
ZF-6753: dijit.Editor should not use textarea by default

git-svn-id: http://framework.zend.com/svn/framework/standard/trunk@19143 44c647ce-9c0f-0410-b52a-842ac1e357ba
matthew 16 anni fa
parent
commit
2147bb7917

+ 32 - 0
documentation/manual/en/module_specs/Zend_Dojo-Form-Elements.xml

@@ -675,6 +675,38 @@ $form->addElement('editor', 'content', array(
 ));
 ]]></programlisting>
         </example>
+
+        <note>
+            <title>Editor Dijit uses div by default</title>
+
+            <para>
+                The Editor dijit uses an <acronym>HTML</acronym> <acronym>DIV</acronym> by default.
+                The <classname>dijit._editor.RichText</classname> documentation indicates that
+                having it built on an HTML <acronym>TEXTAREA</acronym> can potentially have security
+                implications.
+            </para>
+
+            <para>
+                That said, there may be times when you want an Editor widget that can gracefully degrade to a
+                <acronym>TEXTAREA</acronym>. In such situations, you can do so by setting the
+                <varname>degrade</varname> property to <constant>true</constant>:
+            </para>
+
+            <programlisting language="php"><![CDATA[
+// At instantiation:
+$editor = new Zend_Dojo_Form_Element_Editor('foo', array(
+    'degrade' => true,
+));
+
+// Construction via the form:
+$form->addElement('editor', 'content', array(
+    'degrade' => true,
+));
+
+// Or after instantiation:
+$editor->degrade = true;
+]]></programlisting>
+        </note>
     </sect3>
 
     <sect3 id="zend.dojo.form.elements.horizontalSlider">

+ 22 - 0
documentation/manual/en/module_specs/Zend_Dojo-View-Helpers.xml

@@ -657,6 +657,28 @@ echo $view->dateTextBox(
                 <programlisting language="php"><![CDATA[
 echo $view->editor('foo');
 ]]></programlisting>
+
+                <note>
+                    <title>Editor Dijit uses div by default</title>
+
+                    <para>
+                        The Editor dijit uses an <acronym>HTML</acronym> <acronym>DIV</acronym> by
+                        default.  The <classname>dijit._editor.RichText</classname> documentation
+                        indicates that having it built on an HTML <acronym>TEXTAREA</acronym> can
+                        potentially have security implications.
+                    </para>
+
+                    <para>
+                        That said, there may be times when you want an Editor widget that can
+                        gracefully degrade to a <acronym>TEXTAREA</acronym>. In such situations, you
+                        can do so by passing a boolean <constant>true</constant> value to the
+                        <varname>degrade</varname> parameter:
+                    </para>
+
+                    <programlisting language="php"><![CDATA[
+echo $this->editor('foo', '', array('degrade' => true));
+]]></programlisting>
+                </note>
             </listitem>
 
             <listitem>

+ 1 - 1
library/Zend/Dojo/View/Helper/Dijit.php

@@ -220,7 +220,7 @@ abstract class Zend_Dojo_View_Helper_Dijit extends Zend_View_Helper_HtmlElement
                 }
                 break;
             case 'textarea':
-                $stripParams = array('id', 'name', 'type');
+                $stripParams = array('id', 'name', 'type', 'degrade');
                 break;
             default:
         }

+ 25 - 6
library/Zend/Dojo/View/Helper/Editor.php

@@ -20,8 +20,8 @@
  * @version    $Id$
  */
 
-/** Zend_Dojo_View_Helper_Textarea */
-require_once 'Zend/Dojo/View/Helper/Textarea.php';
+/** Zend_Dojo_View_Helper_Dijit */
+require_once 'Zend/Dojo/View/Helper/Dijit.php';
 
 /** Zend_Json */
 require_once 'Zend/Json.php';
@@ -35,7 +35,7 @@ require_once 'Zend/Json.php';
  * @copyright  Copyright (c) 2005-2009 Zend Technologies USA Inc. (http://www.zend.com)
  * @license    http://framework.zend.com/license/new-bsd     New BSD License
  */
-class Zend_Dojo_View_Helper_Editor extends Zend_Dojo_View_Helper_Textarea
+class Zend_Dojo_View_Helper_Editor extends Zend_Dojo_View_Helper_Dijit
 {
     /**
      * @param string Dijit type
@@ -83,6 +83,15 @@ class Zend_Dojo_View_Helper_Editor extends Zend_Dojo_View_Helper_Textarea
             }
         }
 
+        // Use a <div> by default, but allow degradation to <textarea> on request
+        $type = 'div';
+        if (isset($params['degrade'])) {
+            $type = ($params['degrade'])
+                  ? 'textarea'
+                  : 'div';
+            unset($params['degrade']);
+        }
+
         $hiddenName = $id;
         if (array_key_exists('id', $attribs)) {
             $hiddenId = $attribs['id'];
@@ -105,8 +114,18 @@ class Zend_Dojo_View_Helper_Editor extends Zend_Dojo_View_Helper_Textarea
         $this->_createGetParentFormFunction();
         $this->_createEditorOnSubmit($hiddenId, $textareaId);
 
-        $html = '<input' . $this->_htmlAttribs($hiddenAttribs) . $this->getClosingBracket()
-              . $this->textarea($textareaName, $value, $params, $attribs);
+        $attribs = $this->_prepareDijit($attribs, $params, 'textarea');
+
+        $html = '<input' . $this->_htmlAttribs($hiddenAttribs) . $this->getClosingBracket();
+        if ($type == 'textarea') {
+            $html .= '<textarea' . $this->_htmlAttribs($attribs) . '>'
+                   . $value
+                   . "</textarea>\n";
+        } else {
+            $html .= '<div' . $this->_htmlAttribs($attribs) . '>'
+                   . $value
+                   . "</div>\n";
+        }
 
         return $html;
     }
@@ -160,7 +179,7 @@ class Zend_Dojo_View_Helper_Editor extends Zend_Dojo_View_Helper_Textarea
         echo <<<EOJ
 function() {
     var form = zend.findParentForm(dojo.byId('$hiddenId'));
-    dojo.connect(form, 'onsubmit', function () {
+    dojo.connect(form, 'submit', function(e) {
         dojo.byId('$hiddenId').value = dijit.byId('$editorId').getValue(false);
     });
 }
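Review bot: In the hunk at `@@ -105,8 +114,18 @@`, `$value` is concatenated unescaped into both the `<textarea>` and the `<div>` branch, so any markup in the value is emitted as live HTML in the page. The removed `$this->textarea(...)` call delegated rendering to the Textarea helper, which presumably escaped the content (not visible here), so for the degrade path this looks like a regression; that branch should read `. $this->view->escape($value)`. In the `<div>` branch the content is rich text by design, so either escape it as well or add a docblock line stating that callers must pass HTML that has already been sanitized when it originates from users. The method's signature and the start of its body are outside the hunks shown.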

+ 44 - 11
tests/Zend/Dojo/View/Helper/EditorTest.php

@@ -97,11 +97,10 @@ class Zend_Dojo_View_Helper_EditorTest extends PHPUnit_Framework_TestCase
         return $view;
     }
 
-    public function testHelperShouldRenderTextareaWithAlteredId()
+    public function testHelperShouldRenderAlteredId()
     {
         $html = $this->helper->editor('foo');
-        $this->assertRegexp('#<textarea[^>]*(id="foo-Editor")#', $html, $html);
-        $this->assertContains('</textarea>', $html);
+        $this->assertContains('id="foo-Editor"', $html, $html);
     }
 
     public function testHelperShouldRenderHiddenElementWithGivenIdentifier()
@@ -116,7 +115,7 @@ class Zend_Dojo_View_Helper_EditorTest extends PHPUnit_Framework_TestCase
     public function testHelperShouldRenderDojoTypeWhenUsedDeclaratively()
     {
         $html = $this->helper->editor('foo');
-        $this->assertRegexp('#<textarea[^>]*(dojoType="dijit.Editor")#', $html);
+        $this->assertContains('dojoType="dijit.Editor"', $html);
     }
 
     public function testHelperShouldRegisterDijitModule()
@@ -126,15 +125,13 @@ class Zend_Dojo_View_Helper_EditorTest extends PHPUnit_Framework_TestCase
         $this->assertContains('dijit.Editor', $modules);
     }
 
-    public function testHelperShouldNormalizeArrayName()
+    public function testHelperShouldNormalizeArrayId()
     {
         $html = $this->helper->editor('foo[]');
-        $this->assertRegexp('#<textarea[^>]*(name="foo\[Editor\]\[\]")#', $html, $html);
-        $this->assertRegexp('#<textarea[^>]*(id="foo-Editor")#', $html, $html);
+        $this->assertContains('id="foo-Editor"', $html, $html);
 
         $html = $this->helper->editor('foo[bar]');
-        $this->assertRegexp('#<textarea[^>]*(name="foo\[bar\]\[Editor\]")#', $html, $html);
-        $this->assertRegexp('#<textarea[^>]*(id="foo-bar-Editor")#', $html, $html);
+        $this->assertContains('id="foo-bar-Editor"', $html, $html);
     }
 
     public function testHelperShouldJsonifyPlugins()
@@ -143,10 +140,10 @@ class Zend_Dojo_View_Helper_EditorTest extends PHPUnit_Framework_TestCase
         $html = $this->helper->editor('foo', '', array('plugins' => $plugins));
         $pluginsString = Zend_Json::encode($plugins);
         $pluginsString = str_replace('"', "'", $pluginsString);
-        $this->assertRegexp('#<textarea[^>]*(plugins="' . preg_quote($pluginsString) . '")#', $html);
+        $this->assertContains('plugins="' . $pluginsString . '"', $html);
     }
 
-    public function testHelperShouldCreateJavascriptToConnectTextareaToHiddenValue()
+    public function testHelperShouldCreateJavascriptToConnectEditorToHiddenValue()
     {
         $this->helper->editor('foo');
         $onLoadActions = $this->view->dojo()->getOnLoadActions();
@@ -196,6 +193,42 @@ class Zend_Dojo_View_Helper_EditorTest extends PHPUnit_Framework_TestCase
             $this->assertContains('dojo.require("dijit._editor.plugins.' . $plugin . '")', $dojo, $dojo);
         }
     }
+
+    /**
+     * @group ZF-6753
+     */
+    public function testHelperShouldUseDivByDefault()
+    {
+        $html = $this->helper->editor('foo');
+        $this->assertRegexp('#</?div[^>]*>#', $html, $html);
+    }
+
+    /**
+     * @group ZF-6753
+     */
+    public function testHelperShouldNotUseTextareaByDefault()
+    {
+        $html = $this->helper->editor('foo');
+        $this->assertNotRegexp('#</?textarea[^>]*>#', $html, $html);
+    }
+
+    /**
+     * @group ZF-6753
+     */
+    public function testHelperShouldAllowDegradationViaTextareaOnDemand()
+    {
+        $html = $this->helper->editor('foo', '', array('degrade' => true));
+        $this->assertRegexp('#</?textarea[^>]*>#', $html, $html);
+    }
+
+    /**
+     * @group ZF-6753
+     */
+    public function testWhenDegradingHelperShouldUseDijitEditorDojoType()
+    {
+        $html = $this->helper->editor('foo', '', array('degrade' => true));
+        $this->assertRegexp('#</?textarea[^>]*(dojoType="dijit.Editor")[^>]*>#', $html, $html);
+    }
 }
 
 // Call Zend_Dojo_View_Helper_EditorTest::main() if this source file is executed directly.
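Review bot: Every call visible in this section passes no value or an empty string for `$value`, so nothing checks how the helper emits content inside the `<div>` or `<textarea>` that it now builds itself. Add a case with markup in the value, for example `$html = $this->helper->editor('foo', '<b>x</b>', array('degrade' => true));` followed by `$this->assertContains('&lt;b&gt;x&lt;/b&gt;', $html);` (constructed sample values). A matching case for the default `<div>` path would pin down whether raw HTML output there is intended. The new regexes such as `#</?div[^>]*>#` also pass on a lone closing tag, so they would not catch a malformed opening element.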