[BUGFIX] Avoid deprecated FILTER_SANITIZE_STRING in TextValidator

The filter_var() filter FILTER_SANITIZE_STRING is deprecated as of PHP 8.1. Extbase TextValidator uses it. Goal of the text validator is to allow most 'casual' characters and strings as long as they don't contain HTML. The path switches to strip_tags() to validate. Tests are refactored and extended to show more cases. https://wiki.php.net/rfc/deprecations_php_8_1 Change-Id: Ifbf3de7a7200512d1281b694a7a6c2f8fb3ac781 Resolves: #95768 Releases: master Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/71968 Tested-by: Jochen <rothjochen@gmail.com> Tested-by: core-ci <typo3@b13.com> Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by: Jochen <rothjochen@gmail.com> Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
TYPO3 · Oct 25, 2021 · 8cc1e21 · 8cc1e21
1 parent 3e27e56
commit 8cc1e21
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 28 deletions.
diff --git a/typo3/sysext/extbase/Classes/Validation/Validator/TextValidator.php b/typo3/sysext/extbase/Classes/Validation/Validator/TextValidator.php
@@ -1,5 +1,7 @@
 <?php
 
+declare(strict_types=1);
+
 /*
  * This file is part of the TYPO3 CMS project.
  *
@@ -27,13 +29,11 @@ class TextValidator extends AbstractValidator
      * The validated text is not expected to be secure in every circumstance, if you
      * want to be sure of that, use a customized regular expression or filter on output.
      *
-     * See https://php.net/filter_var for details.
-     *
      * @param mixed $value The value that should be validated
      */
     public function isValid($value)
     {
-        if ($value !== filter_var($value, FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES)) {
+        if ($value !== strip_tags((string)$value)) {
             $this->addError(
                 $this->translateErrorMessage(
                     'validator.text.notvalid',

diff --git a/typo3/sysext/extbase/Tests/Unit/Validation/Validator/TextValidatorTest.php b/typo3/sysext/extbase/Tests/Unit/Validation/Validator/TextValidatorTest.php
@@ -36,38 +36,67 @@ public function setup(): void
             ->getMock();
     }
 
-    /**
-     * @test
-     */
-    public function textValidatorReturnsNoErrorForASimpleString(): void
-    {
-        self::assertFalse($this->validator->validate('this is a very simple string')->hasErrors());
-    }
-
-    /**
-     * @test
-     */
-    public function textValidatorAllowsTheNewLineCharacter(): void
-    {
-        $sampleText = 'Ierd Frot uechter mä get, Kirmesdag Milliounen all en, sinn main Stréi mä och. nVu dan durch jéngt gréng, ze rou Monn voll stolz. nKe kille Minutt d\'Kirmes net. Hir Wand Lann Gaas da, wär hu Heck Gart zënter, Welt Ronn grousse der ke. Wou fond eraus Wisen am. Hu dénen d\'Gaassen eng, eng am virun geplot d\'Lëtzebuerger, get botze rëscht Blieder si. Dat Dauschen schéinste Milliounen fu. Ze riede méngem Keppchen déi, si gét fergiess erwaacht, räich jéngt duerch en nun. Gëtt Gaas d\'Vullen hie hu, laacht Grénge der dé. Gemaacht gehéiert da aus, gutt gudden d\'wäiss mat wa.';
-        self::assertFalse($this->validator->validate($sampleText)->hasErrors());
-    }
-
-    /**
-     * @test
-     */
-    public function textValidatorAllowsCommonSpecialCharacters(): void
+    public function isValidDataProvider(): array
     {
-        $sampleText = '3% of most people tend to use semikolae; we need to check & allow that. And hashes (#) are not evil either, nor is the sign called \'quote\'.';
-        self::assertFalse($this->validator->validate($sampleText)->hasErrors());
+        return [
+            'a simple string' => [
+                false, // expectation: no error
+                'this is a very simple string', // test string
+            ],
+            'allow new line character' => [
+                false,
+                'Ierd Frot uechter mä get, Kirmesdag' . chr(10) . 'Ke kille Minutt',
+            ],
+            'allow single quote' => [
+                false,
+                'foo \' bar',
+            ],
+            'allow double quote' => [
+                false,
+                'foo " bar',
+            ],
+            'slash' => [
+                false,
+                'foo/bar',
+            ],
+            'slash with closing angle bracket' => [
+                false,
+                'foo/>bar',
+            ],
+            'closing angle bracket without opening angle bracket' => [
+                false,
+                '>foo',
+            ],
+            'common special characters' => [
+                false,
+                '3% of most people tend to use semikolae; we need to check & allow that. And hashes (#) are not evil either, nor is the sign called \'quote\'.',
+            ],
+            'nul byte' => [
+                true,
+                'foo' . chr(0) . 'bar',
+            ],
+            'a string with html' => [
+                true,
+                '<span style="color: #BBBBBB;">a nice text</span>',
+            ],
+            'not closed html' => [
+                true,
+                '<foo>bar',
+            ],
+            'opening angle bracket' => [
+                true,
+                '<foo', // @todo: This is odd. It means a simple opening bracket makes this validator fail.
+            ],
+        ];
     }
 
     /**
      * @test
+     * @dataProvider isValidDataProvider
      */
-    public function textValidatorReturnsErrorForAStringWithHtml(): void
+    public function isValidHasNoError(bool $expectation, string $testString): void
     {
-        self::assertTrue($this->validator->validate('<span style="color: #BBBBBB;">a nice text</span>')->hasErrors());
+        self::assertSame($expectation, $this->validator->validate($testString)->hasErrors());
     }
 
     /**