From 588590bd2c0346e2465ff8f1930580d76a3bf068 Mon Sep 17 00:00:00 2001
From: Yassine Doghri <yassine@doghri.fr>
Date: Sun, 23 Jan 2022 16:53:23 +0000
Subject: [PATCH] fix(xml-editor): escape xml editor's content + restyle form
 sections to prevent overflowing

---
 app/Views/Components/Forms/Section.php   |  6 +++---
 app/Views/Components/Forms/XMLEditor.php | 10 ++++++++--
 themes/cp_admin/_partials/_user_info.php |  2 +-
 themes/cp_admin/episode/create.php       |  6 +++---
 themes/cp_admin/episode/delete.php       |  2 +-
 themes/cp_admin/episode/edit.php         |  8 ++++----
 themes/cp_admin/episode/embed.php        |  2 +-
 themes/cp_admin/episode/publish.php      |  2 +-
 themes/cp_admin/episode/publish_edit.php |  2 +-
 themes/cp_admin/episode/unpublish.php    |  2 +-
 themes/cp_admin/podcast/create.php       |  2 +-
 themes/cp_admin/podcast/edit.php         |  6 +++---
 themes/cp_admin/podcast/import.php       |  2 +-
 themes/cp_admin/settings/general.php     |  4 ++--
 themes/cp_admin/settings/theme.php       |  2 +-
 15 files changed, 32 insertions(+), 26 deletions(-)

diff --git a/app/Views/Components/Forms/Section.php b/app/Views/Components/Forms/Section.php
index cf736744..eedd05a5 100644
--- a/app/Views/Components/Forms/Section.php
+++ b/app/Views/Components/Forms/Section.php
@@ -16,13 +16,13 @@ class Section extends Component
 
     public function render(): string
     {
-        $subtitle = $this->subtitle === null ? '' : '<p class="text-sm clear-left text-skin-muted ' . $this->subtitleClass . '">' . $this->subtitle . '</p>';
+        $subtitle = $this->subtitle === null ? '' : '<p class="text-sm text-skin-muted ' . $this->subtitleClass . '">' . $this->subtitle . '</p>';
 
         return <<<HTML
-            <fieldset class="w-full p-8 bg-elevated border-3 border-subtle rounded-xl {$this->class}">
+            <fieldset class="w-full p-8 bg-elevated border-3 flex flex-col items-start border-subtle rounded-xl {$this->class}">
                 <Heading tagName="legend" class="float-left">{$this->title}</Heading>
                 {$subtitle}
-                <div class="flex flex-col gap-4 py-4 clear-left">{$this->slot}</div>
+                <div class="flex flex-col w-0 min-w-full gap-4 py-4">{$this->slot}</div>
             </fieldset>
         HTML;
     }
diff --git a/app/Views/Components/Forms/XMLEditor.php b/app/Views/Components/Forms/XMLEditor.php
index c3ec19ba..fded2001 100644
--- a/app/Views/Components/Forms/XMLEditor.php
+++ b/app/Views/Components/Forms/XMLEditor.php
@@ -14,11 +14,17 @@ class XMLEditor extends FormComponent
         'class' => 'textarea',
     ];
 
+    protected string $content = '';
+
+    public function setContent(string $value): void
+    {
+        $this->content = htmlspecialchars_decode($value);
+    }
+
     public function render(): string
     {
-        $content = $this->slot;
         $this->attributes['slot'] = 'textarea';
-        $textarea = form_textarea($this->attributes, $content);
+        $textarea = form_textarea($this->attributes, $this->content);
 
         return <<<HTML
             <xml-editor>{$textarea}</time-ago>
diff --git a/themes/cp_admin/_partials/_user_info.php b/themes/cp_admin/_partials/_user_info.php
index eafb73b4..613aea14 100644
--- a/themes/cp_admin/_partials/_user_info.php
+++ b/themes/cp_admin/_partials/_user_info.php
@@ -26,7 +26,7 @@
     <dt class="text-sm font-medium leading-5 text-skin-muted">
     <?= lang('User.form.permissions') ?>
     </dt>
-    <dd class="max-w-xl mt-1 text-sm leading-5">
+    <dd class="w-full max-w-xl mt-1 text-sm leading-5">
     <?= implode(', ', $user->permissions) ?>
     </dd>
 </div>
diff --git a/themes/cp_admin/episode/create.php b/themes/cp_admin/episode/create.php
index 90eb4b7f..bfc2d611 100644
--- a/themes/cp_admin/episode/create.php
+++ b/themes/cp_admin/episode/create.php
@@ -11,7 +11,7 @@
 
