Author: Kris.Wallsmith
Date: 2010-02-12 22:53:20 +0100 (Fri, 12 Feb 2010)
New Revision: 27989

Modified:
   branches/1.2/lib/widget/sfWidgetFormSelectCheckbox.class.php
   branches/1.2/lib/widget/sfWidgetFormSelectRadio.class.php
   branches/1.2/test/unit/widget/sfWidgetFormSelectCheckboxTest.php
   branches/1.2/test/unit/widget/sfWidgetFormSelectRadioTest.php
Log:
[1.2] backported r27738 xss fix

Modified: branches/1.2/lib/widget/sfWidgetFormSelectCheckbox.class.php
===================================================================
--- branches/1.2/lib/widget/sfWidgetFormSelectCheckbox.class.php        
2010-02-12 21:52:53 UTC (rev 27988)
+++ branches/1.2/lib/widget/sfWidgetFormSelectCheckbox.class.php        
2010-02-12 21:53:20 UTC (rev 27989)
@@ -111,7 +111,7 @@
 
       $inputs[] = array(
         'input' => $this->renderTag('input', array_merge($baseAttributes, 
$attributes)),
-        'label' => $this->renderContentTag('label', $option, array('for' => 
$id)),
+        'label' => $this->renderContentTag('label', self::escapeOnce($option), 
array('for' => $id)),
       );
     }
 
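Review bot: The new `self::escapeOnce($option)` closes the label-text injection, but nothing in this hunk says why the label was the one unescaped sink, so a reader later may "simplify" it back; a comment above the array would pin the reason, e.g. `// choices may come from user data (sfCallable, DB): the label body is raw text, unlike attributes`. The `value` and `for` attributes built from `$baseAttributes`/`$id` are left as they were — presumably `renderTag`/`renderContentTag` escape attribute values on their own path, but that is not visible here and is worth confirming for this branch. Note also that escapeOnce, as its name suggests, repairs already-encoded entities rather than encoding them again, so a choice that literally contains `&amp;` renders as `&amp;`; still injection-safe, just not byte-faithful, and untested by the accompanying test. The same change and the same comment apply to the sfWidgetFormSelectRadio hunk below; the enclosing method starts and ends outside both hunks.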

Modified: branches/1.2/lib/widget/sfWidgetFormSelectRadio.class.php
===================================================================
--- branches/1.2/lib/widget/sfWidgetFormSelectRadio.class.php   2010-02-12 
21:52:53 UTC (rev 27988)
+++ branches/1.2/lib/widget/sfWidgetFormSelectRadio.class.php   2010-02-12 
21:53:20 UTC (rev 27989)
@@ -106,7 +106,7 @@
 
       $inputs[] = array(
         'input' => $this->renderTag('input', array_merge($baseAttributes, 
$attributes)),
-        'label' => $this->renderContentTag('label', $option, array('for' => 
$id)),
+        'label' => $this->renderContentTag('label', self::escapeOnce($option), 
array('for' => $id)),
       );
     }
 

Modified: branches/1.2/test/unit/widget/sfWidgetFormSelectCheckboxTest.php
===================================================================
--- branches/1.2/test/unit/widget/sfWidgetFormSelectCheckboxTest.php    
2010-02-12 21:52:53 UTC (rev 27988)
+++ branches/1.2/test/unit/widget/sfWidgetFormSelectCheckboxTest.php    
2010-02-12 21:53:20 UTC (rev 27989)
@@ -10,7 +10,7 @@
 
 require_once(dirname(__FILE__).'/../../bootstrap/unit.php');
 
-$t = new lime_test(10, new lime_output_color());
+$t = new lime_test(11, new lime_output_color());
 
 $dom = new DomDocument('1.0', 'utf-8');
 $dom->validateOnParse = true;
@@ -82,6 +82,12 @@
 $css = new sfDomCssSelector($dom);
 $t->is(count($css->matchAll('input[type="checkbox"]')->getNodes()), 3, 
'->render() accepts a sfCallable as a choices option');
 
+// choices are escaped
+$t->diag('choices are escaped');
+
+$w = new sfWidgetFormSelectCheckbox(array('choices' => array('<b>Hello 
world</b>')));
+$t->is($w->render('foo'), '<ul class="checkbox_list"><li><input name="foo[]" 
type="checkbox" value="0" id="foo_0" />&nbsp;<label for="foo_0">&lt;b&gt;Hello 
world&lt;/b&gt;</label></li></ul>', '->render() escapes the choices');
+
 // __clone()
 $t->diag('__clone()');
 $w = new sfWidgetFormSelectCheckbox(array('choices' => new 
sfCallable(array($w, 'foo'))));
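Review bot: The added assertion covers only a tag-bearing choice, so it cannot tell an escapeOnce-based fix apart from a plain htmlspecialchars one, and a later refactor that double-escapes would still pass; a second case with an already-encoded choice would pin the intended behaviour, e.g. `$w = new sfWidgetFormSelectCheckbox(array('choices' => array('a &amp; b')));` followed by `$t->like($w->render('foo'), '/<label for="foo_0">a &amp; b<\/label>/', '->render() does not double-escape choices');` — assuming escapeOnce leaves existing entities intact, which should be confirmed against this branch. Adding it means the plan count in the earlier hunk of this file moves from 11 to 12. The sfWidgetFormSelectRadio test below has the same gap.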

Modified: branches/1.2/test/unit/widget/sfWidgetFormSelectRadioTest.php
===================================================================
--- branches/1.2/test/unit/widget/sfWidgetFormSelectRadioTest.php       
2010-02-12 21:52:53 UTC (rev 27988)
+++ branches/1.2/test/unit/widget/sfWidgetFormSelectRadioTest.php       
2010-02-12 21:53:20 UTC (rev 27989)
@@ -10,7 +10,7 @@
 
 require_once(dirname(__FILE__).'/../../bootstrap/unit.php');
 
-$t = new lime_test(9, new lime_output_color());
+$t = new lime_test(10, new lime_output_color());
 
 $dom = new DomDocument('1.0', 'utf-8');
 $dom->validateOnParse = true;
@@ -77,6 +77,12 @@
 $css = new sfDomCssSelector($dom);
 $t->is(count($css->matchAll('input[type="radio"]')->getNodes()), 3, 
'->render() accepts a sfCallable as a choices option');
 
+// choices as escaped
+$t->diag('choices are escaped');
+
+$w = new sfWidgetFormSelectRadio(array('choices' => array('<b>Hello 
world</b>')));
+$t->is($w->render('foo'), '<ul class="radio_list"><li><input name="foo" 
type="radio" value="0" id="foo_0" />&nbsp;<label for="foo_0">&lt;b&gt;Hello 
world&lt;/b&gt;</label></li></ul>', '->render() escapes the choices');
+
 // __clone()
 $t->diag('__clone()');
 $w = new sfWidgetFormSelectRadio(array('choices' => new sfCallable(array($w, 
'foo'))));
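Review bot: The comment introduced above the new diag call reads `// choices as escaped`, while the diag string and the checkbox counterpart say "choices are escaped"; it should read `// choices are escaped` so the section heading and the comment agree. Nothing else in the new lines differs from the checkbox test apart from the widget class and list class name.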
