topic: Forbid double addition of forms

And properly escape and display form title and instructions

topic: Forbid double addition of forms
a14aa610 · Jared Hancock · 8bdfa04f · a14aa610 · a14aa610 · a14aa610
Commit a14aa610 authored 10 years ago by Jared Hancock
--- a/include/class.topic.php
+++ b/include/class.topic.php
@@ -449,12 +449,14 @@ class Topic extends VerySimpleModel {
        };

        // Consider all the forms in the request
+        $current = array();
        if (is_array($form_ids = $vars['forms'])) {
            $forms = TopicFormModel::objects()
                ->select_related('form')
                ->filter(array('topic_id' => $this->getId()));
            foreach ($forms as $F) {
                if (false !== ($idx = array_search($F->form_id, $form_ids))) {
+                    $current[] = $F->form_id;
                    $F->sort = $idx + 1;
                    $F->extra = JsonDataEncoder::encode(
                        array('disable' => $find_disabled($F->form))
@@ -470,6 +472,10 @@ class Topic extends VerySimpleModel {
                if (!($form = DynamicForm::lookup($id))) {
                    continue;
                }
+                elseif (in_array($id, $current)) {
+                    // Don't add a form more than once
+                    continue;
+                }
                TopicFormModel::create(array(
                    'topic_id' => $this->getId(),
                    'form_id' => $id,

--- a/include/client/templates/dynamic-form.tmpl.php
+++ b/include/client/templates/dynamic-form.tmpl.php
@@ -8,7 +8,7 @@
    <?php print ($form instanceof DynamicFormEntry)
        ? $form->getForm()->getMedia() : $form->getMedia(); ?>
    <h3><?php echo Format::htmlchars($form->getTitle()); ?></h3>
-    <em><?php echo Format::htmlchars($form->getInstructions()); ?></em>
+    <div><?php echo Format::display($form->getInstructions()); ?></div>
    </div>
    </td></tr>
    <?php

--- a/include/staff/helptopic.inc.php
+++ b/include/staff/helptopic.inc.php
@@ -337,13 +337,16 @@ $info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
 <div class="hidden tab_content" id="forms">
 <table id="topic-forms" class="table" border="0" cellspacing="0" cellpadding="2">

-<?php foreach ($forms as $F) { ?>
+<?php
+$current_forms = array();
+foreach ($forms as $F) {
+    $current_forms[] = $F->id; ?>
    <tbody data-form-id="<?php echo $F->get('id'); ?>">
        <tr>
            <td class="handle" colspan="6">
                <input type="hidden" name="forms[]" value="<?php echo $F->get('id'); ?>" />
                <div class="pull-right">
-                <i class="icon-2x icon-move icon-muted"></i>
+                <i class="icon-large icon-move icon-muted"></i>
 <?php if ($F->get('type') != 'T') { ?>
                <a href="#" title="<?php echo __('Delete'); ?>" onclick="javascript:
                if (confirm(__('You sure?')))
@@ -352,11 +355,11 @@ $info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
                    $(this).closest('form')
                        .find('[name=form_id] [value=' + tbody.data('formId') + ']')
                        .prop('disabled', false);
-                return false;"><i class="icon-2x icon-trash"></i></a>
+                return false;"><i class="icon-large icon-trash"></i></a>
 <?php } ?>
                </div>
-                <div><strong><?php echo $F->getLocal('title'); ?></strong></div>
-                <div><?php echo $F->getLocal('instructions'); ?></div>
+                <div><strong><?php echo Format::htmlchars($F->getLocal('title')); ?></strong></div>
+                <div><?php echo Format::display($F->getLocal('instructions')); ?></div>
            </td>
        </tr>
        <tr>
@@ -402,6 +405,8 @@ $info=Format::htmlchars(($errors && $_POST)?$_POST:$info);
    <option value=""><?php echo '— '.__('Add a custom form') . ' —'; ?></option>
    <?php foreach (DynamicForm::objects()->filter(array('type'=>'G')) as $F) { ?>
        <option value="<?php echo $F->get('id'); ?>"
+           <?php if (in_array($F->id, $current_forms))
+               echo 'disabled="disabled"'; ?>
           <?php if ($F->get('id') == $info['form_id'])
                echo 'selected="selected"'; ?>>
           <?php echo $F->getLocal('title'); ?>
@@ -448,5 +453,5 @@ $('table#topic-forms').sortable({
    ui=ui.clone().css({'background-color':'white', 'opacity':0.8});
    return ui;
  }
-});
+}).disableSelection();
 </script>
--- a/include/staff/templates/dynamic-form.tmpl.php
+++ b/include/staff/templates/dynamic-form.tmpl.php
@@ -20,8 +20,7 @@ if (isset($options['entry']) && $options['mode'] == 'edit') { ?>
 <?php } ?>
 <?php if ($form->getTitle()) { ?>
    <tr><th colspan="2">
-        <em><strong><?php echo Format::htmlchars($form->getTitle()); ?></strong>:
-        <?php echo Format::htmlchars($form->getInstructions()); ?>
+        <em>
 <?php if ($options['mode'] == 'edit') { ?>
        <div class="pull-right">
    <?php if ($options['entry']
@@ -32,7 +31,10 @@ if (isset($options['entry']) && $options['mode'] == 'edit') { ?>
    <?php } ?>
            <i class="icon-sort" title="Drag to Sort"></i>
        </div>
-<?php } ?></em>
+<?php } ?>
+        <strong><?php echo Format::htmlchars($form->getTitle()); ?></strong>:
+        <div><?php echo Format::display($form->getInstructions()); ?></div>
+        </em>
    </th></tr>
    <?php
    }