 <?= $this->section('content') ?>
 
-<form action="<?= route_to('episode-create', $podcast->id) ?>" method="POST" enctype="multipart/form-data" class="flex flex-col max-w-xl mt-6 gap-y-8">
+<form action="<?= route_to('episode-create', $podcast->id) ?>" method="POST" enctype="multipart/form-data" class="flex flex-col w-full max-w-xl mt-6 gap-y-8">
 <?= csrf_field() ?>
 
 
@@ -53,14 +53,14 @@
 
 <div class="flex flex-col gap-x-2 gap-y-4 md:flex-row">
     <Forms.Field
-        class="flex-1 w-0"
+        class="flex-1 w-full"
         name="season_number"
         label="<?= lang('Episode.form.season_number') ?>"
         type="number"
         value="<?= $currentSeasonNumber ?>"
     />
     <Forms.Field
-        class="flex-1 w-0"
+        class="flex-1 w-full"
         name="episode_number"
         label="<?= lang('Episode.form.episode_number') ?>"
         type="number"
diff --git a/themes/cp_admin/episode/delete.php b/themes/cp_admin/episode/delete.php
index 35a327eb..786ae3ff 100644
--- a/themes/cp_admin/episode/delete.php
+++ b/themes/cp_admin/episode/delete.php
@@ -10,7 +10,7 @@
 
 <?= $this->section('content') ?>
 
-<form action="<?= route_to('episode-delete', $podcast->id, $episode->id) ?>" method="POST" class="flex flex-col max-w-xl mx-auto">
+<form action="<?= route_to('episode-delete', $podcast->id, $episode->id) ?>" method="POST" class="flex flex-col w-full max-w-xl mx-auto">
 <?= csrf_field() ?>
 
 <Alert variant="danger" glyph="alert" class="font-semibold"><?= lang('Episode.delete_form.disclaimer') ?></Alert>
diff --git a/themes/cp_admin/episode/edit.php b/themes/cp_admin/episode/edit.php
index 86a5bc98..8f2cbb19 100644
--- a/themes/cp_admin/episode/edit.php
+++ b/themes/cp_admin/episode/edit.php
@@ -15,7 +15,7 @@
 
 <?= $this->section('content') ?>
 
-<form id="episode-edit-form" action="<?= route_to('episode-edit', $podcast->id, $episode->id) ?>" method="POST" enctype="multipart/form-data" class="flex flex-col max-w-xl mt-6 gap-y-8">
+<form id="episode-edit-form" action="<?= route_to('episode-edit', $podcast->id, $episode->id) ?>" method="POST" enctype="multipart/form-data" class="flex flex-col w-full max-w-xl mt-6 gap-y-8">
 <?= csrf_field() ?>
 
 
@@ -57,14 +57,14 @@
 
 <div class="flex flex-col gap-x-2 gap-y-4 md:flex-row">
     <Forms.Field
-        class="flex-1 w-0"
+        class="flex-1 w-full"
         name="season_number"
         label="<?= lang('Episode.form.season_number') ?>"
         type="number"
         value="<?= $episode->season_number ?>"
     />
     <Forms.Field
-        class="flex-1 w-0"
+        class="flex-1 w-full"
         name="episode_number"
         label="<?= lang('Episode.form.episode_number') ?>"
         type="number"
@@ -267,7 +267,7 @@
     name="custom_rss"
     label="<?= lang('Episode.form.custom_rss') ?>"
     hint="<?= lang('Episode.form.custom_rss_hint') ?>"
-    value="<?= $episode->custom_rss_string ?>"
+    content="<?= esc($episode->custom_rss_string) ?>"
 />
 
