77 lines
3.0 KiB
PHP
77 lines
3.0 KiB
PHP
<?php
|
|
/**
|
|
* Copyright 2014 Openstack Foundation
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
**/
|
|
class SafeXSSForm extends Form {
|
|
|
|
private static $allowed_actions = array('httpSubmission');
|
|
|
|
function __construct($controller, $name, FieldList $fields, FieldList $actions, $validator = null) {
|
|
parent::__construct($controller, $name, $fields, $actions, $validator);
|
|
}
|
|
/**
|
|
* Save the contents of this form into the given data object.
|
|
* It will make use of setCastedField() to do this.
|
|
*
|
|
* @param $dataObject The object to save data into
|
|
* @param $fieldList An optional list of fields to process. This can be useful when you have a
|
|
* form that has some fields that save to one object, and some that save to another.
|
|
*/
|
|
function saveInto(DataObjectInterface $dataObject, $fieldList = null) {
|
|
$dataFields = $this->fields->saveableFields();
|
|
$lastField = null;
|
|
|
|
$config = HTMLPurifier_Config::createDefault();
|
|
// Remove any CSS or inline styles
|
|
$config->set('CSS.AllowedProperties', array());
|
|
$purifier = new HTMLPurifier($config);
|
|
|
|
if($dataFields) foreach($dataFields as $field) {
|
|
// Skip fields that have been excluded
|
|
if($fieldList && is_array($fieldList) && !in_array($field->Name(), $fieldList)) continue;
|
|
$saveMethod = "save{$field->getName()}";
|
|
//purify
|
|
$value = $field->dataValue();
|
|
$class = get_class($field);
|
|
if(is_string($value) && ($class=='TextField' || $class=="TextareaField"))
|
|
$field->setValue($purifier->purify($value));
|
|
|
|
if($field->getName() == "ClassName"){
|
|
$lastField = $field;
|
|
}else if( $dataObject->hasMethod( $saveMethod ) ){
|
|
$dataObject->$saveMethod( $field->dataValue());
|
|
} else if($field->getName() != "ID"){
|
|
$field->saveInto($dataObject);
|
|
}
|
|
}
|
|
if($lastField) $lastField->saveInto($dataObject);
|
|
}
|
|
|
|
function httpSubmission($request) {
|
|
// Protection against CSRF attacks
|
|
$token = $this->getSecurityToken();
|
|
if(!$token->checkRequest($request)) {
|
|
$this->httpError(412, "Security token doesn't match, possible CSRF attack.");
|
|
}
|
|
|
|
return parent::httpSubmission($request);
|
|
}
|
|
|
|
public function httpError($code, $message = null) {
|
|
if (!(Permission::check("ADMIN"))) {
|
|
$response = ErrorPage::response_for($code);
|
|
}
|
|
if (empty($response)) $response = $message;
|
|
throw new SS_HTTPResponse_Exception($response);
|
|
}
|
|
|
|
} |