User Forms Uploaded File links not working (escaping)

JonoM

Community Member, 130 Posts

19 February 2010 at 7:42pm

Edited: 19/02/2010 7:42pm

Hi, this is probably more of a bug report but I couldn't log in at open.silverstripe.org (got given a readout of python/mysql errors).

I downloaded and installed User Forms and I think it's AWESOME but I noticed that if you upload a file through a User Forms form it doesn't create a link to it when you're reviewing submissions in the CMS or reading the email that is generated - rather you can see the code for the link i.e. the email reads like this:

Uploaded file
<a href="/assets/Uploads/tacsiweb2.jpg" title="assets/Uploads/tacsiweb2.jpg">tacsiweb2</a>

I'm using SS 2.3.5 and User Forms v.0.2.1

I assume the fields are escaped automatically, but after having a look through the source code I wouldn't know where to start to prevent just that field from escaping its value when it's written to an email or in the CMS. Does anyone have a quick fix?

Also - the date validation didn't seem to be working when I tried making a date field. I changed

return new TextField( $this->Name, $this->Title, $this->Default);

to
return new DateField( $this->Name, $this->Title, $this->Default);

in EditableDateField.php and it seems to work okay now.

Thanks

JonoM

Community Member, 130 Posts

22 February 2010 at 4:39pm

Okay so I'm out of my depth but I changed the data type of "Value" in SubmittedFormField.php from Text to HTMLText as such

class SubmittedFormField extends DataObject {
	
	static $db = array(
		"Name" => "Varchar",
		"Value" => "HTMLText",
		"Title" => "Varchar(255)"
	);
	
	static $has_one = array(
		"Parent" => "SubmittedForm"
	);

}

and line 521 of UserDefinedForm.php from

			else {
				if(isset($data[$field->Name])) $submittedField->Value = $data[$field->Name];
			}

to
			else {
				if(isset($data[$field->Name])) $submittedField->Value = Convert::raw2xml($data[$field->Name]);
			}

So that values are stored as escaped data rather than letting the template engine escape it when the values are rendered.

So far it seems to be behaving how I want it to and makes the file link clickable while escaping other values. I'm not sure that I haven't opened up some security holes with the other field types that have the 'getValueFromData' method defined, because I didn't change them, but since they treat the data differently I'm hoping they're safe.

JonoM

Community Member, 130 Posts

22 February 2010 at 4:55pm

Also to make the CSV export work with pre-escaped data I changed line 131 of SubmittedFormReportField.php from

else $csvData .= '"'.str_replace('"', '\"', $row[$i]).'",';

to

else $csvData .= '"'.str_replace('"', '\"', Convert::xml2raw($row[$i])).'",';
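
Added example, not part of the original thread and not User Forms code: a plain-PHP model of the store-time escaping approach described in the posts above, showing why every code path that writes to an HTML-typed column has to escape, and why the CSV export has to decode again. Assumptions: htmlspecialchars() and html_entity_decode() stand in for Convert::raw2xml() and Convert::xml2raw(), the function names and field type names are hypothetical, and the sample submissions are constructed.

```php
<?php
// Stand-in for Convert::raw2xml() (assumption).
function esc(string $raw): string {
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Store-time policy from the thread: the column is rendered as HTML, so every
// writer must hand it markup-safe text.
function storeValue(string $type, string $raw): string {
    switch ($type) {
        case 'file':
            // Markup built by the application; the untrusted filename is
            // escaped in both the attribute and the link text.
            $name = basename($raw);
            return '<a href="' . esc('/assets/Uploads/' . $name) . '">' . esc($name) . '</a>';
        case 'text':
            return esc($raw); // the patched else-branch
        default:
            // A field type with its own value handling that was not patched:
            // raw input reaches the HTML-rendered column unescaped.
            return $raw;
    }
}

// An HTML-typed value is emitted by the template exactly as stored.
function renderHtml(string $stored): string {
    return $stored;
}

// CSV wants the raw text back, so decode before quoting. Quotes are doubled
// here (RFC 4180 style) rather than backslash-escaped as in the thread.
function csvCell(string $stored): string {
    $raw = html_entity_decode($stored, ENT_QUOTES, 'UTF-8'); // stand-in for Convert::xml2raw()
    return '"' . str_replace('"', '""', $raw) . '"';
}

// Constructed sample submissions: [field type, submitted value].
$samples = [
    ['text', 'Tom & "Jerry" <b>bold</b>'],
    ['file', 'tacsiweb2.jpg'],
    ['checkboxes', '<script>alert(1)</script>'], // takes the unpatched path
];
foreach ($samples as [$type, $raw]) {
    $html = renderHtml(storeValue($type, $raw));
    // Crude check for this demo only: did live script markup survive to output?
    $verdict = stripos($html, '<script') === false ? 'ok' : 'UNSAFE';
    printf("%-10s %-6s html=%s  csv=%s\n", $type, $verdict, $html, csvCell($html));
}
```

The third sample is the case the second post worries about: once the column type stops the template from escaping, any field type whose value bypasses the patched branch is rendered as live markup in the CMS and in the email.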