author | Craig Kaiser <craig@bestpractical.com> | 2019-03-20 18:25:43 +0300 |
committer | Craig Kaiser <craig@bestpractical.com> | 2019-04-08 21:07:32 +0300 |
commit | c44e53a44b1da9934ac47d8b9f6735904942eea8 (patch) | |
tree | 4731ddbc95ddae5b0e8314b241bf639d677b50e3 | |
parent | 2ae073d2f75f446810b9f2a0ceec154e0e2c1c93 (diff) |
Allow HTML to be escaped for custom fields on display (branch: 4.4/custom-field-html-option)
If we are displaying the content of a customfield and the content is
HTML content, it is useful to see the whole content escaped.
-rw-r--r-- | etc/schema.Oracle | 3 | ||||
-rw-r--r-- | etc/schema.Pg | 1 | ||||
-rw-r--r-- | etc/schema.SQLite | 1 | ||||
-rw-r--r-- | etc/schema.mysql | 1 | ||||
-rw-r--r-- | etc/upgrade/4.4.5/schema.Oracle | 1 | ||||
-rw-r--r-- | etc/upgrade/4.4.5/schema.Pg | 1 | ||||
-rw-r--r-- | etc/upgrade/4.4.5/schema.SQLite | 1 | ||||
-rw-r--r-- | etc/upgrade/4.4.5/schema.mysql | 1 | ||||
-rw-r--r-- | lib/RT/CustomField.pm | 26 | ||||
-rw-r--r-- | share/html/Admin/CustomFields/Modify.html | 17 | ||||
-rw-r--r-- | share/html/Elements/ShowCustomFieldText | 9 |
11 files changed, 58 insertions, 4 deletions
diff --git a/etc/schema.Oracle b/etc/schema.Oracle
index b3e677b827..beac4cb01b 100644
--- a/etc/schema.Oracle
+++ b/etc/schema.Oracle
@@ -364,7 +364,8 @@ CREATE TABLE CustomFields (
 Created DATE,
 LastUpdatedBy NUMBER(11,0) DEFAULT 0 NOT NULL,
 LastUpdated DATE,
- Disabled NUMBER(11,0) DEFAULT 0 NOT NULL
+ Disabled NUMBER(11,0) DEFAULT 0 NOT NULL,
+ EscapeHTML NUMBER(11,0) DEFAULT 0 NOT NULL
 );
diff --git a/etc/schema.Pg b/etc/schema.Pg
index aa4b437e0a..7143ac749c 100644
--- a/etc/schema.Pg
+++ b/etc/schema.Pg
@@ -550,6 +550,7 @@ CREATE TABLE CustomFields (
 LastUpdatedBy integer NOT NULL DEFAULT 0 ,
 LastUpdated TIMESTAMP NULL ,
 Disabled integer NOT NULL DEFAULT 0 ,
+ EscapeHTML integer NOT NULL DEFAULT 0 ,
 PRIMARY KEY (id)
 );
diff --git a/etc/schema.SQLite b/etc/schema.SQLite
index f8e6ae9327..f34827ec96 100644
--- a/etc/schema.SQLite
+++ b/etc/schema.SQLite
@@ -396,6 +396,7 @@ CREATE TABLE CustomFields (
 LastUpdatedBy integer NOT NULL DEFAULT 0 ,
 LastUpdated DATETIME NULL ,
 Disabled int2 NOT NULL DEFAULT 0 ,
+ EscapeHTML int2 NOT NULL DEFAULT 0 ,
 PRIMARY KEY (id)
 ) ;
diff --git a/etc/schema.mysql b/etc/schema.mysql
index eefc145ca4..807f0c919d 100644
--- a/etc/schema.mysql
+++ b/etc/schema.mysql
@@ -368,6 +368,7 @@ CREATE TABLE CustomFields (
 LastUpdatedBy integer NOT NULL DEFAULT 0 ,
 LastUpdated DATETIME NULL ,
 Disabled int2 NOT NULL DEFAULT 0 ,
+ EscapeHTML int2 NOT NULL DEFAULT 0 ,
 PRIMARY KEY (id)
 ) ENGINE=InnoDB CHARACTER SET utf8;
diff --git a/etc/upgrade/4.4.5/schema.Oracle b/etc/upgrade/4.4.5/schema.Oracle
new file mode 100644
index 0000000000..f6d7326645
--- /dev/null
+++ b/etc/upgrade/4.4.5/schema.Oracle
@@ -0,0 +1 @@
+ALTER TABLE CustomFields ADD EscapeHTML NUMBER(11,0) DEFAULT 0 NOT NULL;
diff --git a/etc/upgrade/4.4.5/schema.Pg b/etc/upgrade/4.4.5/schema.Pg
new file mode 100644
index 0000000000..5a1bc26f11
--- /dev/null
+++ b/etc/upgrade/4.4.5/schema.Pg
@@ -0,0 +1 @@
+ALTER TABLE CustomFields ADD COLUMN EscapeHTML integer NOT NULL DEFAULT 0;
diff --git a/etc/upgrade/4.4.5/schema.SQLite b/etc/upgrade/4.4.5/schema.SQLite
new file mode 100644
index 0000000000..fc5413b2f4
--- /dev/null
+++ b/etc/upgrade/4.4.5/schema.SQLite
@@ -0,0 +1 @@
+ALTER TABLE CustomFields ADD COLUMN EscapeHTML int2 NOT NULL DEFAULT 0;
diff --git a/etc/upgrade/4.4.5/schema.mysql b/etc/upgrade/4.4.5/schema.mysql
new file mode 100644
index 0000000000..fc5413b2f4
--- /dev/null
+++ b/etc/upgrade/4.4.5/schema.mysql
@@ -0,0 +1 @@
+ALTER TABLE CustomFields ADD COLUMN EscapeHTML int2 NOT NULL DEFAULT 0;
diff --git a/lib/RT/CustomField.pm b/lib/RT/CustomField.pm
index c0dfd3d34d..d9c0765d49 100644
--- a/lib/RT/CustomField.pm
+++ b/lib/RT/CustomField.pm
@@ -271,6 +271,7 @@ sub Create {
 EntryHint => undef,
 UniqueValues => 0,
 CanonicalizeClass => undef,
+ EscapeHTML => 0,
 @_,
 );
@@ -364,6 +365,7 @@ sub Create {
 LookupType => $args{'LookupType'},
 UniqueValues => $args{'UniqueValues'},
 CanonicalizeClass => $args{'CanonicalizeClass'},
+ EscapeHTML => $args{'EscapeHTML'}
 );
 if ($rv) {
@@ -1188,6 +1190,30 @@ sub SetDisabled {
 }
 }
+sub EscapeHTML {
+ my $self = shift;
+ my $val = shift;
+
+ return $self->_Value('EscapeHTML');
+}
+
+sub SetEscapeHTML {
+ my $self = shift;
+ my $val = shift;
+
+ my ($status, $msg) = $self->_Set(Field => 'EscapeHTML', Value => $val);
+
+ unless ($status) {
+ return ($status, $msg);
+ }
+
+ if ( $val == 1 ) {
+ return (1, $self->loc("HTML escaping on display enabled"));
+ } else {
+ return (1, $self->loc("HTML escaping on display disabled"));
+ }
+}
+
 =head2 SetTypeComposite
 Set this custom field's type and maximum values as a composite value
diff --git a/share/html/Admin/CustomFields/Modify.html b/share/html/Admin/CustomFields/Modify.html
index 9067140ae4..707889e441 100644
--- a/share/html/Admin/CustomFields/Modify.html
+++ b/share/html/Admin/CustomFields/Modify.html
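Review bot: `SetEscapeHTML` writes `$val` to the column untouched and then decides its success message with `$val == 1`, so a caller passing undef or a non-numeric string gets a warning and a "disabled" message that may not match what was stored; normalise before the write, `$val = $val ? 1 : 0;`, and branch on truthiness. The `my $val = shift;` in the `EscapeHTML` reader is unused and should be dropped. Neither method checks a right, so the new setter presumably relies on this class's `_Set` override for ACL enforcement as `SetDisabled` does — worth confirming, since this flag decides whether a field's value bypasses ScrubHTML on display. Nothing here limits the flag to Freeform/Text fields the way the admin form does, so an API caller can set it on any type.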
@@ -177,6 +177,14 @@ jQuery( function() {
 % $m->callback(CallbackName => 'BeforeEnabled', CustomField => $CustomFieldObj, CFvalidations => \@CFvalidations);
+% if ( $CustomFieldObj->Type && grep { $CustomFieldObj->Type eq $_ } qw/Freeform Text/ ) {
+ <tr><td class="label"> </td><td>
+ <input type="hidden" class="hidden" name="SetEscapeHTML" value="1" />
+ <input type="checkbox" class="checkbox" id="EscapeHTML" name="EscapeHTML" value="1" <% $EscapeHTMLChecked |n %> />
+ <label for="EscapeHTML"><&|/l&>Escape HTML of custom field value</&></label>
+ </td></tr>
+% }
+
 <tr><td class="label"> </td><td>
 <input type="hidden" class="hidden" name="SetEnabled" value="1" />
 <input type="checkbox" class="checkbox" id="Enabled" name="Enabled" value="1" <% $EnabledChecked |n %> />
@@ -224,6 +232,7 @@ else {
 Disabled => ($Enabled ? 0 : 1),
 EntryHint => $EntryHint,
 UniqueValues => $UniqueValues,
+ EscapeHTML => $EscapeHTML
 );
 if (!$val) {
 push @results, loc("Could not create CustomField: [_1]", $msg);
@@ -248,8 +257,9 @@ if ( $ARGS{'Update'} && $id ne 'new' ) {
 # make sure the unchecked checkbox still causes an update
 $ARGS{UniqueValues} ||= 0 if $SetUniqueValues;
+ $ARGS{EscapeHTML} ||= 0 if $SetEscapeHTML;
- my @attribs = qw(Disabled Pattern Name TypeComposite LookupType Description LinkValueTo IncludeContentForValue EntryHint UniqueValues);
+ my @attribs = qw(EscapeHTML Disabled Pattern Name TypeComposite LookupType Description LinkValueTo IncludeContentForValue EntryHint UniqueValues);
 push @results, UpdateRecordObject(
 AttributesRef => \@attribs,
@@ -410,6 +420,9 @@ MaybeRedirectForResults(
 my $EnabledChecked = qq[checked="checked"];
 $EnabledChecked = '' if $CustomFieldObj->Disabled;
+my $EscapeHTMLChecked = '';
+$EscapeHTMLChecked = qq[checked="checked"] if $CustomFieldObj->EscapeHTML;
+
 my $UniqueValuesChecked = qq[checked="checked"];
 $UniqueValuesChecked = '' if !$CustomFieldObj->UniqueValues;
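Review bot: The checkbox is rendered only when `$CustomFieldObj->Type` is already Freeform or Text, which on the creation form is presumably unset, so the `EscapeHTML => $EscapeHTML` passed to `Create` further down this file always carries the default 0 and the flag can only be enabled by editing a saved field; if that is intended, say so above the `% if`, e.g. `%# Only offered for text-type fields, so it appears once the type has been saved`. The Type gate is purely presentational: the Update path hands whatever `EscapeHTML` arrives in the request to `UpdateRecordObject`, so a crafted request can set it on any field type — enforce the restriction server-side rather than in the form. Emitting `<% $EscapeHTMLChecked |n %>` unescaped is acceptable here because the init block assigns it one of two literals.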
@@ -442,4 +455,6 @@ $LinkValueTo => undef
 $IncludeContentForValue => undef
 $BasedOn => undef
 $EntryHint => undef
+$EscapeHTML => 0
+$SetEscapeHTML => undef
 </%ARGS>
diff --git a/share/html/Elements/ShowCustomFieldText b/share/html/Elements/ShowCustomFieldText
index 7b763e6016..a2d97de1e5 100644
--- a/share/html/Elements/ShowCustomFieldText
+++ b/share/html/Elements/ShowCustomFieldText
@@ -47,10 +47,15 @@
 %# END BPS TAGGED BLOCK }}}
 <%init>
 my $content = $Object->LargeContent || $Object->Content;
- $content = $m->comp('/Elements/ScrubHTML', Content => $content);
- $content =~ s|\n|<br />|g;
+ if ( $EscapeHTML ) {
+ RT::Interface::Web::EscapeHTML(\$content);
+ } else {
+ $content = $m->comp('/Elements/ScrubHTML', Content => $content);
+ $content =~ s|\n|<br />|g;
+ }
 </%init>
 <%$content|n%>
 <%ARGS>
 $Object
+$EscapeHTML => 0
 </%ARGS> |
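Review bot: `$EscapeHTML` is a component argument defaulting to 0 and nothing in this commit passes it from the field's new `EscapeHTML` setting (no caller of ShowCustomFieldText appears in the diffstat), so the admin checkbox has no effect on rendering until every call site is updated, and any call site that is missed silently keeps the old behaviour. Resolving it inside the component is more robust: default the argument to `undef` and add `$EscapeHTML = $Object->CustomFieldObj->EscapeHTML if !defined $EscapeHTML;` before the branch — assuming `$Object` carries a `CustomFieldObj` accessor, which this hunk does not show. In the escape branch newlines are no longer turned into `<br />`, so multi-line values collapse onto one line; running the same `s|\n|<br />|g` after `EscapeHTML` is safe because the entity-encoded string contains no markup of its own. The default path is unchanged (ScrubHTML, then `|n` output), so this does not weaken existing sanitisation.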