fix: improve quote escaping

fix show / hide of fields under conditions

Signed-off-by: Thierry Bugier <tbugier@teclib.com>

Author: btry

inc/fields.class.php

@@ -183,8 +183,6 @@ public static function isVisible($id, $fields) {
          }
 
          // TODO: find the best behavior if the question does not exists
-         $conditionQuestion = new PluginFormcreatorQuestion();
-         $conditionQuestion->getFromDB($condition['field']);
          $conditionField = $fields[$condition['field']];
 
          switch ($condition['operator']) {

inc/fields/checkboxesfield.class.php

@@ -60,7 +60,7 @@ public function displayField($canEdit = true) {
                      'name'          => htmlentities($fieldName, ENT_QUOTES) . '[]',
                      'value'         => htmlentities($value, ENT_QUOTES),
                      'zero_on_empty' => false,
-                     'checked' => in_array($value, $this->value)
+                     'checked'       => in_array($value, $this->value)
                   ]);
                   echo '<label for="' . $domId . '_' . $i . '">';
                   echo '&nbsp;' . $value;
@@ -124,7 +124,7 @@ public function parseAnswerValues($input) {
          }
       }
 
-      $this->value = $input[$key];
+      $this->value = Toolbox::stripslashes_deep($input[$key]);
       return true;
    }
 
@@ -208,7 +208,7 @@ public function getValueForTargetText($richText) {
 
       foreach ($this->value as $input) {
          if (in_array($input, $values)) {
-            $value[] = Toolbox::addslashes_deep($input);
+            $value[] = $input;
          }
       }
 

inc/fields/radiosfield.class.php

@@ -59,7 +59,7 @@ public function displayField($canEdit = true) {
                   echo '<input type="radio" class="form-control"
                         name="' . $fieldName . '"
                         id="' . $domId . '_' . $i . '"
-                        value="' . addslashes($value) . '"' . $checked . ' /> ';
+                        value="' . $value . '"' . $checked . ' /> ';
                   echo '<label for="' . $domId . '_' . $i . '">';
                   echo $value;
                   echo '</label>';
@@ -117,7 +117,7 @@ public function parseAnswerValues($input) {
          return true;
       }
 
-       $this->value = $input[$key];
+       $this->value = Toolbox::stripslashes_deep($input[$key]);
        return true;
    }
 
@@ -149,7 +149,7 @@ public function serializeValue() {
          return '';
       }
 
-      return $this->value;
+      return Toolbox::addslashes_deep($this->value);
    }
 
    public function deserializeValue($value) {
@@ -167,7 +167,7 @@ public function getValueForDesign() {
    }
 
    public function getValueForTargetText($richText) {
-      return Toolbox::addslashes_deep($this->value);
+      return $this->value;
    }
 
    public function getDocumentsForTarget() {

inc/fields/textfield.class.php

@@ -61,7 +61,7 @@ public function serializeValue() {
          return '';
       }
 
-      return $this->value;
+      return Toolbox::addslashes_deep($this->value);
    }
 
    public function deserializeValue($value) {
@@ -188,8 +188,9 @@ public function parseAnswerValues($input) {
          return false;
       }
 
-       $this->value = str_replace('\r\n', "\r\n", $input[$key]);
-       return true;
+      $this->value = str_replace('\r\n', "\r\n", $input[$key]);
+      $this->value = Toolbox::stripslashes_deep($this->value);
+      return true;
    }
 
    public function getEmptyParameters() {
@@ -218,15 +219,15 @@ public function getEmptyParameters() {
    }
 
    public function equals($value) {
-      return $this->value == $value;
+      return Toolbox::stripslashes_deep($this->value) == $value;
    }
 
    public function notEquals($value) {
       return !$this->equals($value);
    }
 
    public function greaterThan($value) {
-      return $this->value > $value;
+      return Toolbox::stripslashes_deep($this->value) > $value;
    }
 
    public function lessThan($value) {

inc/formanswer.class.php

@@ -551,7 +551,7 @@ public function showForm($ID, $options = []) {
       $last_section = '';
       $questionsCount = $questions->count();
       $fields = [];
-      while ($question_line = $questions->next()) {
+      foreach ($questions as $question_line) {
          $question = new PluginFormcreatorQuestion();
          $question->getFromDB($question_line['id']);
          $fields[$question_line['id']] = PluginFormcreatorFields::getFieldInstance(
@@ -560,27 +560,28 @@ public function showForm($ID, $options = []) {
          );
          $fields[$question_line['id']]->deserializeValue($question_line['answer']);
       }
-      $questions->rewind();
-      while ($question_line = $questions->current()) {
+      foreach ($questions as $question_line) {
          // Get and display current section if needed
          if ($last_section != $question_line['section_name']) {
             echo '<h2>'.$question_line['section_name'].'</h2>';
             $last_section = $question_line['section_name'];
          }
 
-         if ($canEdit
-            || ($question_line['fieldtype'] != "description"
-                && $question_line['fieldtype'] != "hidden")
-         ) {
-            // if (PluginFormcreatorFields::isVisible($question_line['id'], $fields)) {
-            // }
+         if ($canEdit) {
             $fields[$question_line['id']]->show($canEdit);
+         } else {
+            if (($question_line['fieldtype'] != "description" && $question_line['fieldtype'] != "hidden")) {
+               if (PluginFormcreatorFields::isVisible($question_line['id'], $fields)) {
+                  $fields[$question_line['id']]->show($canEdit);
+               }
+            }
          }
-         $questions->next();
       }
-      echo Html::scriptBlock('$(function() {
-         formcreatorShowFields($("form[name=\'form\']"));
-      })');
+      if ($canEdit) {
+         echo Html::scriptBlock('$(function() {
+            formcreatorShowFields($("form[name=\'form\']"));
+         })');
+      }
 
       //add requester info
       echo '<div class="form-group">';

inc/question_condition.class.php

@@ -157,6 +157,12 @@ public function export($remove_uuid = false) {
       return $condition;
    }
 
+   /**
+    * get show / hide conditions for a question
+    *
+    * @param int $questionId
+    * @return array
+    */
    public function getConditionsFromQuestion($questionId) {
       global $DB;
 
@@ -271,4 +277,4 @@ public function getConditionHtml($form_id, $questionId = 0, $isFirst = false) {
 
       return $html;
    }
-}
+}