Item11501: Change from validate to encode

git-svn-id: http://svn.foswiki.org/trunk@13923 0b4bb1d4-4e5a-0410-9cc4-b2b747904278
foswiki · Feb 5, 2012 · 64d15b0 · 64d15b0
1 parent ab3cd15
commit 64d15b0
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 18 deletions.
diff --git a/UnitTestContrib/test/unit/RegisterTests.pm b/UnitTestContrib/test/unit/RegisterTests.pm
@@ -890,13 +890,13 @@ sub verify_rejectEvilContent {
             'Twk1Email'    => [ $this->{new_user_email} ],
             'Twk1WikiName' => [ $this->{new_user_wikiname} ],
             'Twk1Name'     => [ $this->{new_user_fullname} ],
-            'Twk0Comment'  => [''],
+            'Twk0Comment'  => ['<blah>'],
 
             #'Twk1LoginName' => [ 'Bad@User' ],
             'Twk1FirstName'    => [ $this->{new_user_fname} ],
             'Twk1LastName'     => [ $this->{new_user_sname} ],
-            'Twk1Password'     => ['12345aaaaa'],
-            'Twk1Confirm'      => ['12345aaaaa'],
+            'Twk1Password'     => ['123<><>aaa'],
+            'Twk1Confirm'      => ['123<><>aaa'],
             'Twk0Organization' => ['<script>Bad stuff</script>'],
             'action'           => ['register'],
         }
@@ -911,16 +911,18 @@ sub verify_rejectEvilContent {
     }
     catch Foswiki::OopsException with {
         my $e = shift;
-        #$this->assert_matches(
-        #    /Invalid Organization/,
-        #    $e->stringify
-        #);
-        $this->assert_str_equals( "attention", $e->{template},
+        $this->assert_str_equals( "200", $e->{status},
             $e->stringify() );
-        $this->assert_str_equals( "Organization", $e->{params}[0], $e->stringify() );
-        $this->assert_str_equals( "invalid_field", $e->{def}, $e->stringify() );
-        $this->assert_equals( 0, scalar(@FoswikiFnTestCase::mails) );
-        @FoswikiFnTestCase::mails = ();
+        $this->assert_matches( qr/.*Comment: %3cblah%3e.*Organization: %3cscript%3eBad%20stuff%3c\/script%3e/ms, $FoswikiFnTestCase::mails[0] );
+
+        my ($meta) = Foswiki::Func::readTopic( $Foswiki::cfg{UsersWebName},
+            $this->{new_user_wikiname} );
+        my $text = $meta->text;
+        $meta->finish();
+        $this->assert_matches( qr/.*Comment: %3cblah%3e.*Organization: %3cscript%3eBad%20stuff%3c\/script%3e/ms, $text );
+
+    return;
+
     }
     catch Foswiki::AccessControlException with {
         my $e = shift;

diff --git a/core/lib/Foswiki/UI/Register.pm b/core/lib/Foswiki/UI/Register.pm
@@ -1572,16 +1572,15 @@ sub _getDataFromQuery {
             my $value = join( ',', @values );
 
             try {
-                $data->{$name} = $users->validateRegistrationField( $name, $value );
+                $data->{$name} =
+                  $users->validateRegistrationField( $name, $value );
             }
             catch Error::Simple with {
                 my $e = shift;
                 throw Foswiki::OopsException(
                     'attention',
-                    #web    => $data->{webName},
-                    #topic  => $session->{topicName},
                     def    => 'invalid_field',
-                    params => [ $name ]
+                    params => [$name]
                 );
             };
             push(

diff --git a/core/lib/Foswiki/UserMapping.pm b/core/lib/Foswiki/UserMapping.pm
@@ -36,6 +36,7 @@ use strict;
 use warnings;
 use Assert;
 use Error ();
+use Foswiki::Func;
 
 =begin TML
 
@@ -557,16 +558,34 @@ sub validateRegistrationField {
     #my ($this, $field, $value) = @_;
 
     # Filter username per the login validation rules.
-    if ( lc( $_[1] ) eq 'username'
+    #    Note:  loginname excluded as it's validated directly in the mapper
+
+    return $_[2] if ( lc( $_[1] ) eq 'loginname' );
+
+    if ( ( lc( $_[1] ) eq 'username' )
         && !( $_[2] =~ m/$Foswiki::cfg{LoginNameFilterIn}/ ) )
     {
-        throw Error::Simple("Invalid username");
+        throw Error::Simple("Invalid $_[1]");
     }
 
     # Don't check contents of password - it's never displayed.
     return $_[2] if ( lc( $_[1] ) eq 'password' || lc( $_[1] ) eq 'confirm' );
 
+    unless ( $_[1] =~ m/^(?:firstname|lastname|email|wikiname|name|)$/i ) {
+
+# SMELL This would be better but for now I can't make it work.
+# Undefined subroutine &Foswiki::Macros::ENCODE called
+#
+#require Foswiki::Macros::ENCODE;
+#my $session = $Foswiki::Plugins::SESSION;
+#my $value = Foswiki::Macros::ENCODE->ENCODE( $session, { type => 'safe', _DEFAULT => $_[2] } );
+#print STDERR "Encoding $_[1] as $value\n";
+
+        $_[2] = Foswiki::Func::expandCommonVariables("%ENCODE{\"$_[2]\"}%");
+    }
+
     # Don't allow html markup in any other fields.
+    # This should never hit if the encoding works correctly.
     throw Error::Simple("Invalid $_[1]") if ( $_[2] =~ m/[<>]+/ );
 
     return $_[2];