 </Forms.Section>
diff --git a/themes/cp_admin/episode/embed.php b/themes/cp_admin/episode/embed.php
index 099b40b8..16057d97 100644
--- a/themes/cp_admin/episode/embed.php
+++ b/themes/cp_admin/episode/embed.php
@@ -24,7 +24,7 @@
     <?php endforeach; ?>
 </div>
 
-<iframe name="embed" id="embed" class="w-full max-w-xl mt-6 h-36" frameborder="0" scrolling="no" style="width: 100%;  overflow: hidden;" src="<?= $episode->embed_url ?>"></iframe>
+<iframe name="embed" id="embed" class="w-full max-w-xl mt-6 h-28" frameborder="0" scrolling="no" style="width: 100%;  overflow: hidden;" src="<?= $episode->embed_url ?>"></iframe>
 
 <div class="flex items-center mt-8 gap-x-2">
     <Forms.Textarea readonly="true" class="w-full max-w-xl" name="iframe" rows="2" value="<?= esc("<iframe width=\"100%\" height=\"280\" frameborder=\"0\" scrolling=\"no\" style=\"width: 100%; height: 280px; overflow: hidden;\" src=\"{$episode->embed_url}\"></iframe>") ?>" />
diff --git a/themes/cp_admin/episode/publish.php b/themes/cp_admin/episode/publish.php
index 26d22f6a..09c3212d 100644
--- a/themes/cp_admin/episode/publish.php
+++ b/themes/cp_admin/episode/publish.php
@@ -18,7 +18,7 @@
     ],
 ) ?>
 
-<form action="<?= route_to('episode-publish', $podcast->id, $episode->id) ?>" method="POST" class="flex flex-col items-start max-w-xl mx-auto" data-submit="validate-message">
+<form action="<?= route_to('episode-publish', $podcast->id, $episode->id) ?>" method="POST" class="flex flex-col items-start w-full max-w-lg mx-auto mt-4" data-submit="validate-message">
 <?= csrf_field() ?>
 <input type="hidden" name="client_timezone" value="UTC" />
 
diff --git a/themes/cp_admin/episode/publish_edit.php b/themes/cp_admin/episode/publish_edit.php
index 0e63bc71..efe4d586 100644
--- a/themes/cp_admin/episode/publish_edit.php
+++ b/themes/cp_admin/episode/publish_edit.php
@@ -18,7 +18,7 @@
     ],
 ) ?>
 
-<form action="<?= route_to('episode-publish_edit', $podcast->id, $episode->id) ?>" method="POST" class="flex flex-col items-start max-w-xl mx-auto" data-submit="validate-message">
+<form action="<?= route_to('episode-publish_edit', $podcast->id, $episode->id) ?>" method="POST" class="flex flex-col items-start w-full max-w-lg mx-auto mt-4" data-submit="validate-message">
 <?= csrf_field() ?>
 <input type="hidden" name="client_timezone" value="UTC" />
 <input type="hidden" name="post_id" value="<?= $post->id ?>" />
diff --git a/themes/cp_admin/episode/unpublish.php b/themes/cp_admin/episode/unpublish.php
index a6d42082..e0fb7aa8 100644
--- a/themes/cp_admin/episode/unpublish.php
+++ b/themes/cp_admin/episode/unpublish.php
@@ -10,7 +10,7 @@
 
 <?= $this->section('content') ?>
 
-<form action="<?= route_to('episode-unpublish', $podcast->id, $episode->id) ?>" method="POST" class="flex flex-col max-w-xl mx-auto">
+<form action="<?= route_to('episode-unpublish', $podcast->id, $episode->id) ?>" method="POST" class="flex flex-col max-w-lg mx-auto">
 <?= csrf_field() ?>
 
 <Alert variant="danger" glyph="alert" class="font-semibold"><?= lang('Episode.unpublish_form.disclaimer') ?></Alert>
diff --git a/themes/cp_admin/podcast/create.php b/themes/cp_admin/podcast/create.php
index 938121c1..f42576cb 100644
--- a/themes/cp_admin/podcast/create.php
+++ b/themes/cp_admin/podcast/create.php
@@ -14,7 +14,7 @@
 
