Replacing carriage returns in comments with <br />'s

work item: 16596

--HG--
branch : dev

src/Orchard.Specs/Comments.feature

@@ -0,0 +1,44 @@
+Feature: Comments
+    In order to enable simple comment capabilities on my site
+    As an author
+    I want to allow comments to be safely posted on specific content item pages
+
+Scenario: HTML markup in any given comment is encoded
+    Given I have installed Orchard
+    When I go to "admin/blogs/create"
+        And I fill in
+            | name | value |
+            | Routable.Title | My Blog |
+        And I hit "Save"
+        And I go to "admin/blogs"
+        And I follow "My Blog"
+        And I follow "New Post"
+        And I fill in
+            | name | value |
+            | Routable.Title | My Post |
+            | Body.Text | Hi there. |
+        And I hit "Publish Now"
+        And I go to "my-blog/my-post"
+        And I fill in
+            | name | value |
+            | CommentText | This is<br id="bad-br" />a <a href="#">link</a>. |
+        And I hit "Submit Comment"
+        And I am redirected
+        # because the ToUrlString extension method breaks in this specific (test) environment, the returnUrl is broken...
+        And I go to "my-blog/my-post"
+    Then I should see "This is&lt;br id=&quot;bad-br&quot; /&gt;a &lt;a href"
+        And I should not see "<br id="bad-br" />"
+    # another workaround because of ToUrlString in this environment
+    When I go to "Users/Account/LogOff"
+        And I am redirected
+        And I go to "my-blog/my-post"
+        And I fill in
+            | name | value |
+            | Name | Some One |
+            | CommentText | This is<br id="bad-anon-br" />a <a href="#">link</a>. |
+        And I hit "Submit Comment"
+        And I am redirected
+        # because the ToUrlString extension method breaks in this specific (test) environment, the returnUrl is broken...
+        And I go to "my-blog/my-post"
+    Then I should see "This is&lt;br id=&quot;bad-anon-br&quot; /&gt;a &lt;a href"
+        And I should not see "<br id="bad-anon-br" />"

src/Orchard.Specs/Comments.feature.cs

@@ -0,0 +1,152 @@
+// ------------------------------------------------------------------------------
+//  <auto-generated>
+//      This code was generated by SpecFlow (http://www.specflow.org/).
+//      SpecFlow Version:1.4.0.0
+//      Runtime Version:4.0.30319.1
+// 
+//      Changes to this file may cause incorrect behavior and will be lost if
+//      the code is regenerated.
+//  </auto-generated>
+// ------------------------------------------------------------------------------
+#region Designer generated code
+namespace Orchard.Specs
+{
+    using TechTalk.SpecFlow;
+    
+    
+    [System.CodeDom.Compiler.GeneratedCodeAttribute("TechTalk.SpecFlow", "1.4.0.0")]
+    [System.Runtime.CompilerServices.CompilerGeneratedAttribute()]
+    [NUnit.Framework.TestFixtureAttribute()]
+    [NUnit.Framework.DescriptionAttribute("Comments")]
+    public partial class CommentsFeature
+    {
+        
+        private static TechTalk.SpecFlow.ITestRunner testRunner;
+        
+#line 1 "Comments.feature"
+#line hidden
+        
+        [NUnit.Framework.TestFixtureSetUpAttribute()]
+        public virtual void FeatureSetup()
+        {
+            testRunner = TechTalk.SpecFlow.TestRunnerManager.GetTestRunner();
+            TechTalk.SpecFlow.FeatureInfo featureInfo = new TechTalk.SpecFlow.FeatureInfo(new System.Globalization.CultureInfo("en-US"), "Comments", "In order to enable simple comment capabilities on my site\r\nAs an author\r\nI want t" +
+                    "o allow comments to be safely posted on specific content item pages", GenerationTargetLanguage.CSharp, ((string[])(null)));
+            testRunner.OnFeatureStart(featureInfo);
+        }
+        
+        [NUnit.Framework.TestFixtureTearDownAttribute()]
+        public virtual void FeatureTearDown()
+        {
+            testRunner.OnFeatureEnd();
+            testRunner = null;
+        }
+        
+        public virtual void ScenarioSetup(TechTalk.SpecFlow.ScenarioInfo scenarioInfo)
+        {
+            testRunner.OnScenarioStart(scenarioInfo);
+        }
+        
+        [NUnit.Framework.TearDownAttribute()]
+        public virtual void ScenarioTearDown()
+        {
+            testRunner.OnScenarioEnd();
+        }
+        
+        [NUnit.Framework.TestAttribute()]
+        [NUnit.Framework.DescriptionAttribute("HTML markup in any given comment is encoded")]
+        public virtual void HTMLMarkupInAnyGivenCommentIsEncoded()
+        {
+            TechTalk.SpecFlow.ScenarioInfo scenarioInfo = new TechTalk.SpecFlow.ScenarioInfo("HTML markup in any given comment is encoded", ((string[])(null)));
+#line 6
+this.ScenarioSetup(scenarioInfo);
+#line 7
+    testRunner.Given("I have installed Orchard");
+#line 8
+    testRunner.When("I go to \"admin/blogs/create\"");
+#line hidden
+            TechTalk.SpecFlow.Table table1 = new TechTalk.SpecFlow.Table(new string[] {
+                        "name",
+                        "value"});
+            table1.AddRow(new string[] {
+                        "Routable.Title",
+                        "My Blog"});
+#line 9
+        testRunner.And("I fill in", ((string)(null)), table1);
+#line 12
+        testRunner.And("I hit \"Save\"");
+#line 13
+        testRunner.And("I go to \"admin/blogs\"");
+#line 14
+        testRunner.And("I follow \"My Blog\"");
+#line 15
+        testRunner.And("I follow \"New Post\"");
+#line hidden
+            TechTalk.SpecFlow.Table table2 = new TechTalk.SpecFlow.Table(new string[] {
+                        "name",
+                        "value"});
+            table2.AddRow(new string[] {
+                        "Routable.Title",
+                        "My Post"});
+            table2.AddRow(new string[] {
+                        "Body.Text",
+                        "Hi there."});
+#line 16
+        testRunner.And("I fill in", ((string)(null)), table2);
+#line 20
+        testRunner.And("I hit \"Publish Now\"");
+#line 21
+        testRunner.And("I go to \"my-blog/my-post\"");
+#line hidden
+            TechTalk.SpecFlow.Table table3 = new TechTalk.SpecFlow.Table(new string[] {
+                        "name",
+                        "value"});
+            table3.AddRow(new string[] {
+                        "CommentText",
+                        "This is<br id=\"bad-br\" />a <a href=\"#\">link</a>."});
+#line 22
+        testRunner.And("I fill in", ((string)(null)), table3);
+#line 25
+        testRunner.And("I hit \"Submit Comment\"");
+#line 26
+        testRunner.And("I am redirected");
+#line 28
+        testRunner.And("I go to \"my-blog/my-post\"");
+#line 29
+    testRunner.Then("I should see \"This is&lt;br id=&quot;bad-br&quot; /&gt;a &lt;a href\"");
+#line 30
+        testRunner.And("I should not see \"<br id=\"bad-br\" />\"");
+#line 32
+    testRunner.When("I go to \"Users/Account/LogOff\"");
+#line 33
+        testRunner.And("I am redirected");
+#line 34
+        testRunner.And("I go to \"my-blog/my-post\"");
+#line hidden
+            TechTalk.SpecFlow.Table table4 = new TechTalk.SpecFlow.Table(new string[] {
+                        "name",
+                        "value"});
+            table4.AddRow(new string[] {
+                        "Name",
+                        "Some One"});
+            table4.AddRow(new string[] {
+                        "CommentText",
+                        "This is<br id=\"bad-anon-br\" />a <a href=\"#\">link</a>."});
+#line 35
+        testRunner.And("I fill in", ((string)(null)), table4);
+#line 39
+        testRunner.And("I hit \"Submit Comment\"");
+#line 40
+        testRunner.And("I am redirected");
+#line 42
+        testRunner.And("I go to \"my-blog/my-post\"");
+#line 43
+    testRunner.Then("I should see \"This is&lt;br id=&quot;bad-anon-br&quot; /&gt;a &lt;a href\"");
+#line 44
+        testRunner.And("I should not see \"<br id=\"bad-anon-br\" />\"");
+#line hidden
+            testRunner.CollectScenarioErrors();
+        }
+    }
+}
+#endregion

src/Orchard.Specs/Orchard.Specs.csproj

@@ -137,6 +137,11 @@
       <DesignTime>True</DesignTime>
       <DependentUpon>Blogs.feature</DependentUpon>
     </Compile>
+    <Compile Include="Comments.feature.cs">
+      <AutoGen>True</AutoGen>
+      <DesignTime>True</DesignTime>
+      <DependentUpon>Comments.feature</DependentUpon>
+    </Compile>
     <Compile Include="ContentRights.feature.cs">
       <AutoGen>True</AutoGen>
       <DesignTime>True</DesignTime>
@@ -234,6 +239,10 @@
       <Generator>SpecFlowSingleFileGenerator</Generator>
       <LastGenOutput>Blogs.feature.cs</LastGenOutput>
     </None>
+    <None Include="Comments.feature">
+      <Generator>SpecFlowSingleFileGenerator</Generator>
+      <LastGenOutput>Comments.feature.cs</LastGenOutput>
+    </None>
     <None Include="ContentRights.feature">
       <Generator>SpecFlowSingleFileGenerator</Generator>
       <LastGenOutput>ContentRights.feature.cs</LastGenOutput>

src/Orchard.Web/Modules/Orchard.Comments/Controllers/CommentController.cs

@@ -23,7 +23,7 @@ namespace Orchard.Comments.Controllers {
 
         public Localizer T { get; set; }
 
-        [HttpPost]
+        [HttpPost, ValidateInput(false)]
         public ActionResult Create(string returnUrl) {
             if (!Services.Authorizer.Authorize(Permissions.AddComment, T("Couldn't add comment")))
                 return !String.IsNullOrEmpty(returnUrl)

src/Orchard.Web/Modules/Orchard.Comments/Views/ListOfComments.cshtml

@@ -1,6 +1,6 @@
 @model IEnumerable<Orchard.Comments.Models.CommentPart>
 @using Orchard.Comments.Models;
-
+@using Orchard.Utility.Extensions;
 <ul class="comments">
 @foreach (var comment in Model) {
     <li>
@@ -13,9 +13,9 @@
                     </span>
                 </h4>
             </header>
-            <p class="text">@comment.Record.CommentText</p>
+            <p class="text">@(new MvcHtmlString(Html.Encode(comment.Record.CommentText).ReplaceNewLinesWith("<br />$1")))</p>
         </article>
     </li>
-} 
+}
 </ul>