: "")
EOC;
// Because preg_replace replacement requires escaped slashes, addcslashes here
$text = preg_replace(
'/(<a[^>]+href *= *)"#/i',
'\\1"\' . (Config::inst()->get(\'SSViewer\', \'rewrite_hash_links\') ?' .
' Convert::raw2att( $_SERVER[\'REQUEST_URI\'] ) : "") .
\'#',
'\\1"\' . ' . addcslashes($code, '\\') . ' . \'#',
$text
);

View File

@ -1129,10 +1129,10 @@ class SSViewer implements Flushable {
$rewrite = Config::inst()->get('SSViewer', 'rewrite_hash_links');
if($this->rewriteHashlinks && $rewrite) {
if(strpos($output, '<base') !== false) {
if($rewrite === 'php') {
$thisURLRelativeToBase = "<?php echo Convert::raw2att(\$_SERVER['REQUEST_URI']); ?>";
if($rewrite === 'php') {
$thisURLRelativeToBase = "<?php echo Convert::raw2att(preg_replace(\"/^(\\\\/)+/\", \"/\", \$_SERVER['REQUEST_URI'])); ?>";
} else {
$thisURLRelativeToBase = Convert::raw2att($_SERVER['REQUEST_URI']);
$thisURLRelativeToBase = Convert::raw2att(preg_replace("/^(\\/)+/", "/", $_SERVER['REQUEST_URI']));
}
$output = preg_replace('/(<a[^>]+href *= *)"#/i', '\\1"' . $thisURLRelativeToBase . '#', $output);