From a0c4348188559596f292ea03983171bde29d9870 Mon Sep 17 00:00:00 2001
From: Ralf Zimmermann
Date: Tue, 22 Jan 2019 09:42:31 +0100
Subject: [PATCH] [SECURITY] Use a fluid template for the ConfirmationFinisher message

The ConfirmationFinisher message is now rendered within a fluid template to allow styling of the message. Furthermore, the FormRuntime (and thus all form element values) and the finisherVariableProvider are available in the template. Custom variables can be added globally within the form setup or at form level in the form definition. By using a fluid template and the associated html escaping, the display of the ConfirmationFinisher message is protected against XSS / html injection attacks.
Resolves: #84902
Releases: master, 9.5, 8.7
Security-Commit: e73ae7cae8ccc3450d850f554ab50bc09b57e716
Security-Bulletin: TYPO3-CORE-SA-2019-007
Change-Id: Id8aa02d92f6b89a3008e8c91cf8ab318a05e7489
Reviewed-on: https://review.typo3.org/59532
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
---
 ...-83405-AddConfirmationFinisherTemplate.rst | 80 +++++++++++
 .../Domain/Finishers/ConfirmationFinisher.php | 49 ++++++-
 .../form/Configuration/Yaml/BaseSetup.yaml | 6 +-
 .../Config/configuration/Index.rst | 4 +
 .../finishers/Confirmation.rst | 127 ++++++++++++++++++
 .../Finishers/Confirmation/Confirmation.html | 3 +
 6 files changed, 264 insertions(+), 5 deletions(-)
 create mode 100644 typo3/sysext/core/Documentation/Changelog/8.7.x/Feature-83405-AddConfirmationFinisherTemplate.rst
 create mode 100644 typo3/sysext/form/Resources/Private/Frontend/Templates/Finishers/Confirmation/Confirmation.html
diff --git a/typo3/sysext/core/Documentation/Changelog/8.7.x/Feature-83405-AddConfirmationFinisherTemplate.rst b/typo3/sysext/core/Documentation/Changelog/8.7.x/Feature-83405-AddConfirmationFinisherTemplate.rst
new file mode 100644
index 000000000000..482cfaef08c6
--- /dev/null
+++ b/typo3/sysext/core/Documentation/Changelog/8.7.x/Feature-83405-AddConfirmationFinisherTemplate.rst
@@ -0,0 +1,80 @@ +.. include:: ../../Includes.txt + +=================================================== +Feature: #83405 - add ConfirmationFinisher template +=================================================== + +See :issue:`83405` + +Description +=========== + +The ConfirmationFinisher message is now rendered within a fluid template to allow styling of the message. +Furthermore, the FormRuntime (and thus all form element values) and the finisherVariableProvider are available in the template [1]. +Custom variables can be added globally within the form setup or at form level in the form definition [2]. +By using a fluid template and the associated html escaping, the display of the ConfirmationFinisher message is protected against XSS / html injection attacks. +The ext: form supplied fluid template does not include any HTML wrapping to remain compatible with existing installations, but it is possible to implement your own template [3]. + +[1] Template variables +---------------------- + +* :html:`{form}` - Object for access to submitted form element values (https://docs.typo3.org/typo3cms/extensions/form/Concepts/FrontendRendering/Index.html#accessing-form-values) +* :html:`{finisherVariableProvider}` - Object with data from previous finishers (https://docs.typo3.org/typo3cms/extensions/form/Concepts/FrontendRendering/Index.html#share-data-between-finishers) +* :html:`{message}` - The confirmation message + +[2] custom template variables +----------------------------- + +global within the form setup: + +.. code-block:: yaml + + TYPO3: + CMS: + Form: + prototypes: + standard: + finishersDefinition: + Confirmation: + options: + variables: + foo: bar + +per form within the form definition: + +.. code-block:: yaml + + finishers: + - + identifier: Confirmation + options: + message: 'Thx' + variables: + foo: bar + +[3] custom Template +------------------- + +form setup: + +.. 
code-block:: yaml + + TYPO3: + CMS: + Form: + prototypes: + standard: + finishersDefinition: + Confirmation: + options: + templateRootPaths: + 20: 'EXT:my_site_package/Resources/Private/Templates/Form/Finishers/Confirmation/' + +Impact +====== + +Integrators can use a ConfirmationFinisher message within a fluid template. +Integrators can use additional information such as form element values within the template. +The ConfirmationFinisher message is protected against XSS / html injection attacks. + +.. index:: Frontend, ext:form, NotScanned
diff --git a/typo3/sysext/form/Classes/Domain/Finishers/ConfirmationFinisher.php b/typo3/sysext/form/Classes/Domain/Finishers/ConfirmationFinisher.php
index afe6557d764e..fe820101045a 100644
--- a/typo3/sysext/form/Classes/Domain/Finishers/ConfirmationFinisher.php
+++ b/typo3/sysext/form/Classes/Domain/Finishers/ConfirmationFinisher.php
@@ -5,8 +5,6 @@
 /*
  * This file is part of the TYPO3 CMS project.
  *
- * It originated from the Neos.Form package (www.neos.io)
- *
  * It is free software; you can redistribute it and/or modify it under
  * the terms of the GNU General Public License, either version 2
  * of the License, or any later version.
@@ -19,15 +17,19 @@
 
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 use TYPO3\CMS\Extbase\Configuration\ConfigurationManagerInterface;
+use TYPO3\CMS\Fluid\View\StandaloneView;
 use TYPO3\CMS\Form\Domain\Finishers\Exception\FinisherException;
+use TYPO3\CMS\Form\Domain\Runtime\FormRuntime;
+use TYPO3\CMS\Form\ViewHelpers\RenderRenderableViewHelper;
 use TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer;
 
 /**
- * A simple finisher that outputs a given text
+ * A finisher that outputs a given text
  *
  * Options:
  *
  * - message: A hard-coded message to be rendered
+ * - contentElementUid: A content element uid to be rendered
  *
  * Usage:
  * //...
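Review bot: The class docblock's `Options:` list is left incomplete by this hunk — it names `message` and `contentElementUid`, but the view setup added in the `executeInternal()` hunk further down treats `templateName` as mandatory (it throws a FinisherException when the option is missing) and also reads `templateRootPaths` and `variables`. Add the three entries, e.g. `* - templateName: Name of the fluid template that renders the message (mandatory)`, `* - templateRootPaths: Paths searched for that template` and `* - variables: Additional variables assigned to the template`. It would also help integrators to state here that the `message` option is HTML-escaped by the template, since the commit exists precisely so that markup in it no longer renders.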
@@ -113,6 +115,45 @@ protected function executeInternal()
             $message = $this->parseOption('message');
         }
 
-        return $message;
+        $standaloneView = $this->initializeStandaloneView(
+            $this->finisherContext->getFormRuntime()
+        );
+
+        $standaloneView->assign('message', $message);
+
+        return $standaloneView->render();
+    }
+
+    /**
+     * @param FormRuntime $formRuntime
+     * @return StandaloneView
+     * @throws FinisherException
+     */
+    protected function initializeStandaloneView(FormRuntime $formRuntime): StandaloneView
+    {
+        $standaloneView = $this->objectManager->get(StandaloneView::class);
+
+        if (!isset($this->options['templateName'])) {
+            throw new FinisherException(
+                'The option "templateName" must be set for the ConfirmationFinisher.',
+                1521573955
+            );
+        }
+
+        $standaloneView->setTemplate($this->options['templateName']);
+        $standaloneView->getTemplatePaths()->fillFromConfigurationArray($this->options);
+
+        if (isset($this->options['variables']) && is_array($this->options['variables'])) {
+            $standaloneView->assignMultiple($this->options['variables']);
+        }
+
+        $standaloneView->assign('form', $formRuntime);
+        $standaloneView->assign('finisherVariableProvider', $this->finisherContext->getFinisherVariableProvider());
+
+        $standaloneView->getRenderingContext()
+            ->getViewHelperVariableContainer()
+            ->addOrUpdate(RenderRenderableViewHelper::class, 'formRuntime', $formRuntime);
+
+        return $standaloneView;
     }
 }
diff --git a/typo3/sysext/form/Configuration/Yaml/BaseSetup.yaml b/typo3/sysext/form/Configuration/Yaml/BaseSetup.yaml
index f7046e704ac4..ef9eebb2c0b5 100644
--- a/typo3/sysext/form/Configuration/Yaml/BaseSetup.yaml
+++ b/typo3/sysext/form/Configuration/Yaml/BaseSetup.yaml
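Review bot: Passing every `$message` through the escaping `{message}` output also covers the branch of `executeInternal()` that sits above this hunk (the method starts outside it), which — judging by the `contentElementUid` option documented in the earlier hunk — assigns the already-rendered output of a content element; that HTML will now be displayed as literal markup instead of being rendered. If that branch exists, set a flag there and pass it alongside the message, e.g. `$standaloneView->assign('isPreparedMessage', $isPreparedMessage);` next to `$standaloneView->assign('message', $message);`, and let the shipped template apply `f:format.raw` only when the flag is true, so the escaped default stays in force for the plain `message` option this fix targets. Separately, `initializeStandaloneView()` obtains the view from the object manager before validating `templateName`; moving the `isset` check ahead of `$this->objectManager->get(StandaloneView::class)` lets a misconfigured finisher fail before anything is built. A comment above `assignMultiple($this->options['variables'])` noting that the later `form`, `finisherVariableProvider` and `message` assignments silently overwrite configured variables of the same name would save integrators a debugging round.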
@@ -296,10 +296,14 @@ TYPO3: Confirmation: implementationClassName: 'TYPO3\CMS\Form\Domain\Finishers\ConfirmationFinisher' - #options: + options: #message: '' #contentElementUid: 0 #typoscriptObjectPath: 'lib.tx_form.contentElementRendering' + #variables: + templateName: 'Confirmation' + templateRootPaths: + 10: 'EXT:form/Resources/Private/Frontend/Templates/Finishers/Confirmation/' EmailToSender: __inheritances: diff --git a/typo3/sysext/form/Documentation/Config/configuration/Index.rst b/typo3/sysext/form/Documentation/Config/configuration/Index.rst index 500380a7965a..6d8e940b9e52 100644 --- a/typo3/sysext/form/Documentation/Config/configuration/Index.rst +++ b/typo3/sysext/form/Documentation/Config/configuration/Index.rst @@ -3529,6 +3529,10 @@ Full default configuration closure: '' Confirmation: implementationClassName: TYPO3\CMS\Form\Domain\Finishers\ConfirmationFinisher + options: + templateName: 'Confirmation' + templateRootPaths: + 10: 'EXT:form/Resources/Private/Frontend/Templates/Finishers/Confirmation/' formEditor: iconIdentifier: t3-form-icon-finisher label: formEditor.elements.Form.finisher.Confirmation.editor.header.label diff --git a/typo3/sysext/form/Documentation/Config/proto/finishersDefinition/finishers/Confirmation.rst b/typo3/sysext/form/Documentation/Config/proto/finishersDefinition/finishers/Confirmation.rst index f9f94f34bad5..ba6c6dbd0f98 100644 --- a/typo3/sysext/form/Documentation/Config/proto/finishersDefinition/finishers/Confirmation.rst +++ b/typo3/sysext/form/Documentation/Config/proto/finishersDefinition/finishers/Confirmation.rst 
@@ -74,6 +74,133 @@ options.message The text which is shown if the finisher is invoked. +.. _typo3.cms.form.prototypes..finishersdefinition.confirmation.options.contentelementuid: + +options.contentElementUid +------------------------- + +:aspect:`Option path` + TYPO3.CMS.Form.prototypes..finishersDefinition.Confirmation.options.contentElementUid + +:aspect:`Data type` + integer + +:aspect:`Needed by` + Frontend + +:aspect:`Mandatory` + No + +:aspect:`Default value` + undefined + +:aspect:`Description` + The option "contentElementUid" can be used to render a content element. + If contentElementUid is set, the option "message" will be ignored. + + +.. _typo3.cms.form.prototypes..finishersdefinition.confirmation.options.typoscriptobjectpath: + +options.typoscriptObjectPath +---------------------------- + +:aspect:`Option path` + TYPO3.CMS.Form.prototypes..finishersDefinition.Confirmation.options.typoscriptObjectPath + +:aspect:`Data type` + string + +:aspect:`Needed by` + Frontend + +:aspect:`Mandatory` + No + +:aspect:`Default value` + 'lib.tx_form.contentElementRendering' + +:aspect:`Description` + The option "typoscriptObjectPath" can be used to render the content element (options.contentElementUid) through a typoscript lib. + + +.. _typo3.cms.form.prototypes..finishersdefinition.confirmation.options.variables: + +options.variables +----------------- + +:aspect:`Option path` + TYPO3.CMS.Form.prototypes..finishersDefinition.Confirmation.options.variables + +:aspect:`Data type` + array + +:aspect:`Needed by` + Frontend + +:aspect:`Mandatory` + No + +:aspect:`Default value` + undefined + +:aspect:`Description` + Variables which should be available within the template. + + +.. 
_typo3.cms.form.prototypes..finishersdefinition.confirmation.options.templatename: + +options.templateName +-------------------- + +:aspect:`Option path` + TYPO3.CMS.Form.prototypes..finishersDefinition.Confirmation.options.templateName + +:aspect:`Data type` + string + +:aspect:`Needed by` + Frontend + +:aspect:`Mandatory` + Yes + +:aspect:`Default value` + 'Confirmation' + +:aspect:`Description` + Define a custom template name which should be used. + + +.. _typo3.cms.form.prototypes..finishersdefinition.confirmation.options.templaterootpaths: + +options.templateRootPaths +------------------------- + +:aspect:`Option path` + TYPO3.CMS.Form.prototypes..finishersDefinition.Confirmation.options.templateRootPaths + +:aspect:`Data type` + array + +:aspect:`Needed by` + Frontend + +:aspect:`Mandatory` + Yes + +:aspect:`Default value` + .. code-block:: yaml + :linenos: + + Confirmation: + options: + templateRootPaths: + 10: 'EXT:form/Resources/Private/Frontend/Templates/Finishers/Confirmation/' + +:aspect:`Description` + Used to define several paths for templates, which will be tried in reversed order (the paths are searched from bottom to top). + + .. _typo3.cms.form.prototypes..finishersdefinition.confirmation.options.translation.translationfile: options.translation.translationFile diff --git a/typo3/sysext/form/Resources/Private/Frontend/Templates/Finishers/Confirmation/Confirmation.html b/typo3/sysext/form/Resources/Private/Frontend/Templates/Finishers/Confirmation/Confirmation.html new file mode 100644 index 000000000000..bc13d3644ed0 --- /dev/null +++ b/typo3/sysext/form/Resources/Private/Frontend/Templates/Finishers/Confirmation/Confirmation.html @@ -0,0 +1,3 @@ + +{message} +