tmdinosaurcenter
/
tainacan
mirror of https://github.com/tainacan/tainacan
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Adds more texts and sanitized fields

This commit is contained in:
Rodrigo de Oliveira 2021-03-12 02:58:06 -03:00
parent 5fe6c41546
commit 566292eebd
2 changed files with 30 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/classes/repositories/class-tainacan-repository.php
View File

@ -121,8 +121,8 @@ abstract class Repository {
*/ */
public function insert( $obj ) { public function insert( $obj ) {
// validate // validate
$require_validation_statuses = [ 'publish', 'future', 'private']; $required_validation_statuses = ['publish', 'future', 'private'];
if (in_array( $obj->get_status(), apply_filters( 'tainacan-status-require-validation', $require_validation_statuses) ) && ! $obj->get_validated() ) { if (in_array( $obj->get_status(), apply_filters( 'tainacan-status-require-validation', $required_validation_statuses) ) && ! $obj->get_validated() ) {
throw new \Exception( 'Entities must be validated before you can save them' ); throw new \Exception( 'Entities must be validated before you can save them' );
// TODO: Throw Warning saying you must validate object before insert() // TODO: Throw Warning saying you must validate object before insert()
} }
@ -144,11 +144,6 @@ abstract class Repository {
} }
$obj->WP_Post->post_type = $obj::get_post_type(); $obj->WP_Post->post_type = $obj::get_post_type();
if ( $obj instanceof Entities\Taxonomy ) {
$sanitized = $this->sanitize_value($obj->get('name'));
$obj->WP_Post->post_title = $sanitized;
}
if ( $obj instanceof Entities\Log && ! ( isset( $obj->WP_Post->post_status ) && in_array( $obj->WP_Post->post_status, [ if ( $obj instanceof Entities\Log && ! ( isset( $obj->WP_Post->post_status ) && in_array( $obj->WP_Post->post_status, [
'publish', 'publish',
'pending' 'pending'
@ -175,9 +170,11 @@ abstract class Repository {
do_action( "tainacan-pre-insert-$obj_post_type", $obj ); do_action( "tainacan-pre-insert-$obj_post_type", $obj );
} }
if ($obj instanceof Entities\Collection || $obj instanceof Entities\Metadatum) { if ($obj instanceof Entities\Collection || $obj instanceof Entities\Metadatum || $obj instanceof Entities\Taxonomy) {
$sanitized = $this->sanitize_value($obj->get('name')); $sanitized = $this->sanitize_value($obj->get('name'));
$sanitized_desc = $this->sanitize_value($obj->get('description'));
$obj->WP_Post->post_title = $sanitized; $obj->WP_Post->post_title = $sanitized;
$obj->WP_Post->post_content = $sanitized_desc;
} }
$id = wp_insert_post( $obj->WP_Post ); $id = wp_insert_post( $obj->WP_Post );

