From c8b3703ee405b857a0b5b8fac8a067149e1e70d9 Mon Sep 17 00:00:00 2001
From: Jigal van Hemert <jigal.van.hemert@typo3.org>
Date: Thu, 8 Jun 2017 23:22:44 +0200
Subject: [PATCH] [BUGFIX] Skip quoted fields in insertData
While parsing the input value for expressions inside curly brackets
it must skip quoted field names which are also in curly brackets
but start with a '#'.
Resolves: #81492
Related: #80506
Releases: master, 8.7
Change-Id: Ic58fcdcbb68108ac77da746db3e6a442515ce7ea
Reviewed-on: https://review.typo3.org/53172
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Anja Leichsenring <anja.leichsenring@typo3.com>
Tested-by: Anja Leichsenring <anja.leichsenring@typo3.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
---
.../ContentObject/ContentObjectRenderer.php | 15 +++++++++--
.../ContentObjectRendererTest.php | 27 +++++++++++++++++++
2 files changed, 40 insertions(+), 2 deletions(-)
diff --git a/typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php b/typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php
index c790dafa571b..b0d7d1ff82ad 100644
--- a/typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php
+++ b/typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php
@@ -3277,8 +3277,13 @@ class ContentObjectRenderer
}
/**
- * Implements the "insertData" property of stdWrap meaning that if strings matching {...} is found in the input string they will be substituted with the return value from getData (datatype) which is passed the content of the curly braces.
- * Example: If input string is "This is the page title: {page:title}" then the part, '{page:title}', will be substituted with the current pages title field value.
+ * Implements the "insertData" property of stdWrap meaning that if strings matching {...} is found in the input string they
+ * will be substituted with the return value from getData (datatype) which is passed the content of the curly braces.
+ * If the content inside the curly braces starts with a hash sign {#...} it is a field name that must be quoted by Doctrine
+ * DBAL and is skipped here for later processing.
+ *
+ * Example: If input string is "This is the page title: {page:title}" then the part, '{page:title}', will be substituted with
+ * the current pages title field value.
*
* @param string $str Input value
* @return string Processed input value
@@ -3295,6 +3300,12 @@ class ContentObjectRenderer
$len = strcspn(substr($str, $pointer), '{');
$newVal .= substr($str, $pointer, $len);
$inside = true;
+ if (substr($str, $pointer + $len + 1, 1) === '#') {
+ $len2 = strcspn(substr($str, $pointer + $len), '}');
+ $newVal .= substr($str, $pointer + $len, $len2);
+ $len += $len2;
+ $inside = false;
+ }
} else {
$len = strcspn(substr($str, $pointer), '}') + 1;
$newVal .= $this->getData(substr($str, $pointer + 1, $len - 2), $this->data);
diff --git a/typo3/sysext/frontend/Tests/Unit/ContentObject/ContentObjectRendererTest.php b/typo3/sysext/frontend/Tests/Unit/ContentObject/ContentObjectRendererTest.php
index ec54c04ff890..b8ed108e2b3a 100644
--- a/typo3/sysext/frontend/Tests/Unit/ContentObject/ContentObjectRendererTest.php
+++ b/typo3/sysext/frontend/Tests/Unit/ContentObject/ContentObjectRendererTest.php
@@ -5628,6 +5628,33 @@ class ContentObjectRendererTest extends \TYPO3\TestingFramework\Core\Unit\UnitTe
$subject->stdWrap_insertData($content, $conf));
}
+ /**
+ * Data provider for stdWrap_insertData
+ *
+ * @return array [$expect, $content]
+ */
+ public function stdWrap_insertDataProvider()
+ {
+ return [
+ 'empty' => ['', ''],
+ 'notFoundData' => ['any=1', 'any{$string}=1'],
+ 'queryParameter' => ['any{#string}=1', 'any{#string}=1'],
+ ];
+ }
+
+ /**
+ * Check that stdWrap_insertData works properly with given input.
+ *
+ * @test
+ * @dataProvider stdWrap_insertDataProvider
+ * @param int $expect The expected output.
+ * @param string $content The given input.
+ */
+ public function stdWrap_insertDataAndInputExamples($expect, $content)
+ {
+ $this->assertSame($expect, $this->subject->stdWrap_insertData($content));
+ }
+
/**
* Data provider for stdWrap_intval
*
--
GitLab