Fix #1622 : Sanitize captions display

2025-10-13 13:03:20 +00:00 · 2013-12-17 11:29:30 +01:00
parent c788daa1e9
commit f0d632073b
11 changed files with 34 additions and 31 deletions
--- a/lib/Alchemy/Phrasea/Application.php
+++ b/lib/Alchemy/Phrasea/Application.php
@@ -611,10 +611,24 @@ class Application extends SilexApplication
                $twig->addFilter('base_from_coll', new \Twig_Filter_Function('phrasea::baseFromColl'));
                $twig->addFilter('AppName', new \Twig_Filter_Function('Alchemy\Phrasea\Controller\Admin\ConnectedUsers::appName'));
                $twig->addFilter(new \Twig_SimpleFilter('escapeSimpleQuote', function ($value) {
-                    $ret = str_replace("'", "\'", $value);
+                    $ret = str_replace("'", "\\'", $value);
                    return $ret;
                }));
                $twig->addFilter(new \Twig_SimpleFilter('thesaurus', function (\Twig_Environment $twig, $value) {
                    if (!$value instanceof \ThesaurusValue) {
                        return twig_escape_filter($twig, str_replace(array('[[em]]', '[[/em]]'), array('<em>', '</em>'), $value));
                    }
                    return "<a class=\"bounce\" onclick=\"bounce('" . $value->getField()->get_databox()->get_sbas_id() . "','"
                        . str_replace("'", "\\'", $value->getQuery())
                        . "', '"
                        . str_replace("'", "\\'", $value->getField()->get_name())
                        . "');return(false);\">"
                        . twig_escape_filter($twig, str_replace(array('[[em]]', '[[/em]]'), array('<em>', '</em>'), $value->getValue()))
                        . "</a>";
                }, array('needs_environment' => true, 'is_safe' => array('html'))));
                $twig->addFilter(new \Twig_SimpleFilter('escapeDoubleQuote', function ($value) {
                    return str_replace('"', '\"', $value);
                }));
--- a/lib/Alchemy/Phrasea/SearchEngine/Phrasea/PhraseaEngine.php
+++ b/lib/Alchemy/Phrasea/SearchEngine/Phrasea/PhraseaEngine.php
@@ -641,7 +641,7 @@ class PhraseaEngine implements SearchEngineInterface
            if ($sxe && $sxe->description && $sxe->description->$name) {
                $val = array();
                foreach ($sxe->description->$name as $value) {
-                    $val[] = str_replace(array('[[em]]', '[[/em]]'), array('<em>', '</em>'), (string) $value);
+                    $val[] = (string) $value;
                }
                $separator = $field['separator'] ? $field['separator'][0] : '';
                $val = implode(' ' . $separator . ' ', $val);
--- a/lib/Alchemy/Phrasea/SearchEngine/SphinxSearch/SphinxSearchEngine.php
+++ b/lib/Alchemy/Phrasea/SearchEngine/SphinxSearch/SphinxSearchEngine.php
@@ -552,8 +552,8 @@ class SphinxSearchEngine implements SearchEngineInterface
        }
        $opts = array(
-            'before_match' => "<em>",
+            'before_match' => "[[em]]",
-            'after_match'  => "</em>",
+            'after_match'  => "[[/em]]",
        );
        $fields_to_send = array();
--- a/lib/classes/caption/Field/Value.php
+++ b/lib/classes/caption/Field/Value.php
@@ -354,7 +354,7 @@ class caption_Field_Value implements cache_cacheableInterface
        }
        // ---------------- new code ----------------------
-        $cleanvalue = str_replace(array("<em>", "</em>", "'"), array("", "", "&apos;"), $value);
+        $cleanvalue = str_replace(array("[[em]]", "[[/em]]", "'"), array("", "", "&apos;"), $value);
        list($term_noacc, $context_noacc) = $this->splitTermAndContext($cleanvalue);
        $term_noacc = $this->app['unicode']->remove_indexer_chars($term_noacc);
@@ -388,21 +388,10 @@ class caption_Field_Value implements cache_cacheableInterface
        }
        if($bestnode)
        {
-            list($term, $context) = $this->splitTermAndContext($value);
+            list($term, $context) = $this->splitTermAndContext(str_replace(array("[[em]]", "[[/em]]"), array("", ""), $value));
-            $term = str_replace(array("<em>", "</em>"), array("", ""), $term);
+            $qjs = $term . ($context ? '['.$context.']' : '');
            $context = str_replace(array("<em>", "</em>"), array("", ""), $context);
            $qjs = $term;
            if ($context) {
                $qjs .= " [" . $context . "]";
            }
-            $value = "<a class=\"bounce\" onclick=\"bounce('" . $databox->get_sbas_id() . "','"
+            $value = new ThesaurusValue($bestnode->getAttribute('v'), $this->databox_field, $qjs);
                . str_replace("'", "\'", $qjs)
                . "', '"
                . str_replace("'", "\'", $this->databox_field->get_name())
                . "');return(false);\">"
                . $bestnode->getAttribute('v')
