Commit fabee237 authored by Cecilia Vela Gurovic's avatar Cecilia Vela Gurovic

Bug 1705126: fix for tag encoding

Fix for tag search when they have a character changed by urlencoding()
Fix for tag display in Tagged posts block when tag has a character
  changed by htmlspecialchars()
Fix for not executing javascript inside the text of a tag
Fix to delete blocktype_taggedposts_tags entries when deleting a
  tagged posts block

behatnotneeded

Change-Id: Ic4a56ea90457e605c99203f0b355def93a04baa1
parent af730d73
...@@ -96,6 +96,8 @@ class PluginBlocktypeTaggedposts extends MaharaCoreBlocktype { ...@@ -96,6 +96,8 @@ class PluginBlocktypeTaggedposts extends MaharaCoreBlocktype {
$limit = isset($configdata['count']) ? (int) $configdata['count'] : 10; $limit = isset($configdata['count']) ? (int) $configdata['count'] : 10;
foreach ($tagrecords as $tag) { foreach ($tagrecords as $tag) {
//tag is encoded in the db if it has special characters
$tag->tag = htmlspecialchars_decode($tag->tag);
if ($tag->tagtype == PluginBlocktypeTaggedposts::TAGTYPE_INCLUDE) { if ($tag->tagtype == PluginBlocktypeTaggedposts::TAGTYPE_INCLUDE) {
$tagsin[] = $tag->tag; $tagsin[] = $tag->tag;
} }
...@@ -270,14 +272,14 @@ class PluginBlocktypeTaggedposts extends MaharaCoreBlocktype { ...@@ -270,14 +272,14 @@ class PluginBlocktypeTaggedposts extends MaharaCoreBlocktype {
if ($key > 0) { if ($key > 0) {
$tagstr .= ', '; $tagstr .= ', ';
} }
$tagstr .= ($viewownerdisplay) ? '"' . $tag . '"' : '"<a href="' . get_config('wwwroot') . 'tags.php?tag=' . $tag . '&sort=name&type=text">' . $tag . '</a>"'; $tagstr .= ($viewownerdisplay) ? '"' . $tag . '"' : '"<a href="' . get_config('wwwroot') . 'tags.php?tag=' . urlencode($tag) . '&sort=name&type=text">' . hsc($tag) . '</a>"';
} }
if (!empty($tagsout)) { if (!empty($tagsout)) {
foreach ($tagsout as $key => $tag) { foreach ($tagsout as $key => $tag) {
if ($key > 0) { if ($key > 0) {
$tagomitstr .= ', '; $tagomitstr .= ', ';
} }
$tagomitstr .= ($viewownerdisplay) ? '"' . $tag . '"' : '"<a href="' . get_config('wwwroot') . 'tags.php?tag=' . $tag . '&sort=name&type=text">' . $tag . '</a>"'; $tagomitstr .= ($viewownerdisplay) ? '"' . $tag . '"' : '"<a href="' . get_config('wwwroot') . 'tags.php?tag=' . urlencode($tag) . '&sort=name&type=text">' . hsc($tag) . '</a>"';
} }
} }
if (empty($tagsin)) { if (empty($tagsin)) {
...@@ -338,10 +340,10 @@ class PluginBlocktypeTaggedposts extends MaharaCoreBlocktype { ...@@ -338,10 +340,10 @@ class PluginBlocktypeTaggedposts extends MaharaCoreBlocktype {
if ($tagrecords) { if ($tagrecords) {
foreach ($tagrecords as $tag) { foreach ($tagrecords as $tag) {
if ($tag->tagtype == PluginBlocktypeTaggedposts::TAGTYPE_INCLUDE) { if ($tag->tagtype == PluginBlocktypeTaggedposts::TAGTYPE_INCLUDE) {
$tagselect[] = hsc($tag->tag); $tagselect[] = $tag->tag;
} }
else { else {
$tagselect[] = '-' . hsc($tag->tag); $tagselect[] = '-' . $tag->tag;
} }
} }
} }
...@@ -353,7 +355,7 @@ function (item, container) { ...@@ -353,7 +355,7 @@ function (item, container) {
if (item.id[0] == "-") { if (item.id[0] == "-") {
container.addClass("tagexcluded"); container.addClass("tagexcluded");
if (!item.text.match(/sr\-only/)) { if (!item.text.match(/sr\-only/)) {
return '<span class="sr-only">{$excludetag}</span>' + item.text; return '<span class="sr-only">{$excludetag}</span>' + jQuery('<div>').text(item.text).html();
} }
} }
return item.text; return item.text;
...@@ -376,7 +378,14 @@ EOF; ...@@ -376,7 +378,14 @@ EOF;
'extraparams' => array( 'extraparams' => array(
'templateSelection' => "$formatSelection", 'templateSelection' => "$formatSelection",
// We'll escape the text on the PHP side, so select2 doesn't need to // We'll escape the text on the PHP side, so select2 doesn't need to
'escapeMarkup' => 'function(textToEscape) { return textToEscape; }', 'escapeMarkup' => 'function(textToEscape) {
if (textToEscape.match(/sr\-only/)) {
return textToEscape;
}
else {
return jQuery("<div>").text(textToEscape).html();
}
}',
), ),
); );
$elements[] = PluginArtefactBlog::block_advanced_options_element($configdata, 'taggedposts'); $elements[] = PluginArtefactBlog::block_advanced_options_element($configdata, 'taggedposts');
...@@ -409,6 +418,10 @@ EOF; ...@@ -409,6 +418,10 @@ EOF;
} }
public static function delete_instance(BlockInstance $instance) {
delete_records('blocktype_taggedposts_tags', 'block_instance', $instance->get('id'));
}
public static function instance_config_validate(Pieform $form, $values) { public static function instance_config_validate(Pieform $form, $values) {
if (empty($values['tagselect'])) { if (empty($values['tagselect'])) {
...@@ -439,7 +452,7 @@ EOF; ...@@ -439,7 +452,7 @@ EOF;
} }
$todb = new stdClass(); $todb = new stdClass();
$todb->block_instance = $instance->get('id'); $todb->block_instance = $instance->get('id');
$todb->tag = $tag; $todb->tag = htmlspecialchars_decode($tag);
$todb->tagtype = $value; $todb->tagtype = $value;
insert_record('blocktype_taggedposts_tags', $todb); insert_record('blocktype_taggedposts_tags', $todb);
} }
......
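Review bot: The "already decorated" marker in the new templateSelection (L55) and escapeMarkup (L63-L70) is a substring test for `sr-only`, and that substring can come from the tag text itself, so a tag whose name happens to contain it is returned by both functions without the `jQuery('<div>').text(...).html()` step and reaches the DOM unescaped — the opposite of what the "not executing javascript inside the text of a tag" fix intends. A content match cannot distinguish the span this code prepends from user text; if select2 really re-runs the template on the decorated string (which the check seems to anticipate), track that with a flag set on the item when it is decorated, otherwise escape unconditionally and prepend the span only for excluded ids, e.g. `var safe = jQuery('<div>').text(item.text).html(); return (item.id[0] == "-") ? '<span class="sr-only">{$excludetag}</span>' + safe : safe;`. Separately, the new hrefs at L29 and L36 build the URL with `urlencode($tag)` (safe in attribute context) but leave the literal `&sort=` unescaped; `&amp;sort=` would make the markup valid. The hunk at L21 decodes on read while L85 decodes on write, so the read-side decode presumably only exists for rows stored before this change — a comment saying so, `// legacy rows may still hold hsc()-encoded tags`, would stop someone removing one of the two.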
...@@ -52,8 +52,8 @@ while ($alltags !== false && $more && count($tmptags) < $tagsperpage) { ...@@ -52,8 +52,8 @@ while ($alltags !== false && $more && count($tmptags) < $tagsperpage) {
} }
if (stripos($tag->tag, $request) !== false || $request === '') { if (stripos($tag->tag, $request) !== false || $request === '') {
$tmptags[] = (object) array( $tmptags[] = (object) array(
'id' => hsc($tagexcluded . $tag->tag), 'id' => $tagexcluded . $tag->tag,
'text' => hsc($tag->tag), 'text' => $tag->tag,
); );
} }
} }
......
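Review bot: Dropping `hsc()` from both `id` and `text` at L94-L95 makes this JSON endpoint emit raw tag text, so its safety now rests entirely on every select2 consumer escaping in `escapeMarkup`/`templateSelection`; nothing in the hunk records that contract. A comment above the object literal, `// raw tag text: escaping is done client-side by the autocomplete element's escapeMarkup`, would make that dependency visible to the next reader of this file. The enclosing while loop starts before the hunk.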
...@@ -15,7 +15,9 @@ define('JSON', 1); ...@@ -15,7 +15,9 @@ define('JSON', 1);
require(dirname(dirname(__FILE__)) . '/init.php'); require(dirname(dirname(__FILE__)) . '/init.php');
require_once('searchlib.php'); require_once('searchlib.php');
$tag = param_variable('tag', null); if ($tag = param_variable('tag', null)) {
$tag = urldecode($tag);
}
$limit = param_integer('limit', 10); $limit = param_integer('limit', 10);
$offset = param_integer('offset', 0); $offset = param_integer('offset', 0);
$sort = param_alpha('sort', 'name'); $sort = param_alpha('sort', 'name');
......
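Review bot: `$tag = urldecode($tag)` at L104 is most likely a double decode: PHP already percent-decodes query parameters when it fills `$_GET`, so if `param_variable()` reads from the request superglobals, a tag whose real text contains a `+` or a `%` followed by two hex digits is altered before the search runs, while the `urlencode()` added on the link side only ever needs the one decode PHP performs. If that is the case the new `urldecode` call should be removed and the original `$tag = param_variable('tag', null);` kept; if some caller genuinely double-encodes, name it in a comment so the second decode is not mistaken for a bug later. The assignment-in-condition form also treats a tag named `0` as absent because the `if` tests truthiness, which an explicit `!== null` check would avoid.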
...@@ -101,6 +101,8 @@ function pieform_element_autocomplete(Pieform $form, $element) { ...@@ -101,6 +101,8 @@ function pieform_element_autocomplete(Pieform $form, $element) {
} }
} }
$renderresult = isset($element['extraparams']['renderresult']) ? $element['extraparams']['renderresult'] : null;
$smarty->assign('id', $form->get_name() . '_' . $element['id']); $smarty->assign('id', $form->get_name() . '_' . $element['id']);
$smarty->assign('name', $element['name']); $smarty->assign('name', $element['name']);
$smarty->assign('initvalues', $initvalues); $smarty->assign('initvalues', $initvalues);
...@@ -115,6 +117,7 @@ function pieform_element_autocomplete(Pieform $form, $element) { ...@@ -115,6 +117,7 @@ function pieform_element_autocomplete(Pieform $form, $element) {
$smarty->assign('hint', empty($element['hint']) ? get_string('defaulthint') : $element['hint']); $smarty->assign('hint', empty($element['hint']) ? get_string('defaulthint') : $element['hint']);
$smarty->assign('extraparams', $extraparams); $smarty->assign('extraparams', $extraparams);
$smarty->assign('inblockconfig', !empty($element['inblockconfig']) ? 'true' : 'false'); $smarty->assign('inblockconfig', !empty($element['inblockconfig']) ? 'true' : 'false');
$smarty->assign('renderresult', $renderresult);
if (isset($element['description'])) { if (isset($element['description'])) {
$smarty->assign('describedby', $form->element_descriptors($element)); $smarty->assign('describedby', $form->element_descriptors($element));
} }
......
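Review bot: `$renderresult` defaults to `null` at L113, and the template branch it controls (`{{if $renderresult}}` in the autocomplete tpl, last section of this commit) now passes `data.results` through untouched for every autocomplete element that does not set `extraparams.renderresult`. Only one caller in this commit opts in (L139), so any other element whose JSON `text` carries HTML — the existing template comment mentions user profiles — appears to change behaviour silently; either audit those callers or default the flag to `true` so existing elements keep the rendering path and only the tag element opts out. Either way the new key deserves a line in the element's docblock, e.g. `// extraparams.renderresult: true renders result text as HTML; false/unset passes it through, leaving escaping to escapeMarkup`. The enclosing function continues outside both hunks.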
...@@ -50,7 +50,7 @@ function translate_tags_to_names(array $ids) { ...@@ -50,7 +50,7 @@ function translate_tags_to_names(array $ids) {
$results[] = (object) array('id' => $id, 'text' => display_tag($id, $alltags['tags'])); $results[] = (object) array('id' => $id, 'text' => display_tag($id, $alltags['tags']));
} }
else { else {
$results[] = (object) array('id' => $id, 'text' => hsc($id)); $results[] = (object) array('id' => $id, 'text' => $id);
} }
} }
return $results; return $results;
......
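Review bot: After L130 the two branches of this `if` no longer agree on escaping: the first still returns whatever `display_tag()` produces (not visible here, but previously it was paired with an `hsc()` fallback, which suggests it returned escaped markup), while the else branch now returns the raw `$id`. If `display_tag()` still escapes, consumers of `translate_tags_to_names()` receive a mix of escaped and unescaped `text` values and a client-side `escapeMarkup` will double-escape the first kind. Worth confirming what `display_tag()` returns and adding a one-line comment stating the convention, e.g. `// text is returned unescaped; the autocomplete element escapes it client-side`.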
...@@ -205,6 +205,7 @@ $form = pieform(array( ...@@ -205,6 +205,7 @@ $form = pieform(array(
return data.text; return data.text;
} }
}', }',
'renderresult' => true,
), ),
'ajaxextraparams' => array(), 'ajaxextraparams' => array(),
'rules' => array('required' => true), 'rules' => array('required' => true),
......
...@@ -27,6 +27,7 @@ ...@@ -27,6 +27,7 @@
}, },
processResults: function(data, page) { processResults: function(data, page) {
return { return {
{{if $renderresult}}
results: jQuery.map(data.results, function(item) { results: jQuery.map(data.results, function(item) {
// sometimes text contains html that has to be renderered in the result list (e.g. user profile) // sometimes text contains html that has to be renderered in the result list (e.g. user profile)
// we're assigning text to resultsText variable that get rendered in results, and // we're assigning text to resultsText variable that get rendered in results, and
...@@ -36,6 +37,9 @@ ...@@ -36,6 +37,9 @@
text: jQuery('<div>').html(item.text).text() text: jQuery('<div>').html(item.text).text()
}) })
}), }),
{{else}}
results: data.results,
{{/if}}
pagination: { pagination: {
more: data.more more: data.more
} }
......
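Review bot: The new `{{else}}` branch at L156-L158 drops the `html(...).text()` mapping without saying where escaping happens instead, while the comment above the `{{if}}` branch still explains only the rendering case. A short comment on the else branch would keep the two paths understandable side by side, e.g. `// renderresult unset: results are passed through as plain data and must be escaped by the element's escapeMarkup`. The `processResults` function and the surrounding object literal begin before and end after the visible hunk.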