[SS-2018-017] Potential XSS vulnerability in checkbox field, update overloading from core

The MultiValueCheckboxField overloads many methods from CheckboxSetField without defining any custom logic in them. Those methods are removed. The logic in getOptions() has also been updated to reflect the code in silverstripe/framework, and the custom HTML construction which has a potential XSS vulnerability in it has been removed in favour of using the default CheckboxSetField rendering
1 parent
9262efd
commit f523dfc
Showing
2 changed files
with
142 additions
and
199 deletions.
@@ -0,0 +1,36 @@ | ||
<?php | ||
|
||
/** | ||
* @mixin PHPUnit_Framework_TestCase | ||
*/ | ||
class MultiValueCheckboxFieldTest extends SapphireTest | ||
{ | ||
public function testGetOptionsFromMultiValueFieldRelationship() | ||
{ | ||
// Our stubbed object has a "join" method which returns a MultiValueField containing values | ||
$multiField = new MultiValueCheckboxField('FooField'); | ||
$multiField->setName('multiRelation'); | ||
|
||
// Create a mocked DataObject that returns a MultiValueField via a relation join getter | ||
$stub = $this->getMockBuilder(DataObject::class) | ||
->setMethods(['multiRelation']) | ||
->getMock(); | ||
|
||
$returnedField = new MultiValueField('Foo'); | ||
$returnedField->setValue(Member::get()); | ||
|
||
$stub->expects($this->once()) | ||
->method('multiRelation') | ||
->will($this->returnValue($returnedField)); | ||
|
||
// Create a stub form which has the StubObject as its data record | ||
$form = new Form(new Controller(), 'StubForm', new FieldList(), new FieldList()); | ||
$form->loadDataFrom($stub); | ||
$multiField->setForm($form); | ||
|
||
// Ensure that the returned result is a list and only contains members | ||
$result = $multiField->getOptions(); | ||
$this->assertInstanceOf('SS_List', $result); | ||
$this->assertContainsOnlyInstancesOf('Member', $result); | ||
} | ||
} |
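Review bot: The new test exercises only the relationship branch of getOptions() and never renders the field, so it does not pin the behaviour the commit is fixing — that option values and labels reach the output escaped now that the custom HTML construction is gone. A second test that gives the field a source whose label contains markup (a constructed value such as `'<b>x</b>'`), renders it, and asserts the rendered output contains the escaped label rather than the raw tag would turn the fix into a regression guard, assuming the default CheckboxSetField template escapes labels. Minor style point: `$this->assertInstanceOf('SS_List', $result)` and `$this->assertContainsOnlyInstancesOf('Member', $result)` use string class names where the same method uses `DataObject::class` a few lines earlier; `SS_List::class` and `Member::class` would keep it consistent. The file header naming this test file is not visible on the page.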