b13 / trusted-url-params

TYPO3 extension to ensure that only safe query parameters from TYPO3's routing are added to generated links
GNU General Public License v2.0

Add whitelist for parameters without routing #7

Open sterborg opened 2 years ago

sterborg commented 2 years ago

If I get the concept right, it is at the moment not possible to use GET parameters without routing configuration. I tried to use _trusted_urlparams for a GET form with several parameters without routing but can't find a way to make it work. I do not even understand how to use includeUntrusted in the pagination template as it is not a supported parameter for e.g. . In this case a configuration for parameter whitelisting could be the solution.

ohader commented 2 years ago

Can you please give one or two examples of the expected URLs to get a better understanding of the scenario in general? Thanks in advance!

sterborg commented 2 years ago

I need a pagination for a filter form with GET parameters. As there are six select elements I don't want to add all combinations in the routing configuration. URLs would be something like this:

https://www.my-page.com/my-page/?tx_myextension_myplugin[filter_1]=value1&tx_myextension_myplugin[filter_2]=value2&tx_myextension_myplugin[@widget_0][currentPage]=2

or

https://www.my-page.com/my-page/?tx_myextension_myplugin[filter_2]=value2&tx_myextension_myplugin[filter_4]=value4&tx_myextension_myplugin[filter_6]=value6&tx_myextension_myplugin[@widget_0][currentPage]=12

In the pagination partial I can add addQueryString and addQueryStringMethod but with _trusted_urlparams enabled it won't work.

sterborg commented 2 years ago

When I edit the method getAllowedQueryArguments in class TrustedUrlParamsTrait as follows, it works:

// Top-level query namespaces whose (unrouted) values may pass through.
public static $whitelist = [
    'tx_myextension_myplugin'
];
...
protected function getAllowedQueryArguments($request, array $conf): string
{
...
    // Route arguments have been validated by TYPO3 routing and are always kept.
    $allowedQueryArguments = $pageArguments->getRouteArguments();
    if ($conf['includeUntrusted'] ?? false) {
        $allowedQueryArguments = array_replace_recursive($pageArguments->getQueryArguments(), $allowedQueryArguments);
    } else {
        // Only whitelisted namespaces are taken from the raw query arguments;
        // route arguments are merged last so they win on conflicting keys.
        $queryArguments = $pageArguments->getQueryArguments();
        foreach (self::$whitelist as $namespace) {
            if (array_key_exists($namespace, $queryArguments)) {
                $allowedQueryArguments = array_replace_recursive([$namespace => $queryArguments[$namespace]], $allowedQueryArguments);
            }
        }
    }
...
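To make the precedence and scope of the namespace whitelist concrete, here is a stand-alone PHP version of that filter run against a constructed query string. It is an added illustration, not code from the trusted-url-params extension; the function name `filterQueryArguments` and the sample values are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical stand-alone version of the whitelist branch sketched above.
 * $routeArguments: parameters already validated by TYPO3 routing (always kept).
 * $queryArguments: raw query-string parameters (untrusted).
 * $whitelist:      top-level namespaces whose untrusted values may pass through.
 */
function filterQueryArguments(array $routeArguments, array $queryArguments, array $whitelist): array
{
    $allowed = $routeArguments;
    foreach ($whitelist as $namespace) {
        if (array_key_exists($namespace, $queryArguments)) {
            // The whitelisted namespace is the base array, so a route argument
            // with the same key replaces the untrusted value on conflict.
            $allowed = array_replace_recursive([$namespace => $queryArguments[$namespace]], $allowed);
        }
    }
    return $allowed;
}

// Constructed sample request: the filter form from the thread plus two
// parameters outside the whitelisted namespace.
$query = 'tx_myextension_myplugin[filter_2]=value2'
    . '&tx_myextension_myplugin[@widget_0][currentPage]=12'
    . '&tx_other[foo]=bar'
    . '&cHash=0000';
parse_str($query, $queryArguments);

// Assume routing already resolved filter_2 to a trusted value.
$routeArguments = ['tx_myextension_myplugin' => ['filter_2' => 'routed']];
$whitelist = ['tx_myextension_myplugin'];

$result = filterQueryArguments($routeArguments, $queryArguments, $whitelist);

// Parameters outside the whitelist never reach the generated link.
assert(!isset($result['tx_other']) && !isset($result['cHash']));
// The routed value wins over the untrusted one for the same key.
assert($result['tx_myextension_myplugin']['filter_2'] === 'routed');
// Everything else under the whitelisted namespace passes through unchanged.
assert($result['tx_myextension_myplugin']['@widget_0']['currentPage'] === '12');
```

Note that the whitelist limits which top-level namespaces are copied, not which nested keys or values: the whole `tx_myextension_myplugin` subtree passes through, so the plugin must still validate those values itself.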