User Forms Uploaded File links not working (escaping)


JonoM

19 February 2010 at 7:42pm (Last edited: 19 February 2010 7:42pm), Community Member, 103 Posts

Hi, this is probably more of a bug report but I couldn't log in at open.silverstripe.org (got given a readout of python/mysql errors).

I downloaded and installed User Forms and I think it's AWESOME but I noticed that if you upload a file through a User Forms form it doesn't create a link to it when you're reviewing submissions in the CMS or reading the email that is generated - rather you can see the code for the link i.e. the email reads like this:

Uploaded file
<a href="assets/Uploads/tacsiweb2.jpg" title="assets/Uploads/tacsiweb2.jpg">tacsiweb2</a>

I'm using SS 2.3.5 and User Forms v.0.2.1

I assume the fields are escaped automatically, but after having a look through the source code I wouldn't know where to start to prevent just that field from escaping its value when it's written to an email or in the CMS. Does anyone have a quick fix?

Also - the date validation didn't seem to be working when I tried making a date field. I changed

return new TextField( $this->Name, $this->Title, $this->Default);


to

return new DateField( $this->Name, $this->Title, $this->Default);

in EditableDateField.php and it seems to work okay now.

Thanks

JonoM

22 February 2010 at 4:39pm Community Member, 103 Posts

Okay so I'm out of my depth but I changed the data type of "Value" in SubmittedFormField.php from Text to HTMLText as such

class SubmittedFormField extends DataObject {
   
   static $db = array(
      "Name" => "Varchar",
      "Value" => "HTMLText",
      "Title" => "Varchar(255)"
   );
   
   static $has_one = array(
      "Parent" => "SubmittedForm"
   );

}

and line 521 of UserDefinedForm.php from

         else {
            if(isset($data[$field->Name])) $submittedField->Value = $data[$field->Name];
         }


to

         else {
            if(isset($data[$field->Name])) $submittedField->Value = Convert::raw2xml($data[$field->Name]);
         }

So that values are stored as escaped data rather than letting the template engine escape it when the values are rendered.

So far it seems to be behaving how I want it to and makes the file link clickable while escaping other values. I'm not sure that I haven't opened up some security holes with the other field types that have the 'getValueFromData' method defined because I didn't change them but since they treat the data differently I'm hoping they're safe.

JonoM

22 February 2010 at 4:55pm Community Member, 103 Posts

Also to make the CSV export work with pre-escaped data I changed line 131 of SubmittedFormReportField.php from

else $csvData .= '"'.str_replace('"', '\"', $row[$i]).'",';

to

else $csvData .= '"'.str_replace('"', '\"', Convert::xml2raw($row[$i])).'",';
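
The following is an added example, not part of the thread and not User Forms code. It models the trade-off raised in the second and third posts: once "Value" is HTMLText, any save path that skips escaping is rendered as markup, and exports have to undo the escaping. The raw2xml()/xml2raw() stand-ins, the storedValue() model and the 'checkboxset' type name are assumptions made for illustration.

```php
<?php
// Stand-ins for Convert::raw2xml() / Convert::xml2raw() (assumed: plain entity encoding).
function raw2xml(string $v): string { return htmlspecialchars($v, ENT_QUOTES, 'UTF-8'); }
function xml2raw(string $v): string { return htmlspecialchars_decode($v, ENT_QUOTES); }

// Hypothetical model of the save step: what ends up in the HTMLText "Value" column.
function storedValue(string $type, string $raw, array $escapedTypes): string {
    if ($type === 'file') {
        // The one value meant to hold markup: built server-side from escaped parts.
        $path  = raw2xml('assets/Uploads/' . basename($raw));
        $label = raw2xml(pathinfo($raw, PATHINFO_FILENAME));
        return '<a href="' . $path . '" title="' . $path . '">' . $label . '</a>';
    }
    // Types missing from $escapedTypes model save paths that were left unpatched.
    return in_array($type, $escapedTypes, true) ? raw2xml($raw) : $raw;
}

// True if submitter-controlled markup would reach the page unescaped.
function rendersUserMarkup(string $type, array $escapedTypes): bool {
    $probe = '<i>probe';  // constructed, harmless marker
    $input = $type === 'file' ? $probe . '.jpg' : $probe;
    return strpos(storedValue($type, $input, $escapedTypes), '<i>') !== false;
}

// Constructed scenario: only the patched else-branch escapes its input.
$escapedTypes = ['text'];
foreach (['text', 'file', 'checkboxset'] as $type) {
    printf("%-12s %s\n", $type, rendersUserMarkup($type, $escapedTypes) ? 'UNESCAPED' : 'ok');
}

// The CSV export has to reverse the storage escaping, as in the third post.
$stored = storedValue('text', 'Tom & "Jerry"', $escapedTypes);
echo $stored, "\n";
echo xml2raw($stored), "\n";
```

Running the same probe against each real field type after switching the column to HTMLText shows which save paths still need escaping.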