From fd3b34c7e672b1fd906b1b4089f242cab4aa7df5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20R?=
Date: Tue, 14 May 2019 14:18:23 +0200
Subject: [PATCH] EZP-30161: Handle form token in both custom and also for historical reasons default value (#1431)
* EZP-30161: Handle form token in both custom and also for historical reasons default value
Since 5.0 FormToken code has been operating in two modes:
- Default pure legacy mode using `ezxform_token` as form name
- Symfony mode using `_token` as form name
Hoewever quite some legacy code hard codes the default name. In 5.x this inconsistancy was solved by setting Symfony to use `field_name: ezxform_token`
For Platform + legacy bridge that is no longer a good default, so this changes the logic so that ezxFormToken is cable of handling both at the same time.
* Apply suggestions from code review
Co-Authored-By: Gunnstein Lye
---
 extension/ezformtoken/event/ezxformtoken.php | 26 +++++++++++++++-----
 1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/extension/ezformtoken/event/ezxformtoken.php b/extension/ezformtoken/event/ezxformtoken.php
index e429bdfce79..e13416292fc 100755
--- a/extension/ezformtoken/event/ezxformtoken.php
+++ b/extension/ezformtoken/event/ezxformtoken.php
@@ -38,7 +38,7 @@ class ezxFormToken
 static protected $intention = 'legacy';
 /**
- * @var string
+ * @var string Custom Form field, by default set to system default form field (self::FORM_FIELD).
 */
 static protected $formField = self::FORM_FIELD;
@@ -90,6 +90,8 @@ static public function setIntention( $intention )
 }
 /**
+ * Get the custom form field.
+ *
 * @return string
 */
 static protected function getFormField()
@@ -98,6 +100,8 @@ static protected function getFormField()
 }
 /**
+ * Set the custom form field.
+ *
 * @param string $formField
 */
 static public function setFormField( $formField )
@@ -137,6 +141,11 @@ static public function input( eZURI $uri )
 {
 $token = $_POST[self::getFormField()];
 }
+ // For historical reasons also check the system default form field
+ else if ( !empty( $_POST[self::FORM_FIELD] ) )
+ {
+ $token = $_POST[self::FORM_FIELD];
+ }
 // allow ajax calls using POST with other formats than forms (such as
 // json or xml) to still validate using a custom http header
 else if ( !empty( $_SERVER['HTTP_X_CSRF_TOKEN'] ) )
@@ -188,19 +197,22 @@ static public function output( $templateResult, $filterForms = true )
 }
 $token = self::getToken();
- $field = self::getFormField();
+ $customfield = self::getFormField();
+ $defaultField = self::FORM_FIELD;
 $replaceKey = self::REPLACE_KEY;
 eZDebugSetting::writeDebug( 'ezformtoken', 'Output protected (all forms will be modified)', __METHOD__ );
+ // Inject token for programmatical use (also system default for historical reasons)
 // If document has head tag, insert in a html5 valid and semi standard way
 if ( strpos( $templateResult, '' ) !== false )
 {
 $templateResult = str_replace( '', "\n"
- . "\n"
- . "\n",
+ . "\n"
+ . "\n"
+ . ($defaultField !== $customfield ? "\n" : ''),
 $templateResult
 );
 }
@@ -209,16 +221,18 @@ static public function output( $templateResult, $filterForms = true )
 {
 $templateResult = preg_replace( '/(]*>)/i',
- '\\1' . "\n\n",
+ '\\1' . "\n\n"
+ . ($defaultField !== $customfield ? "\n\n" : ''),
 $templateResult
 );
 }
+ // For forms we set the custom field which will be sent back to this class and evaluated
 if ( $filterForms )
 {
 $templateResult = preg_replace( '/(]*\bmethod=(\'|"|)POST(\'|"|)\b[^>]*>)/i',
- '\\1' . "\n\n",
+ '\\1' . "\n\n",
 $templateResult
 );
 }
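Review bot: The new fallback reads the default field with `!empty()`, mirroring the custom-field branch above it, but nothing states which field wins when a request posts both: the custom field silently takes precedence and the default value is never looked at. Suggest making that explicit in the added comment: `// For historical reasons also accept the system default form field; the custom field above takes precedence when both are posted`. Whether the value taken from either field is then validated on the same path is decided after the hunk, since input() continues past it, so it is worth confirming the comparison is shared rather than per-field.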
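Review bot: `$customfield` on the first added line of the output() hunk breaks the camelCase used by its sibling `$defaultField` and the existing `$replaceKey`; it should be `$customField`. The `$defaultField !== $customfield` test is evaluated inline here and again in the `<body>` branch of the following hunk; computing it once next to the assignments, `$injectDefault = $defaultField !== $customfield;`, keeps the two injection paths from diverging. The new comment's "programmatical" should read "programmatic". output() starts before this hunk and ends after the next one.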
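Review bot: The comment added before `if ( $filterForms )` says forms get the custom field, but not why the default field is deliberately left out of the form injection while the head and body branches emit both; a reader may take it for an omission. Suggest: `// Forms only carry the custom field: input() also accepts the default field name, so legacy markup that hard codes it still validates (presumably this avoids posting the token twice)`. The enclosing output() ends outside the hunk.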