mirror/php-e107
1
0
Fork 0
mirror of https://github.com/e107inc/e107.git synced 2025-07-26 17:30:24 +02:00
Code Issues Releases Wiki Activity

#4572: e_form: No htmlspecialchars() on "other" attributes

Browse Source 
Fixes: #4572

Discussion:
https://github.com/e107inc/e107/pull/4554#issuecomment-926113601
This commit is contained in:
Nick Liu
2021-09-23 16:12:52 -05:00
parent 171cac87b1
commit 45bce2a7aa
2 changed files with 21 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
e107_handlers/form_handler.php
View File

@@ -3906,8 +3906,11 @@ var_dump($select_options);*/
$ret = ''; $ret = '';
// //
foreach ($options as $option => $optval) foreach ($options as $option => $optval)
{
if ($option !== 'other')
{ {
$optval = htmlspecialchars(trim((string) $optval), ENT_COMPAT | ENT_HTML401, 'UTF-8', false); $optval = htmlspecialchars(trim((string) $optval), ENT_COMPAT | ENT_HTML401, 'UTF-8', false);
}
switch ($option) switch ($option)
{ {

16
e107_tests/tests/unit/e_formTest.php
View File

@@ -867,6 +867,22 @@ class e_formTest extends \Codeception\Test\Unit
$this->assertSame($expected, $actual); $this->assertSame($expected, $actual);
} }
/**
* @link https://github.com/e107inc/e107/issues/4572
*/
public function testGet_attributesOther()
{
$options = array(
'size' => '300px',
'other' => 'v-bind:class="{ active: isActive }"',
);
$actual = $this->_frm->get_attributes($options);
$expected = ' size=\'300px\' v-bind:class="{ active: isActive }"';
$this->assertSame($expected, $actual);
}
/* /*
public function test_format_id() public function test_format_id()
{ {