2.4.13 FormField casting on Message to Text causes CheckboxField to show an empty message span #2489

Closed
colintucker opened this Issue Oct 4, 2013 · 3 comments

colintucker commented Oct 4, 2013

Hi all,

Upgraded a local site from 2.4.11 to 2.4.13, and noticed the following:

[Screenshots: login, oops]

In the 2.4.13 release, FormField is now casting the Message attribute to Text, lines 76-78 in FormField:

public static $casting = array(
    'Message' => 'Text'
);

Problem has been traced to CheckboxField, line 50:

$messageBlock = isset($Message) ? "<span class=\"message $MessageType\">$Message</span>" : '';

Because the code is using "isset", we are now getting a true result as the casting causes the $Message to be set. Suggest we also need to check if $Message is an empty string? For example:

$messageBlock = (isset($Message) && $Message != "") ? "<span class=\"message $MessageType\">$Message</span>" : '';

Not sure if this problem is duplicated in other fields.

colintucker commented Oct 4, 2013

Discovered another side effect of the Message casting to Text (in Form.php), though this may be intentional (due to escaping of HTML in Message, i.e. XSS prevention), but looks a bit horrible... this is in a CTF popup:

[Screenshot: popup]

Had exactly the same problem here.

'Fixed' it by changing the casting of Message in sapphire/forms/Form.php.
I don't think this is the best way to do this, considering this raises the XSS problem again? But it works for the time being.

In line 140 in Form.php changed:

public static $casting = array(
    'Message' => 'Text'
);

to:

public static $casting = array(
    'Message' => 'HTMLText'
);

Hi, I've the same problem here. Found a reference also on forums: http://www.silverstripe.org/general-questions/show/25254

I've changed CheckboxField.php:58 to

$messageBlock = empty($Message) ? '' : "<span class=\"message $MessageType\">$Message</span>";
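
The two concerns raised in this thread (the empty message span and the XSS escaping that the Text casting provides) can be handled together at output time. The following is an added example, not code from the thread or from SilverStripe: `renderMessageBlock()` is a hypothetical standalone helper, the sample inputs are constructed, and it assumes the cast value arrives as an empty string rather than null.

```php
<?php
// Added illustration; renderMessageBlock() is a hypothetical helper, not SilverStripe API.

/**
 * Build the validation-message span for a form field.
 * Returns '' when there is nothing to show, so no empty <span> is emitted.
 */
function renderMessageBlock($message, $messageType)
{
    // Cast first: a value cast to text may arrive as '' instead of null,
    // which is why isset() alone is not enough.
    $message = (string) $message;

    // Strict comparison instead of empty(): empty('0') is true in PHP,
    // which would silently drop a message consisting of "0".
    if ($message === '') {
        return '';
    }

    // Escape at output time so the empty check and XSS protection coexist.
    $safeMessage = htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
    $safeType    = htmlspecialchars((string) $messageType, ENT_QUOTES, 'UTF-8');

    return "<span class=\"message $safeType\">$safeMessage</span>";
}

// Constructed sample inputs covering the cases discussed in the thread.
$cases = array(
    'unset (null)'   => null,
    'empty string'   => '',
    'literal zero'   => '0',
    'plain text'     => 'Please accept the terms',
    'markup in text' => 'Unknown user <script>alert(1)</script>',
);

foreach ($cases as $label => $message) {
    $html = renderMessageBlock($message, 'bad');
    printf("%-15s isset=%-5s empty=%-5s output=%s\n",
        $label,
        var_export(isset($message), true),
        var_export(empty($message), true),
        $html === '' ? '(nothing)' : $html
    );
}
```

The empty-string row is the case from this issue: `isset()` reports true, yet no span should be rendered.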

gbonanome added a commit to comperio/silverstripe-framework that referenced this issue Dec 11, 2013

gbonanome added a commit to gbonanome/silverstripe-framework that referenced this issue Dec 11, 2013

Fix empty $messageBlock on CheckboxFields
From 2.4.13 the Message attribute is set to Text, so every checkbox now shows an empty $messageBlock.
See silverstripe#2489 or http://www.silverstripe.org/general-questions/show/25254

@simonwelsh simonwelsh closed this Mar 15, 2014
