From 9a9cb7323c1b04ca95b59c326d40dd25b5f58783 Mon Sep 17 00:00:00 2001
From: Martin Ficzel
Date: Fri, 6 Oct 2023 17:42:11 +0200
Subject: [PATCH 1/2] FEATURE: Add to `disableReferrer` and `disableTrustedProperties` to FormDefinition

Both settings are disabled by default which does not change the current behavior.

- `disableReferrer` avoids rendering referrers for endpoints that do not use flow validation, use method get or
- `disableTrustedProperties` avoids rendering rendering trusted properties tokens in cases where property mapping is not used

In Addition the RuntimeForm now sets `disableReferrer` because the runtime form only uses trusted properties but will never redirect back to the referrer.
---
 Classes/Domain/Form.php | 25 +++-
 .../FormDefinitionImplementation.php | 23 +++-
 .../RuntimeFormImplementation.php | 6 +-
 Documentation/FusionReference.rst | 6 +
 .../Fusion/Prototypes/Definition/Form.fusion | 4 +
 Tests/Functional/FormTest.php | 128 +++++++++++++++++-
 6 files changed, 184 insertions(+), 8 deletions(-)

diff --git a/Classes/Domain/Form.php b/Classes/Domain/Form.php
index 46e99a8..66c45a5 100644
--- a/Classes/Domain/Form.php
+++ b/Classes/Domain/Form.php
@@ -66,6 +66,16 @@ class Form extends AbstractFormObject
 */
 protected $encoding;
 
+ /**
+ * @var bool
+ */
+ protected $disableReferrer;
+
+ /**
+ * @var bool
+ */
+ protected $disableTrustedProperties;
+
 /**
 * @var string|null
 */
@@ -89,8 +99,10 @@ class Form extends AbstractFormObject
 * @param string|null $target
 * @param string|null $method
 * @param string|null $encoding
+ * @param bool $disableReferrer
+ * @param bool $disableTrustedProperties
 */
- public function __construct(ActionRequest $request = null, $data = null, ?string $namespace = null, ?string $target = null, ?string $method = "get", ?string $encoding = null)
+ public function __construct(ActionRequest $request = null, $data = null, ?string $namespace = null, ?string $target = null, ?string $method = "get", ?string $encoding = null, bool $disableReferrer = false, bool $disableTrustedProperties = false)
 {
 $this->request = $request;
 $this->data = $data;
@@ -98,6 +110,8 @@ public function __construct(ActionRequest $request = null, $data = null, ?string
 $this->target = $target;
 $this->method = $method;
 $this->encoding = $encoding;
+ $this->disableReferrer = $disableReferrer;
+ $this->disableTrustedProperties = $disableTrustedProperties;
 
 // determine submitted values and result from request
 /** @phpstan-ignore-next-line the return type of $request->getInternalArgument is misleading */
@@ -245,7 +259,7 @@ public function calculateHiddenFields(string $content = null): array
 // forwarded to the previous request where the __submittedArguments and
 // __submittedArgumentValidationResults can be handled from Form.createField or custom logic.
 //
- if ($request) {
+ if ($request && ($this->disableReferrer !== true)) {
 $childRequestArgumentNamespace = null;
 while ($request instanceof ActionRequest) {
 $requestArgumentNamespace = $request->getArgumentNamespace();
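Review bot: The rewritten `__construct` signature keeps `ActionRequest $request = null`, the implicit-nullable form that PHP 8.4 deprecates, while the neighbouring parameters already use the explicit `?string` form; since the line is being rewritten anyway, spell it `?ActionRequest $request = null`. The same signature is rewritten once more in the second patch (`@@ -99,10 +99,10`) and copied into `createForm()` in `Tests/Functional/FormTest.php`, so all three should agree. With eight positional parameters ending in two booleans, call sites such as the one in `RuntimeFormImplementation` become hard to read; until named arguments are available, a one-line `@param` description per flag saying what `true` switches on would help.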
@@ -335,7 +349,8 @@ public function calculateHiddenFields(string $content = null): array
 foreach ($formFieldNames as $name) {
 $path = $this->fieldNameToPath(substr($name, strlen($fieldNamePrefix)));
 $pathSegments = explode('.', $path);
- for ($i = 1; $i < count($pathSegments); $i++) {
+ $pathSegmentCount = count($pathSegments);
+ for ($i = 1; $i < $pathSegmentCount; $i++) {
 $possiblePathes[] = implode('.', array_slice($pathSegments, 0, $i));
 }
 }
@@ -357,7 +372,9 @@ public function calculateHiddenFields(string $content = null): array
 // A signed array of all properties the property mapper is allowed to convert from string to the target type
 // so no property mapping configuration is needed on the target controller
 //
- $hiddenFields[ $this->prefixFieldName('__trustedProperties', $fieldNamePrefix) ] = $this->mvcPropertyMappingConfigurationService->generateTrustedPropertiesToken($formFieldNames, $fieldNamePrefix);
+ if ($this->disableTrustedProperties !== true) {
+ $hiddenFields[$this->prefixFieldName('__trustedProperties', $fieldNamePrefix)] = $this->mvcPropertyMappingConfigurationService->generateTrustedPropertiesToken($formFieldNames, $fieldNamePrefix);
+ }
 
 return $hiddenFields;
 }
diff --git a/Classes/FusionObjects/FormDefinitionImplementation.php b/Classes/FusionObjects/FormDefinitionImplementation.php
index c6a8dfe..ec2f513 100644
--- a/Classes/FusionObjects/FormDefinitionImplementation.php
+++ b/Classes/FusionObjects/FormDefinitionImplementation.php
@@ -67,6 +67,23 @@ protected function getEncoding(): ?string
 {
 return $this->fusionValue('encoding');
 }
+
+ /**
+ * @return bool
+ */
+ protected function getDisableReferrer(): bool
+ {
+ return (bool)$this->fusionValue('disableReferrer');
+ }
+
+ /**
+ * @return bool
+ */
+ protected function getDisableTrustedProperties(): bool
+ {
+ return (bool)$this->fusionValue('disableTrustedProperties');
+ }
+
 /**
 * @return Form
 */
@@ -78,6 +95,8 @@ public function evaluate(): Form
 $target = $this->getTarget();
 $method = $this->getMethod();
 $encoding = $this->getEncoding();
+ $disableReferrer = $this->getDisableReferrer();
+ $disableTrustedProperties = $this->getDisableTrustedProperties();
 
 return new Form(
 $request,
@@ -85,7 +104,9 @@ public function evaluate(): Form
 $namespace,
 $target,
 $method,
- $encoding
+ $encoding,
+ $disableReferrer,
+ $disableTrustedProperties
 );
 }
 }
diff --git a/Classes/Runtime/FusionObjects/RuntimeFormImplementation.php b/Classes/Runtime/FusionObjects/RuntimeFormImplementation.php
index 643c68f..b6415a1 100644
--- a/Classes/Runtime/FusionObjects/RuntimeFormImplementation.php
+++ b/Classes/Runtime/FusionObjects/RuntimeFormImplementation.php
@@ -132,13 +132,17 @@ public function evaluate(): string
 protected function renderForm(ProcessInterface $process, ActionRequest $formRequest, array $attributes)
 {
 $data = $process->getData();
+
+ // @todo adjust after raising min php version to 8+
+ // new Form(request:$formRequest, data: $data, method: 'post', encoding:'multipart/form-data', disableReferrer: true);
 $form = new Form(
 $formRequest,
 $data,
 null,
 null,
 'post',
- 'multipart/form-data'
+ 'multipart/form-data',
+ true
 );
 
 $context = $this->runtime->getCurrentContext();
diff --git a/Documentation/FusionReference.rst b/Documentation/FusionReference.rst
index b2631cc..cc4c4d9 100644
--- a/Documentation/FusionReference.rst
+++ b/Documentation/FusionReference.rst
@@ -24,6 +24,8 @@ In addition the form component will also: :form.target: (string, default to `Neos.Fusion:UriBuilder`) The target uri the form will be sent to. :form.method: (string, default to `post`) The form method. :form.encoding: (string, default to `multipart/form-data` when `form.method` == `post`) The form enctype `multipart/form.data` is required for file-uploads.:attributes: (string), all props are rendered as attributes to the form tag +:form.disableReferrer: (bool, defaults to false) Disable generation of hidden `__referrer` fields. Can be used when the `method` is `get` or no flow validation is used +:form.disableTrustedProperties: (bool, defaults to false) Disable generation of hidden `__trustedProperties` fields. Can be used when flow property mapping is not in use :attributes: (`Neos.Fusion:DataStructure`_) form attributes, will override all automatically rendered ones :content: (string, defaults to '') afx content with the form controls @@ -281,6 +283,8 @@ The Form component is a base prototype for rendering forms in afx. The prototype :form.target: (string, default to `Neos.Fusion:UriBuilder`) The target uri the form will be sent to. :form.method: (string, default to `post`) The form method. :form.encoding: (string, default to `multipart/form-data` when `form.method` == `post`) The form enctype `multipart/form.data` is required for file-uploads. +:form.disableReferrer: (bool, defaults to false) Disable generation of hidden `__referrer` fields. Can be used when the `method` is `get` or no flow validation is used +:form.disableTrustedProperties: (bool, defaults to false) Disable generation of hidden `__trustedProperties` fields. Can be used when flow property mapping is not in use :attributes: (`Neos.Fusion:DataStructure`_) form attributes, will override all automatically rendered ones :content: (string) form content, supported where needed 
@@ -330,6 +334,8 @@ by the `Neos.Fusion.Form:Component.Form`_ prototype. :target: (string, default to `Neos.Fusion:UriBuilder`) The target uri the form will be sent to. :method: (string, default to `post`) The form method. :encoding: (string, default to `multipart/form-data` when `form.method` == `post`) The form enctype `multipart/form.data` is required for file-uploads. +:disableReferrer: (bool, defaults to false) Disable generation of hidden `__referrer` fields. Can be used when the `method` is `get` or no flow validation is used +:disableTrustedProperties: (bool, defaults to false) Disable generation of hidden `__trustedProperties` fields. Can be used when flow property mapping is not in use Neos.Fusion.Form:Definition.Field --------------------------------- diff --git a/Resources/Private/Fusion/Prototypes/Definition/Form.fusion b/Resources/Private/Fusion/Prototypes/Definition/Form.fusion index 8e2a4a3..cee246c 100644 --- a/Resources/Private/Fusion/Prototypes/Definition/Form.fusion +++ b/Resources/Private/Fusion/Prototypes/Definition/Form.fusion @@ -9,6 +9,8 @@ prototype(Neos.Fusion.Form:Definition.Form) { target = ${PropTypes.string} method = ${PropTypes.string} encoding = ${PropTypes.string} + disableReferrer = ${PropTypes.boolean} + disableTrustedProperties = ${PropTypes.boolean} } request = ${request} @@ -17,4 +19,6 @@ prototype(Neos.Fusion.Form:Definition.Form) { target = Neos.Fusion:UriBuilder method = 'post' encoding = ${(String.toLowerCase(this.method) == 'post') ? 'multipart/form-data' : null} + disableReferrer = false + disableTrustedProperties = false } diff --git a/Tests/Functional/FormTest.php b/Tests/Functional/FormTest.php index debcde9..f1ac2bc 100644 --- a/Tests/Functional/FormTest.php +++ b/Tests/Functional/FormTest.php 
@@ -26,7 +26,7 @@ public function setUp(): void /** * @return Form */ - protected function createForm(): Form + protected function createForm(ActionRequest $request = null, $data = null, ?string $namespace = null, ?string $target = null, ?string $method = "get", ?string $encoding = null, bool $disableReferrer = false, bool $disableTrustedProperties = false): Form { $reflector = new \ReflectionClass(Form::class); $form = $reflector->newInstanceArgs(func_get_args()); @@ -81,6 +81,19 @@ public function calculateHiddenFieldsReturnsOnlyTrustedPropertiesTokenIfNoFormOr $this->assertEquals($expectation, $hiddenFields); } + /** + * @test + */ + public function calculateHiddenFieldsWillSkipTrustedPropertiesTokenIfDisabled() + { + // @todo once php 8 is min version adjust to `$this->createForm(disableTrustedProperties: true);` + $form = $this->createForm(null, null, null, null, null, null, false, true); + $this->mvcPropertyMappingConfigurationService->expects($this->never())->method('generateTrustedPropertiesToken'); + + $hiddenFields = $form->calculateHiddenFields(null); + $this->assertArrayNotHasKey('__trustedProperties', $hiddenFields); + } + /** * @test */ 
@@ -238,7 +251,72 @@ public function calculateHiddenFieldsAddsReferrerFieldsIfFormWithActionRequestIs /** * @test */ - public function calculateHiddenFieldsAddsReferrerFieldsIfFormWithNestedActionRequestIsGiven() + public function calculateHiddenFieldsDoesNotAddsReferrerFieldsIfFormWithActionRequestWhenDisabled() + { + $request = $this->getMockBuilder(ActionRequest::class)->disableOriginalConstructor()->getMock(); + $request->method('getControllerPackageKey')->willReturn('Vendor.Example'); + $request->method('getControllerSubpackageKey')->willReturn('Application'); + $request->method('getControllerName')->willReturn('Main'); + $request->method('getControllerActionName')->willReturn('List'); + $request->method('isMainRequest')->willReturn(true); + $request->method('getArguments')->willReturn([]); + $request->method('getArgumentNamespace')->willReturn(''); + + // @todo adjust to $this->createForm(request: $request, disableReferrer: true); once php 8 is min version + $form = $this->createForm($request, null, null, null, null, null, true); + + $hiddenFields = $form->calculateHiddenFields(null); + + $this->assertArrayNotHasKey('__referrer[@package]', $hiddenFields); + $this->assertArrayNotHasKey('__referrer[@subpackage]', $hiddenFields); + $this->assertArrayNotHasKey('__referrer[@controller]', $hiddenFields); + $this->assertArrayNotHasKey('__referrer[@action]', $hiddenFields); + $this->assertArrayNotHasKey('__referrer[arguments]', $hiddenFields); + } + + /** + * @test + */ + public function calculateHiddenFieldsDoesNotAddReferrerFieldsIfFormWithNestedActionRequestWhenDisabled() + { + $parentRequest = $this->getMockBuilder(ActionRequest::class)->disableOriginalConstructor()->getMock(); + $parentRequest->method('getControllerPackageKey')->willReturn('Vendor.Foo'); + $parentRequest->method('getControllerSubpackageKey')->willReturn('Application'); + $parentRequest->method('getControllerName')->willReturn('Parent'); + 
$parentRequest->method('getControllerActionName')->willReturn('Something'); + $parentRequest->method('isMainRequest')->willReturn(true); + + $request = $this->getMockBuilder(ActionRequest::class)->disableOriginalConstructor()->getMock(); + $request->method('getControllerPackageKey')->willReturn('Vendor.Bar'); + $request->method('getControllerSubpackageKey')->willReturn(''); + $request->method('getControllerName')->willReturn('Child'); + $request->method('getControllerActionName')->willReturn('SomethingElse'); + $request->method('getArgumentNamespace')->willReturn('childNamespace'); + $request->method('isMainRequest')->willReturn(false); + $request->method('getParentRequest')->willReturn($parentRequest); + + $form = $this->createForm($request, null, null, null, null, null, true); + + $hiddenFields = $form->calculateHiddenFields(null); + + $this->assertArrayNotHasKey('__referrer[@package]', $hiddenFields); + $this->assertArrayNotHasKey('__referrer[@subpackage]', $hiddenFields); + $this->assertArrayNotHasKey('__referrer[@controller]', $hiddenFields); + $this->assertArrayNotHasKey('__referrer[@action]', $hiddenFields); + + $this->assertArrayNotHasKey('childNamespace[__referrer][@package]', $hiddenFields); + $this->assertArrayNotHasKey('childNamespace[__referrer][@subpackage]', $hiddenFields); + $this->assertArrayNotHasKey('childNamespace[__referrer][@controller]', $hiddenFields); + $this->assertArrayNotHasKey('childNamespace[__referrer][@action]', $hiddenFields); + + $this->assertArrayNotHasKey('__referrer[arguments]', $hiddenFields); + $this->assertArrayNotHasKey('childNamespace[__referrer][arguments]', $hiddenFields); + } + + /** + * @test + */ + public function calculateHiddenFieldsAddsReferrerFieldsIfFormWithNestedActionRequest() { $parentRequest = $this->getMockBuilder(ActionRequest::class)->disableOriginalConstructor()->getMock(); $parentRequest->method('getControllerPackageKey')->willReturn('Vendor.Foo'); 
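Review bot: The new test name `calculateHiddenFieldsDoesNotAddsReferrerFieldsIfFormWithActionRequestWhenDisabled` carries a grammatical slip (`DoesNotAdds`) that its sibling `calculateHiddenFieldsDoesNotAddReferrerFieldsIfFormWithNestedActionRequestWhenDisabled` in the same hunk gets right; rename it to `calculateHiddenFieldsDoesNotAddReferrerFieldsIfFormWithActionRequestWhenDisabled` so the two read as a pair. Both tests only assert on absent `__referrer` keys; a `$this->hashService->expects($this->never())->method('appendHmac');` line in each would additionally pin that the signing step inside the skipped branch is never reached.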
@@ -319,6 +397,52 @@ public function calculateHiddenFieldsAddsReferrerFieldArgumentsIfFormWithNestedA $this->assertEquals('--argumentsWithHmac--', $hiddenFields['childNamespace[__referrer][arguments]']); } + /** + * @test + */ + public function calculateHiddenFieldsDoesNotAddReferrerFieldArgumentsIfFormWithNestedActionRequestWhenDisabled() + { + $childRequestArguments = ['foo' => 456, 'bar' => 'another string']; + $parentRequestArguments = ['foo' => 123, 'bar' => 'string']; + $parentWithChildRequestArguments = array_merge($parentRequestArguments, ['childNamespace' => $childRequestArguments]); + + $parentRequest = $this->getMockBuilder(ActionRequest::class)->disableOriginalConstructor()->getMock(); + $parentRequest->method('getControllerPackageKey')->willReturn('Vendor.Foo'); + $parentRequest->method('getControllerSubpackageKey')->willReturn('Application'); + $parentRequest->method('getControllerName')->willReturn('Parent'); + $parentRequest->method('getControllerActionName')->willReturn('Something'); + $parentRequest->method('getArguments')->willReturn($parentWithChildRequestArguments); + $parentRequest->method('getArgumentNamespace')->willReturn(''); + $parentRequest->method('isMainRequest')->willReturn(true); + + $request = $this->getMockBuilder(ActionRequest::class)->disableOriginalConstructor()->getMock(); + $request->method('getControllerPackageKey')->willReturn('Vendor.Bar'); + $request->method('getControllerSubpackageKey')->willReturn(''); + $request->method('getControllerName')->willReturn('Child'); + $request->method('getControllerActionName')->willReturn('SomethingElse'); + $request->method('getArguments')->willReturn($childRequestArguments); + $request->method('getArgumentNamespace')->willReturn('childNamespace'); + $request->method('isMainRequest')->willReturn(false); + $request->method('getParentRequest')->willReturn($parentRequest); + + // only arguments in each requests namespace are passed to the hashing service + // so for the parent request the 
child request namespace is excluded
+ $this->hashService
+ ->method('appendHmac')
+ ->withConsecutive(
+ [base64_encode(serialize($childRequestArguments))],
+ [base64_encode(serialize($parentRequestArguments))]
+ )
+ ->willReturn('--argumentsWithHmac--');
+
+ // @todo adjust to $this->createForm(request: $request, disableReferrer: true); once php 8 is min version
+ $form = $this->createForm($request, null, null, null, null, null, true);
+ $hiddenFields = $form->calculateHiddenFields(null);
+
+ $this->assertArrayNotHasKey('__referrer[arguments]', $hiddenFields);
+ $this->assertArrayNotHasKey('childNamespace[__referrer][arguments]', $hiddenFields);
+ }
+
 /**
 * @test
 */

From 6ac57cbf350f68d96c356f0a667d74a77a4ba370 Mon Sep 17 00:00:00 2001
From: Martin Ficzel
Date: Thu, 2 May 2024 17:09:35 +0200
Subject: [PATCH 2/2] TASK: Use enable instead of disable flags

---
 Classes/Domain/Form.php | 18 +++++++++---------
 .../FormDefinitionImplementation.php | 16 ++++++++--------
 .../RuntimeFormImplementation.php | 3 ++-
 Documentation/FusionReference.rst | 12 ++++++------
 .../Fusion/Prototypes/Definition/Form.fusion | 8 ++++----
 Tests/Functional/FormTest.php | 10 +++++-----
 6 files changed, 34 insertions(+), 33 deletions(-)

diff --git a/Classes/Domain/Form.php b/Classes/Domain/Form.php
index 66c45a5..c1f5616 100644
--- a/Classes/Domain/Form.php
+++ b/Classes/Domain/Form.php
@@ -69,12 +69,12 @@ class Form extends AbstractFormObject
 /**
 * @var bool
 */
- protected $disableReferrer;
+ protected $enableReferrer;
 
 /**
 * @var bool
 */
- protected $disableTrustedProperties;
+ protected $enableTrustedProperties;
 
 /**
 * @var string|null
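Review bot: In `calculateHiddenFieldsDoesNotAddReferrerFieldArgumentsIfFormWithNestedActionRequestWhenDisabled` the `$this->hashService->method('appendHmac')->withConsecutive(...)` stub is set up with the two serialized argument payloads, and the comment above it explains the per-namespace filtering, although the whole point of the test is that the referrer branch that does the signing is skipped. Without an `expects(...)` the stub neither verifies nor fails, so a regression that re-enters the branch would go unnoticed while the test still passes on its `assertArrayNotHasKey` lines. Replace the stub and its comment with an explicit expectation, mirroring the trusted-properties test earlier in the file: `$this->hashService->expects($this->never())->method('appendHmac');`.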
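Review bot: The renamed properties `$enableReferrer` and `$enableTrustedProperties` still carry nothing but `@var bool`, so a reader of `Form` cannot tell what switching either one off costs; the docblocks have been bare since the first patch introduced them (`@@ -66,6 +66,16`). The information is already on the page, in the comments inside `calculateHiddenFields()` and in the FusionReference entries, and belongs next to the flags: `@var bool Render the hidden __referrer fields used to forward a failed submission back to the previous request; disable for GET forms or targets without Flow validation` and `@var bool Render the signed __trustedProperties token that lets the target controller map the submitted fields without its own property-mapping configuration; disable when Flow property mapping is not used`.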
@@ -99,10 +99,10 @@ class Form extends AbstractFormObject
 * @param string|null $target
 * @param string|null $method
 * @param string|null $encoding
- * @param bool $disableReferrer
- * @param bool $disableTrustedProperties
+ * @param bool $enableReferrer
+ * @param bool $enableTrustedProperties
 */
- public function __construct(ActionRequest $request = null, $data = null, ?string $namespace = null, ?string $target = null, ?string $method = "get", ?string $encoding = null, bool $disableReferrer = false, bool $disableTrustedProperties = false)
+ public function __construct(ActionRequest $request = null, $data = null, ?string $namespace = null, ?string $target = null, ?string $method = "get", ?string $encoding = null, bool $enableReferrer = true, bool $enableTrustedProperties = true)
 {
 $this->request = $request;
 $this->data = $data;
@@ -110,8 +110,8 @@ public function __construct(ActionRequest $request = null, $data = null, ?string
 $this->target = $target;
 $this->method = $method;
 $this->encoding = $encoding;
- $this->disableReferrer = $disableReferrer;
- $this->disableTrustedProperties = $disableTrustedProperties;
+ $this->enableReferrer = $enableReferrer;
+ $this->enableTrustedProperties = $enableTrustedProperties;
 
 // determine submitted values and result from request
 /** @phpstan-ignore-next-line the return type of $request->getInternalArgument is misleading */
@@ -259,7 +259,7 @@ public function calculateHiddenFields(string $content = null): array
 // forwarded to the previous request where the __submittedArguments and
 // __submittedArgumentValidationResults can be handled from Form.createField or custom logic.
 //
- if ($request && ($this->disableReferrer !== true)) {
+ if ($request && ($this->enableReferrer === true)) {
 $childRequestArgumentNamespace = null;
 while ($request instanceof ActionRequest) {
 $requestArgumentNamespace = $request->getArgumentNamespace();
@@ -372,7 +372,7 @@ public function calculateHiddenFields(string $content = null): array
 // A signed array of all properties the property mapper is allowed to convert from string to the target type
 // so no property mapping configuration is needed on the target controller
 //
- if ($this->disableTrustedProperties !== true) {
+ if ($this->enableTrustedProperties === true) {
 $hiddenFields[$this->prefixFieldName('__trustedProperties', $fieldNamePrefix)] = $this->mvcPropertyMappingConfigurationService->generateTrustedPropertiesToken($formFieldNames, $fieldNamePrefix);
 }
 
diff --git a/Classes/FusionObjects/FormDefinitionImplementation.php b/Classes/FusionObjects/FormDefinitionImplementation.php
index ec2f513..0bfd2f6 100644
--- a/Classes/FusionObjects/FormDefinitionImplementation.php
+++ b/Classes/FusionObjects/FormDefinitionImplementation.php
@@ -71,17 +71,17 @@ protected function getEncoding(): ?string
 /**
 * @return bool
 */
- protected function getDisableReferrer(): bool
+ protected function getEnableReferrer(): bool
 {
- return (bool)$this->fusionValue('disableReferrer');
+ return (bool)$this->fusionValue('enableReferrer');
 }
 
 /**
 * @return bool
 */
- protected function getDisableTrustedProperties(): bool
+ protected function getEnableTrustedProperties(): bool
 {
- return (bool)$this->fusionValue('disableTrustedProperties');
+ return (bool)$this->fusionValue('enableTrustedProperties');
 }
 
 /**
@@ -95,8 +95,8 @@ public function evaluate(): Form
 $target = $this->getTarget();
 $method = $this->getMethod();
 $encoding = $this->getEncoding();
- $disableReferrer = $this->getDisableReferrer();
- $disableTrustedProperties = $this->getDisableTrustedProperties();
+ $enableReferrer = $this->getEnableReferrer();
+ $enableTrustedProperties = $this->getEnableTrustedProperties();
 
 return new Form(
 $request,
@@ -105,8 +105,8 @@ public function evaluate(): Form
 $target,
 $method,
 $encoding,
- $enableReferrer,
- $disableTrustedProperties
+ $enableReferrer,
+ $enableTrustedProperties
 );
 }
 }
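Review bot: The comment block above `if ($this->enableTrustedProperties === true)` still describes the token as always emitted ("so no property mapping configuration is needed on the target controller") and says nothing about the branch that now skips it, so the reader has to go to FusionReference.rst to learn when the token is absent. Add a line to that block, `// Skipped when enableTrustedProperties is false, i.e. when the target does not rely on Flow property mapping`. `calculateHiddenFields()` begins and ends outside this hunk.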
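Review bot: `return (bool)$this->fusionValue('enableReferrer');` in `getEnableReferrer()`, and the same cast in `getEnableTrustedProperties()`, turns a null or unset Fusion value into `false`, so after the switch to enable-flags a missing value now silently drops the `__referrer` fields and the `__trustedProperties` token, the opposite failure mode of the first patch where a missing `disable*` value kept both. The `Definition.Form` prototype sets both defaults to `true`, but as far as I can tell any prototype that does not inherit those defaults, or an expression that evaluates to null, would opt out of the tokens without anyone asking for it. Treat only an explicit `false` as opting out: `return $this->fusionValue('enableReferrer') !== false;` and `return $this->fusionValue('enableTrustedProperties') !== false;`.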
diff --git a/Classes/Runtime/FusionObjects/RuntimeFormImplementation.php b/Classes/Runtime/FusionObjects/RuntimeFormImplementation.php
index b6415a1..f85dfe7 100644
--- a/Classes/Runtime/FusionObjects/RuntimeFormImplementation.php
+++ b/Classes/Runtime/FusionObjects/RuntimeFormImplementation.php
@@ -134,7 +134,7 @@ protected function renderForm(ProcessInterface $process, ActionRequest $formRequ
 $data = $process->getData();
 
 // @todo adjust after raising min php version to 8+
- // new Form(request:$formRequest, data: $data, method: 'post', encoding:'multipart/form-data', disableReferrer: true);
+ // new Form(request:$formRequest, data: $data, method: 'post', encoding:'multipart/form-data', enableReferrer: false);
 $form = new Form(
 $formRequest,
 $data,
@@ -142,6 +142,7 @@ protected function renderForm(ProcessInterface $process, ActionRequest $formRequ
 null,
 'post',
 'multipart/form-data',
+ false,
 true
 );
 
diff --git a/Documentation/FusionReference.rst b/Documentation/FusionReference.rst
index cc4c4d9..253f9b4 100644
--- a/Documentation/FusionReference.rst
+++ b/Documentation/FusionReference.rst
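Review bot: The `new Form(...)` call now ends in two bare positional booleans, `false, true`, whose meaning is only recoverable from the commented-out named-argument line above it or by counting constructor parameters. Until that `@todo` is resolved, label them where they are passed: `false, // enableReferrer: the runtime form never redirects back to the referrer` and `true // enableTrustedProperties`. The trailing `true` also equals the constructor default, so it could be dropped, in which case the comment on the `false` line should say that trusted properties stay on. `renderForm()`'s signature and the rest of its body lie outside these hunks.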
@@ -24,8 +24,8 @@ In addition the form component will also: :form.target: (string, default to `Neos.Fusion:UriBuilder`) The target uri the form will be sent to. :form.method: (string, default to `post`) The form method. :form.encoding: (string, default to `multipart/form-data` when `form.method` == `post`) The form enctype `multipart/form.data` is required for file-uploads.:attributes: (string), all props are rendered as attributes to the form tag -:form.disableReferrer: (bool, defaults to false) Disable generation of hidden `__referrer` fields. Can be used when the `method` is `get` or no flow validation is used -:form.disableTrustedProperties: (bool, defaults to false) Disable generation of hidden `__trustedProperties` fields. Can be used when flow property mapping is not in use +:form.enableReferrer: (bool, defaults to true) Enable the generation of hidden `__referrer` fields. Can be disabled when the `method` is `get` or no flow validation is used +:form.enableTrustedProperties: (bool, defaults to true) Enable the generation of hidden `__trustedProperties` fields. Can be disabled when flow property mapping is not in use :attributes: (`Neos.Fusion:DataStructure`_) form attributes, will override all automatically rendered ones :content: (string, defaults to '') afx content with the form controls 
@@ -283,8 +283,8 @@ The Form component is a base prototype for rendering forms in afx. The prototype :form.target: (string, default to `Neos.Fusion:UriBuilder`) The target uri the form will be sent to. :form.method: (string, default to `post`) The form method. :form.encoding: (string, default to `multipart/form-data` when `form.method` == `post`) The form enctype `multipart/form.data` is required for file-uploads. -:form.disableReferrer: (bool, defaults to false) Disable generation of hidden `__referrer` fields. Can be used when the `method` is `get` or no flow validation is used -:form.disableTrustedProperties: (bool, defaults to false) Disable generation of hidden `__trustedProperties` fields. Can be used when flow property mapping is not in use +:form.enableReferrer: (bool, defaults to true) Enable the generation of hidden `__referrer` fields. Can be disabled when the `method` is `get` or no flow validation is used +:form.enableTrustedProperties: (bool, defaults to true) Enable the generation of hidden `__trustedProperties` fields. Can be disabled when flow property mapping is not in use :attributes: (`Neos.Fusion:DataStructure`_) form attributes, will override all automatically rendered ones :content: (string) form content, supported where needed 
@@ -334,8 +334,8 @@ by the `Neos.Fusion.Form:Component.Form`_ prototype. :target: (string, default to `Neos.Fusion:UriBuilder`) The target uri the form will be sent to. :method: (string, default to `post`) The form method. :encoding: (string, default to `multipart/form-data` when `form.method` == `post`) The form enctype `multipart/form.data` is required for file-uploads. -:disableReferrer: (bool, defaults to false) Disable generation of hidden `__referrer` fields. Can be used when the `method` is `get` or no flow validation is used -:disableTrustedProperties: (bool, defaults to false) Disable generation of hidden `__trustedProperties` fields. Can be used when flow property mapping is not in use +:enableReferrer: (bool, defaults to true) Enable the generation of hidden `__referrer` fields. Can be disabled when the `method` is `get` or no flow validation is used +:enableTrustedProperties: (bool, defaults to true) Enable the generation of hidden `__trustedProperties` fields. Can be disabled when flow property mapping is not in use Neos.Fusion.Form:Definition.Field --------------------------------- diff --git a/Resources/Private/Fusion/Prototypes/Definition/Form.fusion b/Resources/Private/Fusion/Prototypes/Definition/Form.fusion index cee246c..d40852d 100644 --- a/Resources/Private/Fusion/Prototypes/Definition/Form.fusion +++ b/Resources/Private/Fusion/Prototypes/Definition/Form.fusion @@ -9,8 +9,8 @@ prototype(Neos.Fusion.Form:Definition.Form) { target = ${PropTypes.string} method = ${PropTypes.string} encoding = ${PropTypes.string} - disableReferrer = ${PropTypes.boolean} - disableTrustedProperties = ${PropTypes.boolean} + enableReferrer = ${PropTypes.boolean} + enableTrustedProperties = ${PropTypes.boolean} } request = ${request} 
@@ -19,6 +19,6 @@ prototype(Neos.Fusion.Form:Definition.Form) { target = Neos.Fusion:UriBuilder method = 'post' encoding = ${(String.toLowerCase(this.method) == 'post') ? 'multipart/form-data' : null} - disableReferrer = false - disableTrustedProperties = false + enableReferrer = true + enableTrustedProperties = true } diff --git a/Tests/Functional/FormTest.php b/Tests/Functional/FormTest.php index f1ac2bc..bc47f15 100644 --- a/Tests/Functional/FormTest.php +++ b/Tests/Functional/FormTest.php @@ -26,7 +26,7 @@ public function setUp(): void /** * @return Form */ - protected function createForm(ActionRequest $request = null, $data = null, ?string $namespace = null, ?string $target = null, ?string $method = "get", ?string $encoding = null, bool $disableReferrer = false, bool $disableTrustedProperties = false): Form + protected function createForm(ActionRequest $request = null, $data = null, ?string $namespace = null, ?string $target = null, ?string $method = "get", ?string $encoding = null, bool $enableReferrer = true, bool $enableTrustedProperties = true): Form { $reflector = new \ReflectionClass(Form::class); $form = $reflector->newInstanceArgs(func_get_args()); @@ -87,7 +87,7 @@ public function calculateHiddenFieldsReturnsOnlyTrustedPropertiesTokenIfNoFormOr public function calculateHiddenFieldsWillSkipTrustedPropertiesTokenIfDisabled() { // @todo once php 8 is min version adjust to `$this->createForm(disableTrustedProperties: true);` - $form = $this->createForm(null, null, null, null, null, null, false, true); + $form = $this->createForm(null, null, null, null, null, null, true, false); $this->mvcPropertyMappingConfigurationService->expects($this->never())->method('generateTrustedPropertiesToken'); $hiddenFields = $form->calculateHiddenFields(null); 
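Review bot: The context line `// @todo once php 8 is min version adjust to `$this->createForm(disableTrustedProperties: true);`` in hunk `@@ -87,7 +87,7` now names a parameter this patch removes, so the named-argument form it promises would not match the new `createForm()` signature; update it to `$this->createForm(enableTrustedProperties: false);`. The same stale `disableReferrer: true` todo survives as context in the hunks `@@ -263,7 +263,7` and `@@ -436,7 +436,7` of the same file and should read `enableReferrer: false`.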
@@ -263,7 +263,7 @@ public function calculateHiddenFieldsDoesNotAddsReferrerFieldsIfFormWithActionRe $request->method('getArgumentNamespace')->willReturn(''); // @todo adjust to $this->createForm(request: $request, disableReferrer: true); once php 8 is min version - $form = $this->createForm($request, null, null, null, null, null, true); + $form = $this->createForm($request, null, null, null, null, null, false); $hiddenFields = $form->calculateHiddenFields(null); @@ -295,7 +295,7 @@ public function calculateHiddenFieldsDoesNotAddReferrerFieldsIfFormWithNestedAct $request->method('isMainRequest')->willReturn(false); $request->method('getParentRequest')->willReturn($parentRequest); - $form = $this->createForm($request, null, null, null, null, null, true); + $form = $this->createForm($request, null, null, null, null, null, false); $hiddenFields = $form->calculateHiddenFields(null); @@ -436,7 +436,7 @@ public function calculateHiddenFieldsDoesNotAddReferrerFieldArgumentsIfFormWithN ->willReturn('--argumentsWithHmac--'); // @todo adjust to $this->createForm(request: $request, disableReferrer: true); once php 8 is min version - $form = $this->createForm($request, null, null, null, null, null, true); + $form = $this->createForm($request, null, null, null, null, null, false); $hiddenFields = $form->calculateHiddenFields(null); $this->assertArrayNotHasKey('__referrer[arguments]', $hiddenFields);