 <?= $this->section('content') ?>
 
-<form action="<?= route_to('podcast-create') ?>" method="POST" enctype='multipart/form-data' class="flex flex-col max-w-xl gap-y-6">
+<form action="<?= route_to('podcast-create') ?>" method="POST" enctype='multipart/form-data' class="flex flex-col w-full max-w-xl gap-y-6">
 <?= csrf_field() ?>
 
 <Forms.Section
diff --git a/themes/cp_admin/podcast/edit.php b/themes/cp_admin/podcast/edit.php
index 7d9c1be5..428a6dde 100644
--- a/themes/cp_admin/podcast/edit.php
+++ b/themes/cp_admin/podcast/edit.php
@@ -36,7 +36,7 @@
     </div>
 </div>
 
-<div class="flex flex-col max-w-xl gap-y-6">
+<div class="flex flex-col w-full max-w-xl gap-y-6">
 
 <Forms.Section
     title="<?= lang('Podcast.form.identity_section_title') ?>"
@@ -217,8 +217,8 @@
     as="XMLEditor"
     name="custom_rss"
     label="<?= lang('Podcast.form.custom_rss') ?>"
-    value="<?= $podcast->custom_rss_string ?>"
-    hint="<?= lang('Podcast.form.custom_rss_hint') ?>" />
+    hint="<?= lang('Podcast.form.custom_rss_hint') ?>"
+    content="<?= esc($podcast->custom_rss_string) ?>" />
 
 </Forms.Section>
 
diff --git a/themes/cp_admin/podcast/import.php b/themes/cp_admin/podcast/import.php
index e7abcf46..bd2ee775 100644
--- a/themes/cp_admin/podcast/import.php
+++ b/themes/cp_admin/podcast/import.php
@@ -12,7 +12,7 @@
 
 <Alert glyph="alert" variant="danger" class="max-w-xl"><?= lang('PodcastImport.warning') ?></Alert>
 
-<form action="<?= route_to('podcast-import') ?>" method="POST" enctype='multipart/form-data' class="flex flex-col max-w-xl mt-6 gap-y-8">
+<form action="<?= route_to('podcast-import') ?>" method="POST" enctype='multipart/form-data' class="flex flex-col w-full max-w-xl mt-6 gap-y-8">
 <?= csrf_field() ?>
 
 <Forms.Section
diff --git a/themes/cp_admin/settings/general.php b/themes/cp_admin/settings/general.php
index 7c6a4a51..396008ce 100644
--- a/themes/cp_admin/settings/general.php
+++ b/themes/cp_admin/settings/general.php
@@ -57,7 +57,7 @@
 
 </form>
 
-<form action="<?= route_to('settings-images-regenerate') ?>" method="POST" class="flex flex-col max-w-xl gap-y-4">
+<form action="<?= route_to('settings-images-regenerate') ?>" method="POST" class="flex flex-col w-full max-w-xl gap-y-4">
 <?= csrf_field() ?>
 
 <Forms.Section
@@ -70,7 +70,7 @@
 
 </form>
 
-<form action="<?= route_to('settings-housekeeping-run') ?>" method="POST" class="flex flex-col max-w-xl gap-y-4">
+<form action="<?= route_to('settings-housekeeping-run') ?>" method="POST" class="flex flex-col w-full max-w-xl gap-y-4">
 <?= csrf_field() ?>
 
 <Forms.Section
diff --git a/themes/cp_admin/settings/theme.php b/themes/cp_admin/settings/theme.php
index 6c43b918..93d321f3 100644
--- a/themes/cp_admin/settings/theme.php
+++ b/themes/cp_admin/settings/theme.php
@@ -10,7 +10,7 @@
 
 <?= $this->section('content') ?>
 
-<form action="<?= route_to('settings-theme') ?>" method="POST" class="flex flex-col max-w-xl gap-y-4" enctype="multipart/form-data">
+<form action="<?= route_to('settings-theme') ?>" method="POST" class="flex flex-col w-full max-w-xl gap-y-4" enctype="multipart/form-data">
 <?= csrf_field() ?>
 <Forms.Section
     title="<?= lang('Settings.theme.accent_section_title') ?>"