Allow creating <select> inputs, escape instead of filter html

TUM-Dev · Jun 27, 2023 · 49f8cb1 · 49f8cb1
2 parents 8b2451c + 21d7fb7
commit 49f8cb1
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 4 deletions.
diff --git a/internal/web/templates/newTopic.gohtml b/internal/web/templates/newTopic.gohtml
@@ -52,6 +52,7 @@
                                 <option value="textarea">Textarea</option>
                                 <option value="file">File</option>
                                 <option value="files">Files</option>
+                                <option value="select">Select</option>
                             </select>
                         </label>
                         Name:
@@ -82,6 +83,17 @@
                             </label>
                         </label>
 
+                        <template x-if="field.Type === 'select'">
+                            <div>
+                                <template x-for="(f, i) in field.Choices">
+                                    <div>
+                                        <input type="text" x-model="field.Choices[i]">
+                                    </div>
+                                </template>
+                                <button type="button" @click="field.Choices.push('')">+</button>
+                            </div>
+                        </template>
+
                         <label>
                             <span>{{.Tr.T .Lang "required"}}</span>
                             <input type="checkbox" x-model="field.Required">
@@ -92,7 +104,7 @@
                 </template>
                 <button class="button mt-2" type="button"
                         @click="if(topic.Fields==null){topic.Fields=[]};
-                        topic.Fields.push({Description:{de:'', en:''},Name:{de:'', en:''}, Type:'text',Required:false})">
+                        topic.Fields.push({Description:{de:'', en:''},Name:{de:'', en:''}, Type:'text',Required:false, Choices: []})">
                     {{.Tr.T .Lang "add_field"}}
                     <hr class="my-4">
                 </button>

diff --git a/pkg/model/report.go b/pkg/model/report.go
@@ -1,6 +1,7 @@
 package model
 
 import (
+	"html"
 	"html/template"
 	"time"
 
@@ -112,8 +113,9 @@ func (r *Report) DateFmt() string {
 }
 
 func (m *Message) GetBody() template.HTML {
-	html := blackfriday.Run([]byte(m.Content), blackfriday.WithExtensions(blackfriday.CommonExtensions|blackfriday.HardLineBreak))
-	p := bluemonday.NewPolicy()
+	escaped := html.EscapeString(m.Content)
+	html := blackfriday.Run([]byte(escaped), blackfriday.WithExtensions(blackfriday.CommonExtensions|blackfriday.HardLineBreak))
+	p := bluemonday.UGCPolicy()
 	p.AllowStandardURLs()
 	p.AllowAttrs("href").OnElements("a")
 	p.AllowElements("b", "br", "strong", "p", "ul", "li")

diff --git a/pkg/model/topic.go b/pkg/model/topic.go
@@ -1,7 +1,9 @@
 package model
 
 import (
+	"encoding/json"
 	"github.com/TUM-Dev/meldeplattform/pkg/i18n"
+	"gorm.io/gorm"
 )
 
 type Admin struct {
@@ -34,7 +36,27 @@ type Field struct {
 	Description i18n.Translatable `yaml:"description" gorm:"embedded;embeddedPrefix:description_"`
 
 	// For select inputs:
-	Choices *[]string `yaml:"choices" gorm:"-"`
+	Choices    *[]string `yaml:"choices" gorm:"-"`
+	ChoicesStr string    `gorm:"choices"`
+}
+
+func (f *Field) BeforeSave(tx *gorm.DB) error {
+	if f.Choices == nil {
+		f.Choices = &[]string{}
+	}
+	marshal, err := json.Marshal(f.Choices)
+	if err != nil {
+		return err
+	}
+	f.ChoicesStr = string(marshal)
+	return nil
+}
+
+func (f *Field) AfterFind(tx *gorm.DB) error {
+	if f.ChoicesStr == "" {
+		f.ChoicesStr = "[]"
+	}
+	return json.Unmarshal([]byte(f.ChoicesStr), &f.Choices)
 }
 
 func (t *Topic) IsAdmin(userid string) bool {