Merge pull request #621 from ArthurHoaro/hotfix/update-escape-config

Fix update method escapeUnescapedConfig
shaarli · Aug 2, 2016 · c7a42ab · c7a42ab
2 parents 58f0660 + b9f8b83
commit c7a42ab
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 2 deletions.
diff --git a/application/Updater.php b/application/Updater.php
@@ -198,11 +198,11 @@ public function updateMethodConfigToJson()
      * Escape settings which have been manually escaped in every request in previous versions:
      *   - general.title
      *   - general.header_link
-     *   - extras.redirector
+     *   - redirector.url
      *
      * @return bool true if the update is successful, false otherwise.
      */
-    public function escapeUnescapedConfig()
+    public function updateMethodEscapeUnescapedConfig()
     {
         try {
             $this->conf->set('general.title', escape($this->conf->get('general.title')));

diff --git a/tests/Updater/UpdaterTest.php b/tests/Updater/UpdaterTest.php
@@ -263,4 +263,28 @@ public function testConfigToJsonNothingToDo()
         $expected = filemtime($this->conf->getConfigFileExt());
         $this->assertEquals($expected, $filetime);
     }
+
+    /**
+     * Test escapeUnescapedConfig with valid data.
+     */
+    public function testEscapeConfig()
+    {
+        $sandbox = 'sandbox/config';
+        copy(self::$configFile .'.json.php', $sandbox .'.json.php');
+        $this->conf = new ConfigManager($sandbox);
+        $title = '<script>alert("title");</script>';
+        $headerLink = '<script>alert("header_link");</script>';
+        $redirectorUrl = '<script>alert("redirector");</script>';
+        $this->conf->set('general.title', $title);
+        $this->conf->set('general.header_link', $headerLink);
+        $this->conf->set('redirector.url', $redirectorUrl);
+        $updater = new Updater(array(), array(), $this->conf, true);
+        $done = $updater->updateMethodEscapeUnescapedConfig();
+        $this->assertTrue($done);
+        $this->conf->reload();
+        $this->assertEquals(escape($title), $this->conf->get('general.title'));
+        $this->assertEquals(escape($headerLink), $this->conf->get('general.header_link'));
+        $this->assertEquals(escape($redirectorUrl), $this->conf->get('redirector.url'));
+        unlink($sandbox .'.json.php');
+    }
 }