Merge pull request #1512 from aleho/2.4

Correctly encode confirm handlers
cakephp · Aug 14, 2013 · 6c22faa · 6c22faa
2 parents 7fce977 + 80e589f
commit 6c22faa
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 4 deletions.
diff --git a/lib/Cake/Test/Case/View/Helper/FormHelperTest.php b/lib/Cake/Test/Case/View/Helper/FormHelperTest.php
@@ -7050,6 +7050,19 @@ public function testPostLink() {
 			'/a'
 		));
 
+		$result = $this->Form->postLink('Delete', '/posts/delete/1', array('escape' => false), '\'Confirm\' this "deletion"?');
+		$this->assertTags($result, array(
+			'form' => array(
+				'method' => 'post', 'action' => '/posts/delete/1',
+				'name' => 'preg:/post_\w+/', 'id' => 'preg:/post_\w+/', 'style' => 'display:none;'
+			),
+			'input' => array('type' => 'hidden', 'name' => '_method', 'value' => 'POST'),
+			'/form',
+			'a' => array('href' => '#', 'onclick' => 'preg:/if \(confirm\(&quot;&#039;Confirm&#039; this \\\\&quot;deletion\\\\&quot;\?&quot;\)\) \{ document\.post_\w+\.submit\(\); \} event\.returnValue = false; return false;/'),
+			'Delete',
+			'/a'
+		));
+
 		$result = $this->Form->postLink('Delete', '/posts/delete', array('data' => array('id' => 1)));
 		$this->assertContains('<input type="hidden" name="data[id]" value="1"/>', $result);
 

diff --git a/lib/Cake/Test/Case/View/Helper/HtmlHelperTest.php b/lib/Cake/Test/Case/View/Helper/HtmlHelperTest.php
@@ -221,6 +221,14 @@ public function testLink() {
 		);
 		$this->assertTags($result, $expected);
 
+		$result = $this->Html->link('Home', '/home', array('escape' => false, 'confirm' => 'Confirm\'s "nightmares"'));
+		$expected = array(
+			'a' => array('href' => '/home', 'onclick' => 'if (confirm(&quot;Confirm&#039;s \&quot;nightmares\&quot;&quot;)) { return true; } return false;'),
+			'Home',
+			'/a'
+		);
+		$this->assertTags($result, $expected);
+
 		$result = $this->Html->link('Home', '/home', array('default' => false));
 		$expected = array(
 			'a' => array('href' => '/home', 'onclick' => 'event.returnValue = false; return false;'),

diff --git a/lib/Cake/View/Helper.php b/lib/Cake/View/Helper.php
@@ -505,11 +505,16 @@ protected function _formatAttribute($key, $value, $escape = true) {
  * @param string $message Message to be displayed
  * @param string $okCode Code to be executed after user chose 'OK'
  * @param string $cancelCode Code to be executed after user chose 'Cancel'
+ * @param array $options Array of options
  * @return string onclick JS code
  */
-	protected function _confirm($message, $okCode, $cancelCode = '') {
+	protected function _confirm($message, $okCode, $cancelCode = '', $options = array()) {
 		$message = json_encode($message);
-		return "if (confirm({$message})) { {$okCode} } {$cancelCode}";
+		$confirm = "if (confirm({$message})) { {$okCode} } {$cancelCode}";
+		if (isset($options['escape']) && $options['escape'] === false) {
+			$confirm = h($confirm);
+		}
+		return $confirm;
 	}
 
 /**

diff --git a/lib/Cake/View/Helper/FormHelper.php b/lib/Cake/View/Helper/FormHelper.php
@@ -1784,7 +1784,7 @@ public function postLink($title, $url = null, $options = array(), $confirmMessag
 		$url = '#';
 		$onClick = 'document.' . $formName . '.submit();';
 		if ($confirmMessage) {
-			$options['onclick'] = $this->_confirm($confirmMessage, $onClick);
+			$options['onclick'] = $this->_confirm($confirmMessage, $onClick, '', $options);
 		} else {
 			$options['onclick'] = $onClick . ' ';
 		}

diff --git a/lib/Cake/View/Helper/HtmlHelper.php b/lib/Cake/View/Helper/HtmlHelper.php
@@ -359,7 +359,7 @@ public function link($title, $url = null, $options = array(), $confirmMessage =
 			unset($options['confirm']);
 		}
 		if ($confirmMessage) {
-			$options['onclick'] = $this->_confirm($confirmMessage, 'return true;', 'return false;');
+			$options['onclick'] = $this->_confirm($confirmMessage, 'return true;', 'return false;', $options);
 		} elseif (isset($options['default']) && !$options['default']) {
 			if (isset($options['onclick'])) {
 				$options['onclick'] .= ' ';