From 45bce2a7aa621db95f394466eb17967c90b098ef Mon Sep 17 00:00:00 2001
From: Nick Liu
Date: Thu, 23 Sep 2021 16:12:52 -0500
Subject: [PATCH] #4572: `e_form`: No `htmlspecialchars()` on "other" attributes

Fixes: #4572
Discussion: https://github.com/e107inc/e107/pull/4554#issuecomment-926113601
---
 e107_handlers/form_handler.php | 5 ++++-
 e107_tests/tests/unit/e_formTest.php | 18 +++++++++++++++++-
 2 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/e107_handlers/form_handler.php b/e107_handlers/form_handler.php
index c130b2b9b..399189d31 100644
--- a/e107_handlers/form_handler.php
+++ b/e107_handlers/form_handler.php
@@ -3907,7 +3907,10 @@ var_dump($select_options);*/
 //
 foreach ($options as $option => $optval)
 {
- $optval = htmlspecialchars(trim((string) $optval), ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
+ if ($option !== 'other')
+ {
+ $optval = htmlspecialchars(trim((string) $optval), ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
+ }
 switch ($option)
 {
diff --git a/e107_tests/tests/unit/e_formTest.php b/e107_tests/tests/unit/e_formTest.php
index 51befcc66..e7031f612 100644
--- a/e107_tests/tests/unit/e_formTest.php
+++ b/e107_tests/tests/unit/e_formTest.php
@@ -867,6 +867,22 @@ class e_formTest extends \Codeception\Test\Unit
 $this->assertSame($expected, $actual);
 }
+
+ /**
+ * @link https://github.com/e107inc/e107/issues/4572
+ */
+ public function testGet_attributesOther()
+ {
+ $options = array(
+ 'size' => '300px',
+ 'other' => 'v-bind:class="{ active: isActive }"',
+ );
+ $actual = $this->_frm->get_attributes($options);
+ $expected = ' size=\'300px\' v-bind:class="{ active: isActive }"';
+ $this->assertSame($expected, $actual);
+ }
 /*
 public function test_format_id()
 {
@@ -879,7 +895,7 @@ class e_formTest extends \Codeception\Test\Unit
 $expected = 'something-hello-there-and-test';
 $result = $this->_frm->name2id($text);
-
+
 $this->assertEquals($expected, $result);
 }
 /*
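Review bot: With the new guard the `other` value bypasses not only `htmlspecialchars()` but also the `trim()` nested inside it, so whatever the caller passes is written into the tag byte-for-byte; that is the intended fix for attribute strings such as `v-bind:class="..."`, but it also turns `other` into a raw-markup sink that must only ever carry developer-controlled strings, never request, database or user-profile data. Nothing in the hunk records that contract; a comment above the new `if`, e.g. `// 'other' is raw attribute markup supplied by the caller: it is emitted unescaped, so never pass untrusted input here`, plus the same sentence in the docblock of the enclosing method (presumably `get_attributes()`, judging by the new test) would make the trust boundary visible to future callers. If dropping the whitespace normalisation was not deliberate, `$optval = trim((string) $optval);` before the `if` with `htmlspecialchars($optval, ENT_COMPAT | ENT_HTML401, 'UTF-8', false)` inside it keeps the old trimming for `other` as well. The `foreach` body and the `switch` that consumes `$optval` continue past the end of the hunk.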
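Review bot: The new `testGet_attributesOther` pins only the unescaped path; a second case showing that a non-`other` attribute in the same call is still escaped would catch a future change that inverts the guard or widens the exemption. Given the `ENT_COMPAT` call kept in `form_handler.php`, an input such as `'size' => '30"px'` should presumably render as ` size='30&quot;px'`, which can be asserted alongside the existing `$expected`. The `array(` long syntax could be `[]` if the rest of this test file already uses the short form, which is outside the hunk.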