Merge branch 'hotline_#26137_remove_html_tags_in_forms_answers' into 'stable'

Hotline #26137 remove html tags in forms answers See merge request !1048

Merge branch 'hotline_#26137_remove_html_tags_in_forms_answers' into 'stable'
Hotline #26137 remove html tags in forms answers See merge request !1048
be143f46 · Patrick Barroca · 5b0d9906 · e3b8a5ab · be143f46 · be143f46
Commit be143f46 authored 9 years ago by Patrick Barroca
--- a/VERSIONS_HOTLINE/#26137
+++ b/VERSIONS_HOTLINE/#26137
+ - ticket #26137 : Les balises html insérées dans les réponses de formulaires sont maintenant supprimées.
\ No newline at end of file
--- a/application/modules/admin/views/scripts/modo/formulaires.phtml
+++ b/application/modules/admin/views/scripts/modo/formulaires.phtml
 <h1><?php echo $this->_('Modération des formulaires: '.$this->article->getTitre());?></h1>
-<?php 
+<?php
 if($this->liste==='all')
 echo $this->tagAnchor($this->url(['module'=>'admin',
                                  'controller'=>'modo',
@@ -31,8 +31,8 @@ echo $this->tagAnchor($this->url(['module'=>'admin',
    <thead>
      <tr>
        <th><?php echo $this->_('Date') ?></th>
-        <th><?php echo $this->_('Posté par') ?></th> 
-        <th><?php echo $this->_('Bibliothèque') ?></th> 
+        <th><?php echo $this->_('Posté par') ?></th>
+        <th><?php echo $this->_('Bibliothèque') ?></th>
        <?php foreach($data_names as $name) echo '<th>'.$name.'</th>'; ?>
          <th><?php echo $this->_('Actions') ?></th>
      </tr>
@@ -40,14 +40,14 @@ echo $this->tagAnchor($this->url(['module'=>'admin',
    <tbody>
      <?php
      foreach($this->formulaires as $formulaire) {
-        $datas = [$this->humanDate($formulaire->getDateCreation(), 'dd/MM/yyyy'), 
-                  $formulaire->getCompte(), 
+        $datas = [$this->humanDate($formulaire->getDateCreation(), 'dd/MM/yyyy'),
+                  $formulaire->getCompte(),
                  $formulaire->getLibelleBib()];
        foreach($data_names as $name)
        $datas[]=$formulaire->getDataNamed($name);

        echo '<tr>';
-        foreach($datas as $data) echo '<td>'.$data.'</td>';
+        foreach($datas as $data) echo '<td>' . $this->escape($data) . '</td>';

        echo '<td>';
        echo $this->tagAnchor(['action' => 'visualiser-reponse-ajax',
@@ -59,7 +59,7 @@ echo $this->tagAnchor($this->url(['module'=>'admin',
        echo $this->tagAnchor(['action' => 'validate-formulaire',
                               'id' => $formulaire->getId()],
                              $this->boutonIco('type=validate'));
-        
+
        echo '</td>';
        echo '</tr>';
      }

--- a/library/Class/Formulaire.php
+++ b/library/Class/Formulaire.php
@@ -16,7 +16,7 @@
 *
 * You should have received a copy of the GNU AFFERO GENERAL PUBLIC LICENSE
 * along with BOKEH; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA 
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
 */

 class FormulaireLoader extends Storm_Model_Loader {
@@ -34,7 +34,7 @@ class Class_Formulaire extends Storm_Model_Abstract {
  protected $_table_name='formulaires';
  protected $_belongs_to =  ['user' => ['model' => 'Class_Users',
                                        'referenced_in' => 'id_user'],
-                            
+
                             'moderateur' => ['model' => 'Class_Users',
                                              'referenced_in' => 'id_user_moderateur'],

