UI: Strip Tags in New Input Implementation

src/UI/Implementation/Component/Input/Field/Input.php

@@ -427,6 +427,9 @@ private function getOperations() {
 	 * @inheritdoc
 	 */
 	final public function getContent() {
+		if (is_null($this->content)) {
+			throw new \LogicException("No content of this field has been evaluated yet. Seems withInput was not called.");
+		}
 		return $this->content;
 	}
 }

src/UI/Implementation/Component/Input/Field/InputInternal.php

@@ -45,7 +45,7 @@ public function withInput(PostData $input);
 	/**
 	 * Get the current content of the input.
 	 *
-	 * @return    Result|null
+	 * @return    Result
 	 */
 	public function getContent();
 }

src/UI/Implementation/Component/Input/Field/Text.php

@@ -5,11 +5,29 @@
 namespace ILIAS\UI\Implementation\Component\Input\Field;
 
 use ILIAS\UI\Component as C;
+use ILIAS\Data\Factory as DataFactory;
+use ILIAS\Transformation\Factory as TransformationFactory;
+use ILIAS\Validation\Factory as ValidationFactory;
 
 /**
  * This implements the text input.
  */
 class Text extends Input implements C\Input\Field\Text {
+	/**
+	 * @inheritdoc
+	 */
+	public function __construct(
+		DataFactory $data_factory,
+		ValidationFactory $validation_factory,
+		TransformationFactory $transformation_factory,
+		$label,
+		$byline
+	) {
+		parent::__construct($data_factory, $validation_factory, $transformation_factory, $label, $byline);
+		$this->setAdditionalTransformation($transformation_factory->custom(function($v) {
+			return strip_tags($v);
+		}));
+	}
 
 	/**
 	 * @inheritdoc

src/UI/Implementation/Component/Input/Field/Textarea.php

@@ -6,17 +6,35 @@
 
 use ILIAS\UI\Component as C;
 use ILIAS\UI\Implementation\Component\JavaScriptBindable;
+use ILIAS\Data\Factory as DataFactory;
+use ILIAS\Transformation\Factory as TransformationFactory;
+use ILIAS\Validation\Factory as ValidationFactory;
 
 /**
  * This implements the textarea input.
  */
 class Textarea extends Input implements C\Input\Field\Textarea {
-
 	use JavaScriptBindable;
 
 	protected $max_limit;
 	protected $min_limit;
 
+	/**
+	 * @inheritdoc
+	 */
+	public function __construct(
+		DataFactory $data_factory,
+		ValidationFactory $validation_factory,
+		TransformationFactory $transformation_factory,
+		$label,
+		$byline
+	) {
+		parent::__construct($data_factory, $validation_factory, $transformation_factory, $label, $byline);
+		$this->setAdditionalTransformation($transformation_factory->custom(function($v) {
+			return strip_tags($v);
+		}));
+	}
+
 	/**
 	 * set maximum number of characters
 	 * @param $max_limit

tests/UI/Component/Input/Field/InputTest.php

@@ -166,7 +166,9 @@ public function test_withError() {
 
 
 	public function test_getContent() {
-		$this->assertEquals(null, $this->input->getContent());
+		$this->expectException(\LogicException::class);
+
+		$this->input->getContent();
 	}
 
 

tests/UI/Component/Input/Field/TextInputTest.php

@@ -134,4 +134,15 @@ public function test_value_required() {
 		$value2 = $text2->getContent();
 		$this->assertTrue($value2->isError());
 	}
+
+	public function test_stripsTags() {
+		$f = $this->buildFactory();
+		$name = "name_0";
+		$text = $f->text("")
+			->withNameFrom($this->name_source)
+			->withInput(new DefPostData([$name => "<script>alert()</script>"]));
+
+		$content = $text->getContent();
+		$this->assertEquals("alert()", $content->value());
+	}
 }

tests/UI/Component/Input/Field/TextareaTest.php

@@ -245,4 +245,15 @@ public function test_renderer_with_error()
 		$expected = trim(preg_replace('/\t+/', '', $expected));
 		$this->assertEquals($expected, $html);
 	}
-}
+
+	public function test_stripsTags() {
+		$f = $this->buildFactory();
+		$name = "name_0";
+		$text = $f->textarea("")
+			->withNameFrom($this->name_source)
+			->withInput(new DefPostData([$name => "<script>alert()</script>"]));
+
+		$content = $text->getContent();
+		$this->assertEquals("alert()", $content->value());
+	}
+}