Allow to disable input encoding for a whole DCA (see #708).

contao · Apr 21, 2017 · 750cac6 · 750cac6
1 parent 927894b
commit 750cac6
Show file tree

Hide file tree

Showing 6 changed files with 37 additions and 11 deletions.
diff --git a/src/Resources/contao/classes/DataContainer.php b/src/Resources/contao/classes/DataContainer.php
@@ -298,6 +298,15 @@ protected function row($strPalette=null)
 			$this->varValue = \StringUtil::insertTagToSrc($this->varValue);
 		}
 
+		// Use raw request if set globally but allow opting out setting useRawRequestData to false explicitly
+		$useRawGlobally = isset($GLOBALS['TL_DCA'][$this->strTable]['config']['useRawRequestData']) && $GLOBALS['TL_DCA'][$this->strTable]['config']['useRawRequestData'] === true;
+		$notRawForField = isset($arrData['eval']['useRawRequestData']) && $arrData['eval']['useRawRequestData'] === false;
+
+		if ($useRawGlobally && !$notRawForField)
+		{
+			$arrData['eval']['useRawRequestData'] = true;
+		}
+
 		/** @var Widget $objWidget */
 		$objWidget = new $strClass($strClass::getAttributesFromDca($arrData, $this->strInputName, $this->varValue, $this->strField, $this->strTable, $this));
 

diff --git a/src/Resources/contao/controllers/BackendPassword.php b/src/Resources/contao/controllers/BackendPassword.php
@@ -11,6 +11,7 @@
 namespace Contao;
 
 use Patchwork\Utf8;
+use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 
 
@@ -50,13 +51,16 @@ public function __construct()
 	 */
 	public function run()
 	{
+		/** @var Request $request */
+		$request = System::getContainer()->get('request_stack')->getCurrentRequest();
+
 		/** @var BackendTemplate|object $objTemplate */
 		$objTemplate = new \BackendTemplate('be_password');
 
 		if (\Input::post('FORM_SUBMIT') == 'tl_password')
 		{
-			$pw = \Input::postUnsafeRaw('password');
-			$cnf = \Input::postUnsafeRaw('confirm');
+			$pw = $request->request->get('password');
+			$cnf = $request->request->get('confirm');
 
 			// The passwords do not match
 			if ($pw != $cnf)

diff --git a/src/Resources/contao/forms/FormPassword.php b/src/Resources/contao/forms/FormPassword.php
@@ -56,14 +56,14 @@ class FormPassword extends \Widget
 
 
 	/**
-	 * Always decode entities
+	 * Always use raw request data.
 	 *
 	 * @param array $arrAttributes An optional attributes array
 	 */
 	public function __construct($arrAttributes=null)
 	{
 		parent::__construct($arrAttributes);
-		$this->decodeEntities = true;
+		$this->useRawRequestData = true;
 	}
 
 

diff --git a/src/Resources/contao/library/Contao/User.php b/src/Resources/contao/library/Contao/User.php
@@ -10,6 +10,7 @@
 
 namespace Contao;
 
+use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategy;
 
 
@@ -320,6 +321,8 @@ public function authenticate()
 	 */
 	public function login()
 	{
+		/** @var Request $request */
+		$request = System::getContainer()->get('request_stack')->getCurrentRequest();
 		\System::loadLanguageFile('default');
 
 		// Do not continue if username or password are missing
@@ -339,7 +342,7 @@ public function login()
 				foreach ($GLOBALS['TL_HOOKS']['importUser'] as $callback)
 				{
 					$this->import($callback[0], 'objImport', true);
-					$blnLoaded = $this->objImport->{$callback[1]}(\Input::post('username', true), \Input::postUnsafeRaw('password'), $this->strTable);
+					$blnLoaded = $this->objImport->{$callback[1]}(\Input::post('username', true), $request->request->get('password'), $this->strTable);
 
 					// Load successfull
 					if ($blnLoaded === true)
@@ -399,17 +402,17 @@ public function login()
 		// The password has been generated with crypt()
 		if (\Encryption::test($this->password))
 		{
-			$blnAuthenticated = \Encryption::verify(\Input::postUnsafeRaw('password'), $this->password);
+			$blnAuthenticated = \Encryption::verify($request->request->get('password'), $this->password);
 		}
 		else
 		{
 			list($strPassword, $strSalt) = explode(':', $this->password);
-			$blnAuthenticated = ($strSalt == '') ? ($strPassword === sha1(\Input::postUnsafeRaw('password'))) : ($strPassword === sha1($strSalt . \Input::postUnsafeRaw('password')));
+			$blnAuthenticated = ($strSalt == '') ? ($strPassword === sha1($request->request->get('password'))) : ($strPassword === sha1($strSalt . $request->request->get('password')));
 
 			// Store a SHA-512 encrpyted version of the password
 			if ($blnAuthenticated)
 			{
-				$this->password = \Encryption::hash(\Input::postUnsafeRaw('password'));
+				$this->password = \Encryption::hash($request->request->get('password'));
 			}
 		}
 
@@ -419,7 +422,7 @@ public function login()
 			foreach ($GLOBALS['TL_HOOKS']['checkCredentials'] as $callback)
 			{
 				$this->import($callback[0], 'objAuth', true);
-				$blnAuthenticated = $this->objAuth->{$callback[1]}(\Input::post('username', true), \Input::postUnsafeRaw('password'), $this);
+				$blnAuthenticated = $this->objAuth->{$callback[1]}(\Input::post('username', true), $request->request->get('password'), $this);
 
 				// Authentication successfull
 				if ($blnAuthenticated === true)

diff --git a/src/Resources/contao/library/Contao/Widget.php b/src/Resources/contao/library/Contao/Widget.php
@@ -12,6 +12,7 @@
 
 use Doctrine\DBAL\Types\Type;
 use Patchwork\Utf8;
+use Symfony\Component\HttpFoundation\Request;
 
 
 /**
@@ -83,6 +84,7 @@
  * @property string                  $slabel            The submit button label
  * @property boolean                 $preserveTags      Preserve HTML tags
  * @property boolean                 $decodeEntities    Decode HTML entities
+ * @property boolean                 useRawRequestData  Use the raw request data from the Symfony request
  * @property integer                 $minlength         The minimum length
  * @property integer                 $maxlength         The maximum length
  * @property integer                 $minval            The minimum value
@@ -340,6 +342,7 @@ public function __set($strKey, $varValue)
 			case 'trailingSlash':
 			case 'spaceToUnderscore':
 			case 'doNotTrim':
+			case 'useRawRequestData':
 				$this->arrConfiguration[$strKey] = $varValue ? true : false;
 				break;
 
@@ -793,6 +796,13 @@ public function validate()
 	 */
 	protected function getPost($strKey)
 	{
+		if ($this->useRawRequestData === true)
+		{
+			/** @var Request $request */
+			$request = \System::getContainer()->get('request_stack')->getCurrentRequest();
+			return $request->request->get($strKey);
+		}
+
 		$strMethod = $this->allowHtml ? 'postHtml' : 'post';
 
 		if ($this->preserveTags)

diff --git a/src/Resources/contao/widgets/Password.php b/src/Resources/contao/widgets/Password.php
@@ -46,14 +46,14 @@ class Password extends \Widget
 
 
 	/**
-	 * Always decode entities
+	 * Always use raw request data.
 	 *
 	 * @param array $arrAttributes
 	 */
 	public function __construct($arrAttributes=null)
 	{
 		parent::__construct($arrAttributes);
-		$this->decodeEntities = true;
+		$this->useRawRequestData = true;
 	}