authorCraig Kaiser <craig@bestpractical.com>2019-03-20 18:25:43 +0300
committerCraig Kaiser <craig@bestpractical.com>2019-04-08 21:07:32 +0300
commitc44e53a44b1da9934ac47d8b9f6735904942eea8 (patch)
tree4731ddbc95ddae5b0e8314b241bf639d677b50e3
parent2ae073d2f75f446810b9f2a0ceec154e0e2c1c93 (diff)
Allow HTML to be escaped for custom fields on display4.4/custom-field-html-option
When displaying the content of a custom field whose content is HTML, it is useful to see the whole content escaped.
-rw-r--r--etc/schema.Oracle3
-rw-r--r--etc/schema.Pg1
-rw-r--r--etc/schema.SQLite1
-rw-r--r--etc/schema.mysql1
-rw-r--r--etc/upgrade/4.4.5/schema.Oracle1
-rw-r--r--etc/upgrade/4.4.5/schema.Pg1
-rw-r--r--etc/upgrade/4.4.5/schema.SQLite1
-rw-r--r--etc/upgrade/4.4.5/schema.mysql1
-rw-r--r--lib/RT/CustomField.pm26
-rw-r--r--share/html/Admin/CustomFields/Modify.html17
-rw-r--r--share/html/Elements/ShowCustomFieldText9
11 files changed, 58 insertions, 4 deletions
diff --git a/etc/schema.Oracle b/etc/schema.Oracle
index b3e677b827..beac4cb01b 100644
--- a/etc/schema.Oracle
+++ b/etc/schema.Oracle
@@ -364,7 +364,8 @@ CREATE TABLE CustomFields (
Created DATE,
LastUpdatedBy NUMBER(11,0) DEFAULT 0 NOT NULL,
LastUpdated DATE,
- Disabled NUMBER(11,0) DEFAULT 0 NOT NULL
+ Disabled NUMBER(11,0) DEFAULT 0 NOT NULL,
+ EscapeHTML NUMBER(11,0) DEFAULT 0 NOT NULL
);
diff --git a/etc/schema.Pg b/etc/schema.Pg
index aa4b437e0a..7143ac749c 100644
--- a/etc/schema.Pg
+++ b/etc/schema.Pg
@@ -550,6 +550,7 @@ CREATE TABLE CustomFields (
LastUpdatedBy integer NOT NULL DEFAULT 0 ,
LastUpdated TIMESTAMP NULL ,
Disabled integer NOT NULL DEFAULT 0 ,
+ EscapeHTML integer NOT NULL DEFAULT 0 ,
PRIMARY KEY (id)
);
diff --git a/etc/schema.SQLite b/etc/schema.SQLite
index f8e6ae9327..f34827ec96 100644
--- a/etc/schema.SQLite
+++ b/etc/schema.SQLite
@@ -396,6 +396,7 @@ CREATE TABLE CustomFields (
LastUpdatedBy integer NOT NULL DEFAULT 0 ,
LastUpdated DATETIME NULL ,
Disabled int2 NOT NULL DEFAULT 0 ,
+ EscapeHTML int2 NOT NULL DEFAULT 0 ,
PRIMARY KEY (id)
) ;
diff --git a/etc/schema.mysql b/etc/schema.mysql
index eefc145ca4..807f0c919d 100644
--- a/etc/schema.mysql
+++ b/etc/schema.mysql
@@ -368,6 +368,7 @@ CREATE TABLE CustomFields (
LastUpdatedBy integer NOT NULL DEFAULT 0 ,
LastUpdated DATETIME NULL ,
Disabled int2 NOT NULL DEFAULT 0 ,
+ EscapeHTML int2 NOT NULL DEFAULT 0 ,
PRIMARY KEY (id)
) ENGINE=InnoDB CHARACTER SET utf8;
diff --git a/etc/upgrade/4.4.5/schema.Oracle b/etc/upgrade/4.4.5/schema.Oracle
new file mode 100644
index 0000000000..f6d7326645
--- /dev/null
+++ b/etc/upgrade/4.4.5/schema.Oracle
@@ -0,0 +1 @@
+ALTER TABLE CustomFields ADD EscapeHTML NUMBER(11,0) DEFAULT 0 NOT NULL;
diff --git a/etc/upgrade/4.4.5/schema.Pg b/etc/upgrade/4.4.5/schema.Pg
new file mode 100644
index 0000000000..5a1bc26f11
--- /dev/null
+++ b/etc/upgrade/4.4.5/schema.Pg
@@ -0,0 +1 @@
+ALTER TABLE CustomFields ADD COLUMN EscapeHTML integer NOT NULL DEFAULT 0;
diff --git a/etc/upgrade/4.4.5/schema.SQLite b/etc/upgrade/4.4.5/schema.SQLite
new file mode 100644
index 0000000000..fc5413b2f4
--- /dev/null
+++ b/etc/upgrade/4.4.5/schema.SQLite
@@ -0,0 +1 @@
+ALTER TABLE CustomFields ADD COLUMN EscapeHTML int2 NOT NULL DEFAULT 0;
diff --git a/etc/upgrade/4.4.5/schema.mysql b/etc/upgrade/4.4.5/schema.mysql
new file mode 100644
index 0000000000..fc5413b2f4
--- /dev/null
+++ b/etc/upgrade/4.4.5/schema.mysql
@@ -0,0 +1 @@
+ALTER TABLE CustomFields ADD COLUMN EscapeHTML int2 NOT NULL DEFAULT 0;
diff --git a/lib/RT/CustomField.pm b/lib/RT/CustomField.pm
index c0dfd3d34d..d9c0765d49 100644
--- a/lib/RT/CustomField.pm
+++ b/lib/RT/CustomField.pm
@@ -271,6 +271,7 @@ sub Create {
EntryHint => undef,
UniqueValues => 0,
CanonicalizeClass => undef,
+ EscapeHTML => 0,
@_,
);
@@ -364,6 +365,7 @@ sub Create {
LookupType => $args{'LookupType'},
UniqueValues => $args{'UniqueValues'},
CanonicalizeClass => $args{'CanonicalizeClass'},
+ EscapeHTML => $args{'EscapeHTML'}
);
if ($rv) {
@@ -1188,6 +1190,30 @@ sub SetDisabled {
}
}
+sub EscapeHTML {
+ my $self = shift;
+ my $val = shift;
+
+ return $self->_Value('EscapeHTML');
+}
+
+sub SetEscapeHTML {
+ my $self = shift;
+ my $val = shift;
+
+ my ($status, $msg) = $self->_Set(Field => 'EscapeHTML', Value => $val);
+
+ unless ($status) {
+ return ($status, $msg);
+ }
+
+ if ( $val == 1 ) {
+ return (1, $self->loc("HTML escaping on display enabled"));
+ } else {
+ return (1, $self->loc("HTML escaping on display disabled"));
+ }
+}
+
=head2 SetTypeComposite
Set this custom field's type and maximum values as a composite value
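Review bot: `SetEscapeHTML` stores `$val` as given but chooses its result message with `$val == 1`, so any other true value is saved (and treated as on by `if $CustomFieldObj->EscapeHTML` in Modify.html) while the admin is told escaping was disabled; an undef or non-numeric `$val` also raises a numeric-comparison warning. Normalising first with `$val = $val ? 1 : 0;` before the `_Set` call keeps the stored flag, the message and the display check in agreement; `Create` passes `$args{'EscapeHTML'}` through unnormalised in the earlier hunk as well. The getter `EscapeHTML` shifts a `$val` it never uses, so `my $val = shift;` can be dropped there. Both subs are added without POD, unlike the neighbouring `=head2 SetTypeComposite`; a short `=head2 EscapeHTML` and `=head2 SetEscapeHTML VALUE` entry saying that a true value makes the field's content render HTML-escaped rather than scrubbed would match the file.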
diff --git a/share/html/Admin/CustomFields/Modify.html b/share/html/Admin/CustomFields/Modify.html
index 9067140ae4..707889e441 100644
--- a/share/html/Admin/CustomFields/Modify.html
+++ b/share/html/Admin/CustomFields/Modify.html
@@ -177,6 +177,14 @@ jQuery( function() {
% $m->callback(CallbackName => 'BeforeEnabled', CustomField => $CustomFieldObj, CFvalidations => \@CFvalidations);
+% if ( $CustomFieldObj->Type && grep { $CustomFieldObj->Type eq $_ } qw/Freeform Text/ ) {
+ <tr><td class="label">&nbsp;</td><td>
+ <input type="hidden" class="hidden" name="SetEscapeHTML" value="1" />
+ <input type="checkbox" class="checkbox" id="EscapeHTML" name="EscapeHTML" value="1" <% $EscapeHTMLChecked |n %> />
+ <label for="EscapeHTML"><&|/l&>Escape HTML of custom field value</&></label>
+ </td></tr>
+% }
+
<tr><td class="label">&nbsp;</td><td>
<input type="hidden" class="hidden" name="SetEnabled" value="1" />
<input type="checkbox" class="checkbox" id="Enabled" name="Enabled" value="1" <% $EnabledChecked |n %> />
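Review bot: The checkbox is offered for both `Freeform` and `Text` fields, but the only renderer this commit changes is `ShowCustomFieldText`; if Freeform values are displayed through a different path (not visible in this diff), ticking the box there changes nothing and the admin is left with a wrong picture of what is being escaped. Either restrict the `qw/Freeform Text/` list to types whose display component reads the flag, or wire the flag into the Freeform display path as well. The condition also requires `$CustomFieldObj->Type`, which is presumably unset on the create form, so the `EscapeHTML => $EscapeHTML` passed to `Create` in the next hunk would only ever carry the default there. The enclosing table starts and ends outside the hunk.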
@@ -224,6 +232,7 @@ else {
Disabled => ($Enabled ? 0 : 1),
EntryHint => $EntryHint,
UniqueValues => $UniqueValues,
+ EscapeHTML => $EscapeHTML
);
if (!$val) {
push @results, loc("Could not create CustomField: [_1]", $msg);
@@ -248,8 +257,9 @@ if ( $ARGS{'Update'} && $id ne 'new' ) {
# make sure the unchecked checkbox still causes an update
$ARGS{UniqueValues} ||= 0 if $SetUniqueValues;
+ $ARGS{EscapeHTML} ||= 0 if $SetEscapeHTML;
- my @attribs = qw(Disabled Pattern Name TypeComposite LookupType Description LinkValueTo IncludeContentForValue EntryHint UniqueValues);
+ my @attribs = qw(EscapeHTML Disabled Pattern Name TypeComposite LookupType Description LinkValueTo IncludeContentForValue EntryHint UniqueValues);
push @results, UpdateRecordObject(
AttributesRef => \@attribs,
@@ -410,6 +420,9 @@ MaybeRedirectForResults(
my $EnabledChecked = qq[checked="checked"];
$EnabledChecked = '' if $CustomFieldObj->Disabled;
+my $EscapeHTMLChecked = '';
+$EscapeHTMLChecked = qq[checked="checked"] if $CustomFieldObj->EscapeHTML;
+
my $UniqueValuesChecked = qq[checked="checked"];
$UniqueValuesChecked = '' if !$CustomFieldObj->UniqueValues;
@@ -442,4 +455,6 @@ $LinkValueTo => undef
$IncludeContentForValue => undef
$BasedOn => undef
$EntryHint => undef
+$EscapeHTML => 0
+$SetEscapeHTML => undef
</%ARGS>
diff --git a/share/html/Elements/ShowCustomFieldText b/share/html/Elements/ShowCustomFieldText
index 7b763e6016..a2d97de1e5 100644
--- a/share/html/Elements/ShowCustomFieldText
+++ b/share/html/Elements/ShowCustomFieldText
@@ -47,10 +47,15 @@
%# END BPS TAGGED BLOCK }}}
<%init>
my $content = $Object->LargeContent || $Object->Content;
- $content = $m->comp('/Elements/ScrubHTML', Content => $content);
- $content =~ s|\n|<br />|g;
+ if ( $EscapeHTML ) {
+ RT::Interface::Web::EscapeHTML(\$content);
+ } else {
+ $content = $m->comp('/Elements/ScrubHTML', Content => $content);
+ $content =~ s|\n|<br />|g;
+ }
</%init>
<%$content|n%>
<%ARGS>
$Object
+$EscapeHTML => 0
</%ARGS>
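Review bot: Nothing in this commit passes `EscapeHTML` into this component (none of the 11 changed files is a caller), so unless a caller already forwards it, `$EscapeHTML` keeps its default of 0, the new branch is never taken and the stored flag has no effect on display. Reading it from the value's own custom field, e.g. `$EscapeHTML //= $Object->CustomFieldObj->EscapeHTML;` with the arg defaulting to `undef` (assuming `$Object` is an ObjectCustomFieldValue), would avoid depending on every call site. Separately, the escaped branch skips the `s|\n|<br />|g` step, so as far as this hunk shows multi-line text loses its line breaks. Because the output is emitted with `|n`, moving that substitution after the `if`/`else` applies it to already-escaped text and restores the breaks without reintroducing user-supplied markup.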