                . "</a>";
        }
        return $value;
--- a/templates/web/common/caption_templates/answer.html.twig
+++ b/templates/web/common/caption_templates/answer.html.twig
@@ -1,6 +1,6 @@
 {% macro format_caption(record, highlight, searchEngine, includeBusiness) %}
    {% for value in record.get_caption().get_highlight_fields(highlight, null, searchEngine, includeBusiness) %}
-        <div class="desc{% if loop.index is odd %}im{% endif %}pair"><b>{{ value.label }}</b> : {{value.value|raw}}</div>
+        <div class="desc{% if loop.index is odd %}im{% endif %}pair"><b>{{ value.label }}</b> : {{ value.value | thesaurus }}</div>
    {% endfor %}
    {% if app['authentication'].getUser().getPrefs('technical_display') == 'group' %}
        <hr/>
--- a/templates/web/common/caption_templates/basket_element.html.twig
+++ b/templates/web/common/caption_templates/basket_element.html.twig
@@ -1,5 +1,5 @@
 {% macro format_caption(record, highlight, searchEngine, includeBusiness) %}
  {% for value in record.get_caption().get_highlight_fields(highlight, null, searchEngine, includeBusiness) %}
-  <div class="desc{% if loop.index is odd %}im{% endif %}pair"><b>{{ value.label }}</b> : {{value.value|raw}}</div>
+  <div class="desc{% if loop.index is odd %}im{% endif %}pair"><b>{{ value.label }}</b> : {{ value.value | thesaurus }}</div>
  {% endfor %}
-{% endmacro %}
+{% endmacro %}
--- a/templates/web/common/caption_templates/internal_publi.html.twig
+++ b/templates/web/common/caption_templates/internal_publi.html.twig
@@ -1,9 +1,9 @@
 {% macro format_caption(record, highlight, searchEngine, includeBusiness) %}
    {% for value in record.get_caption().get_highlight_fields(highlight, null, searchEngine, includeBusiness) %}
-        <div class="desc{% if loop.index is odd %}im{% endif %}pair"><b>{{ value.label }}</b> : {{value.value|raw}}</div>
+        <div class="desc{% if loop.index is odd %}im{% endif %}pair"><b>{{ value.label }}</b> : {{ value.value | thesaurus }}</div>
    {% endfor %}
    {% if app['authentication'].getUser().getPrefs('technical_display') == 'group' %}
        <hr/>
        {% include 'common/technical_datas.html.twig' %}
    {% endif %}
-{% endmacro %}
+{% endmacro %}
--- a/templates/web/common/caption_templates/lazaret.html.twig
+++ b/templates/web/common/caption_templates/lazaret.html.twig
@@ -1,9 +1,9 @@
 {% macro format_caption(record, highlight, searchEngine, includeBusiness) %}
    {% for value in record.get_caption().get_highlight_fields(highlight, null, searchEngine, includeBusiness) %}
-        <div class="desc{% if loop.index is odd %}im{% endif %}pair"><b>{{ value.label }}</b> : {{value.value|raw}}</div>
+        <div class="desc{% if loop.index is odd %}im{% endif %}pair"><b>{{ value.label }}</b> : {{ value.value | thesaurus }}</div>
    {% endfor %}
    {% if app['authentication'].getUser().getPrefs('technical_display') == 'group' %}
        <hr/>
        {% include 'common/technical_datas.html.twig' %}
    {% endif %}
-{% endmacro %}
+{% endmacro %}
--- a/templates/web/common/caption_templates/overview.html.twig
+++ b/templates/web/common/caption_templates/overview.html.twig
@@ -1,5 +1,5 @@
 {% macro format_caption(record, highlight, searchEngine, includeBusiness) %}
  {% for value in record.get_caption().get_highlight_fields(highlight, null, searchEngine, includeBusiness) %}
-  <div><b>{{ value.label }}</b> : {{value.value|raw}}</div>
+  <div><b>{{ value.label }}</b> : {{ value.value }}</div>
  {% endfor %}
-{% endmacro %}
+{% endmacro %}
--- a/templates/web/common/caption_templates/preview.html.twig
+++ b/templates/web/common/caption_templates/preview.html.twig
@@ -1,5 +1,5 @@
 {% macro format_caption(record, highlight, searchEngine, includeBusiness) %}
  {% for value in record.get_caption().get_highlight_fields(highlight, null, searchEngine, includeBusiness) %}
-  <div class="desc{% if loop.index is odd %}im{% endif %}pair"><b>{{ value.label }}</b> : {{value.value|raw}}</div>
+  <div class="desc{% if loop.index is odd %}im{% endif %}pair"><b>{{ value.label }}</b> : {{ value.value | thesaurus }}</div>
  {% endfor %}
-{% endmacro %}
+{% endmacro %}
--- a/tests/Alchemy/Tests/Phrasea/SearchEngine/SearchEngineAbstractTest.php
+++ b/tests/Alchemy/Tests/Phrasea/SearchEngine/SearchEngineAbstractTest.php
@@ -754,7 +754,7 @@ abstract class SearchEngineAbstractTest extends \PhraseanetPHPUnitAuthenticatedA
        $found = false;
        foreach (self::$searchEngine->excerpt($query_string, $fields, $foundRecord) as $field) {
-            if (strpos($field, '<em>') !== false && strpos($field, '</em>') !== false) {
+            if (strpos($field, '[[em]]') !== false && strpos($field, '[[/em]]') !== false) {
                $found = true;
                break;
            }