authorDaniel Braksator2012-02-08 05:55:21 (GMT)
committer Daniel Braksator2012-02-08 05:55:21 (GMT)
commit58443aa63138579a5a15770bb719960959041f23 (patch)
tree08314bebf260becf9be6cb67fc93e28dcd516df9
parent758fcf9378fb37e731df683e9aeb9448c09c97af (diff)
Issue #M7G677 by danielb: Beyond the night, a rising sun. Beyond the night a battle's won. A battle's won.7.x-2.0-alpha8
-rwxr-xr-xfinder.install1
-rw-r--r--includes/build.inc30
-rw-r--r--includes/theme.inc6
-rw-r--r--modules/finder_ui/includes/field.inc47
-rw-r--r--plugins/element_handler/autocomplete.inc4
5 files changed, 80 insertions, 8 deletions
diff --git a/finder.install b/finder.install
index 171e814..b1d38d6 100755
--- a/finder.install
+++ b/finder.install
@@ -450,6 +450,7 @@ function finder_update_7203() {
'table' => $table,
'field' => $field_name,
'relationship' => NULL,
+ 'format' => isset($element->settings['choices']['sanitization']['format']) ? $element->settings['choices']['sanitization']['format'] : 'filter_xss',
);
if (isset($relationships[$field])) {
$new_field->relationship = $relationships[$field];
diff --git a/includes/build.inc b/includes/build.inc
index 8f8169c..e39d721 100644
--- a/includes/build.inc
+++ b/includes/build.inc
@@ -235,6 +235,7 @@ function finder_build_style_render(&$style_plugin) {
foreach ($records as $label => $row) {
if ($mode == 'choices') {
foreach ($field_info[$element->id] as $key => $field) {
+ $format = isset($field->format) ? $field->format : 'filter_xss';
foreach (array_keys($field->field_alias) as $delta) {
// If there is no match field, or if there is and it's set.
if (!isset($field->field_matched[$delta]) || (!empty($field->field_matched[$delta]) && !empty($row->{$field->field_matched[$delta]}))) {
@@ -255,7 +256,7 @@ function finder_build_style_render(&$style_plugin) {
$display = finder_eval($finder->esetting($element, 'choices_rewrite'), $variables);
}
- $results[$value] = $display;
+ $results[$value] = finder_sanitize($display, $format);
$style_plugin->view->row_index++;
}
}
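Review bot: The `finder_sanitize()` call on `$results[$value]` becomes the only filtering applied before `drupal_json_output()` in the autocomplete handler, because the per-choice `filter_xss()` loop in `finder_autocomplete_autocomplete()` is dropped in the same commit, and this line sits inside the `$mode == 'choices'` branch of `finder_build_style_render()`, which starts before this hunk. If `$finder->find['results']` can be populated by another path (a non-choices mode or a cached result set), those values would now reach the JSON unfiltered; worth confirming. A comment on this line would keep that dependency visible: `// Single point of sanitization: the autocomplete JSON relies on these being filtered.`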
@@ -370,3 +371,30 @@ function finder_alias($type, $eid, $table = NULL, $field = NULL, $delta = NULL)
return 'finder_' . $type . '_' . $alias;
}
+/**
+ * Sanitize a finder choice.
+ *
+ * @param $option
+ * The option object with unsanitized display field.
+ * @param $filter
+ * The filter to use.
+ * @return
+ * The option object with sanitized display field.
+ */
+function finder_sanitize($option, $filter = 'filter_xss') {
+ switch ($filter) {
+ case 'filter_xss':
+ case 'filter_xss_admin':
+ case 'check_plain':
+ case 'check_url':
+ $option = $filter($option);
+ break;
+ default:
+ $option = check_markup($option, $filter, FALSE);
+ }
+ return $option;
+}
+
+
+
+
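Review bot: The docblock of `finder_sanitize()` describes `$option` as "the option object with unsanitized display field", but the body hands it directly to `filter_xss()`, `check_plain()`, `check_url()` or `check_markup()`, so it is a string; suggest `@param $option The unsanitized string to be output in HTML.` and `@return The sanitized string.` In `check_markup($option, $filter, FALSE)` the third positional argument is, if this targets Drupal 7's `check_markup($text, $format_id = NULL, $langcode = '', $cache = FALSE)`, the language code rather than the cache flag, so `check_markup($option, $filter)` expresses the intent without the stray FALSE. The default branch also accepts any `$filter` string unchecked; a format that has since been disabled or deleted is, in Drupal 7, logged as a missing format by `check_markup()` and rendered as an empty string, so `default: $option = filter_format_load($filter) ? check_markup($option, $filter) : filter_xss($option);` would degrade to the safe default instead of blanking the result. The four trailing blank lines after the closing brace can go.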
diff --git a/includes/theme.inc b/includes/theme.inc
index d2d504c..0bc6abc 100644
--- a/includes/theme.inc
+++ b/includes/theme.inc
@@ -78,7 +78,11 @@ function theme_finder_results($variables) {
// stored as an array, so we always act as though they were multiple.
foreach (array_keys($field->field_alias) as $delta) {
if (!empty($result->{$field->field_alias[$delta]})) {
- $values[] = $result->{$field->field_alias[$delta]};
+ // Use finder_sanitize() when outputting a result item in HTML,
+ // especially if the expected value is user-supplied. You can of
+ // course just hard code other sanitization techniques:
+ // http://api.drupal.org/api/drupal/includes--common.inc/group/sanitization/7
+ $values[] = finder_sanitize($result->{$field->field_alias[$delta]}, $field->format);
}
}
// Output the values separated by a comma.
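Review bot: `$field->format` is passed to `finder_sanitize()` without the `isset()` guard that `finder_build_style_render()` applies to the same property elsewhere in this commit; for a stored field that lacks `format`, PHP emits an undefined-property notice and `finder_sanitize()` receives NULL, which matches none of the named cases and reaches `check_markup()` with a NULL format rather than the intended `filter_xss` default (a parameter default only applies when the argument is omitted). Suggest `$values[] = finder_sanitize($result->{$field->field_alias[$delta]}, isset($field->format) ? $field->format : 'filter_xss');`. The enclosing `theme_finder_results()` begins before this hunk.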
diff --git a/modules/finder_ui/includes/field.inc b/modules/finder_ui/includes/field.inc
index 049ce1e..b00d0be 100644
--- a/modules/finder_ui/includes/field.inc
+++ b/modules/finder_ui/includes/field.inc
@@ -45,6 +45,7 @@ function finder_ui_field_page($finder, $feid, $field_key, $js) {
$element = &$finder->elements[$feid];
$field_key = $form_state['values']['field'];
$relationship = $form_state['values']['relationship'];
+ $format = $form_state['values']['format'];
list($table, $field) = explode('.', $field_key);
@@ -52,6 +53,7 @@ function finder_ui_field_page($finder, $feid, $field_key, $js) {
'table' => $table,
'field' => $field,
'relationship' => $relationship,
+ 'format' => $format,
);
ctools_object_cache_set('finder', $finder->name, $finder);
@@ -148,10 +150,51 @@ function finder_ui_field_form($form, &$form_state) {
);
}
- if ($field_key != 'new' && empty($relationships)) {
- $form['no_config']['#markup'] = t('There is nothing to configure for this field.');
+ $form['sanitization'] = array(
+ '#type' => 'fieldset',
+ '#title' => t('Sanitization'),
+ '#description' => t('No piece of user-submitted content should ever be placed as-is into HTML.'),
+ '#collapsible' => TRUE,
+ '#collapsed' => TRUE,
+ );
+
+ $format_options = array(
+ 'filter_xss' => t('Filter XSS') . theme('filter_tips', array('tips' => array(array(
+ array('tip' => t('Filters HTML to prevent cross-site-scripting (XSS) vulnerabilities.')),
+ array('tip' => t('Allowed HTML tags') . check_plain(': <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>')),
+ array('tip' => '<strong>' . t('Recommended for finder fields that contain only plain values or the above HTML tags.') . '</strong>')
+ ))), FALSE),
+ 'filter_xss_admin' => t('Filter XSS permissive') . theme('filter_tips', array('tips' => array(array(
+ array('tip' => t('Allows all tags that can be used inside an HTML body, save for scripts and styles.')),
+ array('tip' => '<strong>' . t('Recommended for finder fields that contain HTML.') . '</strong>')
+ ))), FALSE),
+ 'check_plain' => t('Check plain') . theme('filter_tips', array('tips' => array(array(
+ array('tip' => t('Encodes special characters in a plain-text string for display as HTML.')),
+ array('tip' => '<strong>' . t('Approved for finder fields that contain only plain values.') . '</strong>')
+ ))), FALSE),
+ 'check_url' => t('Check URL') . theme('filter_tips', array('tips' => array(array(
+ array('tip' => t('Strips dangerous protocols from a URI and encodes it for output to HTML.')),
+ array('tip' => '<strong>' . t('Approved for finder fields where the value is a URL.') . '</strong>')
+ ))), FALSE),
+ );
+ $filter_formats = filter_formats();
+ foreach ($filter_formats as $filter_format) {
+ $tips = _filter_tips($filter_format->format, FALSE);
+ $tips[$filter_format->name]['finder'] = array('tip' => t('Not pre-approved for finder fields, use with caution.'));
+ $format_options[$filter_format->format] = $filter_format->name . theme('filter_tips', array('tips' => $tips));
}
+ $form['sanitization']['format'] = array(
+ '#type' => 'radios',
+ '#title' => t('Sanitization filter'),
+ '#default_value' => !empty($field->format) ? $field->format : 'filter_xss',
+ '#options' => $format_options,
+ );
+
+ //if ($field_key != 'new' && empty($relationships)) {
+ // $form['no_config']['#markup'] = t('There is nothing to configure for this field.');
+ //}
+
// Add buttons.
$form['actions']['submit'] = array(
'#type' => 'submit',
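Review bot: `filter_formats()` in the sanitization fieldset is called without an account, so the radios offer every enabled text format, including permissive ones such as a site's Full HTML, to whoever can edit the finder, irrespective of whether that user is allowed to use the format anywhere else; if finder configuration is granted to a role that is not also trusted with those formats, `filter_formats($GLOBALS['user'])` (Drupal 7 filters the list by account) keeps the choice within what the editor may use, and the default-branch `check_markup()` then only runs formats an administrator was entitled to pick. The commented-out `no_config` block below the radios should be deleted rather than kept as commented code; version control retains it. The enclosing `finder_ui_field_form()` continues past the hunk.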
diff --git a/plugins/element_handler/autocomplete.inc b/plugins/element_handler/autocomplete.inc
index 50a1976..bb2f132 100644
--- a/plugins/element_handler/autocomplete.inc
+++ b/plugins/element_handler/autocomplete.inc
@@ -364,10 +364,6 @@ function finder_autocomplete_autocomplete($finder_name, $element_id, $keywords =
$finder->find();
$choices = !empty($finder->find['results']) ? $finder->find['results'] : array();
- foreach (array_keys($choices) as $autofill) {
- $choices[$autofill] = filter_xss($choices[$autofill]);
- }
-
drupal_json_output($choices);
}