[RTM] Allow to disable input encoding for a whole dca #708
Conversation
|
Input would still be encoded, right? I mean script tags and null bytes stripped and other "safety checks". We would need to use the request class instead of the input class if the flag is enabled, right? I mean I'm totally fine with the feature, but the name is a bit confusing. It would better be something like |
|
It will use |
|
I guess that's why @aschempp suggested to use the Symfony Request class in this case, which will not alter the input values at all. |
leofeyer
changed the title
|
Ah, I see. Yeah, so we already have our own use case for #674 😄 |
|
You mean the core would apply that if the flag is set? 😂 |
|
I don't have another option I guess :) So we need both, a new |
|
It depends on the implementation. If it means flag all fields with |
|
What do the others think? /cc @contao/developers |
|
I'd do some flag on dca level and forward this to the Widget class. I think we could combine this with my changes from #575, sadly I still did not come around to shift the remaining methods from |
|
Looking at this, I thought we must already have such a flag for the password fields in the backend, but it looks like we haven’t. If I change my password in the backend to I think the name |
|
Request, definately! |
|
Yeah, request for sure but why should I name the |
|
I'm fine with |
|
So am I. |
|
As discussed in Mumble on March 23rd, the flag shall be called |
|
Note to self: Check password fields (they should not strip null bytes etc.) |
…it to either a field or the whole table configuration and fixed encoding on password fields
|
PR is updated and ready for review. |
| @@ -263,6 +265,14 @@ public function __set($strKey, $varValue) | |||
| $this->strPrefix = $varValue; | |||
| break; | |||
|
|
|||
| case 'useRawRequestData': | |||
There was a problem hiding this comment.
Since you have declared the property as a boolean, we should handle the false case as well, shouldn't we?
There was a problem hiding this comment.
Yeah not all attributes do unfortunately. So it's inconsistent already anyway but I added it.
| { | ||
| /** @var Request $request */ | ||
| $request = \System::getContainer()->get('request_stack')->getCurrentRequest(); | ||
| $this->setInputCallback(function() use ($request) { |
There was a problem hiding this comment.
You could (but don't have to) simplify this:
$this->setInputCallback(function () {
return \System::getContainer()->get('request_stack')->getCurrentRequest()->request->get($this->name);
});
| @@ -273,6 +273,12 @@ protected function row($strPalette=null) | |||
| $this->varValue = \StringUtil::insertTagToSrc($this->varValue); | |||
| } | |||
|
|
|||
| // Use raw request if set globally | |||
| if (isset($GLOBALS['TL_DCA'][$this->strTable]['config']['useRawRequestData']) && $GLOBALS['TL_DCA'][$this->strTable]['config']['useRawRequestData'] === true) | |||
There was a problem hiding this comment.
Should we add a !isset($arrData['eval']['useRawRequestData']) check here too? This would make it possible to use the raw request for the whole DCA but opt-out of it for single fields.
There was a problem hiding this comment.
Good idea, added in fd2ef3f.
| /** @var Request $request */ | ||
| $request = \System::getContainer()->get('request_stack')->getCurrentRequest(); | ||
| $this->setInputCallback(function() use ($request) { | ||
| return $request->request->get($this->name); |
There was a problem hiding this comment.
It looks like Widget::getPost() supports array syntax like field[foo][bar], do we need this functionality here too?
There was a problem hiding this comment.
I don't think so. If you want the raw request data you need to handle the array yourself if you need to, no?
There was a problem hiding this comment.
I have no idea where this array syntax is needed, maybe @aschempp can help us here? See Widget.php:781
|
Why did you use $widget->setInputCallback(...);
$widget->useRawRequestData = true;The second line would overwrite the already set input callback. Couldn’t we just add a check for the |
Exactly. Which is the desired workflow. There can only ever be one responsible function fetching the input. If you handle |
|
What about this example: $widget->useRawRequestData = true;
$widget->setInputCallback(null);This would not use the raw request. I think this is a confusing public API, if $widget->setInputCallback(function() {
if ($widget->useRawRequestData) {
...
}
}); |
Which means that you can change the behavior someone else wanted. In my opinion both ways can be confusing. It's just the way it is. |
|
Isn’t this inconsistent? |
|
No idea. Because it's cleaner? :) I changed it. |
Toflar
changed the title
| @@ -83,6 +84,7 @@ | |||
| * @property string $slabel The submit button label | |||
| * @property boolean $preserveTags Preserve HTML tags | |||
| * @property boolean $decodeEntities Decode HTML entities | |||
| * @property boolean useRawRequestData Use the raw request data from the Symfony request | |||
There was a problem hiding this comment.
Should we add useRawRequestData to the switch-case on line 345 too?
| @@ -320,6 +321,8 @@ public function authenticate() | |||
| */ | |||
| public function login() | |||
| { | |||
| /** @var Request $request */ | |||
| $request = System::getContainer()->get('request_stack')->getCurrentRequest(); | |||
There was a problem hiding this comment.
This is a behavior change, shouldn't we use getMasterRequest?
There was a problem hiding this comment.
I think it's almost always wrong to take the master request. The use cases are only very, very limited. So no: the current request is the way to go.
| if ($this->useRawRequestData === true) | ||
| { | ||
| /** @var Request $request */ | ||
| $request = \System::getContainer()->get('request_stack')->getCurrentRequest(); |
There was a problem hiding this comment.
Same here, I think we should use the master request?
Description ----------- While writing tests for #708 I noticed that the `VarDumper` component isn't actually required by the `core-bundle`, even though `\Contao\Template::dumpTemplateVars()` uses it. This PR adds the dependency and also adds a test for it. _Note:_ this needs to be added to the `composer.json` of the `contao/contao` mono repository as well presumably, but I am not sure what the procedure here is? _Note:_ this requirement is not needed for the `4.4` branch - but the test could be added there. I can provide a separate PR for that. Commits ------- 6ee2945c require symfony/var-dumper 61bd510f simplify dumpTemplateVars test c47b9961 remove unused use statements 2db49377 Fix the Travis build 9dbbb302 Sync the composer.json files
Here's another feature for Contao 4.4.
For my own modules I want to be able to disable the input encoding all together and output stuff using twig or encode it myself. I have an application which even doesn't output anything at all but manages content that's fetched through an API. I have to set the
evalattributes on every field which is a bit tedious. I think it can be very helpful to disable this completely and prepare for the future already in your own bundles/applications :-)