BUG Use correct api for assigning field value

BUG Fix encoding of cms add-option in js
ENHANCEMENT Sanitise literal HTML content
Damian Mooyman 2015-02-10 15:32:44 +13:00
parent 99ac1a3e20
commit 68b29e13e2
4 changed files with 143 additions and 46 deletions


@ -538,8 +538,8 @@ class UserDefinedForm_Controller extends Page_Controller {
public function getFormFields() { public function getFormFields() {
$fields = new FieldList(); $fields = new FieldList();
if($this->Fields()) { $editableFields = $this->Fields();
foreach($this->Fields() as $editableField) { if($editableFields) foreach($editableFields as $editableField) {
// get the raw form field from the editable version // get the raw form field from the editable version
$field = $editableField->getFormField(); $field = $editableField->getFormField();
if(!$field) break; if(!$field) break;
@ -549,7 +549,8 @@ class UserDefinedForm_Controller extends Page_Controller {
// set the right title on this field // set the right title on this field
if($right = $editableField->getSetting('RightTitle')) { if($right = $editableField->getSetting('RightTitle')) {
$field->setRightTitle($right); // Since this field expects raw html, safely escape the user data prior
$field->setRightTitle(Convert::raw2xml($right));
} }
// if this field is required add some // if this field is required add some
@ -563,21 +564,18 @@ class UserDefinedForm_Controller extends Page_Controller {
} }
} }
// if this field has an extra class // if this field has an extra class
if($editableField->getSetting('ExtraClass')) { if($extraClass = $editableField->getSetting('ExtraClass')) {
$field->addExtraClass(Convert::raw2att( $field->addExtraClass(Convert::raw2att($extraClass));
$editableField->getSetting('ExtraClass')
));
} }
// set the values passed by the url to the field // set the values passed by the url to the field
$request = $this->getRequest(); $request = $this->getRequest();
if($var = $request->getVar($field->name)) { if($value = $request->getVar($field->getName())) {
$field->value = Convert::raw2att($var); $field->setValue($value);
} }
$fields->push($field); $fields->push($field);
} }
}
$this->extend('updateFormFields', $fields); $this->extend('updateFormFields', $fields);
return $fields; return $fields;
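Review bot: The new `if($value = $request->getVar($field->getName()))` on the request-value line drops a legitimately pre-filled `'0'` (or empty string) because the assignment-in-condition tests truthiness, so that value never reaches `setValue()`; `$value = $request->getVar($field->getName()); if($value !== null) { $field->setValue($value); }` keeps the null guard without that loss. The braceless `if($editableFields) foreach(...)` at the top of the hunk is easy to misread on a later edit and would be clearer as a nested block, and the pre-existing `if(!$field) break;` inside the same loop abandons every remaining field on the first one without a form field, where `continue` looks intended — worth confirming against the callers. The `Convert::raw2xml()` escaping added for RightTitle is the right direction; dropping `raw2att` on the request value leaves escaping entirely to the field's rendering, which is fine as long as nothing echoes the raw value outside an attribute. getFormFields() ends outside this hunk.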


@ -13,13 +13,69 @@ class EditableLiteralField extends EditableFormField {
private static $plural_name = 'HTML Blocks'; private static $plural_name = 'HTML Blocks';
/**
* Get the name of the editor config to use for HTML sanitisation. Defaults to the active config.
*
* @var string
* @config
*/
private static $editor_config = null;
/**
* Returns the {@see HtmlEditorConfig} instance to use for sanitisation
*
* @return HtmlEditorConfig
*/
protected function getEditorConfig() {
$editorConfig = $this->config()->editor_config;
if($editorConfig) return HtmlEditorConfig::get($editorConfig);
return HtmlEditorConfig::get_active();
}
/**
* Safely sanitise html content, if enabled
*
* @param string $content Raw html
* @return string Safely sanitised html
*/
protected function sanitiseContent($content) {
// Check if sanitisation is enabled
if(!HtmlEditorField::config()->sanitise_server_side) return $content;
// Perform sanitisation
$htmlValue = Injector::inst()->create('HTMLValue', $content);
$santiser = Injector::inst()->create('HtmlEditorSanitiser', $this->getEditorConfig());
$santiser->sanitise($htmlValue);
return $htmlValue->getContent();
}
/**
* Get HTML Content of this literal field
*
* @return string
*/
public function getContent() {
// Apply html editor sanitisation rules
$content = $this->getSetting('Content');
return $this->sanitiseContent($content);
}
/**
* Set the content with the given value
*
* @param string $content
*/
public function setContent($content) {
// Apply html editor sanitisation rules
$content = $this->sanitiseContent($content);
$this->setSetting('Content', $content);
}
public function getFieldConfiguration() { public function getFieldConfiguration() {
$customSettings = unserialize($this->CustomSettings);
$content = (isset($customSettings['Content'])) ? $customSettings['Content'] : '';
$textAreaField = new TextareaField( $textAreaField = new TextareaField(
$this->getSettingName('Content'), $this->getSettingName('Content'),
"HTML", "HTML",
$content $this->getContent()
); );
$textAreaField->setRows(4); $textAreaField->setRows(4);
$textAreaField->setColumns(20); $textAreaField->setColumns(20);
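Review bot: The sanitisation added here is only reached through `getContent()`/`setContent()`, and the path that renders this block on the front end (`getFormField()`, outside this hunk) is not shown; if it still reads `getSetting('Content')` directly it bypasses the new sanitiser, so it should go through `getContent()` the way `getFieldConfiguration()` now does. `sanitiseContent()` also returns the raw markup untouched when `sanitise_server_side` is off, and the docblock should say so explicitly, e.g. `@return string Sanitised html, or the unmodified input when HtmlEditorField.sanitise_server_side is disabled`. The local `$santiser` (used twice) is a typo for `$sanitiser`. Minor: `getEditorConfig()` reads more cleanly as `return $editorConfig ? HtmlEditorConfig::get($editorConfig) : HtmlEditorConfig::get_active();`.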


@ -330,11 +330,16 @@
newRule.removeClass("hidden"); newRule.removeClass("hidden");
// update the fields dropdown // update the fields dropdown
newRule.children("select.fieldOption").empty(); var optionChildren = newRule.children("select.fieldOption");
optionChildren.empty();
$("#Fields_fields li.EditableFormField").each(function (i, domElement) { $("#Fields_fields li.EditableFormField").each(function () {
var name = $(domElement).attr("id").split(' '); var name = $(this).attr("id").split(' ');
newRule.children("select.fieldOption").append("<option value='"+ name[2] + "'>"+ $(domElement).find(".text").val() + "</option>"); var option = $("<option></option>")
.attr('value', name[2])
.text($(this).find(".text").val());
optionChildren
.append(option);
}); });
// append to the list // append to the list
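Review bot: `optionChildren` and `.append(option);` are split across two lines for no reason at the end of the `.each` callback; `optionChildren.append(option);` reads better, or the option can be appended straight from the chain with `.appendTo(optionChildren)`. Building the option with `.attr('value', ...)` and `.text(...)` is the right fix for the encoding problem; it still relies on `attr("id").split(' ')[2]` existing, which is pre-existing but leaves `value` as `undefined` for any list item whose id does not have three space-separated parts — worth a guard if that id format is not guaranteed. The enclosing function starts and ends outside this hunk.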


@ -0,0 +1,38 @@
<?php
/**
* Tests the {@see EditableLiteralField} class
*/
class EditableLiteralFieldTest extends SapphireTest {
public function setUp() {
parent::setUp();
Config::nest();
HtmlEditorConfig::set_active('cms');
}
public function tearDown() {
Config::unnest();
parent::tearDown();
}
/**
* Tests the sanitisation of HTML content
*/
public function testSanitisation() {
$rawContent = '<h1>Welcome</h1><script>alert("Hello!");</script><p>Giant Robots!</p>';
$safeContent = '<h1>Welcome</h1><p>Giant Robots!</p>';
$field = new EditableLiteralField();
// Test with sanitisation enabled
Config::inst()->update('HtmlEditorField', 'sanitise_server_side', true);
$field->setContent($rawContent);
$this->assertEquals($safeContent, $field->getContent());
// Test with sanitisation disabled
Config::inst()->remove('HtmlEditorField', 'sanitise_server_side');
$field->setContent($rawContent);
$this->assertEquals($rawContent, $field->getContent());
}
}
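Review bot: The disabled-sanitisation case relies on `Config::inst()->remove('HtmlEditorField', 'sanitise_server_side')` leaving a falsy value behind, which depends on whatever the surrounding config sets for that key; `Config::inst()->update('HtmlEditorField', 'sanitise_server_side', false);` states the intent directly and does not depend on defaults. The new `editor_config` override on EditableLiteralField is never exercised — a second test that sets `EditableLiteralField.editor_config` to a named config and asserts that config's rules apply rather than the active one's would cover `getEditorConfig()`. The assertions also only go through `setContent()`/`getContent()`; a check that the textarea returned by `getFieldConfiguration()` is populated with the sanitised content would confirm the CMS-side path as well.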