fix: Honeypot field appears when CSP is enabled #7029
Merged
Changes from all commits (11 commits):

- 0a9947e refactor: remove / before > in input tag (kenjis)
- b7ef46c fix: inline style "display:none" for honeypot field does not work wit… (kenjis)
- 87a677e docs: fix section level (kenjis)
- 53380f4 docs: fix text decoration (kenjis)
- 0c25173 docs: update sample Config file (kenjis)
- 184dd46 docs: add config items (kenjis)
- ee49833 docs: add changelog and upgrading guide (kenjis)
- 221b9ac test: use aliasing with use operator (kenjis)
- 3c339cd test: update expected (kenjis)
- 4643580 test: add test (kenjis)
- 4a1d91e docs: fix typo (kenjis)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,35 +1,40 @@ | ||
===================== | ||
############## | ||
Honeypot Class | ||
===================== | ||
############## | ||
|
||
The Honeypot Class makes it possible to determine when a Bot makes a request to a CodeIgniter4 application, | ||
if it's enabled in ``Application\Config\Filters.php`` file. This is done by attaching form fields to any form, | ||
if it's enabled in **app\Config\Filters.php** file. This is done by attaching form fields to any form, | ||
and this form field is hidden from a human but accessible to a Bot. When data is entered into the field, it's | ||
assumed the request is coming from a Bot, and you can throw a ``HoneypotException``. | ||
|
||
.. contents:: | ||
:local: | ||
:depth: 2 | ||
|
||
***************** | ||
Enabling Honeypot | ||
===================== | ||
***************** | ||
|
||
To enable a Honeypot, changes have to be made to the **app/Config/Filters.php**. Just uncomment honeypot | ||
from the ``$globals`` array, like: | ||
|
||
.. literalinclude:: honeypot/001.php | ||
|
||
A sample Honeypot filter is bundled, as ``system/Filters/Honeypot.php``. | ||
If it is not suitable, make your own at ``app/Filters/Honeypot.php``, | ||
A sample Honeypot filter is bundled, as **system/Filters/Honeypot.php**. | ||
If it is not suitable, make your own at **app/Filters/Honeypot.php**, | ||
and modify the ``$aliases`` in the configuration appropriately. | ||
|
||
******************** | ||
Customizing Honeypot | ||
===================== | ||
******************** | ||
|
||
Honeypot can be customized. The fields below can be set either in | ||
**app/Config/Honeypot.php** or in **.env**. | ||
|
||
* ``hidden`` - true|false to control visibility of the honeypot field; default is ``true`` | ||
* ``label`` - HTML label for the honeypot field, default is 'Fill This Field' | ||
* ``name`` - name of the HTML form field used for the template; default is 'honeypot' | ||
* ``template`` - form field template used for the honeypot; default is '<label>{label}</label><input type="text" name="{name}" value=""/>' | ||
* ``$hidden`` - ``true`` or ``false`` to control visibility of the honeypot field; default is ``true`` | ||
* ``$label`` - HTML label for the honeypot field, default is ``'Fill This Field'`` | ||
* ``$name`` - name of the HTML form field used for the template; default is ``'honeypot'`` | ||
* ``$template`` - form field template used for the honeypot; default is ``'<label>{label}</label><input type="text" name="{name}" value="">'`` | ||
* ``$container`` - container tag for the template; default is ``'<div style="display:none">{template}</div>'``. | ||
If you enables CSP, you can remove ``style="display:none"``. | ||
* ``$containerId`` - [Since v4.3.0] this setting is used only when you enables CSP. You can change the id attribute for the container tag; default is ``'hpc'`` |
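Review bot: the two new bullets at the end of the hunk read "If you enables CSP" and "used only when you enables CSP"; both should be "If you enable CSP" / "only when you enable CSP". These bullets are also the only place the user guide explains the CSP interaction, so the `$container` bullet should say why the inline style can be dropped rather than just that it can: a policy whose `style-src` does not carry `'unsafe-inline'` blocks the `style="display:none"` attribute on the container, which is the bug in the PR title, and the `$containerId` bullet implies the container is then addressed by its id (default `'hpc'`) instead. A sentence such as "When CSP is enabled the inline style is blocked by the policy, so the container is hidden through its id; see `$containerId`." on the `$container` bullet would make the two settings read as one mechanism, and the `[Since v4.3.0]` marker on `$containerId` is the natural place to state that the id replaces the style attribute.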
Because `CodeIgniter\HTTP\ContentSecurityPolicy` depends on `config('App')` (and `Response` pulls `Services::csp()`), we must inject `Config\App` into the Factories.
Thanks for the explanation! We can also just use the factory version here:
But nothing wrong with the explicit version.
Factories are reset each time during tests, so there is probably no problem with that way.

However, I do not think it is healthy that most framework classes depend on Factories (`config()`). It's not easy to get rid of this dependency now, but I would like to reduce it if possible.
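The docs changed in this PR say that the inline `style="display:none"` on the honeypot container stops working once CSP is enabled and that the container is then addressed through `$containerId`. The following script is an added example, not CodeIgniter code, that shows the reason in working form: it parses a Content-Security-Policy header, decides whether a `style` attribute would still be applied under it, and renders the honeypot container either with the inline style or, when the policy carries a style nonce, with an id-based rule in a nonced `<style>` element. The function names, the fallback behaviour (raising when neither option would survive the policy) and the policy strings are constructed assumptions; the `honeypot`, `Fill This Field` and `hpc` defaults are the ones listed in the docs hunk.

```python
"""Added example (not CodeIgniter's code): pick a CSP-compatible way to hide
the honeypot container.

A CSP whose effective style-src lacks 'unsafe-inline' blocks style="..."
attributes, so a honeypot hidden only by inline style becomes visible to
humans. When the policy carries a style nonce, the container can be hidden
by id through a nonced <style> element instead. All policy strings used
here are constructed sample inputs."""
import re
from typing import Optional


def parse_csp(csp: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [sources]}.
    A repeated directive keeps its first occurrence, as browsers do."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_style_sources(csp: str) -> Optional[list]:
    """Source list that governs styles, or None when nothing restricts them.
    style-src falls back to default-src, as the CSP spec requires."""
    directives = parse_csp(csp)
    if "style-src" in directives:
        return directives["style-src"]
    return directives.get("default-src")


def inline_style_allowed(csp: Optional[str]) -> bool:
    """True if a style="..." attribute would be applied under this policy.

    Simplification (assumption of this example): 'unsafe-inline' counts only
    when no nonce or hash source is present, because CSP2+ ignores it
    otherwise; the CSP3 'unsafe-hashes' keyword is not modelled."""
    if csp is None:
        return True
    sources = effective_style_sources(csp)
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
    )
    return "'unsafe-inline'" in lowered and not has_nonce_or_hash


def style_nonce(csp: str) -> Optional[str]:
    """Nonce value from the effective style-src, if the policy carries one."""
    for src in effective_style_sources(csp) or []:
        match = re.fullmatch(r"'nonce-([A-Za-z0-9+/=_-]+)'", src)
        if match:
            return match.group(1)
    return None


def render_honeypot(csp: Optional[str], name="honeypot", label="Fill This Field",
                    container_id="hpc") -> str:
    """Render the honeypot field inside a container hidden in a way the given
    CSP permits. Defaults mirror the documented config values."""
    field = f'<label>{label}</label><input type="text" name="{name}" value="">'
    if inline_style_allowed(csp):
        # No policy, or one that still honours inline styles: the old markup works.
        return f'<div style="display:none">{field}</div>'
    nonce = style_nonce(csp)
    if nonce is None:
        # Neither an inline style nor a nonced <style> block would survive;
        # shipping the field anyway would expose it to humans, so refuse.
        raise ValueError("CSP blocks inline styles and has no style nonce")
    # Hide by id: the rule lives in a <style> element the nonce whitelists.
    return (f'<style nonce="{nonce}">#{container_id}{{display:none}}</style>'
            f'<div id="{container_id}">{field}</div>')


if __name__ == "__main__":
    for policy in (None,
                   "default-src 'self'; style-src 'self' 'unsafe-inline'",
                   "default-src 'self'; style-src 'self' 'nonce-r4nd0m'"):
        print(repr(policy), "->", render_honeypot(policy))
```

The check that matters operationally is `inline_style_allowed`: a policy as plain as `default-src 'self'` already blocks the style attribute because `style-src` inherits from `default-src`, and adding `'unsafe-inline'` next to a nonce does not bring it back, which is why an id-based rule is the robust choice whenever a nonce is in play.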