Merge branch 'form-secure' into 2.5
Merge pull request #2582 into 2.5. Fixes #2582
commit
24fd23bbdd
2 changed files with 40 additions and 30 deletions
35
lib/Cake/Test/Case/View/Helper/FormHelperTest.php
Normal file → Executable file
|
@ -689,9 +689,10 @@ class FormHelperTest extends CakeTestCase {
|
||||||
public function testFormSecurityFields() {
|
public function testFormSecurityFields() {
|
||||||
$key = 'testKey';
|
$key = 'testKey';
|
||||||
$fields = array('Model.password', 'Model.username', 'Model.valid' => '0');
|
$fields = array('Model.password', 'Model.username', 'Model.valid' => '0');
|
||||||
|
$secureAttributes = array('form' => 'MyTestForm');
|
||||||
|
|
||||||
$this->Form->request['_Token'] = array('key' => $key);
|
$this->Form->request['_Token'] = array('key' => $key);
|
||||||
$result = $this->Form->secure($fields);
|
$result = $this->Form->secure($fields, $secureAttributes);
|
||||||
|
|
||||||
$hash = Security::hash(serialize($fields) . Configure::read('Security.salt'));
|
$hash = Security::hash(serialize($fields) . Configure::read('Security.salt'));
|
||||||
$hash .= ':' . 'Model.valid';
|
$hash .= ':' . 'Model.valid';
|
||||||
|
@ -701,28 +702,13 @@ class FormHelperTest extends CakeTestCase {
|
||||||
'div' => array('style' => 'display:none;'),
|
'div' => array('style' => 'display:none;'),
|
||||||
array('input' => array(
|
array('input' => array(
|
||||||
'type' => 'hidden', 'name' => 'data[_Token][fields]',
|
'type' => 'hidden', 'name' => 'data[_Token][fields]',
|
||||||
'value' => $hash, 'id' => 'preg:/TokenFields\d+/'
|
'value' => $hash, 'id' => 'preg:/TokenFields\d+/',
|
||||||
|
'form' => 'MyTestForm',
|
||||||
)),
|
)),
|
||||||
array('input' => array(
|
array('input' => array(
|
||||||
'type' => 'hidden', 'name' => 'data[_Token][unlocked]',
|
'type' => 'hidden', 'name' => 'data[_Token][unlocked]',
|
||||||
'value' => '', 'id' => 'preg:/TokenUnlocked\d+/'
|
'value' => '', 'id' => 'preg:/TokenUnlocked\d+/',
|
||||||
)),
|
'form' => 'MyTestForm',
|
||||||
'/div'
|
|
||||||
);
|
|
||||||
$this->assertTags($result, $expected);
|
|
||||||
|
|
||||||
$path = CAKE . 'Test' . DS . 'test_app' . DS . 'Config' . DS;
|
|
||||||
$this->Form->Html->loadConfig('htmlhelper_tags', $path);
|
|
||||||
$result = $this->Form->secure($fields);
|
|
||||||
$expected = array(
|
|
||||||
'div' => array('class' => 'hidden'),
|
|
||||||
array('input' => array(
|
|
||||||
'type' => 'hidden', 'name' => 'data[_Token][fields]',
|
|
||||||
'value' => $hash, 'id' => 'preg:/TokenFields\d+/'
|
|
||||||
)),
|
|
||||||
array('input' => array(
|
|
||||||
'type' => 'hidden', 'name' => 'data[_Token][unlocked]',
|
|
||||||
'value' => '', 'id' => 'preg:/TokenUnlocked\d+/'
|
|
||||||
)),
|
)),
|
||||||
'/div'
|
'/div'
|
||||||
);
|
);
|
||||||
|
@ -9047,6 +9033,15 @@ class FormHelperTest extends CakeTestCase {
|
||||||
public function testFormEnd() {
|
public function testFormEnd() {
|
||||||
$this->assertEquals('</form>', $this->Form->end());
|
$this->assertEquals('</form>', $this->Form->end());
|
||||||
|
|
||||||
|
$result = $this->Form->end('', array('form' => 'form-name'));
|
||||||
|
$expected = array(
|
||||||
|
'div' => array('class' => 'submit'),
|
||||||
|
'input' => array('type' => 'submit', 'value' => ''),
|
||||||
|
'/div',
|
||||||
|
'/form'
|
||||||
|
);
|
||||||
|
$this->assertTags($result, $expected);
|
||||||
|
|
||||||
$result = $this->Form->end('');
|
$result = $this->Form->end('');
|
||||||
$expected = array(
|
$expected = array(
|
||||||
'div' => array('class' => 'submit'),
|
'div' => array('class' => 'submit'),
|
||||||
|
|
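Review bot: The rewritten `testFormSecurityFields()` only covers the case where `$secureAttributes` is supplied, and no assertion pins the property that makes the new parameter safe to expose: a caller's `value` or `id` key must not replace the generated hash or id (the `array_merge` order in `FormHelper::secure()` appears to enforce this, but reversing it would not fail any test). Since `$expected` already holds the `form="MyTestForm"` variant, two lines after the existing `assertTags` call (presumably just below this hunk) would cover it: `$result = $this->Form->secure($fields, array('value' => 'x', 'id' => 'y', 'form' => 'MyTestForm'));` then `$this->assertTags($result, $expected);`. The hunk also drops the `htmlhelper_tags` variant that checked the `hiddenblock` tag override (`'div' => array('class' => 'hidden')`), so that rendering path is no longer exercised here; if another test covers it, a one-line comment naming it would make the deletion easier to audit. `testFormSecurityFields()` continues past the end of this hunk.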
35
lib/Cake/View/Helper/FormHelper.php
Normal file → Executable file
|
@ -498,11 +498,16 @@ class FormHelper extends AppHelper {
|
||||||
* array('label' => 'save', 'name' => 'Whatever', 'div' => array('class' => 'good')); <div class="good"> value="save" name="Whatever"
|
* array('label' => 'save', 'name' => 'Whatever', 'div' => array('class' => 'good')); <div class="good"> value="save" name="Whatever"
|
||||||
* }}}
|
* }}}
|
||||||
*
|
*
|
||||||
|
* If $secureAttributes is set, these html attributes will be merged into the hidden input tags generated for the
|
||||||
|
* Security Component. This is especially useful to set HTML5 attributes like 'form'
|
||||||
|
*
|
||||||
* @param string|array $options as a string will use $options as the value of button,
|
* @param string|array $options as a string will use $options as the value of button,
|
||||||
|
* @param array $secureAttributes will be passed as html attributes into the hidden input elements generated for the
|
||||||
|
* Security Component.
|
||||||
* @return string a closing FORM tag optional submit button.
|
* @return string a closing FORM tag optional submit button.
|
||||||
* @link http://book.cakephp.org/2.0/en/core-libraries/helpers/form.html#closing-the-form
|
* @link http://book.cakephp.org/2.0/en/core-libraries/helpers/form.html#closing-the-form
|
||||||
*/
|
*/
|
||||||
public function end($options = null) {
|
public function end($options = null, $secureAttributes = array()) {
|
||||||
$out = null;
|
$out = null;
|
||||||
$submit = null;
|
$submit = null;
|
||||||
|
|
||||||
|
@ -524,7 +529,7 @@ class FormHelper extends AppHelper {
|
||||||
isset($this->request['_Token']) &&
|
isset($this->request['_Token']) &&
|
||||||
!empty($this->request['_Token'])
|
!empty($this->request['_Token'])
|
||||||
) {
|
) {
|
||||||
$out .= $this->secure($this->fields);
|
$out .= $this->secure($this->fields, $secureAttributes);
|
||||||
$this->fields = array();
|
$this->fields = array();
|
||||||
}
|
}
|
||||||
$this->setEntity(null);
|
$this->setEntity(null);
|
||||||
|
@ -536,19 +541,27 @@ class FormHelper extends AppHelper {
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Generates a hidden field with a security hash based on the fields used in the form.
|
* Generates a hidden field with a security hash based on the fields used in
|
||||||
|
* the form.
|
||||||
*
|
*
|
||||||
* @param array $fields The list of fields to use when generating the hash
|
* If $secureAttributes is set, these html attributes will be merged into
|
||||||
|
* the hidden input tags generated for the Security Component. This is
|
||||||
|
* especially useful to set HTML5 attributes like 'form'.
|
||||||
|
*
|
||||||
|
* @param array|null $fields If set specifies the list of fields to use when
|
||||||
|
* generating the hash, else $this->fields is being used.
|
||||||
|
* @param array $secureAttributes will be passed as html attributes into the hidden
|
||||||
|
* input elements generated for the Security Component.
|
||||||
* @return string A hidden input field with a security hash
|
* @return string A hidden input field with a security hash
|
||||||
* @link http://book.cakephp.org/2.0/en/core-libraries/helpers/form.html#FormHelper::secure
|
* @link http://book.cakephp.org/2.0/en/core-libraries/helpers/form.html#FormHelper::secure
|
||||||
*/
|
*/
|
||||||
public function secure($fields = array()) {
|
public function secure($fields = array(), $secureAttributes = array()) {
|
||||||
if (!isset($this->request['_Token']) || empty($this->request['_Token'])) {
|
if (!isset($this->request['_Token']) || empty($this->request['_Token'])) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
$locked = array();
|
$locked = array();
|
||||||
$unlockedFields = $this->_unlockedFields;
|
$unlockedFields = $this->_unlockedFields;
|
||||||
|
|
||||||
foreach ($fields as $key => $value) {
|
foreach ($fields as $key => $value) {
|
||||||
if (!is_int($key)) {
|
if (!is_int($key)) {
|
||||||
$locked[$key] = $value;
|
$locked[$key] = $value;
|
||||||
|
@ -565,14 +578,16 @@ class FormHelper extends AppHelper {
|
||||||
$unlocked = implode($unlockedFields, '|');
|
$unlocked = implode($unlockedFields, '|');
|
||||||
$fields = Security::hash(serialize($fields) . $unlocked . Configure::read('Security.salt'), 'sha1');
|
$fields = Security::hash(serialize($fields) . $unlocked . Configure::read('Security.salt'), 'sha1');
|
||||||
|
|
||||||
$out = $this->hidden('_Token.fields', array(
|
$tokenFields = array_merge($secureAttributes, array(
|
||||||
'value' => urlencode($fields . ':' . $locked),
|
'value' => urlencode($fields . ':' . $locked),
|
||||||
'id' => 'TokenFields' . mt_rand()
|
'id' => 'TokenFields' . mt_rand(),
|
||||||
));
|
));
|
||||||
$out .= $this->hidden('_Token.unlocked', array(
|
$out = $this->hidden('_Token.fields', $tokenFields);
|
||||||
|
$tokenUnlocked = array_merge($secureAttributes, array(
|
||||||
'value' => urlencode($unlocked),
|
'value' => urlencode($unlocked),
|
||||||
'id' => 'TokenUnlocked' . mt_rand()
|
'id' => 'TokenUnlocked' . mt_rand(),
|
||||||
));
|
));
|
||||||
|
$out .= $this->hidden('_Token.unlocked', $tokenUnlocked);
|
||||||
return $this->Html->useTag('hiddenblock', $out);
|
return $this->Html->useTag('hiddenblock', $out);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
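Review bot: The new `@param array|null $fields … else $this->fields is being used` docblock on `secure()` describes a fallback the visible body does not implement: nothing between the `_Token` guard and `foreach ($fields as $key => $value)` assigns `$fields`, so `secure(null)` iterates over null (a PHP warning) and produces a token hash that covers none of the fields the helper recorded, and `end()` in the second hunk still passes `$this->fields` explicitly, which suggests the fallback was never there. Either add `if ($fields === null) { $fields = $this->fields; }` before the loop or restore `@param array $fields` and drop the clause. In the last hunk the `array_merge($secureAttributes, array('value' => …, 'id' => …))` order is the right way round, since it stops a caller attribute from replacing the hash or the id, but the docblock should state that and say what is not pinned, e.g. `* The 'value' and 'id' keys of $secureAttributes are always overwritten; other keys, including 'name', are passed through unchanged.` — whether `hidden()` re-asserts the field name is outside this hunk, so that last part needs confirming. `secure()` continues past the end of the last hunk.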