holm/egroupware
1
1
Fork 0
forked from extern/egroupware
Code Issues Pull Requests Packages Projects Releases Wiki Activity

* Api: Prevent invalid customfield names

Browse Source 
(cherry picked from commit ae86eb7812)
This commit is contained in:
nathangray 2021-06-11 10:02:36 -06:00
parent b6282742a2
commit d6c6e14abf
2 changed files with 44 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
api/src/Storage/Customfields.php
View File

@ -382,6 +382,8 @@ class Customfields implements \IteratorAggregate
// Add new one in for numbering
if(!$cf['id'])
{
// Make sure name is safe
$cf['name'] = str_replace(array(">", "<", '"', "&"), "", $cf['name']);
$cfs[$cf['name']] = $cf;
}

42
api/tests/Storage/CustomfieldsTest.php
View File

@ -34,6 +34,18 @@ class CustomfieldsTest extends LoggedInTest
'private' => array()
);
public function tearDown(): void
{
// Clean
$fields = Customfields::get(self::APP);
foreach($this->customfields as $field_name)
{
unset($fields[$field_name]);
}
Customfields::save(self::APP, $fields);
parent::tearDown();
}
protected function assertPreConditions() : void
{
parent::assertPreConditions();
@ -48,6 +60,7 @@ class CustomfieldsTest extends LoggedInTest
{
// Create
$field = $this->simple_field;
$this->customfields[] = $field['name'];
Customfields::update($field);
@ -240,6 +253,34 @@ class CustomfieldsTest extends LoggedInTest
$this->assertCount(1, $options);
}
/**
* Certain characters (&, ", etc.) will break our XML templates.
* Make sure they get stripped out.
*/
public function testInvalidName()
{
// Create
$field = $this->simple_field;
$this->customfields[] = $invalid_name = $field['name'] = '<Invalid> & "TEST"';
$this->customfields[] = $valid_name = 'Invalid TEST';
Customfields::update($field);
// Check
$fields = Customfields::get(self::APP);
$this->assertArrayNotHasKey($invalid_name, $fields, "Invalid customfield name was allowed");
$this->assertArrayHasKey($valid_name, $fields, "Invalid customfield name was not corrected");
$saved_field = $fields[$valid_name];
$this->assertEquals($valid_name, $saved_field['name'], "Invalid customfield name was allowed");
// Clean
unset($fields[$invalid_name], $fields[$saved_field['name']]);
Customfields::save(self::APP, $fields);
}
protected function create_private_field()
{
// Create field
@ -249,6 +290,7 @@ class CustomfieldsTest extends LoggedInTest
'private' => array($GLOBALS['egw_info']['user']['account_id'])
)
);
$this->customfields[] = $field['name'];
Customfields::update($field);
return $field;