Jump to:

10850 Posts in 2517 Topics by 1793 members

All other Modules

SilverStripe Forums » All other Modules » User Forms Uploaded File links not working (escaping)

Discuss all other Modules here.

Moderators: martimiz, Sean, biapar, Willr, Ingo, swaiba, simon_w

Page: 1
Go to End
Author Topic: 1147 Views
  • JonoM
    Avatar
    Community Member
    103 Posts

    User Forms Uploaded File links not working (escaping) Link to this post

    Hi, this is probably more of a bug report but I couldn't login at open.silverstripe.org (got given a readout of python/mysql errors)

    I downloaded and installed User Forms and I think it's AWESOME but I noticed that if you upload a file through a User Forms form it doesn't create a link to it when you're reviewing submissions in the CMS or reading the email that is generated - rather you can see the code for the link i.e. the email reads like this:

    Uploaded file
    <a href="assets/Uploads/tacsiweb2.jpg" title="assets/Uploads/tacsiweb2.jpg">tacsiweb2</a>

    I'm using SS 2.3.5 and User Forms v.0.2.1

    I assume the fields are escaped automatically but after having a look through the source code I wouldn't know where to start to prevent just that field from escaping it's value when it's written to an email or in the cms. Does anyone have a quick fix?

    Also - the date validation didn't seem to be working when I tried making a date field. I changed

    return new TextField( $this->Name, $this->Title, $this->Default);


    to

    return new DateField( $this->Name, $this->Title, $this->Default);

    in EditableDateField.php and it seems to work okay now.

    Thanks

    Attached Files
  • JonoM
    Avatar
    Community Member
    103 Posts

    Re: User Forms Uploaded File links not working (escaping) Link to this post

    Okay so I'm out of my depth but I changed the data type of "Value" in SubmittedFormField.php from Text to HTMLText as such

    class SubmittedFormField extends DataObject {
       
       static $db = array(
          "Name" => "Varchar",
          "Value" => "HTMLText",
          "Title" => "Varchar(255)"
       );
       
       static $has_one = array(
          "Parent" => "SubmittedForm"
       );

    }

    and line 521 of UserDefinedForm.php from

             else {
                if(isset($data[$field->Name])) $submittedField->Value = $data[$field->Name];
             }


    to

             else {
                if(isset($data[$field->Name])) $submittedField->Value = Convert::raw2xml($data[$field->Name]);
             }

    So that values are stored as escaped data rather than letting the template engine escape it when the values are rendered.

    So far it seems to be behaving how I want it to and makes the file link clickable while escaping other values. I'm not sure that I haven't opened up some security holes with the other field types that have the 'getValueFromData' method defined because I didn't change them but since they treat the data differently I'm hoping they're safe.

  • JonoM
    Avatar
    Community Member
    103 Posts

    Re: User Forms Uploaded File links not working (escaping) Link to this post

    Also to make the CSV export work with pre-escaped data I changed line 131 of SubmittedFormReportField.php from

    else $csvData .= '"'.str_replace('"', '\"', $row[$i]).'",';

    to

    else $csvData .= '"'.str_replace('"', '\"', Convert::xml2raw($row[$i])).'",';

    1147 Views
Page: 1
Go to Top

Want to know more about the company that brought you SilverStripe? Then check out SilverStripe.com

Comments on this website? Please give feedback.