Fix over-escaped values in templates; fixes #1673
authorGuillaume AGNIERAY <dev@agnieray.net>
Fri, 10 Mar 2023 14:41:29 +0000 (15:41 +0100)
committerJohan Cwiklinski <trasher@x-tnd.be>
Sat, 11 Mar 2023 14:35:43 +0000 (15:35 +0100)
galette/templates/default/components/dynamic_fields.html.twig
galette/templates/default/elements/display_dynamic_fields.html.twig
galette/templates/default/pages/member_show.html.twig

index be66f4e48e66b1368cc1dd52e045f98590bcbcb3..d8315157ad2930aab341f2ae41403514f57cb297 100644 (file)
                 {% if not masschange %}
                     {% if field.isRequired() %} required="required"{% endif %}
                 {% endif %}
-                    {% if disabled %} disabled="disabled"{% endif %}>{{ valuedata }}</textarea>
+                    {% if disabled %} disabled="disabled"{% endif %}>{{ valuedata|raw }}</textarea>
             {% elseif get_class(field) == 'Galette\\DynamicFields\\Line' %}
                 <input type="text" name="info_field_{{ field.getId() }}_{{ loop }}" id="info_field_{{ field.getId() }}_{{ loop }}"
                     {% if field.getWidth() > 0 %}size="{{ field.getWidth() }}"{% endif %}
                     {% if field.getSize() > 0 %}maxlength="{{ field.getSize() }}"{% endif %}
-                    value="{{ valuedata }}"
+                    value="{{ valuedata|raw }}"
                 {% if not masschange %}
                     {% if field.isRequired() %} required="required"{% endif %}
                 {% endif %}
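Review bot: Both `|raw` additions switch off Twig's output escaping for `valuedata`, once inside the `<textarea>` body and once inside the `value="…"` attribute. The page is then safe only if `valuedata` is already HTML-encoded, quotes included for the attribute case, before it reaches this template; that assignment is outside the hunk and should be confirmed. If the value is meant to arrive encoded, a comment at both places would record the contract, e.g. `{# valuedata arrives HTML-encoded (quotes included); |raw only avoids double-encoding #}`. The same reliance applies to `{{ value|raw }}` in the `{% else %}` branch of member_show.html.twig, where the source of `value` is not visible either. The `<textarea>` and `<input>` tags start or end outside the displayed lines.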
index e86cc48325b9f84a80c565175459bd36a8d92cd5..37583d2401847fbe2fe429ccb77087c231989c5a 100644 (file)
                     <th class="three wide column">{{ field.getName()|escape }}</th>
                     <td>
                         {% for field_data in object.getDynamicFields().getValues(field.getId()) %}
-                            {% set value = field_data.field_val %}
+                            {% set value = field_data.field_val|escape|default("") %}
                             {% if get_class(field) == 'Galette\\DynamicFields\\Choice' %}
                                 {% if field_data.text_val is defined %}
                                     {% set value = field_data.text_val %}
                                 {% else %}
                                     {% set value = "" %}
                                 {% endif %}
+                            {% elseif get_class(field) == 'Galette\\DynamicFields\\Text' %}
+                                {% set value = field_data.field_val|escape|nl2br|default("") %}
                             {% endif %}
                             {% if not loop.first %}<br />{% endif %}
                             {% if get_class(field) == 'Galette\\DynamicFields\\Boolean' %}
                         {{ _T("No") }}
                                 {% endif %}
                             {% elseif get_class(field) == 'Galette\\DynamicFields\\File' %}
-                        <a href="{{ url_for("getDynamicFile", {"id": object.id, "fid": field.getId(), "pos": loop.index, "name": value}) }}">{{ value }}</a>
+                                <a href="{{ url_for("getDynamicFile", {"id": object.id, "fid": field.getId(), "pos": loop.index, "name": value}) }}">{{ value }}</a>
                             {% elseif get_class(field) == 'Galette\\DynamicFields\\Line' and callstatic("Galette\\Core\\GaletteMail", "isValidEmail", value) %}
                                 <a href="mailto:{{ value }}">{{ value }}</a>
                             {% elseif get_class(field) == 'Galette\\DynamicFields\\Line' and callstatic("Galette\\Core\\GaletteMail", "isUrl", value) %}
                                 <a href="{{ value }}" target="_blank" title="{{ _T("Open '%s' in a new window")|replace({"%s": value}) }}">{{ value }}</a>
                             {% else %}
-                        {{ value|nl2br|default("") }}
+                                {{ value|raw }}
                             {% endif %}
                         {% endfor %}
                     </td>
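Review bot: In the `Choice` branch, `value` is reassigned from `field_data.text_val` without `|escape`, and as far as the visible branches show a Choice field reaches the final `{% else %}`, which now prints `{{ value|raw }}`. The removed line passed the value through `nl2br`, which escapes its input under autoescape, so this path appears to lose its escaping. I would write `{% set value = field_data.text_val|escape %}` unless `text_val` is encoded elsewhere, which the hunk does not show. Separately, because `value` is escaped at the first `set`, the `isValidEmail`/`isUrl` checks and the `File`, mailto and URL links receive the entity-encoded string and then print it with plain `{{ value }}`, so values containing `&` or quotes may still render double-encoded there.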
index 98f93ed0db961d9056ddb7cb61be31942616edef..6945f6561c30ce4f03f26873cab1985d10251e47 100644 (file)
                 {% elseif element.field_id == 'ddn_adh' %}
                                 {{ value }} {{ member.getAge() }}
                 {% else %}
-                                {{ value }}
+                                {{ value|raw }}
                 {% endif %}
                                 </td>
                             </tr>