Merge branch 'before_1313'

Author: emodric

README.md

@@ -1,6 +1,11 @@
-eZ Publish 4 (Referred to as `legacy` in eZ Publish 5.x) [![Build Status](https://secure.travis-ci.org/netgen/ezpublish-legacy.png)](http://travis-ci.org/netgen/ezpublish-legacy)
+eZ Publish 4 (Referred to as `legacy` in eZ Publish 5.x)
 =======================================================
 
+[![Build Status](https://img.shields.io/travis/ezsystems/ezpublish-legacy.svg?style=flat-square&branch=master)](https://travis-ci.org/ezsystems/ezpublish-legacy)
+[![Downloads](https://img.shields.io/packagist/dt/ezsystems/ezpublish-legacy.svg?style=flat-square)](https://packagist.org/packages/ezsystems/ezpublish-legacy)
+[![Latest version](https://img.shields.io/github/release/ezsystems/ezpublish-legacy.svg?style=flat-square)](https://github.com/ezsystems/ezpublish-legacy/releases)
+[![License](https://img.shields.io/packagist/l/ezsystems/ezpublish-legacy.svg?style=flat-square)](LICENSE)
+
 What is eZ Publish?
 -------------------
 eZ Publish is a professional PHP application framework with advanced CMS

cronjobs/indexcontent.php

@@ -114,6 +114,7 @@
             if ( $removeFromPendingActions )
             {
                 $db->query( "DELETE FROM ezpending_actions WHERE action = '$action' AND param = '$objectID'" );
+                eZContentCacheManager::clearContentCacheIfNeeded( $objectID );
             }
             else
             {

design/standard/templates/class/datatype/edit/ezobjectrelation.tpl

@@ -1,5 +1,7 @@
 {* DO NOT EDIT THIS FILE! Use an override template instead. *}
-{let content=$class_attribute.content}
+{let content=$class_attribute.content
+     class_list=$content.class_constraint_list
+     all_class_list=fetch( 'class', 'list', hash( 'sort_by', array( 'name', true() ) ) )}
 
 <div class="block">
 <label for="eccaor_selection_{$class_attribute.id}">{'Selection method'|i18n( 'design/standard/class/datatype' )}:</label>
@@ -11,6 +13,16 @@
 </select>
 </div>
 
+<div class="block">
+    <label for="eccaor_allowed_{$class_attribute.id}">{'Allowed classes'|i18n( 'design/standard/class/datatype' )}:</label>
+    <select id="eccaor_allowed_{$class_attribute.id}" name="ContentClass_ezobjectrelation_class_list_{$class_attribute.id}[]" multiple="multiple" title="{'Select which classes user can create'|i18n( 'design/standard/class/datatype' )}" size="{min( 8, count( $all_class_list ) )}">
+    <option value="" {if $class_list|lt(1)}selected="selected"{/if}>{'Any'|i18n( 'design/standard/class/datatype' )}</option>
+    {section name=Class loop=$all_class_list}
+    <option value="{$:item.identifier|wash}" {if $class_list|contains($:item.identifier)}selected="selected"{/if}>{$:item.name|wash}</option>
+    {/section}
+    </select>
+</div>
+
 <div class="block">
 <fieldset>
 <legend>{'Default selection item'|i18n( 'design/standard/class/datatype' )}</legend>

design/standard/templates/class/datatype/view/ezobjectrelation.tpl

@@ -7,6 +7,18 @@
     <p>{$content.selection_type|choose( 'Browse'|i18n( 'design/standard/class/datatype' ), 'Drop-down list'|i18n( 'design/standard/class/datatype' ), 'Drop-down tree'|i18n( 'design/standard/class/datatype' ) )}</p>
 </div>
 
+{* Allowed classes. *}
+<div class="block">
+    <label>{'Allowed classes'|i18n( 'design/standard/class/datatype' )}:</label>
+    {section show=$content.class_constraint_list|count|lt( 1 )}
+    <p>{'Any'|i18n( 'design/standard/class/datatype' )}</p>
+    {section-else}
+    <ul>
+    {section var=Classes loop=$content.class_constraint_list}<li>{$Classes.item}</li>{/section}
+    </ul>
+    {/section}
+</div>
+
 {* Selection item/node. *}
 <div class="block">
 <label>{'Default selection item'|i18n( 'design/standard/class/datatype' )}:</label>

