[3.0] [Form] Ensure that the input of basic fields is a string #4102
Comments
I will work on that |
I spent some time again today trying to figure out how to do this. Basically, we want to check whether the submitted data matches some given type and either
This protects the application from arrays being passed to the model through simple types such as "text", which might facilitate exploits. The submitted data types in core are:
We already have a similar facility for checking the type of the view data: The "data_class" option, which lets you configure the expected class. Extending this option to accept any type (i.e. suffixes of the Problems:
Unsure what to do. |
By the way, a related issue is the "input" option of the date, time and datetime types. This could also better be named "model_data_type" (even though it is not always strictly a data type, like "datetime"). |
Whatever solution you come up with, please don't raise exception that can indirectly be invoked by submitting unexpected data. See #5334. |
You are right. So instead of "abort with an exception" the field should be dealt with as if it was empty (i.e. initialized with "empty_data"). |
ref #7917 |
@webmozart any news about this? |
\o/ |
…kas) This PR was merged into the 3.4 branch.

Discussion
----------

[Form] Filter arrays out of scalar form types

| Q | A |
| ------------- | --- |
| Branch? | 3.4 |
| Bug fix? | yes |
| New feature? | no |
| BC breaks? | no |
| Deprecations? | no |
| Tests pass? | yes |
| Fixed tickets | #4102 |
| License | MIT |
| Doc PR | - |

Replaces fix #20935

Commits
-------

000e4aa [Form] Filter arrays out of scalar form types
…kas) This PR was merged into the 3.4 branch.

Discussion
----------

[Form] Filter arrays out of scalar form types

| Q | A |
| ------------- | --- |
| Branch? | 3.4 |
| Bug fix? | yes |
| New feature? | no |
| BC breaks? | no |
| Deprecations? | no |
| Tests pass? | yes |
| Fixed tickets | symfony/symfony#4102 |
| License | MIT |
| Doc PR | - |

Replaces fix symfony/symfony#20935

Commits
-------

000e4aab5e [Form] Filter arrays out of scalar form types
The PR #2421 tries to fix the case where the browser sends an array for a text field. Before this change, the Form framework did not check the data and passed it through to the model layer.
The idea is correct, but the implementation is not. Data fixing is no transformation. Furthermore, the transformer needs to be removed every time someone wants to add a custom transformer.
Thus #2421 should be reverted and replaced by an EnsureStringInputListener that simply casts the data to string or leaves it null (happens if the field was not submitted). This listener should be connected with the BIND_CLIENT_DATA event of all types that expect a string as input (for example by waiting for #4046 to be merged and adding the listener in FormType if "primitive" is set to true).
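The behaviour this issue converges on, as an added example that is not Symfony's code nor the code of the merged PR: scalar input is cast to string, an unsubmitted field stays null, and an array sent to a scalar field is treated as empty instead of raising an exception or reaching the model. The function name `normalizeSubmitted`, the schema format and the request body are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not part of Symfony): normalise raw submitted data
 * against $schema, where each field is either the string 'scalar' or a
 * nested array describing the children of a compound field.
 * Keys that are not in the schema are dropped.
 */
function normalizeSubmitted(array $schema, $submitted): array
{
    $clean = [];
    foreach ($schema as $name => $type) {
        $value = is_array($submitted) && array_key_exists($name, $submitted)
            ? $submitted[$name]
            : null; // field was not submitted: stays null

        if (is_array($type)) {
            // Compound field: recurse. A scalar sent where children are
            // expected is handled as if nothing had been submitted.
            $clean[$name] = normalizeSubmitted($type, is_array($value) ? $value : []);
        } elseif (null === $value) {
            $clean[$name] = null;
        } elseif (is_scalar($value)) {
            // Strings, ints, floats and bools are cast to string.
            $clean[$name] = (string) $value;
        } else {
            // Array where a string was expected: treat as empty, no exception.
            $clean[$name] = null;
        }
    }

    return $clean;
}

// Constructed request body: bracket syntax turns "title" and
// "author[email]" into arrays when PHP parses the request.
parse_str('title[]=a&title[]=b&author[name]=Bob&author[email][x]=1&page=2', $raw);

$schema = [
    'title'  => 'scalar',
    'author' => ['name' => 'scalar', 'email' => 'scalar'],
    'page'   => 'scalar',
    'note'   => 'scalar', // never submitted
];

var_dump(normalizeSubmitted($schema, $raw));
```

Mapping the array case to null rather than throwing follows the request made in the thread that unexpected submitted data must not be able to trigger an exception.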