Commit 1de3c188 authored by Carsten  Rose's avatar Carsten Rose

Refs #12636. Add doc. Add unit tests. Fix some bugs with 'single tick'...

Refs #12636. Add doc. Add unit tests. Fix some bugs with 'single tick' replacement. New: double ticks in attributes are replaced by ''' - this guarantees that there are no more single ticks saved and the code is valid to be reused as variable inside QFQ Report.
parent 315e128b
Pipeline #5324 passed with stages
in 4 minutes and 10 seconds
......@@ -1547,15 +1547,17 @@ Type: editor
* TinyMCE (https://www.tinymce.com, community edition) is used as the QFQ Rich Text Editor.
* The content will be saved as HTML code in the database.
* *FormElement.encode*
* *none*: No encoding at all. Might produce problems with single ticks if the content is reprocessed by QFQ variables.
* *specialchar*: For Editor, this is not useful at all! All HTML tags will be HTML entity encoded. The tags loose their HTML meaning!
* *single tick*: **Recommended** for Editor. Single ticks will be HTML entity converted where possible.
.. important::
*FormElement.encode*: To save HTML code, incl. HTML tags (bold, table, lists, ...), the **htmspecialchar**
encoding can't be used, cause the HTML tags loose their meaning. Therefore **single tick** or **none** is necessary.
* *FormElement.checktype*
* *all*: The only useful setting for Editor. HTML tags might contain % ' " < > and so on. This is **dangerous** for malicous code! There is no other option.
* *all*: The only useful setting for Editor. HTML tags might contain ``% ' " < >`` and so on. This is **dangerous**
due of potential inserted malicous code! But there is no other option, cause the HTML tags are required.
* All configuration and plugins will be configured via the 'parameter' field. Just prepend the word 'editor-' in front
of each TinyMCE keyword. Check possible options under:
......
......@@ -511,6 +511,19 @@ class OnString {
}
/**
* Replaces single tick in a HTML code by html entity
* or if a attribute is quoted with single tick convert the attribute to double quoted.
* If there is a double quote in single tick quoted attribute, it's replaced by '&quot;'.
*
* Content (outside of an HTML tag): single ticks will be replaced by '&apos;':
* <b>John's</b> >> <b>John&apos;s</b>
*
* HTML tag attribute: A single tick quoted attribute will be converted to a double tick quoted attribute.
* <img title='Moon'> >> <img title="Moon">
*
* HTML tag attribute: A single ticks in a double tick quoted string will be replaced by '&apos;'
* <img title='echo "hello"'> >> <img title="echo &quot;hello&quot;'>
*
* @param $line
* @return string
*/
......@@ -520,7 +533,6 @@ class OnString {
$flagAttributeStartSingleTick = false;
$flagAttributeStartDoubleTick = false;
$flagAttributeStarted = false;
$flagDoubleTickInAttribute = false;
$posStartSingleTick = null;
$new = '';
......@@ -532,11 +544,9 @@ class OnString {
// HTML tag ends here: close all open flags
$flagTag = false;
$flagAttribute = false;
$flagDoubleTickInAttribute = false;
$flagAttributeStartSingleTick = false;
$flagAttributeStartDoubleTick = false;
$flagAttributeStarted = false;
$flagDoubleTickInAttribute = false;
$posStartSingleTick = null;
break;
......@@ -556,11 +566,9 @@ class OnString {
// Space after start attribute and no quotes used, means: attribute ends here.
if ($flagTag && $flagAttribute && $flagAttributeStarted && !$flagAttributeStartSingleTick && !$flagAttributeStartDoubleTick) {
$flagAttribute = false;
$flagDoubleTickInAttribute = false;
$flagAttributeStartSingleTick = false;
$flagAttributeStartDoubleTick = false;
$flagAttributeStarted = false;
$flagDoubleTickInAttribute = false;
$posStartSingleTick = null;
}
break;
......@@ -583,17 +591,12 @@ class OnString {
$flagAttribute = false;
$flagAttributeStarted = false;
if (!$flagDoubleTickInAttribute) {
// No double tick found: single ticks can be replaced by double tick
$new[$posStartSingleTick] = '"';
$new .= '"';
continue 2;
}
$flagDoubleTickInAttribute = false;
break;
}
if ($flagAttributeStartDoubleTick) {
// Single tick inside a double tick quoted attribute: can be replaced
$new .= '&apos;';
......@@ -624,8 +627,9 @@ class OnString {
break;
}
if ($flagAttributeStartSingleTick) {
$flagDoubleTickInAttribute = true;
break;
// Double tick quoted by singe tick: replace by &quot;
$new .= '&quot;';
continue 2;
}
}
}
......
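Review bot: The third docblock example in the first hunk is mislabelled and its output is malformed: the heading says `A single ticks in a double tick quoted string will be replaced by '&apos;'`, but the example input `<img title='echo "hello"'>` is a single-tick-quoted attribute containing double ticks, and the shown result ends in `'>` where `">` is intended; it should read `* HTML tag attribute: Double ticks inside a single tick quoted attribute are replaced by '&quot;' and the attribute is converted to double tick quoted:` followed by `* <img title='echo "hello"'> >> <img title="echo &quot;hello&quot;">`. The new comment in the last hunk has a typo and should be `// Double tick quoted by single tick: replace by &quot;`. Separately, the `>` branch in the third hunk clears `$posStartSingleTick` without rewriting `$new[$posStartSingleTick]`, so an attribute whose opening single tick is never closed before `>` appears to keep its literal tick in the output, which would undercut the commit message's guarantee that no single ticks remain; the rest of escapeSingleTickInHtml's state machine lies outside these hunks, so this should be confirmed against the full function.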
......@@ -260,23 +260,28 @@ class OnStringTest extends TestCase {
$this->assertEquals("<b title= \"te&apos;st\">hel&apos;lo</b>", OnString::escapeSingleTickInHtml("<b title= \"te'st\">hel'lo</b>"));
$this->assertEquals("<b title= \"te&apos;st\" >hel&apos;lo</b>", OnString::escapeSingleTickInHtml("<b title= \"te'st\" >hel'lo</b>"));
$this->assertEquals("<b title='te\"st'>hel&apos;lo</b>", OnString::escapeSingleTickInHtml("<b title='te\"st'>hel'lo</b>"));
$this->assertEquals("<b title= 'te\"st'>hel&apos;lo</b>", OnString::escapeSingleTickInHtml("<b title= 'te\"st'>hel'lo</b>"));
$this->assertEquals("<b title= 'te\"st' >hel&apos;lo</b>", OnString::escapeSingleTickInHtml("<b title= 'te\"st' >hel'lo</b>"));
$this->assertEquals("<b title=\"te&quot;st\">hel&apos;lo</b>", OnString::escapeSingleTickInHtml("<b title='te\"st'>hel'lo</b>"));
$this->assertEquals("<b title= \"te&quot;st\">hel&apos;lo</b>", OnString::escapeSingleTickInHtml("<b title= 'te\"st'>hel'lo</b>"));
$this->assertEquals("<b title= \"te&quot;st\" >hel&apos;lo</b>", OnString::escapeSingleTickInHtml("<b title= 'te\"st' >hel'lo</b>"));
$this->assertEquals("<b src=gif title=\"test\" alt=jpg>hel&apos;lo</b>", OnString::escapeSingleTickInHtml("<b src=gif title='test' alt=jpg>hel'lo</b>"));
$this->assertEquals("<b src=\"gif\" title=\"test\" alt=\"jpg\">hel&apos;lo</b>", OnString::escapeSingleTickInHtml("<b src='gif' title='test' alt='jpg'>hel'lo</b>"));
$this->assertEquals("<b src=\"gif\" title=\"test\" alt=\"jpg\">hel&apos;lo</b>", OnString::escapeSingleTickInHtml("<b src=\"gif\" title='test' alt='jpg'>hel'lo</b>"));
$this->assertEquals("<b src=\"gif\" title=\"test\" alt=\"jpg\">hel&apos;lo</b>", OnString::escapeSingleTickInHtml("<b src='gif' title='test' alt=\"jpg\">hel'lo</b>"));
$this->assertEquals("<b src=gif title='te\"st' alt=jpg>hel&apos;lo</b>", OnString::escapeSingleTickInHtml("<b src=gif title='te\"st' alt=jpg>hel'lo</b>"));
$this->assertEquals("<b src=\"gif\" title='te\"st' alt=\"jpg\">hel&apos;lo</b>", OnString::escapeSingleTickInHtml("<b src='gif' title='te\"st' alt=\"jpg\">hel'lo</b>"));
$this->assertEquals("<b src=\"gif\" title='te\"st' alt=\"jpg\">hel&apos;lo</b>", OnString::escapeSingleTickInHtml("<b src=\"gif\" title='te\"st' alt='jpg'>hel'lo</b>"));
$this->assertEquals("<b src=gif title=\"te&quot;st\" alt=jpg>hel&apos;lo</b>", OnString::escapeSingleTickInHtml("<b src=gif title='te\"st' alt=jpg>hel'lo</b>"));
$this->assertEquals("<b src=\"gif\" title=\"te&quot;st\" alt=\"jpg\">hel&apos;lo</b>", OnString::escapeSingleTickInHtml("<b src='gif' title='te\"st' alt=\"jpg\">hel'lo</b>"));
$this->assertEquals("<b src=\"gif\" title=\"te&quot;st\" alt=\"jpg\">hel&apos;lo</b>", OnString::escapeSingleTickInHtml("<b src=\"gif\" title='te\"st' alt='jpg'>hel'lo</b>"));
$this->assertEquals("<b src=gif title=\"te&apos;st\" alt=jpg>hel&apos;lo</b>", OnString::escapeSingleTickInHtml("<b src=gif title=\"te'st\" alt=jpg>hel'lo</b>"));
$this->assertEquals("<b src=\"gif\" title=\"te&apos;st\" alt=\"jpg\">hel&apos;lo</b>", OnString::escapeSingleTickInHtml("<b src='gif' title=\"te'st\" alt='jpg'>hel'lo</b>"));
$this->assertEquals("<b src=\"gif\" title=\"te&apos;st\" alt=\"jpg\">hel&apos;lo</b>", OnString::escapeSingleTickInHtml("<b src=\"gif\" title=\"te'st\" alt='jpg'>hel'lo</b>"));
$this->assertEquals("<b src=\"gif\" title=\"te&apos;st\" alt=\"jpg\">hel&apos;lo</b>", OnString::escapeSingleTickInHtml("<b src='gif' title=\"te'st\" alt=\"jpg\">hel'lo</b>"));
$expected = "<img src=\"pig.gif\" title=\"Pig\"><img src=\"sun.gif\" title=\"Sun\">";
$this->assertEquals($expected, OnString::escapeSingleTickInHtml("<img src='pig.gif' title='Pig'><img src='sun.gif' title='Sun'>"));
$expected = "<img src=\"pig.gif\" title=\"Pig &quot;blue&quot;\"><img src=\"sun.gif\" title=\"Sun &quot;bright&quot;\">";
$this->assertEquals($expected, OnString::escapeSingleTickInHtml("<img src='pig.gif' title='Pig \"blue\"'><img src='sun.gif' title='Sun \"bright\"'>"));
}
}
\ No newline at end of file
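Review bot: None of the added assertions, from the `<b src=gif ...>` cases through the two `<img>` cases, exercises an attribute whose opening single tick is not closed before `>` (for example `<img title='Moon>`), which is the input most likely to leave a literal tick behind in a hand-rolled scanner and so to break the "no single ticks saved" guarantee this commit documents. Adding one assertion for that input, with whatever output the function is intended to produce, would pin the contract; a case with `>` inside a quoted value, such as `title='a>b'`, is worth adding for the same reason.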