design/standard/templates/content/datatype/edit/ezobjectrelation.tpl

@@ -55,6 +55,9 @@
 {if $attribute.class_content.default_selection_node}
     <input type="hidden" name="{$attribute_base}_browse_for_object_start_node[{$attribute.id}]" value="{$attribute.class_content.default_selection_node|wash}" />
 {/if}
+{if is_set( $class_content.class_constraint_list[0] )}
+    <input type="hidden" name="{$attribute_base}_browse_for_object_class_constraint_list[{$attribute.id}]" value="{$class_content.class_constraint_list|implode(',')}" />
+{/if}
 {if $attribute.content}
     <input class="button ezobject-relation-remove-button" type="submit" name="CustomActionButton[{$attribute.id}_remove_object]" value="{'Remove object'|i18n( 'design/standard/content/datatype' )}" />
 {else}
@@ -88,14 +91,27 @@
 {* Dropdown list. *}
 {case match=1}
 {let parent_node=fetch( content, node, hash( node_id, $class_content.default_selection_node ) )}
-
+{def $nodesList=cond( and( is_set( $class_content.class_constraint_list ), $class_content.class_constraint_list|count|ne( 0 ) ),
+                         fetch( 'content', 'list',
+                                hash( 'parent_node_id', $parent_node.node_id,
+                                      'class_filter_type','include',
+                                      'class_filter_array', $class_content.class_constraint_list,
+                                      'sort_by', $parent_node.sort_array
+                                     ) ),
+                         fetch( 'content', 'list',
+                                hash( 'parent_node_id', $parent_node.node_id,
+                                      'sort_by', $parent_node.sort_array )
+                                     ) )
+                        )}
 <select id="ezcoa-{if ne( $attribute_base, 'ContentObjectAttribute' )}{$attribute_base}-{/if}{$attribute.contentclassattribute_id}_{$attribute.contentclass_attribute_identifier}" class="ezcc-{$attribute.object.content_class.identifier} ezcca-{$attribute.object.content_class.identifier}_{$attribute.contentclass_attribute_identifier}" name="{$attribute_base}_data_object_relation_id_{$attribute.id}">
 {if $attribute.contentclass_attribute.is_required|not}
 <option value="" {if eq( $attribute.data_int, '' )}selected="selected"{/if}>{'No relation'|i18n( 'design/standard/content/datatype' )}</option>
 {/if}
-{section var=Nodes loop=fetch( content, list, hash( parent_node_id, $parent_node.node_id, sort_by, $parent_node.sort_array ) )}
-<option value="{$Nodes.item.contentobject_id}" {if eq( $attribute.data_int, $Nodes.item.contentobject_id )}selected="selected"{/if}>{$Nodes.item.name|wash}</option>
-{/section}
+{if $nodesList}
+    {foreach $nodesList as $nodeOption}
+        <option value="{$nodeOption.contentobject_id}" {if eq( $attribute.data_int, $nodeOption.contentobject_id )}selected="selected"{/if}>{$nodeOption.name|wash()}</option>
+    {/foreach}
+{/if}
 </select>
 
 {if $class_content.fuzzy_match}

extension/ezoe/ezxmltext/handlers/input/ezoeinputparser.php

@@ -262,7 +262,7 @@ function setAttributes( $element, $attributes )
                     if ( isset( $this->Namespaces[$prefix] ) )
                     {
                         $URI = $this->Namespaces[$prefix];
-                        $element->setAttributeNS( $URI, $qualifiedName, $value );
+                        $element->setAttributeNS( $URI, $qualifiedName, htmlspecialchars_decode( $value ) );
                     }
                     else
                     {
@@ -271,7 +271,7 @@ function setAttributes( $element, $attributes )
                 }
                 else
                 {
-                    $element->setAttribute( $qualifiedName, $value );
+                    $element->setAttribute( $qualifiedName, htmlspecialchars_decode( $value ) );
                 }
             }
         }

extension/ezoe/ezxmltext/handlers/input/ezoexmlinput.php

@@ -1744,12 +1744,12 @@ public static function getCustomAttrPart( $tag, &$styleString )
                 if ( $customAttributePart === '' )
                 {
                     $customAttributePart = ' customattributes="';
-                    $customAttributePart .= $attribute->name . '|' . $attribute->value;
+                    $customAttributePart .= $attribute->name . '|' . htmlspecialchars( $attribute->value );
                 }
                 else
                 {
                    $customAttributePart .= 'attribute_separation' . $attribute->name . '|' .
-                                           $attribute->value;
+                       htmlspecialchars( $attribute->value );
                 }
                 if ( isset( self::$customAttributeStyleMap[$attribute->name] ) )
                 {

