mirror of
https://github.com/silverstripe/silverstripe-userforms.git
synced 2024-10-22 17:05:42 +02:00
BUG Use correct api for assigning field value
BUG Fix encoding of cms add-option in js ENHANCEMENT Sanitise literal HTML content
parent
99ac1a3e20
commit
68b29e13e2
@ -538,8 +538,8 @@ class UserDefinedForm_Controller extends Page_Controller {
|
||||
public function getFormFields() {
|
||||
$fields = new FieldList();
|
||||
|
||||
if($this->Fields()) {
|
||||
foreach($this->Fields() as $editableField) {
|
||||
$editableFields = $this->Fields();
|
||||
if($editableFields) foreach($editableFields as $editableField) {
|
||||
// get the raw form field from the editable version
|
||||
$field = $editableField->getFormField();
|
||||
if(!$field) break;
|
||||
@ -549,7 +549,8 @@ class UserDefinedForm_Controller extends Page_Controller {
|
||||
|
||||
// set the right title on this field
|
||||
if($right = $editableField->getSetting('RightTitle')) {
|
||||
$field->setRightTitle($right);
|
||||
// Since this field expects raw html, safely escape the user data prior
|
||||
$field->setRightTitle(Convert::raw2xml($right));
|
||||
}
|
||||
|
||||
// if this field is required add some
|
||||
@ -563,21 +564,18 @@ class UserDefinedForm_Controller extends Page_Controller {
|
||||
}
|
||||
}
|
||||
// if this field has an extra class
|
||||
if($editableField->getSetting('ExtraClass')) {
|
||||
$field->addExtraClass(Convert::raw2att(
|
||||
$editableField->getSetting('ExtraClass')
|
||||
));
|
||||
if($extraClass = $editableField->getSetting('ExtraClass')) {
|
||||
$field->addExtraClass(Convert::raw2att($extraClass));
|
||||
}
|
||||
|
||||
// set the values passed by the url to the field
|
||||
$request = $this->getRequest();
|
||||
if($var = $request->getVar($field->name)) {
|
||||
$field->value = Convert::raw2att($var);
|
||||
if($value = $request->getVar($field->getName())) {
|
||||
$field->setValue($value);
|
||||
}
|
||||
|
||||
$fields->push($field);
|
||||
}
|
||||
}
|
||||
$this->extend('updateFormFields', $fields);
|
||||
|
||||
return $fields;
|
||||
|
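Review bot: The URL prefill near the end of the loop now hands the raw GET value to `$field->setValue($value)`, so output safety rests entirely on each field type escaping its value at render time; that should be confirmed for any field returned by `getFormField()` that renders its value as markup rather than as an attribute. `getVar()` can also return an array, and the truthiness test silently skips a legitimate `0`. I would limit prefill to data-bearing fields and scalar input, e.g. `$value = $request->getVar($field->getName()); if($field->hasData() && is_string($value) && $value !== '') { $field->setValue($value); }`. Separately, the new comment above `setRightTitle()` stops mid-sentence ("... prior"); something like `// RightTitle is rendered as raw HTML, so escape the user-supplied text before assigning it` would finish the thought. Parts of `getFormFields()` between the three hunks are not shown here.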
@ -13,13 +13,69 @@ class EditableLiteralField extends EditableFormField {
|
||||
|
||||
private static $plural_name = 'HTML Blocks';
|
||||
|
||||
/**
|
||||
* Get the name of the editor config to use for HTML sanitisation. Defaults to the active config.
|
||||
*
|
||||
* @var string
|
||||
* @config
|
||||
*/
|
||||
private static $editor_config = null;
|
||||
|
||||
/**
|
||||
* Returns the {@see HtmlEditorConfig} instance to use for sanitisation
|
||||
*
|
||||
* @return HtmlEditorConfig
|
||||
*/
|
||||
protected function getEditorConfig() {
|
||||
$editorConfig = $this->config()->editor_config;
|
||||
if($editorConfig) return HtmlEditorConfig::get($editorConfig);
|
||||
return HtmlEditorConfig::get_active();
|
||||
}
|
||||
|
||||
/**
|
||||
* Safely sanitise html content, if enabled
|
||||
*
|
||||
* @param string $content Raw html
|
||||
* @return string Safely sanitised html
|
||||
*/
|
||||
protected function sanitiseContent($content) {
|
||||
// Check if sanitisation is enabled
|
||||
if(!HtmlEditorField::config()->sanitise_server_side) return $content;
|
||||
|
||||
// Perform sanitisation
|
||||
$htmlValue = Injector::inst()->create('HTMLValue', $content);
|
||||
$santiser = Injector::inst()->create('HtmlEditorSanitiser', $this->getEditorConfig());
|
||||
$santiser->sanitise($htmlValue);
|
||||
return $htmlValue->getContent();
|
||||
}
|
||||
|
||||
/**
|
||||
* Get HTML Content of this literal field
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
public function getContent() {
|
||||
// Apply html editor sanitisation rules
|
||||
$content = $this->getSetting('Content');
|
||||
return $this->sanitiseContent($content);
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the content with the given value
|
||||
*
|
||||
* @param string $content
|
||||
*/
|
||||
public function setContent($content) {
|
||||
// Apply html editor sanitisation rules
|
||||
$content = $this->sanitiseContent($content);
|
||||
$this->setSetting('Content', $content);
|
||||
}
|
||||
|
||||
public function getFieldConfiguration() {
|
||||
$customSettings = unserialize($this->CustomSettings);
|
||||
$content = (isset($customSettings['Content'])) ? $customSettings['Content'] : '';
|
||||
$textAreaField = new TextareaField(
|
||||
$this->getSettingName('Content'),
|
||||
"HTML",
|
||||
$content
|
||||
$this->getContent()
|
||||
);
|
||||
$textAreaField->setRows(4);
|
||||
$textAreaField->setColumns(20);
|
||||
|
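Review bot: `sanitiseContent()` returns the content untouched whenever `HtmlEditorField.sanitise_server_side` is not enabled, so literal HTML stays unsanitised unless a site opts in; the docblock only says "if enabled" and should name the switch, e.g. `* Content is returned unmodified unless HtmlEditorField.sanitise_server_side is true.` In `getEditorConfig()` the fallback to `HtmlEditorConfig::get_active()` makes the allowed-element list depend on whichever editor config is active for the current request (the accompanying test has to force `cms`), so the same stored content may be filtered differently in the CMS and on the front end; pinning `editor_config` to a named config would make the result predictable. In `getFieldConfiguration()` the `unserialize($this->CustomSettings)` result looks unused now that the textarea takes `$this->getContent()`, though this rendering does not show whether those lines were removed. Minor: `$santiser` is misspelled.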
@ -330,11 +330,16 @@
|
||||
newRule.removeClass("hidden");
|
||||
|
||||
// update the fields dropdown
|
||||
newRule.children("select.fieldOption").empty();
|
||||
var optionChildren = newRule.children("select.fieldOption");
|
||||
optionChildren.empty();
|
||||
|
||||
$("#Fields_fields li.EditableFormField").each(function (i, domElement) {
|
||||
var name = $(domElement).attr("id").split(' ');
|
||||
newRule.children("select.fieldOption").append("<option value='"+ name[2] + "'>"+ $(domElement).find(".text").val() + "</option>");
|
||||
$("#Fields_fields li.EditableFormField").each(function () {
|
||||
var name = $(this).attr("id").split(' ');
|
||||
var option = $("<option></option>")
|
||||
.attr('value', name[2])
|
||||
.text($(this).find(".text").val());
|
||||
optionChildren
|
||||
.append(option);
|
||||
});
|
||||
|
||||
// append to the list
|
||||
|
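Review bot: `name[2]` in the rebuilt `each()` callback is used without checking that the element id actually split into three parts, so a list item with an unexpected id produces an option with no value; a guard such as `if (name.length < 3) return;` before building the option would make that case explicit. The switch to `.attr()`/`.text()` is what keeps user-entered field titles from being parsed as markup, and a one-line comment saying so (`// build via DOM APIs so field titles are never parsed as HTML`) would discourage a later return to string concatenation. `optionChildren` holds the `select.fieldOption` element itself rather than its children, so a name like `fieldSelect` would read more accurately.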
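--- /dev/null
+++ b/tests/EditableLiteralFieldTest.php
@@ -0,0 +1,38 @@
+<?php
+
+/**
+* Tests the {@see EditableLiteralField} class
+*/
+class EditableLiteralFieldTest extends SapphireTest {
+
+public function setUp() {
+parent::setUp();
+Config::nest();
+HtmlEditorConfig::set_active('cms');
+}
+
+
+public function tearDown() {
+Config::unnest();
+parent::tearDown();
+}
+
+/**
+* Tests the sanitisation of HTML content
+*/
+public function testSanitisation() {
+$rawContent = '<h1>Welcome</h1><script>alert("Hello!");</script><p>Giant Robots!</p>';
+$safeContent = '<h1>Welcome</h1><p>Giant Robots!</p>';
+$field = new EditableLiteralField();
+
+// Test with sanitisation enabled
+Config::inst()->update('HtmlEditorField', 'sanitise_server_side', true);
+$field->setContent($rawContent);
+$this->assertEquals($safeContent, $field->getContent());
+
+// Test with sanitisation disabled
+Config::inst()->remove('HtmlEditorField', 'sanitise_server_side');
+$field->setContent($rawContent);
+$this->assertEquals($rawContent, $field->getContent());
+}
+}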
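Review bot: `testSanitisation()` exercises only removal of a `<script>` element, so nothing pins how attributes outside the configured whitelist (an inline event handler, for example) are treated, nor that `getFieldConfiguration()` feeds the sanitised value into the textarea. The disabled case relies on `Config::inst()->remove(...)` leaving the framework default off; setting it explicitly with `Config::inst()->update('HtmlEditorField', 'sanitise_server_side', false);` would keep the assertion independent of that default. A short comment on the second assertion, noting that raw markup is expected only because sanitisation is switched off, would stop it being read as an endorsement of script content in literal fields.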