Escape HTML by default in dropdown and toast (#2267)
mvorisek authored Mar 8, 2025
1 parent dec9546 commit 6cce1b3
Showing 16 changed files with 922 additions and 1,804 deletions.
2 changes: 1 addition & 1 deletion demos/form-control/tree-item-selector.php
Expand Up @@ -60,7 +60,7 @@
$control->set([201, 301, 503]);

$control->onItem(static function (array $values) use ($pathFromIdFx, $items) {
return new JsToast('Selected: ' . implode(',<br>', array_map(static fn ($v) => $pathFromIdFx($items, $v), $values)));
return new JsToast('Selected: ' . implode(', ', array_map(static fn ($v) => $pathFromIdFx($items, $v), $values)));
});

$control = $form->addControl('tree1', [Form\Control\TreeItemSelector::class, 'treeItems' => $items, 'allowMultiple' => false, 'caption' => 'Single selection:']);
2 changes: 1 addition & 1 deletion demos/form/form-section.php
Expand Up @@ -25,7 +25,7 @@

return new JsToast([
'title' => 'POSTed field values',
'message' => '<pre>' . $form->getApp()->encodeJson($form->entity->get()) . '</pre>',
'message' => $form->getApp()->encodeJson(array_diff_key($form->entity->get(), [$form->entity->idField => true])),
'class' => 'success',
'displayTime' => 5000,
]);
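Review bot: The new `message` line also removes the entity's id field via `array_diff_key`, which is a behaviour change unrelated to HTML escaping and not covered by the commit title; it deserves a comment such as `// the id is not a POSTed field value, so keep it out of the dump` or a separate commit. Dropping the `<pre>` wrapper is consistent with the toast now escaping HTML, but if `encodeJson` pretty-prints, the line breaks will now collapse in the rendered toast, so the output is worth checking visually. The closure containing this `return` starts before the hunk.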
4 changes: 2 additions & 2 deletions demos/form/form.php
Expand Up @@ -69,11 +69,11 @@
$form->buttonSave->set('Compare Date');

$form->onSubmit(static function (Form $form) {
$message = 'field = ' . print_r($form->entity->get('field'), true) . '; <br> control = ' . print_r($form->entity->get('control'), true);
$messageHtml = 'field = ' . print_r($form->entity->get('field'), true) . '; <br> control = ' . print_r($form->entity->get('control'), true);
$view = new Message('Date field vs control:');
$view->setApp($form->getApp());
$view->invokeInit();
$view->text->dangerouslyAddHtml($message);
$view->text->dangerouslyAddHtml($messageHtml);

return $view;
});
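Review bot: Renaming `$message` to `$messageHtml` makes the raw-HTML contract explicit, but the two `print_r` dumps, which are built from the submitted entity values, are still concatenated into that HTML unescaped and handed to `dangerouslyAddHtml`. Only the literal `<br>` needs to stay HTML, so escape each dump: `$messageHtml = 'field = ' . htmlspecialchars(print_r($form->entity->get('field'), true), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '; <br> control = ' . htmlspecialchars(print_r($form->entity->get('control'), true), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. The values are presumably date-typed here, so the practical exposure is small, but demos are the pattern that gets copied.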
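--- a/js/src/JqueryPlugin/ConfirmPlugin.js
+++ b/js/src/JqueryPlugin/ConfirmPlugin.js
@@ -44,6 +44,7 @@ export default class AtkConfirmPlugin extends AbstractPlugin {
 }
 
 getDialogHtml(message) {
+// TODO: HTML escape
 return `
 <div class=" content">${message}</div>
 <div class="actions">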
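Review bot: The added `// TODO: HTML escape` records the gap but leaves `message` interpolated as raw HTML with no statement of what callers may pass, so callers will keep relying on the unescaped behaviour until the TODO is resolved. Make the interim contract explicit, e.g. `// TODO: HTML escape - until then, message is inserted as raw HTML and must be pre-escaped by the caller`. The same applies to the TODOs added in CreateModalPlugin.getDialogHtml, apiService.getErrorHtml and modalService.getLoaderHtml.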
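--- a/js/src/JqueryPlugin/CreateModalPlugin.js
+++ b/js/src/JqueryPlugin/CreateModalPlugin.js
@@ -28,6 +28,7 @@ export default class AtkCreateModalPlugin extends AbstractPlugin {
 }
 
 getDialogHtml(title) {
+// TODO: HTML escape
 return `<i class="close icon"></i>
 ` + (title ? `<div class="${this.settings.headerClass}">${title}</div>
 ` : '') + `<div class="${this.settings.contentClass} content atk-dialog-content">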
2 changes: 1 addition & 1 deletion js/src/JqueryPlugin/JsSortablePlugin.js
Expand Up @@ -107,7 +107,7 @@ export default class AtkJsSortablePlugin extends AbstractPlugin {
}

injectStyles(style) {
$('head').append('<style>' + style + '</style>');
$('head').append('<style>' + style + '</style>'); // TODO: prevent HTML injection
}
}

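Review bot: The TODO on `injectStyles` can be resolved on the same line instead of deferred: building the tag by string concatenation lets a `</style>` sequence inside `style` terminate the element, whereas setting the element's text node never runs the value through the HTML parser: `$('head').append($('<style>').text(style));`. If `style` only ever comes from the plugin's own settings this is defence in depth rather than a live issue, but it is no more code than the comment.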
7 changes: 4 additions & 3 deletions js/src/Service/apiService.js
Expand Up @@ -232,12 +232,13 @@ class ApiService {
m.data('needRemove', true).modal().modal('show');
}

getErrorHtml(titleHtml, messageHtml) {
getErrorHtml(title, message) {
// TODO: HTML escape
return `<div class="ui negative icon message" style="margin: 0px;">
<i class="warning sign icon"></i>
<div class="content">
<div class="header">${titleHtml}</div>
<div>${messageHtml}</div>
<div class="header">${title}</div>
<div>${message}</div>
</div>
</div>`;
}
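Review bot: Renaming the parameters from `titleHtml`/`messageHtml` to `title`/`message` while the template still interpolates them unescaped makes the signature say the opposite of what the body does; a caller reading `getErrorHtml(title, message)` will now assume plain text is safe to pass. Either keep the `Html` suffix until the escaping is implemented, or resolve the TODO in this commit rather than renaming ahead of it. The method is fully inside the hunk.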
2 changes: 1 addition & 1 deletion js/src/Service/modalService.js
Expand Up @@ -141,7 +141,7 @@ class ModalService {

getLoaderHtml(loaderText) {
return '<div class="ui active inverted dimmer">'
+ '<div class="ui text loader">' + loaderText + '</div>'
+ '<div class="ui text loader">' + loaderText + '</div>' // TODO: HTML escape
+ '</div>';
}
}