Actions
Bug #99703
open
EXT:form: hidden field _trustedProperties: htmlspecialchars conversion not working
Status:
New
Priority:
Should have
Assignee:
-
Category:
Form Framework
Target version:
-
Start date:
2023-01-24
Due date:
% Done:
0%
Estimated time:
TYPO3 Version:
11
PHP Version:
7.4
Tags:
Complexity:
Is Regression:
Sprint Focus:
Description
Hi folks,
I ran into a strange issue where htmlspecialchars does not convert the values of _trustedProperties:
<form enctype="multipart/form-data" method="post" id="kontakt-7" action="/kontakt-jobs?tx_form_formframework%5Baction%5D=perform&tx_form_formframework%5Bcontroller%5D=FormFrontend&cHash=2eeb955eb166619117175e660fd17785#kontakt-7">
<div><input type="hidden" name="tx_form_formframework[kontakt-7][__state]" value="TzozOToiVFlQTzNcQ01TXEZvcm1cRG9tYWluXFJ1bnRpbWVcRm9ybVN0YXRlIjoyOntzOjI1OiIAKgBsYXN0RGlzcGxheWVkUGFnZUluZGV4IjtpOjA7czoxMzoiACoAZm9ybVZhbHVlcyI7YTowOnt9fQ==47e665a7bacbc2014853287e4e8664dd5638d842" />
<input type="hidden" name="tx_form_formframework[__trustedProperties]" value="{"kontakt-7":{"singleselect-1":1,"vorname":1,"text-1":1,"email-1":1,"fileupload-1":{"name":1,"type":1,"tmp_name":1,"error":1,"size":1},"message":1,"X7Y0DUKo":1,"__currentPage":1}}87ae27b389520f34d3248e1a2ce39b28cc3259cc" />
</div>
I was able to track the error down to sysext/fluid/Classes/ViewHelpers/FormViewHelper.php.
In line 468, htmlspecialchars($requestHash) does not escape the double quotes, thereby messing up the hidden field.
Any other form using f:form, rendered on the same page during the same request, works fine, for example
<input type="hidden" name="tx_mindshapecookieconsent_consent[__trustedProperties]" value="{"consent":{"isAjaxRequest":1,"currentUrl":1,"deny":1,"selectAll":1}}3678d30744b7197d750d09fd07b7d1f5c576009f" />
I've tested it using php7.4, 8.0 and 8.1, the behaviour stays the same.
No data to display
Actions