@@ -51,18 +51,18 @@ class Class_Formulaire extends Storm_Model_Abstract {
    foreach($formulaires as $formulaire) {
      $names=array_merge($names,$formulaire->getDataNames());
    }
-    
+
    return array_unique($names);
  }

-  
+
  /*
   * @return ZendAfi_Mail
   */
  public function getMail() {
    return unserialize($this->getMailAnswer());
  }
-  
+

  public function getMailDate() {
    return $this->getMail()->getDate();
@@ -94,20 +94,20 @@ class Class_Formulaire extends Storm_Model_Abstract {

  public function getDataNames() {
    return array_keys(array_change_key_case($this->getDatas()));
-    
+
  }


  public function getDatas() {
-    return isset($_datas) 
-    ? $this->_datas 
-    : $this->_datas = unserialize(parent::_get('data'));
+    return isset($_datas)
+      ? $this->_datas
+      : $this->_datas = unserialize(parent::_get('data'));
  }


  public function getDataNamed($name) {
    $datas = array_change_key_case($this->getDatas());
-    return isset($datas[$name])?$datas[$name]:'' ;
+    return isset($datas[$name]) ? $datas[$name] : '' ;
  }


@@ -120,7 +120,7 @@ class Class_Formulaire extends Storm_Model_Abstract {
      $attribute=strtolower($attribute);
      if (!isset($datas[$attribute]))
        $attribute = str_replace('_', '-', $attribute);
-        
+
      return isset($datas[$attribute])?$datas[$attribute]:'' ;
    }
  }
@@ -149,10 +149,10 @@ class Class_Formulaire extends Storm_Model_Abstract {

  public function attributeValues($attributes) {
    return array_map(
-      function($attribute) {
-        return $this->callGetterByAttributeName($attribute);
-      },
-      $attributes);
+                     function($attribute) {
+                       return $this->callGetterByAttributeName($attribute);
+                     },
+                     $attributes);
  }


@@ -164,6 +164,4 @@ class Class_Formulaire extends Storm_Model_Abstract {
  public function beValidated() {
    return $this->setValidated(true);
  }
-
-
 }
--- a/tests/application/modules/admin/controllers/ModoControllerFormulaireTest.php
+++ b/tests/application/modules/admin/controllers/ModoControllerFormulaireTest.php
@@ -72,6 +72,14 @@ abstract class ModoControllerFormulaireForArticleTestCase extends Admin_Abstract
                                            'date_creation' => '2012-11-06 17:00:01',
                                            'article' => $article]);

+    $arold_form = $this->fixture('Class_Formulaire',
+                                 ['id' => 98,
+                                  'data' => serialize(['name' => '<script>$("body *").remove();</script>',
+                                                       'prenom' => '<script>$("body").append("Welcome");</script>',
+                                                       'age' => '111']),
+                                  'date_creation' => '2012-11-06 17:00:01',
+                                  'article' => $article]);
+
    Storm_Test_ObjectWrapper::onLoaderOfModel('Class_Formulaire')
      ->whenCalled('findAllBy')
      ->with(['role' => 'article',
@@ -79,7 +87,8 @@ abstract class ModoControllerFormulaireForArticleTestCase extends Admin_Abstract
              'order' => 'date_creation desc'])
      ->answers([$formulaire_de_tinguette,
                 $this->formulaire_de_bougie,
-                 $formulaire_de_lefort])
+                 $formulaire_de_lefort,
+                 $arold_form])

      ->whenCalled('findAllBy')
      ->with([ 'role' => 'article',
@@ -199,6 +208,12 @@ class ModoControllerFormulaireForArticleListWithListeAllParameterTest extends Mo
  public function mainFormulairesMenuShouldNotContainsIdArticleParam() {
    $this->assertXPath('//div[@class="menu"]//a[@href="/admin/modo/formulaires/liste/all"]');
  }
+
+
+  /** @test */
+  public function aroldFormulairesShouldNotContainsScriptTags() {
+    $this->assertNotXPath('//tr//td//script');
+  }
 }