Bug #29603
__toString() usage for rendering the compiled Fluid template breaks the concept of security exceptions
Description
PHP does not allow throwing exceptions within a __toString() method. Therefore security exceptions don't work while rendering the Fluid template. We somehow have to call a method to render a node and not just concatenate the objects as strings and use the internal __toString() functionality. This is a really stupid PHP behaviour that is documented here: http://php.net/manual/en/migration52.incompatible.php
Updated by Andreas Förthner over 9 years ago
- Subject changed from __toString() usage for rendering in the compiled Fluid template breaks the concept of security exceptions to __toString() usage for rendering the compiled Fluid template breaks the concept of security exceptions
Updated by Bastian Waidelich over 9 years ago
Do you have an example where objects are concatenated in a compiled template?
Updated by Andreas Förthner over 9 years ago
Ah sorry ;-) This is done in line 322 of the TemplateCompiler.
$initializationPhpCode .= sprintf('%s .= %s;', $outputVariableName, $converted['execution']) . chr(10);
Updated by Sebastian Kurfuerst over 8 years ago
- Status changed from New to Needs Feedback
I fear that I need more feedback in here.
Inside fluid, __toString is definitely never used.
Could it have something to do with the old TypoScript? If yes, that has quite surely been fixed with the new TS.
Updated by Andreas Förthner over 8 years ago
Hi Sebastian,
I'm currently checking this; you are probably right that this was only a problem with the old TS rendering.
I'll give you more feedback as soon as I have verified this.
Updated by Andreas Förthner over 8 years ago
- Status changed from Needs Feedback to Closed
After looking at it and discussing it once again with my colleague, this was probably fixed at some point along the way. When I created the issue, view helpers got rendered by an implicit cast of the VH object in a string concatenation. This seems not to be the case anymore; now initializeArgumentsAndRender() is called explicitly. Therefore I consider this issue not present anymore and close this ticket.
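The difference this ticket turns on, as an added example that is not part of the original thread or of Fluid's code: a node whose rendering can raise a security exception, rendered through an explicit method call so the exception reaches the handler. The names AccessDeniedException, SecuredNode and renderExplicitly are hypothetical; before PHP 7.4 an exception leaving __toString() caused a fatal error instead of propagating.

```php
<?php
// Added illustration; class and function names are hypothetical, not Fluid's.

final class AccessDeniedException extends RuntimeException {}

final class SecuredNode
{
    private $allowed;

    public function __construct(bool $allowed)
    {
        $this->allowed = $allowed;
    }

    // Explicit render path: an ordinary method, so the exception propagates.
    public function render(): string
    {
        if (!$this->allowed) {
            throw new AccessDeniedException('Access denied while rendering node');
        }
        return '<p>protected content</p>';
    }

    // Implicit path, invoked by string concatenation or casts. Before
    // PHP 7.4 an exception escaping from here became a fatal error and
    // never reached a catch block, so the security layer could not react.
    public function __toString(): string
    {
        return $this->render();
    }
}

// Compiled-template style: each node is rendered through an explicit call
// rather than by concatenating the object itself ($output .= $node).
function renderExplicitly(array $nodes): string
{
    $output = '';
    foreach ($nodes as $node) {
        $output .= $node->render();
    }
    return $output;
}

try {
    echo renderExplicitly([new SecuredNode(true), new SecuredNode(false)]);
} catch (AccessDeniedException $e) {
    // The security exception arrives intact and can be handled (403, login).
    echo 'Handled: ' . $e->getMessage() . PHP_EOL;
}
```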