extension/ezoe/tests/ezoexmltext_regression.php

@@ -34,16 +34,37 @@ public function providerParsingGreaterThanAttribute()
             array(
                 '<div type="custom" class="ezoeItemCustomTag factbox" customattributes="title|<a href=&quot;#test&quot;>Test</a>attribute_separationalign|right"><p>This is a fact</p></div>',
                 '<?xml version="1.0" encoding="utf-8"?>
-<section xmlns:image="http://ez.no/namespaces/ezpublish3/image/" xmlns:xhtml="http://ez.no/namespaces/ezpublish3/xhtml/" xmlns:custom="http://ez.no/namespaces/ezpublish3/custom/"><paragraph xmlns:tmp="http://ez.no/namespaces/ezpublish3/temporary/"><custom name="factbox" custom:title="&lt;a href=&amp;quot;#test&amp;quot;&gt;Test&lt;/a&gt;"><paragraph>This is a fact</paragraph></custom></paragraph></section>',
+<section xmlns:image="http://ez.no/namespaces/ezpublish3/image/" xmlns:xhtml="http://ez.no/namespaces/ezpublish3/xhtml/" xmlns:custom="http://ez.no/namespaces/ezpublish3/custom/"><paragraph xmlns:tmp="http://ez.no/namespaces/ezpublish3/temporary/"><custom name="factbox" custom:title="&lt;a href=&quot;#test&quot;&gt;Test&lt;/a&gt;"><paragraph>This is a fact</paragraph></custom></paragraph></section>',
             ),
             array(
                 '<div type="custom" class="ezoeItemCustomTag factbox" customattributes="title|<a href=&quot;#test&quot;>Test</a>attribute_separationalign|right"><p>This is a fact</p></div><p>Text between</p><div type="custom" class="ezoeItemCustomTag factbox" customattributes="title|<a href=&quot;#test&quot;>Test</a>attribute_separationalign|right"><p>This is a fact</p></div>',
                 '<?xml version="1.0" encoding="utf-8"?>
-<section xmlns:image="http://ez.no/namespaces/ezpublish3/image/" xmlns:xhtml="http://ez.no/namespaces/ezpublish3/xhtml/" xmlns:custom="http://ez.no/namespaces/ezpublish3/custom/"><paragraph xmlns:tmp="http://ez.no/namespaces/ezpublish3/temporary/"><custom name="factbox" custom:title="&lt;a href=&amp;quot;#test&amp;quot;&gt;Test&lt;/a&gt;"><paragraph>This is a fact</paragraph></custom></paragraph><paragraph>Text between</paragraph><paragraph xmlns:tmp="http://ez.no/namespaces/ezpublish3/temporary/"><custom name="factbox" custom:title="&lt;a href=&amp;quot;#test&amp;quot;&gt;Test&lt;/a&gt;"><paragraph>This is a fact</paragraph></custom></paragraph></section>',
+<section xmlns:image="http://ez.no/namespaces/ezpublish3/image/" xmlns:xhtml="http://ez.no/namespaces/ezpublish3/xhtml/" xmlns:custom="http://ez.no/namespaces/ezpublish3/custom/"><paragraph xmlns:tmp="http://ez.no/namespaces/ezpublish3/temporary/"><custom name="factbox" custom:title="&lt;a href=&quot;#test&quot;&gt;Test&lt;/a&gt;"><paragraph>This is a fact</paragraph></custom></paragraph><paragraph>Text between</paragraph><paragraph xmlns:tmp="http://ez.no/namespaces/ezpublish3/temporary/"><custom name="factbox" custom:title="&lt;a href=&quot;#test&quot;&gt;Test&lt;/a&gt;"><paragraph>This is a fact</paragraph></custom></paragraph></section>',
             ),
         );
     }
 
+    /**
+     * Test for proper escaping for custom tag attribute values
+     */
+    public function testEscapeAttributeValue()
+    {
+        $xmlData = '<?xml version="1.0" encoding="utf-8"?>';
+        $xmlData .= '<section xmlns:image="http://ez.no/namespaces/ezpublish3/image/" xmlns:xhtml="http://ez.no/namespaces/ezpublish3/xhtml/" xmlns:custom="http://ez.no/namespaces/ezpublish3/custom/">';
+        $xmlData .= "<paragraph>";
+        $xmlData .= '<custom name="factbox" custom:title="&quot;fipsfuchs&quot;" custom:align="&amp;quot;fipsfuchs&amp;quot;"></custom>';
+        $xmlData .= "</paragraph>";
+        $xmlData .= "</section>";
+
+        $folder = new ezpObject( 'folder', 2 );
+        $folder->name = 'Escape Attribute Value';
+        $folder->short_description = '';
+
+        $oeHandler = new eZOEXMLInput( $xmlData, false,  $folder->short_description );
+        $xhtml = $oeHandler->attribute( 'input_xml' );
+        self::assertEquals( '&lt;div class=&quot;ezoeItemCustomTag factbox&quot; type=&quot;custom&quot; customattributes=&quot;title|&amp;quot;fipsfuchs&amp;quot;attribute_separationalign|&amp;amp;quot;fipsfuchs&amp;amp;quot;&quot;&gt;&lt;p&gt;factbox&lt;/p&gt;&lt;/div&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;', $xhtml );
+    }
+
     /**
      * Test for issue #16605: Online Editor adds a lot of Non Breaking spaces (nbsp)
      *