Fixed secure form hash for special url.

No htmlspecialchars encoding and no fragment identifier.
This commit is contained in:
akiyan 2014-05-19 11:40:21 +09:00 committed by mark_story
parent 270e8774e4
commit 67f256297d
2 changed files with 41 additions and 8 deletions


@ -1417,6 +1417,30 @@ class FormHelperTest extends CakeTestCase {
$this->assertNotContains($expected, $result, 'URL is different'); $this->assertNotContains($expected, $result, 'URL is different');
} }
/**
* URL, HTML and identifier - and "URL + its hash" or "URLs + their hashes".
*
* @return void
*/
public function testSecuredFormUrlHasHtmlEntityAndFragmentIdentifier() {
$this->Form->request['_Token'] = array('key' => 'testKey');
$expected = 'a0c54487c45e8eea45beb318c35fc01e6f87de29%3A';
$this->Form->create('Address', array(
'url' => array('controller' => 'articles', 'action' => 'view', 1, '?' => array('page' => 1, 'limit' => 10), '#' => 'result')
));
$result = $this->Form->secure();
$this->assertContains($expected, $result);
$this->Form->create('Address', array('url' => 'http://localhost/articles/view/1?page=1&limit=10#result'));
$result = $this->Form->secure();
$this->assertContains($expected, $result, 'Full URL should only use path and query.');
$this->Form->create('Address', array('url' => '/articles/view/1?page=1&limit=10#result'));
$result = $this->Form->secure();
$this->assertContains($expected, $result, 'URL path + query should work.');
}
/** /**
* testDisableSecurityUsingForm method * testDisableSecurityUsingForm method
* *
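Review bot: The docblock on testSecuredFormUrlHasHtmlEntityAndFragmentIdentifier ("URL, HTML and identifier - and "URL + its hash" or "URLs + their hashes"") does not say what the three create()/secure() pairs are meant to prove, which matters because this hash is the form-tampering token and a reader has to be able to tell which URL normalisation is under test. I would replace it with `Test that the secure hash is derived from path + query only, so an array URL, an absolute URL and a relative URL with the same path/query hash identically and the fragment is ignored.` Only the second and third cases contain a literal `&`; the array-URL case presumably reaches the HTML-entity path through FormHelper::url() escaping `&` to `&amp;`, and that is worth stating in the docblock since the method name promises an entity case that is not visible in the fixture strings. The hard-coded expected value depends on the Security.salt of the test environment, as the neighbouring test above already does, so a one-line comment naming that dependency would help whoever sees this fail first. The test method is fully contained in the hunk.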


@ -436,6 +436,7 @@ class FormHelper extends AppHelper {
$this->requestType = strtolower($options['type']); $this->requestType = strtolower($options['type']);
$action = $this->url($options['action']); $action = $this->url($options['action']);
$this->_lastAction($options['action']);
unset($options['type'], $options['action']); unset($options['type'], $options['action']);
if (!$options['default']) { if (!$options['default']) {
@ -467,13 +468,6 @@ class FormHelper extends AppHelper {
$this->_introspectModel($model, 'fields'); $this->_introspectModel($model, 'fields');
} }
$this->_lastAction = $action;
if (strpos($action, '://')) {
$query = parse_url($action, PHP_URL_QUERY);
$query = $query ? '?' . $query : '';
$this->_lastAction = parse_url($action, PHP_URL_PATH) . $query;
}
return $this->Html->useTag('form', $action, $htmlAttributes) . $append; return $this->Html->useTag('form', $action, $htmlAttributes) . $append;
} }
@ -1828,7 +1822,7 @@ class FormHelper extends AppHelper {
unset($options['target']); unset($options['target']);
} }
$this->_lastAction = $formUrl; $this->_lastAction($url);
$out = $this->Html->useTag('form', $formUrl, $formOptions); $out = $this->Html->useTag('form', $formUrl, $formOptions);
$out .= $this->Html->useTag('hidden', '_method', array( $out .= $this->Html->useTag('hidden', '_method', array(
@ -3007,6 +3001,21 @@ class FormHelper extends AppHelper {
return null; return null;
} }
/**
* Sets the last creaated form action.
*
* @var mixed
* @return void
*/
protected function _lastAction($url) {
$action = Router::url($url, true);
if (strpos($action, '://')) {
$query = parse_url($action, PHP_URL_QUERY);
$query = $query ? '?' . $query : '';
$this->_lastAction = parse_url($action, PHP_URL_PATH) . $query;
}
}
/** /**
* Set/Get inputDefaults for form elements * Set/Get inputDefaults for form elements
* *