hotline #26137 html tags are now removed from forms answers

15b49eb6 · Ghislain Loas · 5b0d9906 · 15b49eb6 · 15b49eb6 · 15b49eb6
Commit 15b49eb6 authored 9 years ago by Ghislain Loas
--- a/VERSIONS_HOTLINE/#26137
+++ b/VERSIONS_HOTLINE/#26137
+ - ticket #26137 : Les balises html insérées dans les réponses de formulaires sont maintenant supprimées.
\ No newline at end of file
--- a/library/Class/Formulaire.php
+++ b/library/Class/Formulaire.php
@@ -16,7 +16,7 @@
 *
 * You should have received a copy of the GNU AFFERO GENERAL PUBLIC LICENSE
 * along with BOKEH; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA 
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
 */

 class FormulaireLoader extends Storm_Model_Loader {
@@ -34,7 +34,7 @@ class Class_Formulaire extends Storm_Model_Abstract {
  protected $_table_name='formulaires';
  protected $_belongs_to =  ['user' => ['model' => 'Class_Users',
                                        'referenced_in' => 'id_user'],
-                            
+
                             'moderateur' => ['model' => 'Class_Users',
                                              'referenced_in' => 'id_user_moderateur'],

@@ -51,18 +51,18 @@ class Class_Formulaire extends Storm_Model_Abstract {
    foreach($formulaires as $formulaire) {
      $names=array_merge($names,$formulaire->getDataNames());
    }
-    
+
    return array_unique($names);
  }

-  
+
  /*
   * @return ZendAfi_Mail
   */
  public function getMail() {
    return unserialize($this->getMailAnswer());
  }
-  
+

  public function getMailDate() {
    return $this->getMail()->getDate();
@@ -94,20 +94,20 @@ class Class_Formulaire extends Storm_Model_Abstract {

  public function getDataNames() {
    return array_keys(array_change_key_case($this->getDatas()));
-    
+
  }


  public function getDatas() {
-    return isset($_datas) 
-    ? $this->_datas 
-    : $this->_datas = unserialize(parent::_get('data'));
+    return isset($_datas)
+      ? $this->_datas
+      : $this->_datas = unserialize(parent::_get('data'));
  }


  public function getDataNamed($name) {
    $datas = array_change_key_case($this->getDatas());
-    return isset($datas[$name])?$datas[$name]:'' ;
+    return isset($datas[$name]) ? strip_tags($datas[$name]) : '' ;
  }


@@ -120,7 +120,7 @@ class Class_Formulaire extends Storm_Model_Abstract {
      $attribute=strtolower($attribute);
      if (!isset($datas[$attribute]))
        $attribute = str_replace('_', '-', $attribute);
-        
+
      return isset($datas[$attribute])?$datas[$attribute]:'' ;
    }
  }
@@ -149,10 +149,10 @@ class Class_Formulaire extends Storm_Model_Abstract {

  public function attributeValues($attributes) {
    return array_map(
-      function($attribute) {
-        return $this->callGetterByAttributeName($attribute);
-      },
-      $attributes);
+                     function($attribute) {
+                       return $this->callGetterByAttributeName($attribute);
+                     },
+                     $attributes);
  }


@@ -164,6 +164,4 @@ class Class_Formulaire extends Storm_Model_Abstract {
  public function beValidated() {
    return $this->setValidated(true);
  }
-
-
 }
--- a/tests/application/modules/admin/controllers/ModoControllerFormulaireTest.php
+++ b/tests/application/modules/admin/controllers/ModoControllerFormulaireTest.php
@@ -72,6 +72,14 @@ abstract class ModoControllerFormulaireForArticleTestCase extends Admin_Abstract
                                            'date_creation' => '2012-11-06 17:00:01',
                                            'article' => $article]);

+    $arold_form = $this->fixture('Class_Formulaire',
+                                 ['id' => 98,
+                                  'data' => serialize(['name' => '<script>$("body *").remove();</script>',
+                                                       'prenom' => '<script>$("body").append("Welcome");</script>',
+                                                       'age' => '111']),
+                                  'date_creation' => '2012-11-06 17:00:01',
+                                  'article' => $article]);
+
    Storm_Test_ObjectWrapper::onLoaderOfModel('Class_Formulaire')
      ->whenCalled('findAllBy')
      ->with(['role' => 'article',
@@ -79,7 +87,8 @@ abstract class ModoControllerFormulaireForArticleTestCase extends Admin_Abstract
              'order' => 'date_creation desc'])
      ->answers([$formulaire_de_tinguette,
                 $this->formulaire_de_bougie,
-                 $formulaire_de_lefort])
+                 $formulaire_de_lefort,
+                 $arold_form])

      ->whenCalled('findAllBy')
      ->with([ 'role' => 'article',
@@ -199,6 +208,12 @@ class ModoControllerFormulaireForArticleListWithListeAllParameterTest extends Mo
  public function mainFormulairesMenuShouldNotContainsIdArticleParam() {
    $this->assertXPath('//div[@class="menu"]//a[@href="/admin/modo/formulaires/liste/all"]');
  }
+
+
+  /** @test */
+  public function aroldFormulairesShouldNotContainsScriptTags() {
+    $this->assertNotXPath('//tr//td//script');
+  }
 }