Bug #63576
closed
Remove RemoveXssFilter in form as it didn't worked since 6.0
100%
Description
Since the change https://review.typo3.org/#/c/14178/1/typo3/sysext/form/Classes/Domain/Factory/TypoScriptFactory.php RemoveXss class can't instantiated any more. So this not save RemoveXss can be removed. It works with blacklisting which isn't really secure.
Updated by Helmut Hummel over 9 years ago
additionally, all filters are currently broken in master, as the needed aliases were moved to the compatibility6 extension
the lowercase variants of all filters (and other resolved class names) need to be moved to a ext_autoload.php in ext form
Updated by Helmut Hummel over 9 years ago
\TYPO3\CMS\Form\Domain\Model\Attribute\AcceptcharsetAttribute::class \TYPO3\CMS\Form\Domain\Model\Element\CheckboxgroupElement::class \TYPO3\CMS\Form\Domain\Model\Element\RadiogroupElement::class \TYPO3\CMS\Form\Domain\Model\Json\CheckboxgroupJsonElement::class \TYPO3\CMS\Form\Domain\Model\Json\RadiogroupJsonElement::class \TYPO3\CMS\Form\Filter\RegexpFilter::class \TYPO3\CMS\Form\Filter\RemovexssFilter::class \TYPO3\CMS\Form\Filter\StripnewlinesFilter::class \TYPO3\CMS\Form\Filter\TitlecaseFilter::class \TYPO3\CMS\Form\Filter\UppercaseFilter::class \TYPO3\CMS\Form\Validation\FileallowedtypesValidator::class \TYPO3\CMS\Form\Validation\FilemaximumsizeValidator::class \TYPO3\CMS\Form\Validation\FileminimumsizeValidator::class \TYPO3\CMS\Form\Validation\GreaterthanValidator::class \TYPO3\CMS\Form\Validation\InarrayValidator::class \TYPO3\CMS\Form\Validation\RegexpValidator::class \TYPO3\CMS\Form\View\Confirmation\Element\CheckboxgroupElementView::class \TYPO3\CMS\Form\View\Confirmation\Element\RadiogroupElementView::class \TYPO3\CMS\Form\View\Form\Element\CheckboxgroupElementView::class \TYPO3\CMS\Form\View\Form\Element\RadiogroupElementView::class \TYPO3\CMS\Form\View\Mail\Html\Element\CheckboxgroupElementView::class \TYPO3\CMS\Form\View\Mail\Html\Element\RadiogroupElementView::class \TYPO3\CMS\Form\View\Mail\Plain\Element\CheckboxgroupElementView::class \TYPO3\CMS\Form\View\Mail\Plain\Element\RadiogroupElementView::class
these lines need to be removed from compatibility6 and moved to ext_autoload.php in ext form for it to work properly
Updated by Alexander Opitz over 9 years ago
The issue is in FilterUtility::createFilter(). The "strtolower" function call their will change a request to "removeXss" into "removexss", later on ucfirst and string concatenation will change this to RemovexssFilter.
And why does it work till 6.2?
Why does the hell isn't shown in PHPUnit runs in spite of it is used in constructor of TYPO3\CMS\Form\Utility\FilterUtility ?
Part 1 compatibility6 extension:
A run of
phpunit -c typo3/sysext/core/Build/UnitTests.xml
will include the sysext/compatibility6/Migrations/Code/ClassAliasMap.php which defines an alias from old
'tx_form_System_Filter_Removexss' => \TYPO3\CMS\Form\Filter\RemoveXssFilter::class,
to new name. That's not critical and as you see RemoveXssFilter is written correctly.
Part 2 core ClassLoader:
The alias mapping from compatible6 lets create (if not exists) a cache entry. The entry them self is identified by its real class name.
This identifier will be created with strtolower(str_replace('\\', '_', $className)). So the cache entry looks like
typo3_cms_form_filter_removexssfilter = array(
[0] => 'typo3/sysext/form/Classes/Filter/RemoveXssFilter.php',
[1] => 'TYPO3\CMS\Form\Filter\RemoveXssFilter',
[2] => 'typo3_cms_form_filter_removexssfilter'
);
In class loader we use a cache identifier in the form strtolower(str_replace('\\', '_', $className)) This will change our request for
\TYPO3\CMS\Form\Filter\RemoveXssFilter into typo3_cms_form_filter_removexssfilter
That's why it works but not the expected way.
Updated by Christian Kuhn over 9 years ago
Ah darn. Yes, the unit test bootstrap "activates" all extensions, so their ClassAliasMap.php is loaded, too - basically the unit test bootstrap doesn't do much more than this: Taking care that classes are found. So, in this case the bug would only have been seen if we kicked out compatibility6 from core ...
Updated by Helmut Hummel over 9 years ago
Christian Kuhn wrote:
So, in this case the bug would only have been seen if we kicked out compatibility6 from core ...
yes :)
Updated by Gerrit Code Review over 9 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/35070
Updated by Gerrit Code Review over 9 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/35070
Updated by Gerrit Code Review over 9 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/35070
Updated by Gerrit Code Review over 9 years ago
Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/35070
Updated by Gerrit Code Review over 9 years ago
Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/35070
Updated by Helmut Hummel over 9 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 0329ccc87b1521e2e2c7f726f976541347006d8e.
Updated by Riccardo De Contardi over 6 years ago
- Status changed from Resolved to Closed