* Api: Prevent invalid customfield names

This commit is contained in:
nathangray 2021-06-11 10:02:36 -06:00
parent 9da0cfe5e8
commit ae86eb7812
2 changed files with 44 additions and 0 deletions


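--- a/Customfields.php
+++ b/Customfields.php
@@ -382,6 +382,8 @@ class Customfields implements \IteratorAggregate
 // Add new one in for numbering
 if(!$cf['id'])
 {
+// Make sure name is safe
+$cf['name'] = str_replace(array(">", "<", '"', "&"), "", $cf['name']);
 $cfs[$cf['name']] = $cf;
 }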
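Review bot: The strip on the `$cf['name'] = str_replace(...)` line is a denylist that omits the single quote, which delimits XML attributes just as `"` does, and it silently collapses names: a name consisting only of stripped characters becomes the empty `$cfs` key, and two new names that differ only in stripped characters map to the same key and overwrite each other. It also runs only inside the `if(!$cf['id'])` branch, so an existing field renamed to an unsafe name is presumably left untouched (the rest of this method is outside the hunk). I would add `'` to the list, trim the result and refuse an empty name instead of storing it: `$cf['name'] = trim(str_replace(array(">", "<", '"', "'", "&"), "", $cf['name']));` followed by `if ($cf['name'] === '') throw new \InvalidArgumentException('Custom field name is empty after removing invalid characters');`. Stripping on input only protects names that pass through this path; escaping where names are interpolated into the XML templates is the durable fix.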


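--- a/CustomfieldsTest.php
+++ b/CustomfieldsTest.php
@@ -34,6 +34,18 @@ class CustomfieldsTest extends LoggedInTest
 'private' => array()
 );
+public function tearDown(): void
+{
+// Clean
+$fields = Customfields::get(self::APP);
+foreach($this->customfields as $field_name)
+{
+unset($fields[$field_name]);
+}
+Customfields::save(self::APP, $fields);
+parent::tearDown();
+}
 protected function assertPreConditions() : void
 {
 parent::assertPreConditions();
@@ -48,6 +60,7 @@ class CustomfieldsTest extends LoggedInTest
 {
 // Create
 $field = $this->simple_field;
+$this->customfields[] = $field['name'];
 Customfields::update($field);
@@ -240,6 +253,34 @@ class CustomfieldsTest extends LoggedInTest
 $this->assertCount(1, $options);
 }
+/**
+ * Certain characters (&, ", etc.) will break our XML templates.
+ * Make sure they get stripped out.
+ */
+public function testInvalidName()
+{
+// Create
+$field = $this->simple_field;
+$this->customfields[] = $invalid_name = $field['name'] = '<Invalid> & "TEST"';
+$this->customfields[] = $valid_name = 'Invalid TEST';
+Customfields::update($field);
+// Check
+$fields = Customfields::get(self::APP);
+$this->assertArrayNotHasKey($invalid_name, $fields, "Invalid customfield name was allowed");
+$this->assertArrayHasKey($valid_name, $fields, "Invalid customfield name was not corrected");
+$saved_field = $fields[$valid_name];
+$this->assertEquals($valid_name, $saved_field['name'], "Invalid customfield name was allowed");
+// Clean
+unset($fields[$invalid_name], $fields[$saved_field['name']]);
+Customfields::save(self::APP, $fields);
+}
 protected function create_private_field()
 {
 // Create field
@@ -249,6 +290,7 @@ class CustomfieldsTest extends LoggedInTest
 'private' => array($GLOBALS['egw_info']['user']['account_id'])
 )
 );
+$this->customfields[] = $field['name'];
 Customfields::update($field);
 return $field;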
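Review bot: The expected corrected name on the `$this->customfields[] = $valid_name = 'Invalid TEST';` line does not match what the new sanitizer produces: removing `<`, `>`, `&` and `"` from `'<Invalid> & "TEST"'` leaves `'Invalid  TEST'` with two spaces where ` & ` was, so `assertArrayHasKey($valid_name, $fields)` should fail unless `Customfields::update` also normalizes whitespace somewhere not visible here. Either use an input without spaces around the `&`, e.g. `$this->customfields[] = $invalid_name = $field['name'] = '<Invalid>&"TEST"';` with `$this->customfields[] = $valid_name = 'InvalidTEST';`, or make the sanitizer trim and collapse whitespace and assert that explicitly. The test also never exercises `'`, which the sanitizer does not strip, nor the rename path for a field that already has an `id`. Separately, `tearDown()` iterates `$this->customfields` on every test, and no declaration of that property with an array default appears in these hunks (the class body continues outside them); if it is not declared elsewhere, tests that never append to it will hit a foreach-on-null warning. The inline cleanup at the end of `testInvalidName` duplicates what `tearDown()` now does and can be dropped.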