From 21fedb9051ba74ce97bdb7bea58cf89252100212 Mon Sep 17 00:00:00 2001
From: JT Smith
Date: Wed, 10 May 2006 23:01:15 +0000
Subject: [PATCH] added a classname form control for validating classnames and do taint checking
---
 lib/WebGUI/Asset.pm | 10 +--
 lib/WebGUI/Asset/Post.pm | 8 +--
 lib/WebGUI/Form/ClassName.pm | 94 +++++++++++++++++++++++++++++
 lib/WebGUI/Operation/FormHelpers.pm | 6 +-
 lib/WebGUI/Operation/Workflow.pm | 6 +-
 5 files changed, 109 insertions(+), 15 deletions(-)
 create mode 100644 lib/WebGUI/Form/ClassName.pm
diff --git a/lib/WebGUI/Asset.pm b/lib/WebGUI/Asset.pm
index 9daa6db8b..2764d8135 100644
--- a/lib/WebGUI/Asset.pm
+++ b/lib/WebGUI/Asset.pm
@@ -525,7 +525,7 @@ sub getEditForm {
 });
 $tabform->hidden({
 name=>"class",
- value=>$self->session->form->process("class")
+ value=>$self->session->form->process("class","className")
 });
 } else {
 my $ac = $self->getAdminConsole;
@@ -1244,7 +1244,7 @@ sub manageAssetsSearch {
 tie %classes, "Tie::IxHash";
 %classes = ("any"=>"Any Class", $self->session->db->buildHash("select distinct(className) from asset"));
 delete $classes{"WebGUI::Asset"}; # don't want to search for the root asset
- $output .= WebGUI::Form::selectBox($self->session, {name=>"class", value=>$self->session->form->get("class","selectBox"), defaultValue=>"any", options=>\%classes});
+ $output .= WebGUI::Form::selectBox($self->session, {name=>"class", value=>$self->session->form->process("class","className"), defaultValue=>"any", options=>\%classes});
 $output .= WebGUI::Form::hidden($self->session, {name=>"func", value=>"manageAssets"});
 $output .= WebGUI::Form::hidden($self->session, {name=>"doit", value=>"1"});
 $output .= WebGUI::Form::submit($self->session, {value=>"Search"});
@@ -1252,7 +1252,7 @@ sub manageAssetsSearch {
 $self->session->output->print($output);
 $output = '';
 return undef unless ($self->session->form->get("doit"));
- my $class = $self->session->form->get("class") eq "any" ? undef : $self->session->form->get("class");
+ my $class = $self->session->form->process("class","className") eq "any" ? undef : $self->session->form->process("class","className");
 my $assets = WebGUI::Search->new($self->session,0)->search({
 keywords=>$self->session->form->get("keywords"),
 classes=>[$class]
@@ -1766,7 +1766,7 @@ Adds a new Asset based upon the class of the current form. Returns the Asset cal
 sub www_add {
 my $self = shift;
 my %prototypeProperties;
- my $class = $self->session->form->process("class");
+ my $class = $self->session->form->process("class","className");
 unless ($class =~ m/^[A-Za-z0-9\:]+$/) {
 $self->session->errorHandler->security("tried to call an invalid class ".$class);
 return "";
@@ -1897,7 +1897,7 @@ sub www_editSave {
 }
 my $object;
 if ($self->session->form->process("assetId") eq "new") {
- $object = $self->addChild({className=>$self->session->form->process("class")});
+ $object = $self->addChild({className=>$self->session->form->process("class","className")});
 return $self->www_view unless defined $object;
 $object->{_parent} = $self;
 } else {
diff --git a/lib/WebGUI/Asset/Post.pm b/lib/WebGUI/Asset/Post.pm
index 1fb68156f..d25d67efe 100644
--- a/lib/WebGUI/Asset/Post.pm
+++ b/lib/WebGUI/Asset/Post.pm
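Review bot: `$self->session->form->process("class","className")` is evaluated twice in the ternary that sets `$class` in the @@ -1252 hunk, once for the `eq "any"` test and once for the value; the same pattern recurs in the `if (...)` / `$url .=` pairs of the FormHelpers @@ -42 and @@ -90 hunks and in the Workflow @@ -264 hunk. Each call presumably re-runs the control's lookup and filtering, and a single lexical reads more clearly: `my $requested = $self->session->form->process("class","className");` followed by `my $class = $requested eq "any" ? undef : $requested;`. In the @@ -1766 hunk `www_add` still applies its own `m/^[A-Za-z0-9\:]+$/` guard after the control has already filtered the value; the two rules disagree on `_`, so one of them should be the single source of truth for what a class name may contain.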
@@ -97,7 +97,7 @@ sub canAdd {
 #-------------------------------------------------------------------
 sub canEdit {
 my $self = shift;
- return (($self->session->form->process("func") eq "add" || ($self->session->form->process("assetId") eq "new" && $self->session->form->process("func") eq "editSave" && $self->session->form->process("class") eq "WebGUI::Asset::Post")) && $self->getThread->getParent->canPost) || # account for new posts
+ return (($self->session->form->process("func") eq "add" || ($self->session->form->process("assetId") eq "new" && $self->session->form->process("func") eq "editSave" && $self->session->form->process("class","className") eq "WebGUI::Asset::Post")) && $self->getThread->getParent->canPost) || # account for new posts
 ($self->isPoster && $self->getThread->getParent->get("editTimeout") > ($self->session->datetime->time() - $self->get("dateUpdated"))) || $self->getThread->getParent->canEdit;
@@ -919,12 +919,12 @@ sub www_edit {
 })
 .WebGUI::Form::hidden($self->session, {
 name=>"class",
- value=>$self->session->form->process("class")
+ value=>$self->session->form->process("class","className")
 });
 $var{'isNewPost'} = 1;
 $content = $self->session->form->process("content");
 $title = $self->session->form->process("title");
- if ($self->session->form->process("class") eq "WebGUI::Asset::Post") { # new reply
+ if ($self->session->form->process("class","className") eq "WebGUI::Asset::Post") { # new reply
 $self->{_thread} = $self->getParent->getThread;
 return $self->session->privilege->insufficient() unless ($self->getThread->canReply);
 $var{isReply} = 1;
@@ -943,7 +943,7 @@ sub www_edit {
 name=>"subscribe",
 value=>$self->session->form->process("subscribe")
 });
- } elsif ($self->session->form->process("class") eq "WebGUI::Asset::Post::Thread") { # new thread
+ } elsif ($self->session->form->process("class","className") eq "WebGUI::Asset::Post::Thread") { # new thread
 return $self->session->privilege->insufficient() unless ($self->getThread->getParent->canPost);
 $var{isNewThread} = 1;
 if ($self->getThread->getParent->canEdit) {
diff --git a/lib/WebGUI/Form/ClassName.pm b/lib/WebGUI/Form/ClassName.pm
new file mode 100644
index 000000000..c6f018499
--- /dev/null
+++ b/lib/WebGUI/Form/ClassName.pm
@@ -0,0 +1,94 @@
+package WebGUI::Form::ClassName;
+
+=head1 LEGAL
+
+ -------------------------------------------------------------------
+ WebGUI is Copyright 2001-2006 Plain Black Corporation.
+ -------------------------------------------------------------------
+ Please read the legal notices (docs/legal.txt) and the license
+ (docs/license.txt) that came with this distribution before using
+ this software.
+ -------------------------------------------------------------------
+ http://www.plainblack.com info@plainblack.com
+ -------------------------------------------------------------------
+
+=cut
+
+use strict;
+use base 'WebGUI::Form::Text';
+use WebGUI::International;
+
+=head1 NAME
+
+Package WebGUI::Form::ClassName
+
+=head1 DESCRIPTION
+
+Creates a field for typing in perl class names which is validated for taint safety.
+
+=head1 SEE ALSO
+
+This is a subclass of WebGUI::Form::Text.
+
+=head1 METHODS
+
+The following methods are specifically available from this class. Check the superclass for additional methods.
+
+=cut
+
+#-------------------------------------------------------------------
+
+=head2 definition ( [ additionalTerms ] )
+
+See the super class for additional details.
+
+=cut
+
+sub definition {
+ my $class = shift;
+ my $session = shift;
+ my $definition = shift || [];
+ my $i18n = WebGUI::International->new($session);
+ push(@{$definition}, {
+ formName=>{
+ defaultValue=>"Class Name"
+ },
+ profileEnabled=>{
+ defaultValue=>1
+ },
+ });
+ return $class->SUPER::definition($session, $definition);
+}
+
+#-------------------------------------------------------------------
+
+=head2 getValueFromPost ( )
+
+Returns a class name which has been taint checked.
+
+=cut
+
+sub getValueFromPost {
+ my $self = shift;
+ my $value = $self->session->form->param($self->get("name"));
+ $value =~ s/[^\w\d\s]//g;
+ return $value;
+}
+
+#-------------------------------------------------------------------
+
+=head2 toHtml ( )
+
+Renders a class name field.
+
+=cut
+
+sub toHtml {
+ my $self = shift;
+ $self->session->style->setScript($self->session->url->extras('inputCheck.js'),{ type=>'text/javascript' });
+ $self->set("extras", $self->get('extras') . ' onkeyup="doInputCheck(document.getElementById(\''.$self->get("id").'\'),\'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890:_\')" ');
+ return $self->SUPER::toHtml;
+}
+
+1;
+
diff --git a/lib/WebGUI/Operation/FormHelpers.pm b/lib/WebGUI/Operation/FormHelpers.pm
index dbb09c1b2..d32c0fd7e 100644
--- a/lib/WebGUI/Operation/FormHelpers.pm
+++ b/lib/WebGUI/Operation/FormHelpers.pm
@@ -42,7 +42,7 @@ sub www_formAssetTree {
 my $ancestors = $base->getLineage(["self","ancestors"],{returnObjects=>1});
 foreach my $ancestor (@{$ancestors}) {
 my $url = $ancestor->getUrl("op=formAssetTree;formId=".$session->form->process("formId"));
- $url .= ";classLimiter=".$session->form->process("classLimiter") if ($session->form->process("classLimiter"));
+ $url .= ";classLimiter=".$session->form->process("classLimiter","className") if ($session->form->process("classLimiter","className"));
 push(@crumb,''.$ancestor->get("menuTitle").'');
 }
 my $output = '
@@ -79,7 +79,7 @@ sub www_formAssetTree {
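Review bot: `getValueFromPost` strips every character outside `[\w\d\s]`, which deletes the `::` package separator, so a posted `WebGUI::Asset::Post` comes back as `WebGUIAssetPost`; the `eq "WebGUI::Asset::Post"` comparisons in the Post.pm hunks can then never be true and the `addChild({className=>...})` and `addActivity(...)` calls in Asset.pm and Workflow.pm receive a name that no longer denotes a package, while whitespace, which no class name contains, is let through and `\d` is already covered by `\w`. The character class should be the same set that `toHtml` enforces client-side through `doInputCheck` and that `www_add` checks: `$value = '' unless defined $value;` followed by `$value =~ s/[^A-Za-z0-9_:]//g;` (the `defined` guard avoids an uninitialized-value warning when the parameter is absent, and the explicit ASCII set avoids `\w` matching non-ASCII letters). Since this rewrites rather than rejects the value, the POD line `Returns a class name which has been taint checked.` would be more accurate as `Returns the submitted value with every character outside [A-Za-z0-9_:] removed; an absent parameter yields the empty string.`. `definition` constructs `$i18n` and never uses it; either drop that line or use it for the `formName` default instead of the literal `"Class Name"`.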
'.join(" > ", @crumb)."

\n";
 my $children = $base->getLineage(["children"],{returnObjects=>1});
 my $i18n = WebGUI::International->new($session);
- my $limit = $session->form->process("classLimiter");
+ my $limit = $session->form->process("classLimiter","className");
 foreach my $child (@{$children}) {
 next unless $child->canView;
 if ($limit eq "" || $child->get("className") =~ /^$limit/) {
@@ -90,7 +90,7 @@ sub www_formAssetTree {
 $output .= '['.$i18n->get("select").'] ';
 }
 my $url = $child->getUrl("op=formAssetTree;formId=".$session->form->process("formId"));
- $url .= ";classLimiter=".$session->form->process("classLimiter") if ($session->form->process("classLimiter"));
+ $url .= ";classLimiter=".$session->form->process("classLimiter","className") if ($session->form->process("classLimiter","className"));
 $output .= ''.$child->get("menuTitle").''."
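Review bot: The new `$limit` is interpolated unescaped into `/^$limit/` on the last context line of the @@ -79 hunk; the `className` control now removes regex metacharacters before the value arrives, so this appears safe in practice, but the intent is a literal prefix match and `=~ /^\Q$limit\E/` would state that without depending on what the control happens to strip. The `$limit eq ""` test relies on the control returning the empty string for an absent parameter, which is worth confirming against its `getValueFromPost`. `www_formAssetTree` starts before this hunk.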
\n";
 }
 $output .= '';
diff --git a/lib/WebGUI/Operation/Workflow.pm b/lib/WebGUI/Operation/Workflow.pm
index be53e2cf7..a1e258f31 100644
--- a/lib/WebGUI/Operation/Workflow.pm
+++ b/lib/WebGUI/Operation/Workflow.pm
@@ -264,8 +264,8 @@ sub www_editWorkflowActivity {
 my $session = shift;
 return $session->privilege->insufficient() unless ($session->user->isInGroup("pbgroup000000000000015"));
 my $activity = '';
- if ($session->form->get("className")) {
- $activity = WebGUI::Workflow::Activity->newByPropertyHashRef($session, {activityId=>"new",className=>$session->form->get("className")});
+ if ($session->form->process("className","className")) {
+ $activity = WebGUI::Workflow::Activity->newByPropertyHashRef($session, {activityId=>"new",className=>$session->form->process("className","className")});
 } else {
 $activity = WebGUI::Workflow::Activity->new($session, $session->form->get("activityId"));
 }
@@ -296,7 +296,7 @@ sub www_editWorkflowActivitySave {
 my $activityId = $session->form->get("activityId");
 my $activity = '';
 if ($activityId eq "new") {
- $activity = $workflow->addActivity($session->form->get("className"));
+ $activity = $workflow->addActivity($session->form->process("className","className"));
 } else {
 $activity = $workflow->getActivity($activityId);
 }
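Review bot: In the @@ -296 hunk the class name is handed straight to `$workflow->addActivity` with no check that it is non-empty or well-formed, and the @@ -264 hunk does the same with `newByPropertyHashRef`, whereas `www_add` in Asset.pm refuses anything failing `m/^[A-Za-z0-9\:]+$/` and logs it through `errorHandler->security`; after the control's filtering an unexpected submission arrives here as `""` or a silently rewritten name instead of being rejected. Whether `addActivity` validates its argument is outside the hunk; if it does not, mirroring the `www_add` guard is a two-line change, `my $className = $session->form->process("className","className");` then `return "" unless $className =~ m/^[A-Za-z0-9_:]+$/;`, with the same `errorHandler->security` log line before the return. Both `www_editWorkflowActivity` and `www_editWorkflowActivitySave` continue outside their hunks.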