Commit 5cf4f329 authored by Wouter Wolters's avatar Wouter Wolters Committed by Christian Kuhn

[TASK] Use GeneralUtility::quoteJSvalue() where needed part 2

This patch applies the change to all FormEngine-related classes.

Resolves: #66635
Releases: master
Change-Id: I436e8990aa3c003dd5005937a429168825b56fb5
Reviewed-on: http://review.typo3.org/39037

Reviewed-by: Andreas Fernandez's avatarAndreas Fernandez <typo3@scripting-base.de>
Tested-by: Andreas Fernandez's avatarAndreas Fernandez <typo3@scripting-base.de>
Reviewed-by: Christian Kuhn's avatarChristian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn's avatarChristian Kuhn <lolli@schwarzbu.ch>
parent d49c7b46
......@@ -488,14 +488,14 @@ class InlineRecordContainer extends AbstractContainer {
// "Up/Down" links
if ($enabledControls['sort'] && $permsEdit && $enableManualSorting) {
// Up
$onClick = 'return inline.changeSorting(\'' . $nameObjectFtId . '\', \'1\')';
$onClick = 'return inline.changeSorting(' . GeneralUtility::quoteJSvalue($nameObjectFtId) . ', \'1\')';
$style = $config['inline']['first'] == $rec['uid'] ? 'style="visibility: hidden;"' : '';
$cells['sort.up'] = '
<a class="btn btn-default sortingUp" href="#" onclick="' . htmlspecialchars($onClick) . '" ' . $style . '>
' . IconUtility::getSpriteIcon('actions-move-up', array('title' => $languageService->sL('LLL:EXT:lang/locallang_mod_web_list.xlf:moveUp', TRUE))) . '
</a>';
// Down
$onClick = 'return inline.changeSorting(\'' . $nameObjectFtId . '\', \'-1\')';
$onClick = 'return inline.changeSorting(' . GeneralUtility::quoteJSvalue($nameObjectFtId) . ', \'-1\')';
$style = $config['inline']['last'] == $rec['uid'] ? 'style="visibility: hidden;"' : '';
$cells['sort.down'] = '
<a class="btn btn-default sortingDown" href="#" onclick="' . htmlspecialchars($onClick) . '" ' . $style . '>
......
......@@ -152,7 +152,7 @@ class SingleFieldContainer extends AbstractContainer {
$row['uid']
)
);
$parameterArray['fieldChangeFunc']['inline'] = 'inline.handleChangedField(\'' . $parameterArray['itemFormElName'] . '\',\'' . $inlineObjectId . '\');';
$parameterArray['fieldChangeFunc']['inline'] = 'inline.handleChangedField(' . GeneralUtility::quoteJSvalue($parameterArray['itemFormElName']) . ',' . GeneralUtility::quoteJSvalue($inlineObjectId) . ');';
}
// Based on the type of the item, call a render function on a child element
......
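Review bot: GeneralUtility::quoteJSvalue() on `$parameterArray['fieldChangeFunc']['inline'] = 'inline.handleChangedField(' . GeneralUtility::quoteJSvalue($parameterArray['itemFormElName']) . ',' . GeneralUtility::quoteJSvalue($inlineObjectId) . ');';` escapes for a JavaScript string context only, while `fieldChangeFunc` entries are later imploded into an element event-handler attribute (the SelectSingleElement hunk shows `implode('', $parameterArray['fieldChangeFunc'])` feeding `$sOnChange`), so the HTML-attribute escaping via `htmlspecialchars()` still has to happen at the output site, which is outside this commit and worth confirming. The same caveat applies to the GroupElement assignments to `$parameterArray['fieldChangeFunc']['TBE_EDITOR_fieldChanged']` and to its `'onClick' => 'setFormValueOpenBrowser(...)'` array entry. A one-line comment above the assignment would make that contract explicit: `// JS-string escaping only; the site that writes the attribute must still htmlspecialchars() the whole value`. The enclosing method begins and ends outside the hunk.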
......@@ -282,7 +282,7 @@ abstract class AbstractFormElement extends AbstractNode {
if (isset($wizardConfiguration['popup_onlyOpenIfSelected']) && $wizardConfiguration['popup_onlyOpenIfSelected']) {
$notSelectedText = $languageService->sL('LLL:EXT:lang/locallang_core.xlf:mess.noSelItemForEdit');
$onlyIfSelectedJS =
'if (!TBE_EDITOR.curSelected(\'' . $itemName . $listFlag . '\')){' .
'if (!TBE_EDITOR.curSelected(' . GeneralUtility::quoteJSvalue($itemName . $listFlag) . ')){' .
'alert(' . GeneralUtility::quoteJSvalue($notSelectedText) . ');' .
'return false;' .
'}';
......@@ -290,13 +290,12 @@ abstract class AbstractFormElement extends AbstractNode {
$aOnClick =
'this.blur();' .
$onlyIfSelectedJS .
'vHWin=window.open(' .
'\'' . $url . '\'+\'&P[currentValue]=\'+TBE_EDITOR.rawurlencode(' .
'document.editform[\'' . $itemName . '\'].value,200' .
'vHWin=window.open(' . GeneralUtility::quoteJSvalue($url) . '+\'&P[currentValue]=\'+TBE_EDITOR.rawurlencode(' .
'document.editform[' . GeneralUtility::quoteJSvalue($itemName) . '].value,200' .
')' .
'+\'&P[currentSelectedValues]=\'+TBE_EDITOR.curSelected(\'' . $itemName . $listFlag . '\'),' .
'\'popUp' . $md5ID . '\',' .
'\'' . $wizardConfiguration['JSopenParams'] . '\'' .
'+\'&P[currentSelectedValues]=\'+TBE_EDITOR.curSelected(' . GeneralUtility::quoteJSvalue($itemName . $listFlag) . '),' .
GeneralUtility::quoteJSvalue('popUp' . $md5ID) . ',' .
GeneralUtility::quoteJSvalue($wizardConfiguration['JSopenParams']) .
');' .
'vHWin.focus();' .
'return false;';
......@@ -336,13 +335,12 @@ abstract class AbstractFormElement extends AbstractNode {
$aOnClick =
'this.blur();' .
'vHWin=window.open(' .
'\'' . $url . '\'+\'&P[currentValue]=\'+TBE_EDITOR.rawurlencode(' .
'vHWin=window.open('. GeneralUtility::quoteJSvalue($url) . '+\'&P[currentValue]=\'+TBE_EDITOR.rawurlencode(' .
'document.editform[\'' . $itemName . '\'].value,200' .
')' .
'+\'&P[currentSelectedValues]=\'+TBE_EDITOR.curSelected(\'' . $itemName . $listFlag . '\'),' .
'\'popUp' . $md5ID . '\',' .
'\'' . $wizardConfiguration['JSopenParams'] . '\'' .
'+\'&P[currentSelectedValues]=\'+TBE_EDITOR.curSelected(' . GeneralUtility::quoteJSvalue($itemName . $listFlag) . '),' .
GeneralUtility::quoteJSvalue('popUp' . $md5ID) . ',' .
GeneralUtility::quoteJSvalue($wizardConfiguration['JSopenParams']) .
');' .
'vHWin.focus();' .
'return false;';
......@@ -399,11 +397,11 @@ abstract class AbstractFormElement extends AbstractNode {
$options[] = '<option value="' . htmlspecialchars($p[1]) . '">' . htmlspecialchars($p[0]) . '</option>';
}
if ($wizardConfiguration['mode'] == 'append') {
$assignValue = 'document.editform[\'' . $itemName . '\'].value=\'\'+this.options[this.selectedIndex].value+document.editform[\'' . $itemName . '\'].value';
$assignValue = 'document.editform[' . GeneralUtility::quoteJSvalue($itemName) . '].value=\'\'+this.options[this.selectedIndex].value+document.editform[' . GeneralUtility::quoteJSvalue($itemName) . '].value';
} elseif ($wizardConfiguration['mode'] == 'prepend') {
$assignValue = 'document.editform[\'' . $itemName . '\'].value+=\'\'+this.options[this.selectedIndex].value';
$assignValue = 'document.editform[' . GeneralUtility::quoteJSvalue($itemName) . '].value+=\'\'+this.options[this.selectedIndex].value';
} else {
$assignValue = 'document.editform[\'' . $itemName . '\'].value=this.options[this.selectedIndex].value';
$assignValue = 'document.editform[' . GeneralUtility::quoteJSvalue($itemName) . '].value=this.options[this.selectedIndex].value';
}
$otherWizards[] =
'<select' .
......@@ -582,7 +580,7 @@ abstract class AbstractFormElement extends AbstractNode {
if ($inlineParent['config']['foreign_table'] == $table && $inlineParent['config']['foreign_unique'] == $field) {
$objectPrefix = $inlineStackProcessor->getCurrentStructureDomObjectIdPrefix($this->globalOptions['inlineFirstPid']) . '-' . $table;
$aOnClickInline = $objectPrefix . '|inline.checkUniqueElement|inline.setUniqueElement';
$rOnClickInline = 'inline.revertUnique(\'' . $objectPrefix . '\',null,\'' . $uid . '\');';
$rOnClickInline = 'inline.revertUnique(' . GeneralUtility::quoteJSvalue($objectPrefix) . ',null,' . GeneralUtility::quoteJSvalue($uid) . ');';
}
}
if (is_array($config['appearance']) && isset($config['appearance']['elementBrowserType'])) {
......@@ -595,8 +593,8 @@ abstract class AbstractFormElement extends AbstractNode {
} else {
$elementBrowserAllowed = $allowed;
}
$aOnClick = 'setFormValueOpenBrowser(\'' . $elementBrowserType . '\',\''
. ($fName . '|||' . $elementBrowserAllowed . '|' . $aOnClickInline) . '\'); return false;';
$aOnClick = 'setFormValueOpenBrowser(' . GeneralUtility::quoteJSvalue($elementBrowserType) . ','
. GeneralUtility::quoteJSvalue(($fName . '|||' . $elementBrowserAllowed . '|' . $aOnClickInline)) . '); return false;';
$icons['R'][] = '
<a href="#"
onclick="' . htmlspecialchars($aOnClick) . '"
......@@ -651,10 +649,10 @@ abstract class AbstractFormElement extends AbstractNode {
$elValue = $itemTable . '_' . $itemUid;
} else {
// 'file', 'file_reference' and 'folder' mode
$itemTitle = 'unescape(\'' . rawurlencode(basename($elValue)) . '\')';
$itemTitle = 'unescape(' . GeneralUtility::quoteJSvalue(rawurlencode(basename($elValue))) . ')';
}
$aOnClick .= 'setFormValueFromBrowseWin(\'' . $fName . '\',unescape(\''
. rawurlencode(str_replace('%20', ' ', $elValue)) . '\'),' . $itemTitle . ',' . $itemTitle . ');';
$aOnClick .= 'setFormValueFromBrowseWin(' . GeneralUtility::quoteJSvalue($fName) . ',unescape('
. GeneralUtility::quoteJSvalue(rawurlencode(str_replace('%20', ' ', $elValue))) . '),' . $itemTitle . ',' . $itemTitle . ');';
}
$aOnClick .= 'return false;';
$icons['R'][] = '
......
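Review bot: In the hunk at `@@ -336,13 +335,12 @@`, `'document.editform[\'' . $itemName . '\'].value,200' .` is still built by raw concatenation, although the otherwise identical block in the `@@ -290` hunk converted that very line; it should read `'document.editform[' . GeneralUtility::quoteJSvalue($itemName) . '].value,200' .`. On the line directly above it, `'vHWin=window.open('. GeneralUtility::quoteJSvalue($url)` is missing the space before the concatenation dot that every other line in the file uses. In the `@@ -595` hunk, `GeneralUtility::quoteJSvalue(($fName . '|||' . $elementBrowserAllowed . '|' . $aOnClickInline))` wraps the argument in a redundant pair of parentheses. The enclosing methods start and end outside the visible hunks.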
......@@ -82,15 +82,15 @@ class GroupElement extends AbstractFormElement {
// If maxitems==1 then automatically replace the current item (in list and file selector)
if ($maxitems === 1) {
$resultArray['additionalJavaScriptPost'][] =
'TBE_EDITOR.clearBeforeSettingFormValueFromBrowseWin[\'' . $parameterArray['itemFormElName'] . '\'] = {
'TBE_EDITOR.clearBeforeSettingFormValueFromBrowseWin[' . GeneralUtility::quoteJSvalue($parameterArray['itemFormElName']) . '] = {
itemFormElID_file: ' . GeneralUtility::quoteJSvalue($parameterArray['itemFormElID_file']) . '
}';
$parameterArray['fieldChangeFunc']['TBE_EDITOR_fieldChanged'] = 'setFormValueManipulate(\'' . $parameterArray['itemFormElName']
. '\', \'Remove\'); ' . $parameterArray['fieldChangeFunc']['TBE_EDITOR_fieldChanged'];
$parameterArray['fieldChangeFunc']['TBE_EDITOR_fieldChanged'] = 'setFormValueManipulate(' . GeneralUtility::quoteJSvalue($parameterArray['itemFormElName'])
. ', \'Remove\'); ' . $parameterArray['fieldChangeFunc']['TBE_EDITOR_fieldChanged'];
} elseif ($noList) {
// If the list controls have been removed and the maximum number is reached, remove the first entry to avoid "write once" field
$parameterArray['fieldChangeFunc']['TBE_EDITOR_fieldChanged'] = 'setFormValueManipulate(\'' . $parameterArray['itemFormElName']
. '\', \'RemoveFirstIfFull\', \'' . $maxitems . '\'); ' . $parameterArray['fieldChangeFunc']['TBE_EDITOR_fieldChanged'];
$parameterArray['fieldChangeFunc']['TBE_EDITOR_fieldChanged'] = 'setFormValueManipulate(' . GeneralUtility::quoteJSvalue($parameterArray['itemFormElName'])
. ', \'RemoveFirstIfFull\', ' . GeneralUtility::quoteJSvalue($maxitems) . '); ' . $parameterArray['fieldChangeFunc']['TBE_EDITOR_fieldChanged'];
}
$html = '<input type="hidden" name="' . $parameterArray['itemFormElName'] . '_mul" value="' . ($config['multiple'] ? 1 : 0) . '"' . $disabled . ' />';
......@@ -269,7 +269,7 @@ class GroupElement extends AbstractFormElement {
$allowedTables[] = array(
'name' => htmlspecialchars($languageService->sL($GLOBALS['TCA'][$allowedTable]['ctrl']['title'])),
'icon' => IconUtility::getSpriteIconForRecord($allowedTable, array()),
'onClick' => 'setFormValueOpenBrowser(\'db\', \'' . ($parameterArray['itemFormElName'] . '|||' . $allowedTable) . '\'); return false;'
'onClick' => 'setFormValueOpenBrowser(\'db\', ' . GeneralUtility::quoteJSvalue($parameterArray['itemFormElName'] . '|||' . $allowedTable) . '); return false;'
);
}
}
......
......@@ -187,7 +187,7 @@ class SelectSingleElement extends AbstractFormElement {
if ($icon && !$suppressIcons && (!$onlySelectedIconShown || $selected)) {
$onClick = 'document.editform[' . GeneralUtility::quoteJSvalue($parameterArray['itemFormElName']) . '].selectedIndex=' . $selectItemCounter . ';';
if ($config['iconsInOptionTags']) {
$onClick .= 'document.getElementById(\'' . $selectId . '_icon\').innerHTML = '
$onClick .= 'document.getElementById(' . GeneralUtility::quoteJSvalue($selectId . '_icon') . ').innerHTML = '
. 'document.editform[' . GeneralUtility::quoteJSvalue($parameterArray['itemFormElName']) . ']'
. '.options[' . $selectItemCounter . '].getAttribute(\'data-icon\'); ';
}
......@@ -230,7 +230,7 @@ class SelectSingleElement extends AbstractFormElement {
// Create item form fields:
$sOnChange = 'if (this.options[this.selectedIndex].value==\'--div--\') {this.selectedIndex=' . $selectedIndex . ';} ';
if ($config['iconsInOptionTags']) {
$sOnChange .= 'document.getElementById(\'' . $selectId . '_icon\').innerHTML = this.options[this.selectedIndex].getAttribute(\'data-icon\'); ';
$sOnChange .= 'document.getElementById(' . GeneralUtility::quoteJSvalue($selectId . '_icon') . ').innerHTML = this.options[this.selectedIndex].getAttribute(\'data-icon\'); ';
}
$sOnChange .= implode('', $parameterArray['fieldChangeFunc']);
......
......@@ -570,14 +570,14 @@ class FormEngine {
);
$jsonArray['scriptCall'][] = 'inline.domAddRecordDetails(' . GeneralUtility::quoteJSvalue($domObjectId) . ',' . GeneralUtility::quoteJSvalue($objectPrefix) . ',' . ($expandSingle ? '1' : '0') . ',json.data);';
if ($config['foreign_unique']) {
$jsonArray['scriptCall'][] = 'inline.removeUsed(\'' . $objectPrefix . '\',\'' . $record['uid'] . '\');';
$jsonArray['scriptCall'][] = 'inline.removeUsed(' . GeneralUtility::quoteJSvalue($objectPrefix) . ',' . GeneralUtility::quoteJSvalue($record['uid']) . ');';
}
$jsonArray = $this->getInlineAjaxCommonScriptCalls($jsonArray, $config, $inlineFirstPid);
// Collapse all other records if requested:
if (!$collapseAll && $expandSingle) {
$jsonArray['scriptCall'][] = 'inline.collapseAllRecords(\'' . $objectId . '\',\'' . $objectPrefix . '\',\'' . $record['uid'] . '\');';
$jsonArray['scriptCall'][] = 'inline.collapseAllRecords(' . GeneralUtility::quoteJSvalue($objectId) . ',' . GeneralUtility::quoteJSvalue($objectPrefix) . ',' . GeneralUtility::quoteJSvalue($record['uid']) . ');';
}
return $jsonArray;
......@@ -702,24 +702,24 @@ class FormEngine {
);
if (!$current['uid']) {
$jsonArray['scriptCall'][] = 'inline.domAddNewRecord(\'bottom\',\'' . $objectName . '_records\',\'' . $objectPrefix . '\',json.data);';
$jsonArray['scriptCall'][] = 'inline.memorizeAddRecord(\'' . $objectPrefix . '\',\'' . $record['uid'] . '\',null,\'' . $foreignUid . '\');';
$jsonArray['scriptCall'][] = 'inline.domAddNewRecord(\'bottom\',' . GeneralUtility::quoteJSvalue($objectName . '_records') . ',' . GeneralUtility::quoteJSvalue($objectPrefix) . ',json.data);';
$jsonArray['scriptCall'][] = 'inline.memorizeAddRecord(' . GeneralUtility::quoteJSvalue($objectPrefix) . ',' . GeneralUtility::quoteJSvalue($record['uid']) . ',null,' . GeneralUtility::quoteJSvalue($foreignUid) . ');';
} else {
$jsonArray['scriptCall'][] = 'inline.domAddNewRecord(\'after\',\'' . $domObjectId . '_div' . '\',\'' . $objectPrefix . '\',json.data);';
$jsonArray['scriptCall'][] = 'inline.memorizeAddRecord(\'' . $objectPrefix . '\',\'' . $record['uid'] . '\',\'' . $current['uid'] . '\',\'' . $foreignUid . '\');';
$jsonArray['scriptCall'][] = 'inline.domAddNewRecord(\'after\',' . GeneralUtility::quoteJSvalue($domObjectId . '_div') . ',' . GeneralUtility::quoteJSvalue($objectPrefix) . ',json.data);';
$jsonArray['scriptCall'][] = 'inline.memorizeAddRecord(' . GeneralUtility::quoteJSvalue($objectPrefix) . ',' . GeneralUtility::quoteJSvalue($record['uid']) . ',' . GeneralUtility::quoteJSvalue($current['uid']) . ',' . GeneralUtility::quoteJSvalue($foreignUid) . ');';
}
$jsonArray = $this->getInlineAjaxCommonScriptCalls($jsonArray, $config, $inlineFirstPid);
// Collapse all other records if requested:
if (!$collapseAll && $expandSingle) {
$jsonArray['scriptCall'][] = 'inline.collapseAllRecords(\'' . $objectId . '\', \'' . $objectPrefix . '\', \'' . $record['uid'] . '\');';
$jsonArray['scriptCall'][] = 'inline.collapseAllRecords(' . GeneralUtility::quoteJSvalue($objectId) . ', ' . GeneralUtility::quoteJSvalue($objectPrefix) . ', ' . GeneralUtility::quoteJSvalue($record['uid']) . ');';
}
// Tell the browser to scroll to the newly created record
$jsonArray['scriptCall'][] = 'Element.scrollTo(\'' . $objectId . '_div\');';
$jsonArray['scriptCall'][] = 'Element.scrollTo(' . GeneralUtility::quoteJSvalue($objectId . '_div') . ');';
// Fade out and fade in the new record in the browser view to catch the user's eye
$jsonArray['scriptCall'][] = 'inline.fadeOutFadeIn(\'' . $objectId . '_div\');';
$jsonArray['scriptCall'][] = 'inline.fadeOutFadeIn(' . GeneralUtility::quoteJSvalue($objectId . '_div') . ');';
return $jsonArray;
}
......@@ -768,7 +768,7 @@ class FormEngine {
$localizedItems = array_diff($newItems, $oldItems);
// Set the items that should be removed in the forms view:
foreach ($removedItems as $item) {
$jsonArray['scriptCall'][] = 'inline.deleteRecord(\'' . $nameObjectForeignTable . '-' . $item . '\', {forceDirectRemoval: true});';
$jsonArray['scriptCall'][] = 'inline.deleteRecord(' . GeneralUtility::quoteJSvalue($nameObjectForeignTable . '-' . $item) . ', {forceDirectRemoval: true});';
}
// Set the items that should be added in the forms view:
$html = '';
......@@ -776,7 +776,7 @@ class FormEngine {
// @todo: This should be another container ...
foreach ($localizedItems as $item) {
$row = $inlineRelatedRecordResolver->getRecord($current['table'], $item);
$selectedValue = $foreignSelector ? '\'' . $row[$foreignSelector] . '\'' : 'null';
$selectedValue = $foreignSelector ? GeneralUtility::quoteJSvalue($row[$foreignSelector]) : 'null';
$options = $this->getConfigurationOptionsForChildElements();
$options['databaseRow'] = array('uid' => $parent['uid']);
......@@ -824,15 +824,15 @@ class FormEngine {
}
}
$jsonArray['scriptCall'][] = 'inline.memorizeAddRecord(\'' . $nameObjectForeignTable . '\', \'' . $item . '\', null, ' . $selectedValue . ');';
$jsonArray['scriptCall'][] = 'inline.memorizeAddRecord(' . GeneralUtility::quoteJSvalue($nameObjectForeignTable) . ', ' . GeneralUtility::quoteJSvalue($item) . ', null, ' . $selectedValue . ');';
// Remove possible virtual records in the form which showed that a child records could be localized:
if (isset($row[$transOrigPointerField]) && $row[$transOrigPointerField]) {
$jsonArray['scriptCall'][] = 'inline.fadeAndRemove(\'' . $nameObjectForeignTable . '-' . $row[$transOrigPointerField] . '_div' . '\');';
$jsonArray['scriptCall'][] = 'inline.fadeAndRemove(' . GeneralUtility::quoteJSvalue($nameObjectForeignTable . '-' . $row[$transOrigPointerField] . '_div') . ');';
}
}
if (!empty($html)) {
$jsonArray['data'] = $html;
array_unshift($jsonArray['scriptCall'], 'inline.domAddNewRecord(\'bottom\', \'' . $nameObject . '_records\', \'' . $nameObjectForeignTable . '\', json.data);');
array_unshift($jsonArray['scriptCall'], 'inline.domAddNewRecord(\'bottom\', ' . GeneralUtility::quoteJSvalue($nameObject . '_records') . ', ' . GeneralUtility::quoteJSvalue($nameObjectForeignTable) . ', json.data);');
}
// @todo: Refactor this mess ... see other methods like getMainFields, too
......@@ -1045,7 +1045,7 @@ class FormEngine {
// If script.aculo.us Sortable is used, update the Observer to know the record:
if ($config['appearance']['useSortable']) {
$inlineObjectName = $this->inlineStackProcessor->getCurrentStructureDomObjectIdPrefix($inlineFirstPid);
$jsonArray['scriptCall'][] = 'inline.createDragAndDropSorting(\'' . $inlineObjectName . '_records\');';
$jsonArray['scriptCall'][] = 'inline.createDragAndDropSorting(' . GeneralUtility::quoteJSvalue($inlineObjectName . '_records') . ');';
}
// If FormEngine has some JavaScript code to be executed, just do it
// @todo: this is done by JSBottom() already?!
......
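Review bot: `$selectedValue = $foreignSelector ? GeneralUtility::quoteJSvalue($row[$foreignSelector]) : 'null';` now holds a finished JavaScript literal (a quoted string or `null`) and is concatenated unquoted into `inline.memorizeAddRecord(...)` two hunks later, which at a glance reads like the one interpolation the commit forgot. A comment on the assignment would stop a later maintainer from quoting it a second time: `// Already a JS literal (quoted string or null); concatenate as-is, do not quote again.` The enclosing method extends beyond the visible hunks.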