form : Add htmlspecialchars in display errors to allow '<' error message

git-svn-id: https://svn.fournier38.fr/svn/ProgSVN/trunk@4703 bf3deb0d-5f1a-0410-827f-c0cc1f45334c
2018-11-14 15:51:27 +00:00
parent 7e77e6b841
commit 522c5e7cfa


@@ -196,7 +196,7 @@ class form
{
$this->loggingCallable (LOG_ERR,
"Unknown FORM method (GET or POST allowed)");
throw new Exception (dgettext("domframework",
throw new \Exception (dgettext("domframework",
"Unknown FORM method (GET or POST allowed)"));
}
@@ -207,10 +207,10 @@ class form
{
$this->checkToken ($values[$this->csrfField]);
}
catch (Exception $e)
catch (\Exception $e)
{
$this->loggingCallable (LOG_ERR, $e->getMessage ());
throw new Exception (dgettext("domframework",
throw new \Exception (dgettext("domframework",
"Can not read the data from the form : ".
"Expired or missing CSRF Token"), 500);
}
@@ -252,7 +252,7 @@ class form
{
$this->loggingCallable (LOG_ERR,
"Can't display a form without defined field");
throw new Exception ("Can't display a form without defined field", 500);
throw new \Exception ("Can't display a form without defined field", 500);
}
if (isset ($_SESSION))
$_SESSION["domframework"]["form"][$this->formName]["fields"] =
@@ -361,7 +361,9 @@ class form
}
if ($focusElement !== null)
$res .= "<script>document.getElementById('".$this->formName."_".
$focusElement."').focus();</script>\n";
$focusElement."').focus();".
"var formFocusElement='".$this->formName."_".
$focusElement."';</script>\n";
$res .= "</form>\n";
return $res;
}
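Review bot: The added `var formFocusElement='…'` statement puts `$this->formName` and `$focusElement` into a single-quoted JavaScript string inside `<script>` with no encoding, exactly as the existing `getElementById` call does. Where these two values come from is not visible in this hunk, but a `'` or a `</script>` in either one would terminate the string or the script element. Emitting the identifier through `json_encode ($this->formName."_".$focusElement, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP)` in place of the quoted literal, in both statements, removes that dependency on the caller. `formFocusElement` is also a page-wide global, so with several forms on one page the last one rendered wins; a comment saying so would help. The enclosing method starts above this hunk.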
@@ -776,7 +778,8 @@ class formfield
$res .= "<span class='text-muted'>".$this->help."</span>";
if (isset ($this->help) && isset ($this->errors))
$res .= "<br/>";
if (isset ($this->errors)) $res .= $this->errors[1];
if (isset ($this->errors))
$res .= htmlspecialchars ($this->errors[1]);
$res .= "</span>\n";
}
$res .= " </div>\n"; // End controls
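Review bot: `$this->help` at the top of this hunk is still concatenated unescaped into the same `<span>` as the newly escaped `$this->errors[1]`, so only one of the two texts is encoded; if help is meant to carry markup, a comment such as `// help may contain trusted HTML; errors are plain text` should say so. The call relies on the `htmlspecialchars` defaults, which changed in PHP 8.1, and `htmlspecialchars ($this->errors[1], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` keeps the output the same across versions and avoids an empty result on invalid UTF-8. The same two lines are repeated in the hunks at 865, 945, 1064, 1183, 1253 and 1334, so a private helper that renders the error text would keep the encoding in one place. Error messages that callers already escaped will now appear double-encoded, which deserves a line in the commit description.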
@@ -865,7 +868,8 @@ class formfield
$res .= "<span class='text-muted'>".$this->help."</span>";
if (isset ($this->help) && isset ($this->errors))
$res .= "<br/>";
if (isset ($this->errors)) $res .= $this->errors[1];
if (isset ($this->errors))
$res .= htmlspecialchars ($this->errors[1]);
$res .= "</span>\n";
}
$res .= " </div>\n"; // End controls
@@ -945,7 +949,8 @@ class formfield
$res .= "<span class='text-muted'>".$this->help."</span>";
if (isset ($this->help) && isset ($this->errors))
$res .= "<br/>";
if (isset ($this->errors)) $res .= $this->errors[1];
if (isset ($this->errors))
$res .= htmlspecialchars ($this->errors[1]);
$res .= "</span>\n";
}
$res .= " </div>\n"; // End controls
@@ -1064,7 +1069,8 @@ class formfield
$res .= "<span class='text-muted'>".$this->help."</span>";
if (isset ($this->help) && isset ($this->errors))
$res .= "<br/>";
if (isset ($this->errors)) $res .= $this->errors[1];
if (isset ($this->errors))
$res .= htmlspecialchars ($this->errors[1]);
$res .= "</span>\n";
}
}
@@ -1183,7 +1189,8 @@ class formfield
$res .= "<span class='text-muted'>".$this->help."</span>";
if (isset ($this->help) && isset ($this->errors))
$res .= "<br/>";
if (isset ($this->errors)) $res .= $this->errors[1];
if (isset ($this->errors))
$res .= htmlspecialchars ($this->errors[1]);
$res .= "</span>\n";
}
$res .= " </div>\n"; // End controls
@@ -1253,7 +1260,8 @@ class formfield
$res .= "<span class='text-muted'>".$this->help."</span>";
if (isset ($this->help) && isset ($this->errors))
$res .= "<br/>";
if (isset ($this->errors)) $res .= $this->errors[1];
if (isset ($this->errors))
$res .= htmlspecialchars ($this->errors[1]);
$res .= "</span>\n";
}
$res .= " </div>\n"; // End controls
@@ -1334,7 +1342,8 @@ class formfield
$res .= "<span class='text-muted'>".$this->help."</span>";
if (isset ($this->help) && isset ($this->errors))
$res .= "<br/>";
if (isset ($this->errors)) $res .= $this->errors[1];
if (isset ($this->errors))
$res .= htmlspecialchars ($this->errors[1]);
$res .= "</span>\n";
}