From 96e1388dde31885170b61c71cbb0d5ae37f70d94 Mon Sep 17 00:00:00 2001
From: jf-cbd
Date: Thu, 4 Jul 2024 10:55:52 +0200
Subject: [PATCH] =?UTF-8?q?N=C2=B07603=20-=20Security=20hardening=20+=20UI?=
 =?UTF-8?q?=20blocks=20examples=20updated?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 pages/run_query.php | 4 +-
 .../Layout/UIContentBlockUIBlockFactory.php | 28 +++++++++++++------
 .../Backoffice/RenderAllUiBlocks.php | 17 +++++++++++
 3 files changed, 39 insertions(+), 10 deletions(-)
diff --git a/pages/run_query.php b/pages/run_query.php
index c197182ca..8139b382a 100644
--- a/pages/run_query.php
+++ b/pages/run_query.php
@@ -243,11 +243,11 @@ EOF
 $aMoreInfoBlocks = [];
 $oDevelopedQuerySet = new FieldSet(Dict::S('UI:RunQuery:DevelopedQuery'));
- $oDevelopedQuerySet->AddSubBlock(UIContentBlockUIBlockFactory::MakeForCode(utils::EscapeHtml($oFilter->ToOQL())));
+ $oDevelopedQuerySet->AddSubBlock(UIContentBlockUIBlockFactory::MakeForCode($oFilter->ToOQL()));
 $aMoreInfoBlocks[] = $oDevelopedQuerySet;
 $oSerializedQuerySet = new FieldSet(Dict::S('UI:RunQuery:SerializedFilter'));
- $oSerializedQuerySet->AddSubBlock(UIContentBlockUIBlockFactory::MakeForCode(utils::EscapeHtml($oFilter->serialize())));
+ $oSerializedQuerySet->AddSubBlock(UIContentBlockUIBlockFactory::MakeForCode($oFilter->serialize()));
 $aMoreInfoBlocks[] = $oSerializedQuerySet;
diff --git a/sources/application/UI/Base/Layout/UIContentBlockUIBlockFactory.php b/sources/application/UI/Base/Layout/UIContentBlockUIBlockFactory.php
index f55eda536..07d557ee1 100644
--- a/sources/application/UI/Base/Layout/UIContentBlockUIBlockFactory.php
+++ b/sources/application/UI/Base/Layout/UIContentBlockUIBlockFactory.php
@@ -45,33 +45,45 @@ class UIContentBlockUIBlockFactory extends AbstractUIBlockFactory
 * The \n are replaced by
*
 * @api
- * @param string $sCode
+ * @param string $sCode plain text code
 * @param string|null $sId
 *
 * @return \Combodo\iTop\Application\UI\Base\Layout\UIContentBlock
 */
 public static function MakeForCode(string $sCode, string $sId = null)
 {
- $oCode = new UIContentBlock($sId, ['ibo-is-code']);
- $sCode = str_replace("\n", '
', $sCode);
- $oCode->AddSubBlock(new Html($sCode));
+ $sCode = str_replace("\n", '
', \utils::HtmlEntities($sCode));
- return $oCode;
+ return self::MakeFromHTMLCode($sId, $sCode);
 }
 /**
 * Used to display a block of preformatted text in a
 tag.
 	 *
 	 * @api
-	 * @param string $sCode
+	 * @param string $sCode plain text code
 	 * @param string|null $sId
 	 *
 	 * @return \Combodo\iTop\Application\UI\Base\Layout\UIContentBlock
 	 */
 	public static function MakeForPreformatted(string $sCode, string $sId = null)
 	{
-		$sCode = '
'.$sCode.'
'; + $sCode = '
'.\utils::HtmlEntities($sCode).'
';
- return static::MakeForCode($sCode, $sId);
+ return self::MakeFromHTMLCode($sId, $sCode);
 }
+
+ /**
+ * @param string|null $sId
+ * @param string $sCode
+ *
+ * @return \Combodo\iTop\Application\UI\Base\Layout\UIContentBlock
+ */
+ private static function MakeFromHTMLCode(?string $sId, string $sCode): UIContentBlock
+ {
+ $oCode = new UIContentBlock($sId, ['ibo-is-code']);
+ $oCode->AddSubBlock(new Html($sCode));
+
+ return $oCode;
 }
 }
\ No newline at end of file
diff --git a/tests/manual-visual-tests/Backoffice/RenderAllUiBlocks.php b/tests/manual-visual-tests/Backoffice/RenderAllUiBlocks.php
index ea7ed9bb5..579997ee0 100644
--- a/tests/manual-visual-tests/Backoffice/RenderAllUiBlocks.php
+++ b/tests/manual-visual-tests/Backoffice/RenderAllUiBlocks.php
@@ -42,6 +42,7 @@ use Combodo\iTop\Application\UI\Base\Component\PopoverMenu\PopoverMenu;
 use Combodo\iTop\Application\UI\Base\Component\Title\TitleUIBlockFactory;
 use Combodo\iTop\Application\UI\Base\Layout\Object\ObjectFactory;
 use Combodo\iTop\Application\UI\Base\Layout\PageContent\PageContentFactory;
+use Combodo\iTop\Application\UI\Base\Layout\UIContentBlockUIBlockFactory;
 use Combodo\iTop\Application\UI\Base\Layout\UIContentBlockWithJSRefreshCallback;
 use iTopWebPage;
 use LoginWebPage;
@@ -355,6 +356,22 @@ $oDashletFieldset2->AddSubBlock($oDashletField4);
 $oDashletFieldset2->AddSubBlock($oDashletField5);
 $oDashletFieldset2->AddSubBlock($oDashletField6);
+/////////
+// Code
+/////////
+
+$oPage->AddUiBlock(TitleUIBlockFactory::MakeNeutral('Code examples (MakeForCode)', 2 ));
+$oCode1 = UIContentBlockUIBlockFactory::MakeForCode('function mean(int $a, int $b) { return ($a + $b)/2 }');
+$oPage->AddUiBlock($oCode1);
+
+$oPage->AddUiBlock(TitleUIBlockFactory::MakeNeutral('Code examples (MakeForPreformatted)', 2 ));
+$oCode2 = UIContentBlockUIBlockFactory::MakeForPreformatted('function mean(int $a, int $b) { return ($a + $b)/2 }');
+$oPage->AddUiBlock($oCode2);
+
 /////////
 // Pill
 /////////
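Review bot: `MakeFromHTMLCode` is now the only path that hands a string to `new Html(...)` without escaping, yet its new docblock merely repeats the native types; the hardening rests on every caller escaping first, so state that contract explicitly, e.g. `@param string $sCode HTML markup already escaped by the caller, never raw user input`. `MakeForCode` and `MakeForPreformatted` also switch from accepting HTML to accepting plain text, which will render entities literally for any remaining caller that pre-escapes its argument the way `pages/run_query.php` used to, so the other callers should be located and adjusted in this same change. As a point of style, the helper takes `?string $sId` and declares `: UIContentBlock` while the two public methods keep `string $sId = null` and no return type; `?string $sId = null` on all three avoids the implicit-nullable form deprecated in PHP 8.4. The `MakeForCode` docblock starts before the hunk.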
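Review bot: The two sample snippets contain no HTML-significant characters (`<`, `>`, `&`, quotes), so this visual test cannot show that the escaping the factory now applies works, nor that nothing is double-encoded; a snippet such as `'if ($a < $b && $c > 0) { echo "<b>x</b>"; }'` passed to both `MakeForCode` and `MakeForPreformatted` would make a regression visible at a glance. The two title calls also carry a stray space before the closing parenthesis, `MakeNeutral('Code examples (MakeForCode)', 2)`. The first hunk of this file only adds the `use` import.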