From 8e35b9e3fa0b723920f3040e4d17ecfde973d0cd Mon Sep 17 00:00:00 2001
From: Coleman Watts
Date: Fri, 1 Nov 2019 20:57:27 -0400
Subject: [PATCH] Fixes #4 - html encode injected properties and enable test
---
 ext/afform/core/afform.php | 2 +-
 .../tests/phpunit/Civi/Afform/FilterTest.php | 23 ++++++++++---------
 2 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/ext/afform/core/afform.php b/ext/afform/core/afform.php
index a54dd7fa7f2e..7e00dedab56b 100644
--- a/ext/afform/core/afform.php
+++ b/ext/afform/core/afform.php
@@ -329,7 +329,7 @@ function afform_civicrm_alterAngular($angular) {
 continue;
 }
 foreach ($field as &$prop) {
- $prop = json_encode($prop, JSON_UNESCAPED_SLASHES);
+ $prop = htmlspecialchars(CRM_Utils_JS::encode($prop));
 }
 if ($existingFieldDefn) {
 $field = array_merge($field, CRM_Utils_JS::getRawProps($existingFieldDefn));
diff --git a/ext/afform/core/tests/phpunit/Civi/Afform/FilterTest.php b/ext/afform/core/tests/phpunit/Civi/Afform/FilterTest.php
index ec441c2909eb..8f94f03442a5 100644
--- a/ext/afform/core/tests/phpunit/Civi/Afform/FilterTest.php
+++ b/ext/afform/core/tests/phpunit/Civi/Afform/FilterTest.php
@@ -44,16 +44,17 @@ public function testDefnInjectionNested() {
 $this->assertEquals('First Name', $myField['defn']['title']);
 }
- //public function testDefnOverrideTitle() {
- // $inputHtml = sprintf(self::PERSON_TPL,
- // '
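Review bot: The added `htmlspecialchars()` call in `ext/afform/core/afform.php` relies on PHP's default flags, which changed in PHP 8.1 (`ENT_COMPAT` before, `ENT_QUOTES | ENT_SUBSTITUTE` since), so whether a single quote inside an encoded property is escaped depends on the runtime. Passing the flags and charset explicitly makes the attribute encoding deterministic: `$prop = htmlspecialchars(CRM_Utils_JS::encode($prop), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. The values merged on the following context line from `CRM_Utils_JS::getRawProps($existingFieldDefn)` do not pass through this encoding. If they come from attribute text the parser has already decoded, they would need the same treatment, which cannot be confirmed from this hunk. The enclosing function starts and ends outside the hunk.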
');
- // $filteredHtml = _afform_html_filter('~afform/MyForm.html', $inputHtml);
- // $converter = new \CRM_Afform_ArrayHtml(TRUE);
- // $parsed = $converter->convertHtmlToArray($filteredHtml);
- //
- // $myField = $parsed[0]['#children'][1]['#children'][0];
- // $this->assertEquals('af-field', $myField['#tag']);
- // $this->assertEquals('Given name', $myField['defn']['title']);
- //}
+ public function testDefnOverrideTitle() {
+ $inputHtml = sprintf(self::PERSON_TPL,
+ '
');
+ $filteredHtml = _afform_html_filter('~afform/MyForm.html', $inputHtml);
+ $converter = new \CRM_Afform_ArrayHtml(TRUE);
+ $parsed = $converter->convertHtmlToArray($filteredHtml);
+
+ $myField = $parsed[0]['#children'][1]['#children'][0];
+ $this->assertEquals('af-field', $myField['#tag']);
+ $this->assertEquals('Given name', $myField['defn']['title']);
+ $this->assertEquals('Text', $myField['defn']['input_type']);
+ }
 }
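Review bot: The re-enabled `testDefnOverrideTitle` asserts only plain-text values (`'Given name'`, `'Text'`), so none of its visible assertions exercises the HTML encoding this commit introduces. A case whose injected or overridden property contains `"`, `'`, `<` or `&` would cover it, asserting that the value survives `_afform_html_filter` and `convertHtmlToArray` unchanged. For example, with a constructed title: `$this->assertEquals("O'Brien & <Co>", $myField['defn']['title']);`. The markup passed to `sprintf` is not visible on this page, so the input string for such a case would have to be adapted to the real template.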