mcndave
/
picea-ui
1
0
Fork 0
Code Issues Pull Requests Projects 1 Releases Wiki Activity

- Implemented CSRF check, some bugfixes also included

This commit is contained in:
Dave M. 2022-02-03 20:06:04 +00:00
parent 362184f81f
commit 97f1f67af1
7 changed files with 72 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
src/Common/UiElement.php
View File

@ -177,8 +177,10 @@ class UiElement implements \ArrayAccess, \Iterator, \JsonSerializable {
}
}
else if ( !is_numeric($key) ) {
# will output something like <tag $key=$value></tag>
$attributesList[] = strpos($value, '"') !== false ? "$key='$value'" : "$key=\"$value\"";
$value = htmlspecialchars($value);
# will output something like <tag $key="$value"></tag>
$attributesList[] = "$key=\"$value\"";
}
else {
# will output something like <tag $value></tag>
@ -285,8 +287,18 @@ class UiElement implements \ArrayAccess, \Iterator, \JsonSerializable {
break;
case 'style' :
foreach($value as $var => $val) {
$this->css($var, $val);
if ( is_string($value) )
{
foreach(array_filter(explode(";", $value)) as $vars) {
list($key, $value) = explode(':', $vars);
$this->css($key, $value);
}
}
elseif ( is_array($value) ) {
foreach($value as $var => $val) {
$this->css($var, $val);
}
}
break;

2
src/Component/UiPopup.php
View File

@ -14,7 +14,7 @@ class UiPopup extends UiElement implements Extension {
public string $tag = "div";
public array $attributes = [
'class' => 'ui-popup',
'class' => 'ui-popup',
];
public function parse(/*\Picae\Compiler\Context*/ &$context, ?string $arguments, string $token) : string

14
src/Form/UiForm.php
View File

@ -66,7 +66,19 @@ class UiForm extends UiElement implements Extension {
$this->attributes([ 'method' => $method, 'action' => $action ] + $attributes);
if ( $method !== "get" ) {
$this->append( ( new UiHidden() )->attributes([ 'name' =>"picea-ui-form[$name]", 'value' => md5( $name . microtime() ) ]) );
$token = md5( $name . microtime());
$key = "picea-ui.form:{$name}";
if (count($_SESSION[$key] ?? []) > 100) {
array_shift($_SESSION[$key]);
}
$_SESSION[$key][] = $token;
$this->append( ( new UiHidden() )->attributes([
'name' => "picea-ui-form[$name]",
'value' => $token,
]));
$this->attributes([ 'enctype' => "multipart/form-data" ]);
}

2
src/Form/UiInput.php
View File

@ -43,7 +43,7 @@ class UiInput extends UiElement implements Extension {
}
if ($attributes['class'] ?? false) {
$attributes['class'] = implode(" ", array_merge((array) $attributes['class'], (array) $this->attributes['class']));
$attributes['class'] .= " {$this->attributes['class']}";
unset($this->attributes['class']);
}

23
src/Form/UiTextarea.php
View File

@ -4,7 +4,7 @@ namespace Picea\Ui\Form;
class UiTextarea extends UiInput {
public string $token = "ui.textarea";
public array $tokens = [ "ui.textarea", "ui.textarea.raw" ];
public string $tag = "textarea";
@ -14,8 +14,27 @@ class UiTextarea extends UiInput {
public array $options = [];
protected bool $echoRaw = false;
public function parse(/*\Picae\Compiler\Context*/ &$context, ?string $arguments, string $token) : string
{
if ($token === 'ui.textarea.raw') {
$this->echoRaw = true;
}
return sprintf("<?php echo ( new \\" . static::class . "() )->echoRaw(%s)->buildHtml($arguments) ?>", $this->echoRaw ? 'true' : 'false');
}
protected function setValue($value) : void
{
$this->html($value);
$this->echoRaw ? $this->html($value) : $this->text($value);
}
public function echoRaw(bool $set) : self
{
$this->echoRaw = $set;
return $this;
}
}

16
src/Method/Form.php
View File

@ -32,22 +32,6 @@ class Form implements Extension {
$context->pushFunction("form", [ $this, 'formClass' ]);
}
public function form_csrf(string $field, string $value) {
$values = $this->session("View.form.csrf.$field") ?: [];
# keeps 20 (from config) latest CSRF key for this form into session,
# allowing more than one tab opened and preventing information loss
if ( count($values) >= 20 ) {
#array_shift($values);
}
$values[] = $value;
$this->session("View.form.csrf.$field", $values);
return $value;
}
public function formClass(FormInterface $form, ? FormContext $formContext = null) : FormHandler
{
return new FormHandler($this->request, $form, $formContext);

20
src/Method/FormHandler.php
View File

@ -5,8 +5,11 @@ namespace Picea\Ui\Method;
use Psr\Http\Message\ServerRequestInterface;
class FormHandler {
public bool $sent = false;
public bool $validateCsrfToken = true;
public ? bool $executionStatus = null;
public FormContext $context;
@ -38,7 +41,20 @@ class FormHandler {
{
if ( false !== $this->context->formSent = $this->sent ) {
if ( $this->context->formName ?? false ) {
$this->sent = $this->context->formSent = (bool) ( $this->request->getParsedBody()['picea-ui-form'][$this->context->formName] ?? false );
$sent = false;
$token = $this->context->{'picea-ui-form'}[$this->context->formName] ?? false;
if ( $token ) {
if ($this->validateCsrfToken) {
$sent = in_array($token, $_SESSION["picea-ui.form:{$this->context->formName}"] ?? []);
}
else {
$sent = (bool) $token;
}
}
$this->sent = $this->context->formSent = $sent;
}
}
}
@ -50,8 +66,6 @@ class FormHandler {
if ( $this->sent ) {
if ( $this->form->validate($this->context) ) {
$this->executionStatus = $this->form->execute($this->context);
$this->context->formExecuted = true;
}
}
}