Commit 2a47a427 authored by Nigel McNie's avatar Nigel McNie Committed by Nigel McNie

Fixed a gaping security hole when not using the WYSIWYG editor; also made
sure that the formatting stays reasonably consistent when switching
from the WYSIWYG editor to the textarea and back.
parent 94c4cc22
......@@ -64,11 +64,25 @@ function pieform_element_wysiwyg(Pieform $form, $element) {
log_warn('No value for cols or width specified for textarea ' . $element['name']);
}
$element['style'] = (isset($element['style'])) ? $style . $element['style'] : $style;
if ($USER->get_account_preference('wysiwyg')) {
$value = Pieform::hsc($form->get_value($element));
}
else {
// Replace <br>s as added by wysiwyg editor or nl2br with a newline
$value = preg_replace("#<br />\s#", "\n", $form->get_value($element));
// As placed in the value by the wysiwyg editor
$value = str_replace('</p><p>', "\n\n", $value);
// Find the last </p> and replace with newlines
$value = preg_replace('#</p>\s#', "\n", $value);
$value = strip_tags($value);
}
return '<textarea'
. (($rows) ? ' rows="' . $rows . '"' : '')
. (($cols) ? ' cols="' . $cols . '"' : '')
. $form->element_attributes($element, array('maxlength', 'size'))
. '>' . Pieform::hsc($form->get_value($element)) . '</textarea>';
. '>' . $value . '</textarea>';
}
function pieform_element_wysiwyg_rule_required(Pieform $form, $value, $element) {
......@@ -83,4 +97,27 @@ function pieform_element_wysiwyg_get_headdata() {
return array();
}
function pieform_element_wysiwyg_get_value(Pieform $form, $element) {
global $USER;
$global = ($form->get_property('method') == 'get') ? $_GET : $_POST;
if (isset($element['value'])) {
log_debug('returning value');
return $element['value'];
}
else if (isset($global[$element['name']])) {
$value = $global[$element['name']];
if (!get_account_preference($USER->get('id'), 'wysiwyg')) {
$value = format_whitespace($value);
}
else {
$value = clean_text($value);
}
return $value;
}
else if (isset($element['defaultvalue'])) {
return $element['defaultvalue'];
}
return null;
}
?>
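Review bot: In the non-WYSIWYG branch of pieform_element_wysiwyg the textarea body is emitted straight from strip_tags() output with no Pieform::hsc(), whereas the WYSIWYG branch and the line this commit replaces both escape it; strip_tags() drops tag-shaped runs but is not an output encoder, so any `<`, `>` or `&` it leaves behind (or an entity such as `&lt;` already present in the stored value) reaches the page unescaped, and only the textarea's RCDATA rules then stand between that text and markup injection. I would escape after stripping, decoding entities first so the plain-text round trip this branch is clearly aiming for is preserved: `$value = Pieform::hsc(html_entity_decode(strip_tags($value), ENT_QUOTES, 'UTF-8'));` — this presumes format_whitespace() entity-encodes the submitted text, which is not visible here. Separately, pieform_element_wysiwyg_get_value reads the mode via get_account_preference($USER->get('id'), 'wysiwyg') while the renderer uses $USER->get_account_preference('wysiwyg'); if those two paths can ever disagree, a value cleaned for one mode is rendered under the other's rules, so both should use the same accessor, and the `log_debug('returning value')` on the $element['value'] path looks like leftover debugging. pieform_element_wysiwyg begins before the first hunk.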