__toString() usage for rendering the compiled Fluid template breaks the concept of security exceptions
PHP does not allow exceptions to be thrown within a __toString() method. Therefore security exceptions don't work while rendering the Fluid template. We somehow have to call a method to render a node and not just concatenate the objects as strings and use the internal __toString() functionality. This is a really stupid PHP behaviour that is documented here: http://php.net/manual/en/migration52.incompatible.php
- Subject changed from __toString() usage for rendering in the compiled Fluid template breaks the concept of security exceptions to __toString() usage for rendering the compiled Fluid template breaks the concept of security exceptions
Do you have an example where objects are concatenated in a compiled template?
Ah sorry ;-) This is done in line 322 of the TemplateCompiler.
$initializationPhpCode .= sprintf('%s .= %s;', $outputVariableName, $converted['execution']) . chr(10);
- Target version changed from 1.0.0 to 1.0.1
- Target version changed from 1.0.1 to 1.0.2
- Target version changed from 1.0.2 to 1.0.3
- Target version changed from 1.0.3 to 1.0.4
- Target version changed from 1.0.4 to 1.0.5
- Status changed from New to Needs Feedback
I fear that I need more feedback in here.
Inside fluid, __toString is definitely never used.
Could it have something to do with the old TypoScript? If yes, that has quite surely been fixed with the new TS.
I'm currently checking this; you are probably right that this was only a problem with the old TS rendering.
I'll give you more feedback as soon as I have verified this.
- Status changed from Needs Feedback to Closed
After looking at it and discussing it once again with my colleague, this was probably fixed at some point along the way. When I created the issue, view helpers got rendered by an implicit cast of the VH object in a string concatenation. This seems not to be the case anymore; now initializeArgumentsAndRender() is called explicitly. Therefore I consider this issue not present anymore and close this ticket.
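The two render paths discussed in this ticket, side by side, as an added example (not code from Fluid or from this issue; `SecuredNode`, `AccessDeniedException` and both render functions are hypothetical names). It assumes the usual catch-and-return workaround, since before PHP 7.4 an exception leaving `__toString()` was a fatal error.

```php
<?php
// Added illustration; all class and function names are hypothetical.
class AccessDeniedException extends \RuntimeException {}

class SecuredNode
{
    private $allowed;

    public function __construct($allowed)
    {
        $this->allowed = $allowed;
    }

    // Explicit render path: the security exception reaches the caller.
    public function render()
    {
        if (!$this->allowed) {
            throw new AccessDeniedException('access denied while rendering node');
        }
        return '<p>protected content</p>';
    }

    // Implicit path taken by string concatenation. The exception must not
    // leave this method on PHP < 7.4, so it is caught and turned into a
    // string; the caller can no longer tell that access was denied.
    public function __toString()
    {
        try {
            return $this->render();
        } catch (\Exception $e) {
            return '';
        }
    }
}

// Mirrors the compiled-template pattern "$output .= <node>;".
function renderByConcatenation(array $nodes)
{
    $output = '';
    foreach ($nodes as $node) {
        $output .= $node; // implicit cast calls __toString()
    }
    return $output;
}

// Calls the render method explicitly, so exceptions propagate.
function renderExplicitly(array $nodes)
{
    $output = '';
    foreach ($nodes as $node) {
        $output .= $node->render();
    }
    return $output;
}

$nodes = [new SecuredNode(true), new SecuredNode(false)];
var_dump(renderByConcatenation($nodes)); // denial is silently dropped
try {
    renderExplicitly($nodes);
} catch (AccessDeniedException $e) {
    echo 'caught: ', $e->getMessage(), PHP_EOL;
}
```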