Merge pull request #3 from kurozumi/replace-full-width-character

kurozumi · web-flow · commit 1bcd114b5755 · 2021-07-11T11:23:45.000+09:00
攻撃性のある特定の文字列を入力してサブミットしたらその文字列は全角に変換
diff --git a/Form/EventListener/HTMLPurifierListener.php b/Form/EventListener/HTMLPurifierListener.php
@@ -34,8 +34,6 @@ public static function getSubscribedEvents(): array
      */
     public function purifySubmittedData(FormEvent $event): void
     {
-        if ('&' === $event->getData()) {
-            $event->setData(mb_convert_kana($event->getData(), 'A'));
-        }
+        $event->setData(str_replace(['<', '>', '&'], ['＜', '＞', '＆'], $event->getData()));
     }
 }
diff --git a/Tests/Web/EntryControllerTest.php b/Tests/Web/EntryControllerTest.php
@@ -15,28 +15,10 @@
 
 class EntryControllerTest extends \Eccube\Tests\Web\EntryControllerTest
 {
-    public function test住所に攻撃性のある文字列を入力してサブミットしたらその文字列は削除される未入力エラーが発生するか()
+    public function test攻撃性のある特定の文字列を入力してサブミットしたらその文字列は全角に変換される()
     {
         $formData = $this->createFormData();
-        $formData['address']['addr01'] = '<script>alert()</script>';
-
-        $crawler = $this->client->request('POST',
-            $this->generateUrl('entry'),
-            [
-                'entry' => $formData,
-                'mode' => 'confirm',
-            ]
-        );
-
-        self::assertEquals('新規会員登録', $crawler->filter('.ec-pageHeader > h1')->text());
-        self::assertCount(1, $crawler->filter('.ec-errorMessage'));
-        self::assertTrue($this->client->getResponse()->isSuccessful());
-    }
-
-    public function testアンパサンドを入力してサブミットしたら全角に変換されるか()
-    {
-        $formData = $this->createFormData();
-        $formData['company_name'] = '&';
+        $formData['company_name'] = '<script&>';
 
         $crawler = $this->client->request('POST',
             $this->generateUrl('entry'),
@@ -47,6 +29,6 @@ public function testアンパサンドを入力してサブミットしたら全
         );
 
         self::assertEquals('新規会員登録(確認)', $crawler->filter('.ec-pageHeader > h1')->text());
-        self::assertEquals('＆', $crawler->filter('#entry_company_name')->attr('value'));
+        self::assertEquals('＜script＆＞', $crawler->filter('#entry_company_name')->attr('value'));
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -34,8 +34,6 @@ public static function getSubscribedEvents(): array`
`34`	`34`	`*/`
`35`	`35`	`public function purifySubmittedData(FormEvent $event): void`
`36`	`36`	`{`
`37`		`- if ('&' === $event->getData()) {`
`38`		`- $event->setData(mb_convert_kana($event->getData(), 'A'));`
`39`		`- }`
	`37`	`+ $event->setData(str_replace(['<', '>', '&'], ['＜', '＞', '＆'], $event->getData()));`
`40`	`38`	`}`
`41`	`39`	`}`