BUG Use correct api for assigning field value
BUG Fix encoding of cms add-option in js ENHANCEMENT Sanitise literal HTML content
This commit is contained in:
parent
99ac1a3e20
commit
68b29e13e2
@ -538,8 +538,8 @@ class UserDefinedForm_Controller extends Page_Controller {
|
|||||||
public function getFormFields() {
|
public function getFormFields() {
|
||||||
$fields = new FieldList();
|
$fields = new FieldList();
|
||||||
|
|
||||||
if($this->Fields()) {
|
$editableFields = $this->Fields();
|
||||||
foreach($this->Fields() as $editableField) {
|
if($editableFields) foreach($editableFields as $editableField) {
|
||||||
// get the raw form field from the editable version
|
// get the raw form field from the editable version
|
||||||
$field = $editableField->getFormField();
|
$field = $editableField->getFormField();
|
||||||
if(!$field) break;
|
if(!$field) break;
|
||||||
@ -549,7 +549,8 @@ class UserDefinedForm_Controller extends Page_Controller {
|
|||||||
|
|
||||||
// set the right title on this field
|
// set the right title on this field
|
||||||
if($right = $editableField->getSetting('RightTitle')) {
|
if($right = $editableField->getSetting('RightTitle')) {
|
||||||
$field->setRightTitle($right);
|
// Since this field expects raw html, safely escape the user data prior
|
||||||
|
$field->setRightTitle(Convert::raw2xml($right));
|
||||||
}
|
}
|
||||||
|
|
||||||
// if this field is required add some
|
// if this field is required add some
|
||||||
@ -563,21 +564,18 @@ class UserDefinedForm_Controller extends Page_Controller {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
// if this field has an extra class
|
// if this field has an extra class
|
||||||
if($editableField->getSetting('ExtraClass')) {
|
if($extraClass = $editableField->getSetting('ExtraClass')) {
|
||||||
$field->addExtraClass(Convert::raw2att(
|
$field->addExtraClass(Convert::raw2att($extraClass));
|
||||||
$editableField->getSetting('ExtraClass')
|
|
||||||
));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// set the values passed by the url to the field
|
// set the values passed by the url to the field
|
||||||
$request = $this->getRequest();
|
$request = $this->getRequest();
|
||||||
if($var = $request->getVar($field->name)) {
|
if($value = $request->getVar($field->getName())) {
|
||||||
$field->value = Convert::raw2att($var);
|
$field->setValue($value);
|
||||||
}
|
}
|
||||||
|
|
||||||
$fields->push($field);
|
$fields->push($field);
|
||||||
}
|
}
|
||||||
}
|
|
||||||
$this->extend('updateFormFields', $fields);
|
$this->extend('updateFormFields', $fields);
|
||||||
|
|
||||||
return $fields;
|
return $fields;
|
||||||
|
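Review bot: In the third hunk, `if($value = $request->getVar($field->getName()))` drops legitimate falsy query values such as `0` or `'0'`, because a truthiness test decides whether the URL pre-fill is applied; test for presence instead, `$value = $request->getVar($field->getName()); if($value !== null) { $field->setValue($value); }`. Dropping `Convert::raw2att()` here is right only because `setValue()` stores the raw value and escaping happens when the field template renders it — that holds for the stock FormField templates but is worth confirming for any custom field type `getFormField()` can return. The unchanged `if(!$field) break;` context line in the first hunk aborts the whole loop when a single editable field yields no form field, so every later field is silently omitted; `continue` looks like the intent, though that predates this commit. The brace-less `if($editableFields) foreach(...)` form in the first hunk would read more clearly with braces, and the closing brace of getFormFields() lies past the third hunk.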
@ -13,13 +13,69 @@ class EditableLiteralField extends EditableFormField {
|
|||||||
|
|
||||||
private static $plural_name = 'HTML Blocks';
|
private static $plural_name = 'HTML Blocks';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Get the name of the editor config to use for HTML sanitisation. Defaults to the active config.
|
||||||
|
*
|
||||||
|
* @var string
|
||||||
|
* @config
|
||||||
|
*/
|
||||||
|
private static $editor_config = null;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns the {@see HtmlEditorConfig} instance to use for sanitisation
|
||||||
|
*
|
||||||
|
* @return HtmlEditorConfig
|
||||||
|
*/
|
||||||
|
protected function getEditorConfig() {
|
||||||
|
$editorConfig = $this->config()->editor_config;
|
||||||
|
if($editorConfig) return HtmlEditorConfig::get($editorConfig);
|
||||||
|
return HtmlEditorConfig::get_active();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Safely sanitise html content, if enabled
|
||||||
|
*
|
||||||
|
* @param string $content Raw html
|
||||||
|
* @return string Safely sanitised html
|
||||||
|
*/
|
||||||
|
protected function sanitiseContent($content) {
|
||||||
|
// Check if sanitisation is enabled
|
||||||
|
if(!HtmlEditorField::config()->sanitise_server_side) return $content;
|
||||||
|
|
||||||
|
// Perform sanitisation
|
||||||
|
$htmlValue = Injector::inst()->create('HTMLValue', $content);
|
||||||
|
$santiser = Injector::inst()->create('HtmlEditorSanitiser', $this->getEditorConfig());
|
||||||
|
$santiser->sanitise($htmlValue);
|
||||||
|
return $htmlValue->getContent();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Get HTML Content of this literal field
|
||||||
|
*
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public function getContent() {
|
||||||
|
// Apply html editor sanitisation rules
|
||||||
|
$content = $this->getSetting('Content');
|
||||||
|
return $this->sanitiseContent($content);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Set the content with the given value
|
||||||
|
*
|
||||||
|
* @param string $content
|
||||||
|
*/
|
||||||
|
public function setContent($content) {
|
||||||
|
// Apply html editor sanitisation rules
|
||||||
|
$content = $this->sanitiseContent($content);
|
||||||
|
$this->setSetting('Content', $content);
|
||||||
|
}
|
||||||
|
|
||||||
public function getFieldConfiguration() {
|
public function getFieldConfiguration() {
|
||||||
$customSettings = unserialize($this->CustomSettings);
|
|
||||||
$content = (isset($customSettings['Content'])) ? $customSettings['Content'] : '';
|
|
||||||
$textAreaField = new TextareaField(
|
$textAreaField = new TextareaField(
|
||||||
$this->getSettingName('Content'),
|
$this->getSettingName('Content'),
|
||||||
"HTML",
|
"HTML",
|
||||||
$content
|
$this->getContent()
|
||||||
);
|
);
|
||||||
$textAreaField->setRows(4);
|
$textAreaField->setRows(4);
|
||||||
$textAreaField->setColumns(20);
|
$textAreaField->setColumns(20);
|
||||||
|
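Review bot: `getEditorConfig()` resolves the `editor_config` name through `HtmlEditorConfig::get()`, which, as far as I recall of the 3.x API, creates an empty config for an unknown identifier rather than failing, so a typo in the setting would silently switch sanitisation to a config with no `valid_elements` at all; either assert the identifier is known or document it, `// NOTE: an unknown identifier yields a fresh empty config — confirm sanitiser behaviour`. Content is sanitised in `setContent()` and again in `getContent()`; that is a sensible way to cover rows stored before `sanitise_server_side` was enabled, but the comment on `getContent()` should say so, e.g. `// Sanitise on read too, so content saved before sanitisation was enabled is covered`. The local `$santiser` in `sanitiseContent()` is misspelt; `$sanitiser` would match the class it holds. `getContent()` passes whatever `getSetting('Content')` returns straight into HTMLValue; if that can be null on a fresh field, a `(string)` cast or early return keeps the sanitiser from seeing null.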
@ -330,11 +330,16 @@
|
|||||||
newRule.removeClass("hidden");
|
newRule.removeClass("hidden");
|
||||||
|
|
||||||
// update the fields dropdown
|
// update the fields dropdown
|
||||||
newRule.children("select.fieldOption").empty();
|
var optionChildren = newRule.children("select.fieldOption");
|
||||||
|
optionChildren.empty();
|
||||||
|
|
||||||
$("#Fields_fields li.EditableFormField").each(function (i, domElement) {
|
$("#Fields_fields li.EditableFormField").each(function () {
|
||||||
var name = $(domElement).attr("id").split(' ');
|
var name = $(this).attr("id").split(' ');
|
||||||
newRule.children("select.fieldOption").append("<option value='"+ name[2] + "'>"+ $(domElement).find(".text").val() + "</option>");
|
var option = $("<option></option>")
|
||||||
|
.attr('value', name[2])
|
||||||
|
.text($(this).find(".text").val());
|
||||||
|
optionChildren
|
||||||
|
.append(option);
|
||||||
});
|
});
|
||||||
|
|
||||||
// append to the list
|
// append to the list
|
||||||
|
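Review bot: The rebuilt option still trusts `name[2]` from `.attr("id").split(' ')`; if an id ever has fewer than three space-separated parts, `.attr('value', undefined)` is treated by jQuery as a getter and returns `undefined`, so the chained `.text(...)` throws instead of producing an option. Guarding the index, `var value = name[2] || '';`, and passing `value` keeps the chain safe. Building the option with `.attr()`/`.text()` rather than string concatenation is the right fix for the encoding issue. The enclosing handler starts and ends outside the hunk.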
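--- /dev/null
+++ b/tests/EditableLiteralFieldTest.php
@@ -0,0 +1,38 @@
+<?php
+
+/**
+ * Tests the {@see EditableLiteralField} class
+ */
+class EditableLiteralFieldTest extends SapphireTest {
+
+public function setUp() {
+parent::setUp();
+Config::nest();
+HtmlEditorConfig::set_active('cms');
+}
+
+
+public function tearDown() {
+Config::unnest();
+parent::tearDown();
+}
+
+/**
+ * Tests the sanitisation of HTML content
+ */
+public function testSanitisation() {
+$rawContent = '<h1>Welcome</h1><script>alert("Hello!");</script><p>Giant Robots!</p>';
+$safeContent = '<h1>Welcome</h1><p>Giant Robots!</p>';
+$field = new EditableLiteralField();
+
+// Test with sanitisation enabled
+Config::inst()->update('HtmlEditorField', 'sanitise_server_side', true);
+$field->setContent($rawContent);
+$this->assertEquals($safeContent, $field->getContent());
+
+// Test with sanitisation disabled
+Config::inst()->remove('HtmlEditorField', 'sanitise_server_side');
+$field->setContent($rawContent);
+$this->assertEquals($rawContent, $field->getContent());
+}
+}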
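Review bot: `testSanitisation()` only checks that a `<script>` element is removed; the new `editor_config` setting and the `getFieldConfiguration()` path, which now displays sanitised content, have no coverage, and a case with a disallowed attribute on an otherwise allowed element would show that the configured `valid_elements` are applied rather than just element stripping. The disabled-sanitisation branch asserting the raw string round-trips is fine, but a short comment that `Config::nest()` in `setUp()` is what discards the `sanitise_server_side` changes made here would help the next reader, e.g. `// Config::nest() in setUp() isolates these config updates per test`.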