N°7603 - Security hardening + UI blocks examples updated

pages/run_query.php

@@ -243,11 +243,11 @@ EOF
 		$aMoreInfoBlocks = [];
 
 		$oDevelopedQuerySet = new FieldSet(Dict::S('UI:RunQuery:DevelopedQuery'));
-		$oDevelopedQuerySet->AddSubBlock(UIContentBlockUIBlockFactory::MakeForCode(utils::EscapeHtml($oFilter->ToOQL())));
+		$oDevelopedQuerySet->AddSubBlock(UIContentBlockUIBlockFactory::MakeForCode($oFilter->ToOQL()));
 		$aMoreInfoBlocks[] = $oDevelopedQuerySet;
 
 		$oSerializedQuerySet = new FieldSet(Dict::S('UI:RunQuery:SerializedFilter'));
-		$oSerializedQuerySet->AddSubBlock(UIContentBlockUIBlockFactory::MakeForCode(utils::EscapeHtml($oFilter->serialize())));
+		$oSerializedQuerySet->AddSubBlock(UIContentBlockUIBlockFactory::MakeForCode($oFilter->serialize()));
 		$aMoreInfoBlocks[] = $oSerializedQuerySet;
 
 

sources/application/UI/Base/Layout/UIContentBlockUIBlockFactory.php

@@ -45,33 +45,45 @@ class UIContentBlockUIBlockFactory extends AbstractUIBlockFactory
 	 * The \n are replaced by <br>
 	 *
 	 * @api
-	 * @param string $sCode
+	 * @param string $sCode plain text code
 	 * @param string|null $sId
 	 *
 	 * @return \Combodo\iTop\Application\UI\Base\Layout\UIContentBlock
 	 */
 	public static function MakeForCode(string $sCode, string $sId = null)
 	{
-		$oCode = new UIContentBlock($sId, ['ibo-is-code']);
-		$sCode = str_replace("\n", '<br>', $sCode);
-		$oCode->AddSubBlock(new Html($sCode));
+		$sCode = str_replace("\n", '<br>', \utils::HtmlEntities($sCode));
 
-		return $oCode;
+		return self::MakeFromHTMLCode($sId, $sCode);
 	}
 
 	/**
 	 * Used to display a block of preformatted text in a <pre> tag.
 	 *
 	 * @api
-	 * @param string $sCode
+	 * @param string $sCode plain text code
 	 * @param string|null $sId
 	 *
 	 * @return \Combodo\iTop\Application\UI\Base\Layout\UIContentBlock
 	 */
 	public static function MakeForPreformatted(string $sCode, string $sId = null)
 	{
-		$sCode = '<pre>'.$sCode.'</pre>';
+		$sCode = '<pre>'.\utils::HtmlEntities($sCode).'</pre>';
 
-		return static::MakeForCode($sCode, $sId);
+		return self::MakeFromHTMLCode($sId, $sCode);
+	}
+
+	/**
+	 * @param string|null $sId
+	 * @param string $sCode
+	 *
+	 * @return \Combodo\iTop\Application\UI\Base\Layout\UIContentBlock
+	 */
+	private static function MakeFromHTMLCode(?string $sId, string $sCode): UIContentBlock
+	{
+		$oCode = new UIContentBlock($sId, ['ibo-is-code']);
+		$oCode->AddSubBlock(new Html($sCode));
+
+		return $oCode;
 	}
 }

tests/manual-visual-tests/Backoffice/RenderAllUiBlocks.php

@@ -42,6 +42,7 @@ use Combodo\iTop\Application\UI\Base\Component\PopoverMenu\PopoverMenu;
 use Combodo\iTop\Application\UI\Base\Component\Title\TitleUIBlockFactory;
 use Combodo\iTop\Application\UI\Base\Layout\Object\ObjectFactory;
 use Combodo\iTop\Application\UI\Base\Layout\PageContent\PageContentFactory;
+use Combodo\iTop\Application\UI\Base\Layout\UIContentBlockUIBlockFactory;
 use Combodo\iTop\Application\UI\Base\Layout\UIContentBlockWithJSRefreshCallback;
 use iTopWebPage;
 use LoginWebPage;
@@ -355,6 +356,22 @@ $oDashletFieldset2->AddSubBlock($oDashletField4);
 $oDashletFieldset2->AddSubBlock($oDashletField5);
 $oDashletFieldset2->AddSubBlock($oDashletField6);
 
+/////////
+// Code
+/////////
+
+$oPage->AddUiBlock(TitleUIBlockFactory::MakeNeutral('Code examples (MakeForCode)', 2 ));
+$oCode1 = UIContentBlockUIBlockFactory::MakeForCode('function mean(int $a, int $b) {
+	return ($a + $b)/2
+}');
+$oPage->AddUiBlock($oCode1);
+
+$oPage->AddUiBlock(TitleUIBlockFactory::MakeNeutral('Code examples (MakeForPreformatted)', 2 ));
+$oCode2 = UIContentBlockUIBlockFactory::MakeForPreformatted('function mean(int $a, int $b) {
+	return ($a + $b)/2
+}');
+$oPage->AddUiBlock($oCode2);
+
 /////////
 // Pill
 /////////