Project

General

Profile

Actions

Bug #84308

closed

Submit of RSA encrypted form not working with type="image" in TYPO3 8.7.11

Added by Sven Juergens over 6 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Should have
Assignee:
Category:
-
Target version:
Start date:
2018-03-15
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
8
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

hi,

In TYPO3 8.7.11, sending an RSA encrypted form does not work if an input type = "image" is used as submit.

e.g. felogin

Steps to reproduce:

set felogin on a page and use this plugin: https://pastebin.com/vSzvR4nQ
it's the original felogin template from 8.7.10. only the Login button is replaced the Login Code form here:
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/image

<input id="image" type="image" width="100" height="30" alt="Login" 
       src="https://raw.githubusercontent.com/mdn/learning-area/master/html/forms/image-type-example/login.png">

open the Frontend with the login form and just click "LOGIN", the password field is filled with the rsa encrypted code and then nothing happens.
if you clicked a second time the form will be sent

testet with chrome and firefox on macos x


Related issues 2 (0 open2 closed)

Related to TYPO3 Core - Bug #76120: rsaauth does not submit the name of the submit-buttonRejected2016-05-10

Actions
Related to TYPO3 Core - Bug #84503: Streamline RsaAuth login behaviorRejected2018-03-21

Actions
Actions #1

Updated by Stephan Großberndt over 6 years ago

Could you check if this is related to / solved by

https://forge.typo3.org/issues/84253 / https://review.typo3.org/#/c/56142/ ?

Actions #2

Updated by Susanne Moog over 6 years ago

  • Related to Bug #84253: BE Login with 8.7.11 and Firefox Quantum Browser Version 59.0 not possible anymore added
Actions #3

Updated by Sven Juergens over 6 years ago

hi,

no, it seems it's not directly related to that issue.

Because here we have another JavaScript File.

In fe_login e.g we use the File
typo3_src-8.7.11/typo3/sysext/rsaauth/Resources/Public/JavaScript/RsaEncryption.js
and not
typo3_src-8.7.11/typo3/sysext/rsaauth/Resources/Public/JavaScript/RsaEncryptionModule.js

The problem is the way the submit Fields are fetched in Javascript, in this part, in RsaEncryption.js line 130

...
    for (var i = *document.forms*.length; i--;) {
      var form = document.forms[i];
      for (var j = form.elements.length; j--;) {
        var field = form.elements[j];
        if (field.nodeName.toLowerCase() === 'input') {
          var dataAttribute = field.getAttribute('data-rsa-encryption');
          if (dataAttribute || dataAttribute === '' && field.outerHTML.match(/ data-rsa-encryption=""/)) {
            if (!form.rsaEncryption) {

             * form.rsaEncryption = new rsaEncryption(form);*

              if (form.addEventListener) {
                form.addEventListener('submit', form.rsaEncryption.handleFormSubmitRequest, false);
              } else if (form.attachEvent) {
                form.attachEvent('onsubmit', form.rsaEncryption.handleFormSubmitRequest);
              }
            }
            form.rsaEncryption.fields.push(field);
          }
        }
      }
    }

We use "document.forms" to get all forms on page and in which we later search for the submit button
But: type="image" is not part of that

The elements which are included by HTMLFormElement.elements and HTMLFormElement.length are:

<button>
<fieldset>
<input> (with the exception that any whose type is "image" are omitted for historical reasons)
<object>
<output>
<select>
<textarea>
No other elements are included in the list returned by elements, which makes it an excellent way to get at the elements most important when processing forms.

Source:https://developer.mozilla.org/en-US/docs/Web/API/HTMLFormElement/elements

With this commit we changed the submit handling: https://github.com/TYPO3/TYPO3.CMS/commit/a0e51ca70b9d8bc343acc0d178a9ba4b9095b94b

now the form is not simply sent, but it is searched for a submit button and clicked

Actions #4

Updated by Sven Juergens over 6 years ago

hi,

this could be a possible solution:
as descriped here: https://developer.mozilla.org/en-US/docs/Web/API/HTMLFormElement/elements
HTMLFormElement.elements get this fields "button ,fieldset ,input ,object ,output ,select ,textarea".
So we get the fields ourselves with querySelectorAll and use it like this:

    // Submit the form again but now with encrypted values
       var formElements = rsaEncryption.form.querySelectorAll('button ,fieldset ,input ,object ,output ,select ,textarea'); 
      for (var j = formElements.length; j--;) {
        var submitField = formElements[j];
        if ((['input', 'button'].indexOf(submitField.nodeName.toLowerCase()) > -1)
          && (['submit', 'image', 'button'].indexOf(submitField.type.toLowerCase()) > -1)
        ) {
          submitField.click();
        }
      }
Actions #5

Updated by Markus Klein over 6 years ago

  • Related to deleted (Bug #84253: BE Login with 8.7.11 and Firefox Quantum Browser Version 59.0 not possible anymore)
Actions #6

Updated by Markus Klein over 6 years ago

  • Related to Bug #76120: rsaauth does not submit the name of the submit-button added
Actions #7

Updated by Markus Klein over 6 years ago

  • Status changed from New to Accepted

Thanks for your finding. We currently discuss in the core team how we deal with this mess.

Actions #8

Updated by Markus Klein over 6 years ago

  • Status changed from Accepted to Resolved
  • Assignee set to Markus Klein
  • Target version set to 8.7.12

Offending patches have been reverted. Things shall be working again as before.

Actions #9

Updated by Markus Klein over 6 years ago

  • Related to Bug #84503: Streamline RsaAuth login behavior added
Actions #10

Updated by Benni Mack about 6 years ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF