Item12958: HTML in a label can break the editor

Given a formfield definition such as:

| <h2>Comments</h2> | label | | | | |

when you try to edit the topic, Form.pm tries to link to the topic <h2>Comments</h2>. normalizeWebTopicName breaks this down as web=<h2>Comments< and topic=h2>. The web name validator then refuses to deal with this web name and returns undef, and the crash happens. Oh, and it tries to use {web} which is not a field in a Form.

Fix is to ensure a valid web name is always found:

Index: Form.pm
===================================================================
--- Form.pm   (revision 17781)
+++ Form.pm   (working copy)
@@ -329,10 +329,11 @@
     $tooltip ||= $defaultToolTip;
 
     ( my $web, $topic ) =
-      $this->session->normalizeWebTopicName( $this->{web}, $topic );
+      $this->session->normalizeWebTopicName( $this->web(), $topic );
 
     $web =
       Foswiki::Sandbox::untaint( $web, \&Foswiki::Sandbox::validateWebName );
+    $web ||= $this->web();
 
     $topic = Foswiki::Sandbox::untaint( $topic,
         \&Foswiki::Sandbox::validateTopicName );

-- CrawfordCurrie - 07 Jul 2014

HI Crawford, can this be checked in? What is it waiting for, and is there a unit test for it?

-- GeorgeClark - 21 Jul 2014

There are no unit tests for any part of the edit script, AFAICT. It has been tested in a live site, however, and can be checked in IMHO.

-- CrawfordCurrie - 22 Jul 2014

Check in to trunk

-- CrawfordCurrie - 25 Nov 2014

Commenting is disabled while not logged in