From f0d632073bdad7da90b15592e2a9346a30aee966 Mon Sep 17 00:00:00 2001
From: Romain Neutron
Date: Tue, 17 Dec 2013 11:29:30 +0100
Subject: [PATCH] Fix #1622 : Sanitize captions display
---
 lib/Alchemy/Phrasea/Application.php | 16 +++++++++++++++-
 .../SearchEngine/Phrasea/PhraseaEngine.php | 2 +-
 .../SphinxSearch/SphinxSearchEngine.php | 4 ++--
 lib/classes/caption/Field/Value.php | 19 ++++--------------
 .../common/caption_templates/answer.html.twig | 2 +-
 .../basket_element.html.twig | 4 ++--
 .../internal_publi.html.twig | 4 ++--
 .../caption_templates/lazaret.html.twig | 4 ++--
 .../caption_templates/overview.html.twig | 4 ++--
 .../caption_templates/preview.html.twig | 4 ++--
 .../SearchEngine/SearchEngineAbstractTest.php | 2 +-
 11 files changed, 34 insertions(+), 31 deletions(-)
diff --git a/lib/Alchemy/Phrasea/Application.php b/lib/Alchemy/Phrasea/Application.php
index 3f63f12ecd..e7ad5c7c15 100644
--- a/lib/Alchemy/Phrasea/Application.php
+++ b/lib/Alchemy/Phrasea/Application.php
@@ -611,10 +611,24 @@ class Application extends SilexApplication $twig->addFilter('base_from_coll', new \Twig_Filter_Function('phrasea::baseFromColl')); $twig->addFilter('AppName', new \Twig_Filter_Function('Alchemy\Phrasea\Controller\Admin\ConnectedUsers::appName')); $twig->addFilter(new \Twig_SimpleFilter('escapeSimpleQuote', function ($value) { - $ret = str_replace("'", "\'", $value); + $ret = str_replace("'", "\\'", $value); return $ret; })); + $twig->addFilter(new \Twig_SimpleFilter('thesaurus', function (\Twig_Environment $twig, $value) { + if (!$value instanceof \ThesaurusValue) { + return twig_escape_filter($twig, str_replace(array('[[em]]', '[[/em]]'), array('', ''), $value)); + } + + return "getField()->get_databox()->get_sbas_id() . "','" + . str_replace("'", "\\'", $value->getQuery()) + . "', '" + . str_replace("'", "\\'", $value->getField()->get_name()) + . "');return(false);\">" + . twig_escape_filter($twig, str_replace(array('[[em]]', '[[/em]]'), array('', ''), $value->getValue())) + . ""; + }, array('needs_environment' => true, 'is_safe' => array('html')))); + $twig->addFilter(new \Twig_SimpleFilter('escapeDoubleQuote', function ($value) { return str_replace('"', '\"', $value); })); diff --git a/lib/Alchemy/Phrasea/SearchEngine/Phrasea/PhraseaEngine.php b/lib/Alchemy/Phrasea/SearchEngine/Phrasea/PhraseaEngine.php index c846f67c35..9847d1da4b 100644 --- a/lib/Alchemy/Phrasea/SearchEngine/Phrasea/PhraseaEngine.php +++ b/lib/Alchemy/Phrasea/SearchEngine/Phrasea/PhraseaEngine.php @@ -641,7 +641,7 @@ class PhraseaEngine implements SearchEngineInterface if ($sxe && $sxe->description && $sxe->description->$name) { $val = array(); foreach ($sxe->description->$name as $value) { - $val[] = str_replace(array('[[em]]', '[[/em]]'), array('', ''), (string) $value); + $val[] = (string) $value; } $separator = $field['separator'] ? $field['separator'][0] : ''; $val = implode(' ' . $separator . ' ', $val); 
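Review bot: The new `thesaurus` filter builds an `onclick` attribute whose JavaScript string arguments are only backslash-escaped for `'`, yet the filter is registered with `is_safe => array('html')`, so a caption query or field name containing `"`, `\` or a line break can terminate the attribute or the JS literal and inject markup into the page that nothing downstream will escape. Use Twig's JS escaper for both arguments, `. twig_escape_filter($twig, $value->getQuery(), 'js')` and `. twig_escape_filter($twig, $value->getField()->get_name(), 'js')`, which encodes every non-alphanumeric character and is therefore also safe inside the double-quoted attribute; `get_sbas_id()` is presumably an integer, otherwise it needs the same treatment. In both branches the placeholder replacement runs inside `twig_escape_filter`, so whatever it substitutes for `[[em]]`/`[[/em]]` is escaped as well and no highlight markup can reach the page — if highlighting is meant to survive, escape first and map the placeholders afterwards. The `escapeSimpleQuote` change from `"\'"` to `"\\'"` does not alter the string (PHP double quotes leave `\'` as two characters), and that filter shares the same limitation.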
diff --git a/lib/Alchemy/Phrasea/SearchEngine/SphinxSearch/SphinxSearchEngine.php b/lib/Alchemy/Phrasea/SearchEngine/SphinxSearch/SphinxSearchEngine.php index 5bbaa21f23..205c4bf792 100644 --- a/lib/Alchemy/Phrasea/SearchEngine/SphinxSearch/SphinxSearchEngine.php +++ b/lib/Alchemy/Phrasea/SearchEngine/SphinxSearch/SphinxSearchEngine.php @@ -552,8 +552,8 @@ class SphinxSearchEngine implements SearchEngineInterface } $opts = array( - 'before_match' => "", - 'after_match' => "", + 'before_match' => "[[em]]", + 'after_match' => "[[/em]]", ); $fields_to_send = array(); diff --git a/lib/classes/caption/Field/Value.php b/lib/classes/caption/Field/Value.php index e15826a05d..33d338c476 100644 --- a/lib/classes/caption/Field/Value.php +++ b/lib/classes/caption/Field/Value.php @@ -354,7 +354,7 @@ class caption_Field_Value implements cache_cacheableInterface } // ---------------- new code ---------------------- - $cleanvalue = str_replace(array("", "", "'"), array("", "", "'"), $value); + $cleanvalue = str_replace(array("[[em]]", "[[/em]]", "'"), array("", "", "'"), $value); list($term_noacc, $context_noacc) = $this->splitTermAndContext($cleanvalue); $term_noacc = $this->app['unicode']->remove_indexer_chars($term_noacc); 
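Review bot: The `[[em]]`/`[[/em]]` placeholders set as `before_match`/`after_match` now travel in-band with untrusted caption text, and the same literal is repeated in Value.php, the `thesaurus` Twig filter and the abstract test; a stored caption that happens to contain `[[em]]` is indistinguishable from an engine highlight and is silently rewritten on display. Declaring the markers once, e.g. `const HIGHLIGHT_OPEN = '[[em]]';` and `const HIGHLIGHT_CLOSE = '[[/em]]';` on `SearchEngineInterface`, and referencing them here would keep both engines and the renderer in sync. A comment on these two lines should also state that the placeholders are consumed only by the `thesaurus` Twig filter. The enclosing method starts and ends outside the hunk.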
@@ -388,21 +388,10 @@ class caption_Field_Value implements cache_cacheableInterface } if($bestnode) { - list($term, $context) = $this->splitTermAndContext($value); - $term = str_replace(array("", ""), array("", ""), $term); - $context = str_replace(array("", ""), array("", ""), $context); - $qjs = $term; - if ($context) { - $qjs .= " [" . $context . "]"; - } + list($term, $context) = $this->splitTermAndContext(str_replace(array("[[em]]", "[[/em]]"), array("", ""), $value)); + $qjs = $term . ($context ? '['.$context.']' : ''); - $value = "get_sbas_id() . "','" - . str_replace("'", "\'", $qjs) - . "', '" - . str_replace("'", "\'", $this->databox_field->get_name()) - . "');return(false);\">" - . $bestnode->getAttribute('v') - . ""; + $value = new ThesaurusValue($bestnode->getAttribute('v'), $this->databox_field, $qjs); } return $value; diff --git a/templates/web/common/caption_templates/answer.html.twig b/templates/web/common/caption_templates/answer.html.twig index 8d6875320a..ebb65f00bf 100644 --- a/templates/web/common/caption_templates/answer.html.twig +++ b/templates/web/common/caption_templates/answer.html.twig @@ -1,6 +1,6 @@ {% macro format_caption(record, highlight, searchEngine, includeBusiness) %} {% for value in record.get_caption().get_highlight_fields(highlight, null, searchEngine, includeBusiness) %} -
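Review bot: `ThesaurusValue` is instantiated here and type-checked in the Twig filter, but none of the 11 files in the diffstat defines it, so either the class already exists outside this patch or the patch is incomplete; its constructor contract (value, field, query) deserves a docblock either way. The rewritten `$qjs` also drops the space the removed lines put before `[` (`" [" . $context . "]"` became `'['.$context.']'`), which changes the query handed to the thesaurus click handler; if that spacing was significant, restore it with `$qjs = $term . ($context ? ' [' . $context . ']' : '');`. As before, `$context ?` treats a context of `'0'` as absent. The enclosing method starts before the hunk.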
{{ value.label }} : {{value.value|raw}}
+
{{ value.label }} : {{ value.value | thesaurus }}
{% endfor %} {% if app['authentication'].getUser().getPrefs('technical_display') == 'group' %}
diff --git a/templates/web/common/caption_templates/basket_element.html.twig b/templates/web/common/caption_templates/basket_element.html.twig index 58de726519..4896301eb8 100644 --- a/templates/web/common/caption_templates/basket_element.html.twig +++ b/templates/web/common/caption_templates/basket_element.html.twig @@ -1,5 +1,5 @@ {% macro format_caption(record, highlight, searchEngine, includeBusiness) %} {% for value in record.get_caption().get_highlight_fields(highlight, null, searchEngine, includeBusiness) %} -
{{ value.label }} : {{value.value|raw}}
+
{{ value.label }} : {{ value.value | thesaurus }}
{% endfor %} -{% endmacro %} \ No newline at end of file +{% endmacro %} diff --git a/templates/web/common/caption_templates/internal_publi.html.twig b/templates/web/common/caption_templates/internal_publi.html.twig index e08a58bfc5..ebb65f00bf 100644 --- a/templates/web/common/caption_templates/internal_publi.html.twig +++ b/templates/web/common/caption_templates/internal_publi.html.twig @@ -1,9 +1,9 @@ {% macro format_caption(record, highlight, searchEngine, includeBusiness) %} {% for value in record.get_caption().get_highlight_fields(highlight, null, searchEngine, includeBusiness) %} -
{{ value.label }} : {{value.value|raw}}
+
{{ value.label }} : {{ value.value | thesaurus }}
{% endfor %} {% if app['authentication'].getUser().getPrefs('technical_display') == 'group' %}
{% include 'common/technical_datas.html.twig' %} {% endif %} -{% endmacro %} \ No newline at end of file +{% endmacro %} diff --git a/templates/web/common/caption_templates/lazaret.html.twig b/templates/web/common/caption_templates/lazaret.html.twig index e08a58bfc5..ebb65f00bf 100644 --- a/templates/web/common/caption_templates/lazaret.html.twig +++ b/templates/web/common/caption_templates/lazaret.html.twig @@ -1,9 +1,9 @@ {% macro format_caption(record, highlight, searchEngine, includeBusiness) %} {% for value in record.get_caption().get_highlight_fields(highlight, null, searchEngine, includeBusiness) %} -
{{ value.label }} : {{value.value|raw}}
+
{{ value.label }} : {{ value.value | thesaurus }}
{% endfor %} {% if app['authentication'].getUser().getPrefs('technical_display') == 'group' %}
{% include 'common/technical_datas.html.twig' %} {% endif %} -{% endmacro %} \ No newline at end of file +{% endmacro %} diff --git a/templates/web/common/caption_templates/overview.html.twig b/templates/web/common/caption_templates/overview.html.twig index 4298a51bca..78e01030f8 100644 --- a/templates/web/common/caption_templates/overview.html.twig +++ b/templates/web/common/caption_templates/overview.html.twig @@ -1,5 +1,5 @@ {% macro format_caption(record, highlight, searchEngine, includeBusiness) %} {% for value in record.get_caption().get_highlight_fields(highlight, null, searchEngine, includeBusiness) %} -
{{ value.label }} : {{value.value|raw}}
+
{{ value.label }} : {{ value.value }}
{% endfor %} -{% endmacro %} \ No newline at end of file +{% endmacro %} diff --git a/templates/web/common/caption_templates/preview.html.twig b/templates/web/common/caption_templates/preview.html.twig index 58de726519..4896301eb8 100644 --- a/templates/web/common/caption_templates/preview.html.twig +++ b/templates/web/common/caption_templates/preview.html.twig @@ -1,5 +1,5 @@ {% macro format_caption(record, highlight, searchEngine, includeBusiness) %} {% for value in record.get_caption().get_highlight_fields(highlight, null, searchEngine, includeBusiness) %} -
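Review bot: `overview.html.twig` now prints `{{ value.value }}` without the `thesaurus` filter that the sibling templates apply, so with the Value.php change a value that is a `ThesaurusValue` object reaches Twig's autoescaper as an object (which needs a `__toString`, not shown in this patch), and plain strings keep their literal `[[em]]`/`[[/em]]` placeholders in the rendered output. Unless the overview is deliberately meant to show no thesaurus links, use the same expression as the other templates, `{{ value.label }} : {{ value.value | thesaurus }}`.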
{{ value.label }} : {{value.value|raw}}
+
{{ value.label }} : {{ value.value | thesaurus }}
{% endfor %} -{% endmacro %} \ No newline at end of file +{% endmacro %} diff --git a/tests/Alchemy/Tests/Phrasea/SearchEngine/SearchEngineAbstractTest.php b/tests/Alchemy/Tests/Phrasea/SearchEngine/SearchEngineAbstractTest.php index 5f2d48fdcf..7a83858c22 100644 --- a/tests/Alchemy/Tests/Phrasea/SearchEngine/SearchEngineAbstractTest.php +++ b/tests/Alchemy/Tests/Phrasea/SearchEngine/SearchEngineAbstractTest.php @@ -754,7 +754,7 @@ abstract class SearchEngineAbstractTest extends \PhraseanetPHPUnitAuthenticatedA $found = false; foreach (self::$searchEngine->excerpt($query_string, $fields, $foundRecord) as $field) { - if (strpos($field, '') !== false && strpos($field, '') !== false) { + if (strpos($field, '[[em]]') !== false && strpos($field, '[[/em]]') !== false) { $found = true; break; }