User Forms Uploaded File links not working (escaping)




3 Posts   1247 Views

JonoM

Community Member, 103 Posts

19 February 2010 at 7:42pm

Edited: 19/02/2010 7:42pm

Hi, this is probably more of a bug report but I couldn't log in at open.silverstripe.org (got given a readout of python/mysql errors).

I downloaded and installed User Forms and I think it's AWESOME but I noticed that if you upload a file through a User Forms form it doesn't create a link to it when you're reviewing submissions in the CMS or reading the email that is generated - rather you can see the code for the link i.e. the email reads like this:

Uploaded file
<a href="assets/Uploads/tacsiweb2.jpg" title="assets/Uploads/tacsiweb2.jpg">tacsiweb2</a>

I'm using SS 2.3.5 and User Forms v.0.2.1

I assume the fields are escaped automatically but after having a look through the source code I wouldn't know where to start to prevent just that field from escaping its value when it's written to an email or in the CMS. Does anyone have a quick fix?

Also - the date validation didn't seem to be working when I tried making a date field. I changed

return new TextField( $this->Name, $this->Title, $this->Default);


to

return new DateField( $this->Name, $this->Title, $this->Default);

in EditableDateField.php and it seems to work okay now.

Thanks

JonoM

Community Member, 103 Posts

22 February 2010 at 4:39pm

Okay so I'm out of my depth but I changed the data type of "Value" in SubmittedFormField.php from Text to HTMLText as such

class SubmittedFormField extends DataObject {
   
   static $db = array(
      "Name" => "Varchar",
      "Value" => "HTMLText",
      "Title" => "Varchar(255)"
   );
   
   static $has_one = array(
      "Parent" => "SubmittedForm"
   );

}

and line 521 of UserDefinedForm.php from

         else {
            if(isset($data[$field->Name])) $submittedField->Value = $data[$field->Name];
         }


to

         else {
            if(isset($data[$field->Name])) $submittedField->Value = Convert::raw2xml($data[$field->Name]);
         }

So that values are stored as escaped data rather than letting the template engine escape it when the values are rendered.

So far it seems to be behaving how I want it to and makes the file link clickable while escaping other values. I'm not sure that I haven't opened up some security holes with the other field types that have the 'getValueFromData' method defined because I didn't change them but since they treat the data differently I'm hoping they're safe.

JonoM

Community Member, 103 Posts

22 February 2010 at 4:55pm

Also to make the CSV export work with pre-escaped data I changed line 131 of SubmittedFormReportField.php from

else $csvData .= '"'.str_replace('"', '\"', $row[$i]).'",';

to

else $csvData .= '"'.str_replace('"', '\"', Convert::xml2raw($row[$i])).'",';
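
An alternative to storing pre-escaped values, shown as an added example that is not part of the posts above or of the User Forms code: keep stored values raw and escape at render time according to field type, so only the upload field produces a link and no field type depends on having been escaped when it was written. It is plain PHP with no SilverStripe calls; the function names and sample rows are constructed for illustration, and the upload path is assumed to be generated by the server.

```php
<?php
// Added example in plain PHP; not SilverStripe or User Forms code.
// Function names and sample values are hypothetical.

// Escape a raw value for HTML text or a quoted attribute.
function esc(string $raw): string {
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render one submitted field. Values are stored raw; the field type
// decides the markup, and every submitted part is escaped here.
function renderSubmittedValue(string $type, string $raw): string {
    if ($type === 'file') {
        // The <a> tag is ours; only the path and label come from the upload.
        $label = pathinfo($raw, PATHINFO_FILENAME);
        return '<a href="' . esc($raw) . '" title="' . esc($raw) . '">'
             . esc($label) . '</a>';
    }
    // Every other field type is treated as text, whatever code path wrote it.
    return esc($raw);
}

// CSV export reads the raw value, so no un-escaping step is needed.
// Quotes are doubled (RFC 4180 style) rather than backslash-escaped.
function csvCell(string $raw): string {
    return '"' . str_replace('"', '""', $raw) . '"';
}

// Constructed sample submissions: [field type, stored raw value].
$rows = [
    ['file', 'assets/Uploads/tacsiweb2.jpg'],
    ['text', 'Tom & "Jerry"'],
    ['text', '<script>alert(1)</script>'],           // markup typed into a text field
    ['file', 'assets/Uploads/a"onmouseover="x.jpg'], // quote characters in a file name
];

foreach ($rows as [$type, $raw]) {
    echo renderSubmittedValue($type, $raw), "\n"; // HTML for the email or CMS view
    echo csvCell($raw), "\n";                     // cell for the CSV export
}
```

With this layout the first row renders as the clickable link from the first post, while the markup in the third and fourth rows comes out as inert text and a safely quoted attribute.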