34
tests/test-html-injection.php
View File

@ -28,16 +28,21 @@ class HTML_Injection extends TAINACAN_UnitTestCase
$css = "my text along with some style <style>a { display: none }</style>"; $css = "my text along with some style <style>a { display: none }</style>";
$iframe = "<iframe src='www.tainacan.org' title='Taiancan'></iframe>"; $iframe = "<iframe src='www.tainacan.org' title='Taiancan'></iframe>";
$text_and_link = "my very interesting name and $link as well"; $text_and_link = "my very interesting name and $link as well";
$text_and_iframe = "description item $iframe";
// Accepted formatting // Accepted formatting
$strong = "I have some info to tell the world. And I can <strong> bold it </strong>"; $strong = "I have some info to tell the world. And I can <strong> bold it </strong>";
$html = "<div><h1>Main Info</h1><h3>sub title</h3><p>My structure description<p></p>and another paragraph</p></div>"; $html = "<div><h1>Main Info</h1><h3>sub title</h3><p>My structure description<p></p>and another paragraph</p></div>";
// Expected returns
$expected_title = 'my very interesting name and link as well';
$expected_desc = 'description item';
$collection = $this->tainacan_entity_factory->create_entity( $collection = $this->tainacan_entity_factory->create_entity(
'collection', 'collection',
array( array(
'name' => 'collection name <a href="www.tainacan.org">link <a href="link2.com.br"> link2 </a> </a>', 'name' => 'collection name <a href="www.tainacan.org">link <a href="link2.com.br"> link2 </a> </a>',
'description' => 'collection description', 'description' => $text_and_iframe,
), ),
true true
); );
@ -45,6 +50,7 @@ class HTML_Injection extends TAINACAN_UnitTestCase
// Test Collection // Test Collection
$this->assertEquals($collection->get_name(), 'collection name link link2'); $this->assertEquals($collection->get_name(), 'collection name link link2');
$this->assertEquals($collection->get_description(), $expected_desc);
$metadatum = $this->tainacan_entity_factory->create_entity( $metadatum = $this->tainacan_entity_factory->create_entity(
'metadatum', 'metadatum',
@ -57,23 +63,24 @@ class HTML_Injection extends TAINACAN_UnitTestCase
true true
); );
$metadatum = $Tainacan_Metadata->fetch($metadatum->get_id()); $metadatum = $Tainacan_Metadata->fetch($metadatum->get_id());
$this->assertEquals($metadatum->get_name(), 'my very interesting name and link as well'); $this->assertEquals($metadatum->get_name(), $expected_title);
$item = $this->tainacan_entity_factory->create_entity( $item = $this->tainacan_entity_factory->create_entity(
'item', 'item',
array( array(
'title' => 'title item <script>console.log("XSS")</script>', 'title' => 'title item <script>console.log("XSS")</script>',
'description' => 'description item <iframe src="www.tainacan.org" title="Taiancan"></iframe>', 'description' => $text_and_iframe,
'collection' => $collection 'collection' => $collection
), ),
true true
); );
$taxonomy = $this->tainacan_entity_factory->create_entity( $taxonomy = $this->tainacan_entity_factory->create_entity(
'taxonomy', 'taxonomy',
array( array(
'name' => $text_and_link, 'name' => $text_and_link,
'collections' => [$collection], 'collections' => [$collection],
'description' => $text_and_iframe,
'status' => 'publish' 'status' => 'publish'
), ),
true true
@ -81,9 +88,11 @@ class HTML_Injection extends TAINACAN_UnitTestCase
$item = $Tainacan_Items->fetch($item->get_id()); $item = $Tainacan_Items->fetch($item->get_id());
$this->assertEquals($item->get_title(), 'title item console.log("XSS")'); $this->assertEquals($item->get_title(), 'title item console.log("XSS")');
$this->assertEquals($item->get_description(), 'description item'); $this->assertEquals($item->get_description(), $expected_desc);
// Test metadata /*
* Test metadata
*/
$item_metadata = new \Tainacan\Entities\Item_Metadata_Entity($item, $metadatum); $item_metadata = new \Tainacan\Entities\Item_Metadata_Entity($item, $metadatum);
$item_metadata->set_value($js); $item_metadata->set_value($js);
$item_metadata->validate(); $item_metadata->validate();
@ -116,10 +125,15 @@ class HTML_Injection extends TAINACAN_UnitTestCase
$item_metadata = $Tainacan_Item_Metadata->update($item_metadata); $item_metadata = $Tainacan_Item_Metadata->update($item_metadata);
$this->assertEquals($item_metadata->get_value(), $html); $this->assertEquals($item_metadata->get_value(), $html);
// Test terms /*
* Test terms
*/
// Test taxonomies /*
* Test taxonomies
*/
$tx = $Tainacan_Taxonomies->fetch($taxonomy->get_id()); $tx = $Tainacan_Taxonomies->fetch($taxonomy->get_id());
$this->assertEquals($tx->get_name(), 'my very interesting name and link as well'); $this->assertEquals($tx->get_name(), $expected_title);
$this->assertEquals($tx->get_description(), $expected_desc);
} }
} }