author | Nathan Guse <nathaniel.guse@gmail.com> | 2012-12-09 13:24:43 -0600 |
---|---|---|
committer | Nathan Guse <nathaniel.guse@gmail.com> | 2012-12-09 13:24:43 -0600 |
commit | 357a4facf6a5b026c507b54dc8c35b20207e80e0 (patch) | |
tree | ab66915bf0bd5afa84eff7899d88b17c5581cbd2 | |
parent | 37565f37e4363f257a160145bc7973a2d5738a86 (diff) | |
parent | 3fe381eed561e724700b21789e28ea3efb1f7ef9 (diff) | |
Merge branch 'develop' of git://github.com/phpbb/phpbb3 into ticket/11103
Conflicts:
phpBB/includes/functions.php
-rw-r--r-- | phpBB/includes/functions.php | 103 | ||||
-rw-r--r-- | phpBB/styles/prosilver/template/jumpbox.html | 3 | ||||
-rw-r--r-- | phpBB/styles/subsilver2/template/jumpbox.html | 4 | ||||
-rw-r--r-- | phpBB/styles/subsilver2/template/mcp_jumpbox.html | 3 | ||||
-rw-r--r-- | tests/dbal/write_sequence_test.php | 4 | ||||
-rw-r--r-- | tests/functions/build_hidden_fields_for_query_params_test.php | 71 | ||||
-rw-r--r-- | tests/functions/quoteattr_test.php | 44 | ||||
-rw-r--r-- | tests/search/mysql_test.php | 2 | ||||
-rw-r--r-- | tests/search/native_test.php | 2 | ||||
-rw-r--r-- | tests/search/postgres_test.php | 2 |
10 files changed, 229 insertions, 9 deletions
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index c2694d3bd7..6f619ef51d 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -4942,12 +4942,107 @@ function phpbb_http_login($param)
 }
 /**
+* Escapes and quotes a string for use as an HTML/XML attribute value.
+*
+* This is a port of Python xml.sax.saxutils quoteattr.
+*
+* The function will attempt to choose a quote character in such a way as to
+* avoid escaping quotes in the string. If this is not possible the string will
+* be wrapped in double quotes and double quotes will be escaped.
+*
+* @param string $data The string to be escaped
+* @param array $entities Associative array of additional entities to be escaped
+* @return string Escaped and quoted string
+*/
+function phpbb_quoteattr($data, $entities = null)
+{
+ $data = str_replace('&', '&', $data);
+ $data = str_replace('>', '>', $data);
+ $data = str_replace('<', '<', $data);
+
+ $data = str_replace("\n", ' ', $data);
+ $data = str_replace("\r", ' ', $data);
+ $data = str_replace("\t", '	', $data);
+
+ if (!empty($entities))
+ {
+ $data = str_replace(array_keys($entities), array_values($entities), $data);
+ }
+
+ if (strpos($data, '"') !== false)
+ {
+ if (strpos($data, "'") !== false)
+ {
+ $data = '"' . str_replace('"', '"', $data) . '"';
+ }
+ else
+ {
+ $data = "'" . $data . "'";
+ }
+ }
+ else
+ {
+ $data = '"' . $data . '"';
+ }
+
+ return $data;
+}
+
+/**
+* Converts query string (GET) parameters in request into hidden fields.
+*
+* Useful for forwarding GET parameters when submitting forms with GET method.
+*
+* It is possible to omit some of the GET parameters, which is useful if
+* they are specified in the form being submitted.
+*
+* sid is always omitted.
+*
+* @param phpbb_request $request Request object
+* @param array $exclude A list of variable names that should not be forwarded
+* @return string HTML with hidden fields
+*/
+function phpbb_build_hidden_fields_for_query_params($request, $exclude = null)
+{
+ $names = $request->variable_names(phpbb_request_interface::GET);
+ $hidden = '';
+ foreach ($names as $name)
+ {
+ // Sessions are dealt with elsewhere, omit sid always
+ if ($name == 'sid')
+ {
+ continue;
+ }
+
+ // Omit any additional parameters requested
+ if (!empty($exclude) && in_array($name, $exclude))
+ {
+ continue;
+ }
+
+ $escaped_name = phpbb_quoteattr($name);
+
+ // Note: we might retrieve the variable from POST or cookies
+ // here. To avoid exposing cookies, skip variables that are
+ // overwritten somewhere other than GET entirely.
+ $value = $request->variable($name, '', true);
+ $get_value = $request->variable($name, '', true, phpbb_request_interface::GET);
+ if ($value === $get_value)
+ {
+ $escaped_value = phpbb_quoteattr($value);
+ $hidden .= "<input type='hidden' name=$escaped_name value=$escaped_value />";
+ }
+ }
+ return $hidden;
+}
+
+/**
 * Generate page header
 */
 function page_header($page_title = '', $display_online_list = true, $item_id = 0, $item = 'forum')
 {
 global $db, $config, $template, $SID, $_SID, $_EXTRA_URL, $user, $auth, $phpEx, $phpbb_root_path;
- global $phpbb_dispatcher, $phpbb_notifications;
+ global $phpbb_dispatcher, $request, $phpbb_notifications;
 if (defined('HEADER_INC'))
 {
@@ -5135,7 +5230,7 @@ function page_header($page_title = '', $display_online_list = true, $item_id = 0
 {
 $timezone_name = $user->lang['timezones'][$timezone_name];
 }
-
+ // Output the notifications
 if ($config['load_notifications'])
 {
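Review bot: Both filters in phpbb_build_hidden_fields_for_query_params use loose comparison — `if ($name == 'sid')` and `in_array($name, $exclude)` — and under PHP 5/7 loose rules an integer compares equal to any non-numeric string (`0 == 'sid'` is true), so if variable_names() hands back numeric query keys as integers, as array_keys() would, a parameter such as `?0=x` is silently dropped as though it were the session id. Use `if ($name === 'sid')` and `in_array($name, $exclude, true)`, preceded by `$name = (string) $name;` if integer keys can occur. Separately, as rendered here the escaping in phpbb_quoteattr replaces each character with itself (`str_replace('&', '&', $data)`, `'<'`→`'<'`, `'"'`→`'"'`), which would make the function a no-op and the hidden fields injectable; this is almost certainly the page having decoded the HTML entities (`&amp;`, `&lt;`, `&gt;`, `&quot;`, `&#10;`, `&#13;`, `&#9;`), and the quoteattr test expecting `'"&amp;"'` for a bare `&` only makes sense if the source really writes `&amp;`, but it is worth confirming against the file since the jumpbox's XSS defence rests on it. The docblock could also state that the return value already carries its own quotes, so callers must write `name=$escaped` with no surrounding quotes, exactly as the hidden-fields builder does.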
@@ -5150,6 +5245,9 @@ function page_header($page_title = '', $display_online_list = true, $item_id = 0
 }
 }
+ $hidden_fields_for_jumpbox = phpbb_build_hidden_fields_for_query_params($request, array('f'));
+
+ // The following assigns all _common_ variables that may be used at any point in a template.
 $template->assign_vars(array(
 'SITENAME' => $config['sitename'],
@@ -5164,6 +5262,7 @@ function page_header($page_title = '', $display_online_list = true, $item_id = 0
 'RECORD_USERS' => $l_online_record,
 'PRIVATE_MESSAGE_INFO' => $l_privmsgs_text,
 'PRIVATE_MESSAGE_INFO_UNREAD' => $l_privmsgs_text_unread,
+ 'HIDDEN_FIELDS_FOR_JUMPBOX' => $hidden_fields_for_jumpbox,
 'UNREAD_NOTIFICATIONS_COUNT' => ($config['load_notifications']) ? $notifications['unread_count'] : '',
 'NOTIFICATIONS_COUNT' => ($config['load_notifications']) ? $user->lang('NOTIFICATIONS_COUNT', $notifications['unread_count']) : '',
diff --git a/phpBB/styles/prosilver/template/jumpbox.html b/phpBB/styles/prosilver/template/jumpbox.html
index ff234464dc..dd793fbadc 100644
--- a/phpBB/styles/prosilver/template/jumpbox.html
+++ b/phpBB/styles/prosilver/template/jumpbox.html
@@ -10,13 +10,14 @@
 <!-- ENDIF -->
 <!-- IF S_DISPLAY_JUMPBOX -->
- <form method="post" id="jumpbox" action="{S_JUMPBOX_ACTION}" onsubmit="if(this.f.value == -1){return false;}">
+ <form method="get" id="jumpbox" action="{S_JUMPBOX_ACTION}" onsubmit="if(this.f.value == -1){return false;}">
 <!-- IF $CUSTOM_FIELDSET_CLASS -->
 <fieldset class="{$CUSTOM_FIELDSET_CLASS}">
 <!-- ELSE -->
 <fieldset class="jumpbox">
 <!-- ENDIF -->
+ {HIDDEN_FIELDS_FOR_JUMPBOX}
 <label for="f" accesskey="j"><!-- IF S_IN_MCP and S_MERGE_SELECT -->{L_SELECT_TOPICS_FROM}<!-- ELSEIF S_IN_MCP -->{L_MODERATE_FORUM}<!-- ELSE -->{L_JUMP_TO}<!-- ENDIF -->{L_COLON}</label>
 <select name="f" id="f" onchange="if(this.options[this.selectedIndex].value != -1){ document.forms['jumpbox'].submit() }">
 <!-- BEGIN jumpbox_forums -->
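Review bot: Switching the jumpbox form to `method="get"` makes the browser replace whatever query string is already in `action="{S_JUMPBOX_ACTION}"` with the submitted fields, while phpbb_build_hidden_fields_for_query_params deliberately never forwards `sid`. If S_JUMPBOX_ACTION carries a `sid` parameter for visitors whose session is not cookie-backed, as session-appended links in this codebase normally do, those users would get a fresh session on every jumpbox navigation; the "Sessions are dealt with elsewhere" comment in the builder does not say where, so either confirm that path or emit the session id as a hidden input in this form when it is non-empty. The same applies to the subsilver2 jumpbox.html and mcp_jumpbox.html hunks that follow. Note also that `{HIDDEN_FIELDS_FOR_JUMPBOX}` is inserted as raw markup, so its safety rests entirely on phpbb_quoteattr producing already-quoted, attribute-safe names and values.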
diff --git a/phpBB/styles/subsilver2/template/jumpbox.html b/phpBB/styles/subsilver2/template/jumpbox.html
index f4153d7692..e0603c6a6e 100644
--- a/phpBB/styles/subsilver2/template/jumpbox.html
+++ b/phpBB/styles/subsilver2/template/jumpbox.html
@@ -1,10 +1,10 @@
 <!-- IF S_DISPLAY_JUMPBOX -->
- <form method="post" name="jumpbox" action="{S_JUMPBOX_ACTION}" onsubmit="if(document.jumpbox.f.value == -1){return false;}">
+ <form method="get" name="jumpbox" action="{S_JUMPBOX_ACTION}" onsubmit="if(document.jumpbox.f.value == -1){return false;}">
 <table cellspacing="0" cellpadding="0" border="0">
 <tr>
- <td nowrap="nowrap"><span class="gensmall"><!-- IF S_IN_MCP and S_MERGE_SELECT -->{L_SELECT_TOPICS_FROM}<!-- ELSEIF S_IN_MCP -->{L_MODERATE_FORUM}<!-- ELSE -->{L_JUMP_TO}<!-- ENDIF -->{L_COLON}</span> <select name="f" onchange="if(this.options[this.selectedIndex].value != -1){ document.forms['jumpbox'].submit() }">
+ <td nowrap="nowrap">{HIDDEN_FIELDS_FOR_JUMPBOX}<span class="gensmall"><!-- IF S_IN_MCP and S_MERGE_SELECT -->{L_SELECT_TOPICS_FROM}<!-- ELSEIF S_IN_MCP -->{L_MODERATE_FORUM}<!-- ELSE -->{L_JUMP_TO}<!-- ENDIF -->{L_COLON}</span> <select name="f" onchange="if(this.options[this.selectedIndex].value != -1){ document.forms['jumpbox'].submit() }">
 <!-- BEGIN jumpbox_forums -->
 <!-- IF jumpbox_forums.S_FORUM_COUNT eq 1 --><option value="-1">------------------</option><!-- ENDIF -->
diff --git a/phpBB/styles/subsilver2/template/mcp_jumpbox.html b/phpBB/styles/subsilver2/template/mcp_jumpbox.html
index 734222bc77..e6ef4ecdad 100644
--- a/phpBB/styles/subsilver2/template/mcp_jumpbox.html
+++ b/phpBB/styles/subsilver2/template/mcp_jumpbox.html
@@ -1,7 +1,8 @@
 <!-- Note: no longer in use... -->
-<form name="jumpbox" method="post" action="{S_JUMPBOX_ACTION}">
+<form name="jumpbox" method="get" action="{S_JUMPBOX_ACTION}">
+ {HIDDEN_FIELDS_FOR_JUMPBOX}
 <span class="gensmall">{L_JUMP_TO}{L_COLON}</span> <select name="f" onChange="if(this.options[this.selectedIndex].value != -1 && this.options[this.selectedIndex].value != document.jumpbox.current_f.value){ document.forms['jumpbox'].submit() }">
 <!-- IF S_ENABLE_SELECT_ALL -->
diff --git a/tests/dbal/write_sequence_test.php b/tests/dbal/write_sequence_test.php
index 8975cfbfb1..f382a971a5 100644
--- a/tests/dbal/write_sequence_test.php
+++ b/tests/dbal/write_sequence_test.php
@@ -33,6 +33,10 @@ class phpbb_dbal_write_sequence_test extends phpbb_database_test_case
 {
 $db = $this->new_dbal();
+ // dbal uses cache
+ global $cache;
+ $cache = new phpbb_mock_cache();
+
 $sql = 'INSERT INTO phpbb_users ' . $db->sql_build_array('INSERT', array(
 'username' => $username,
 'username_clean' => $username,
diff --git a/tests/functions/build_hidden_fields_for_query_params_test.php b/tests/functions/build_hidden_fields_for_query_params_test.php
new file mode 100644
index 0000000000..ef2f5744d3
--- /dev/null
+++ b/tests/functions/build_hidden_fields_for_query_params_test.php
@@ -0,0 +1,71 @@
+<?php
+/**
+*
+* @package testing
+* @copyright (c) 2012 phpBB Group
+* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
+*
+*/
+
+require_once dirname(__FILE__) . '/../../phpBB/includes/functions.php';
+
+class phpbb_build_hidden_fields_for_query_params_test extends phpbb_test_case
+{
+ public function build_hidden_fields_for_query_params_test_data()
+ {
+ return array(
+ // get
+ // post
+ // exclude
+ // expected
+ array(
+ array('foo' => 'bar'),
+ array(),
+ array(),
+ "<input type='hidden' name=\"foo\" value=\"bar\" />",
+ ),
+ array(
+ array('foo' => 'bar', 'a' => 'b'),
+ array(),
+ array(),
+ "<input type='hidden' name=\"foo\" value=\"bar\" /><input type='hidden' name=\"a\" value=\"b\" />",
+ ),
+ array(
+ array('a' => 'quote"', 'b' => '<less>'),
+ array(),
+ array(),
+ "<input type='hidden' name=\"a\" value='quote\"' /><input type='hidden' name=\"b\" value=\"<less>\" />",
+ ),
+ array(
+ array('a' => "quotes'\""),
+ array(),
+ array(),
+ "<input type='hidden' name=\"a\" value=\"quotes'"\" />",
+ ),
+ array(
+ array('foo' => 'bar', 'a' => 'b'),
+ array('a' => 'c'),
+ array(),
+ "<input type='hidden' name=\"foo\" value=\"bar\" />",
+ ),
+ // strict equality check
+ array(
+ array('foo' => 'bar', 'a' => '0'),
+ array('a' => ''),
+ array(),
+ "<input type='hidden' name=\"foo\" value=\"bar\" />",
+ ),
+ );
+ }
+
+ /**
+ * @dataProvider build_hidden_fields_for_query_params_test_data
+ */
+ public function test_build_hidden_fields_for_query_params($get, $post, $exclude, $expected)
+ {
+ $request = new phpbb_mock_request($get, $post);
+ $result = phpbb_build_hidden_fields_for_query_params($request, $exclude);
+
+ $this->assertEquals($expected, $result);
+ }
+}
diff --git a/tests/functions/quoteattr_test.php b/tests/functions/quoteattr_test.php
new file mode 100644
index 0000000000..9d2a7d470e
--- /dev/null
+++ b/tests/functions/quoteattr_test.php
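Review bot: Every data row passes `array()` as the exclude list, so the `$exclude` path of phpbb_build_hidden_fields_for_query_params — the one thing page_header relies on when it passes `array('f')` — and the unconditional `sid` skip are never exercised, and a regression in either would pass this suite. Add rows such as `array(array('f' => '1', 'x' => 'y'), array(), array('f'), "<input type='hidden' name=\"x\" value=\"y\" />")` and `array(array('sid' => 'abc', 'x' => 'y'), array(), array(), "<input type='hidden' name=\"x\" value=\"y\" />")`. A row with an array-valued GET parameter (`array('a' => array('1'))`) would also pin down what the builder emits for `?a[]=1`, which, given the string default passed to `$request->variable()`, it seems likely to flatten to an empty value rather than forward.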
@@ -0,0 +1,44 @@
+<?php
+/**
+*
+* @package testing
+* @copyright (c) 2012 phpBB Group
+* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
+*
+*/
+
+require_once dirname(__FILE__) . '/../../phpBB/includes/functions.php';
+
+class phpbb_quoteattr_test extends phpbb_test_case
+{
+ public function quoteattr_test_data()
+ {
+ return array(
+ array('foo', null, '"foo"'),
+ array('', null, '""'),
+ array(' ', null, '" "'),
+ array('<a>', null, '"<a>"'),
+ array('&', null, '"&amp;"'),
+ array('"hello"', null, "'\"hello\"'"),
+ array("'hello'", null, "\"'hello'\""),
+ array("\"'", null, "\""'\""),
+ array("a\nb", null, '"a b"'),
+ array("a\r\nb", null, '"a b"'),
+ array("a\tb", null, '"a	b"'),
+ array('a b', null, '"a b"'),
+ array('"a<b"', null, "'\"a<b\"'"),
+ array('foo', array('f' => 'z'), '"zoo"'),
+ array('<a>', array('a' => '&'), '"<&>"'),
+ );
+ }
+
+ /**
+ * @dataProvider quoteattr_test_data
+ */
+ public function test_quoteattr($input, $entities, $expected)
+ {
+ $output = phpbb_quoteattr($input, $entities);
+
+ $this->assertEquals($expected, $output);
+ }
+}
diff --git a/tests/search/mysql_test.php b/tests/search/mysql_test.php
index 3ba3915714..3ad15bd806 100644
--- a/tests/search/mysql_test.php
+++ b/tests/search/mysql_test.php
@@ -26,7 +26,7 @@ class phpbb_search_mysql_test extends phpbb_search_common_test_case
 parent::setUp();
 // dbal uses cache
- $cache = new phpbb_cache_service(new phpbb_cache_driver_null);
+ $cache = new phpbb_mock_cache();
 // set config values
 $config['fulltext_mysql_min_word_len'] = 4;
diff --git a/tests/search/native_test.php b/tests/search/native_test.php
index eeee3a44f3..4a2c210013 100644
--- a/tests/search/native_test.php
+++ b/tests/search/native_test.php
@@ -26,7 +26,7 @@ class phpbb_search_native_test extends phpbb_search_test_case
 parent::setUp();
 // dbal uses cache
- $cache = new phpbb_cache_service(new phpbb_cache_driver_null);
+ $cache = new phpbb_mock_cache();
 $this->db = $this->new_dbal();
 $error = null;
diff --git a/tests/search/postgres_test.php b/tests/search/postgres_test.php
index 9c77e0c09e..923af6f854 100644
--- a/tests/search/postgres_test.php
+++ b/tests/search/postgres_test.php
@@ -26,7 +26,7 @@ class phpbb_search_postgres_test extends phpbb_search_common_test_case
 parent::setUp();
 // dbal uses cache
- $cache = new phpbb_cache_service(new phpbb_cache_driver_null);
+ $cache = new phpbb_mock_cache();
 // set config values
 $config['fulltext_postgres_min_word_len'] = 4; |