Open kutulus opened 7 years ago
Update:
The error occurs when I put the Twig tag into the text field "Body":

```twig
{{ boltforms('contact') }}
```

The text field of the contenttype is configured with:

```yaml
allowtwig: true
```
When I put the Twig tag into the template, it works fine.
regards Stefano
I'm experiencing this issue as well on Bolt 3.3.6 and Boltforms 3.1.0
This was indeed a change in Bolt 3.3 itself, which switched to a whitelist for Twig tags. We'll get working on a fix. Thanks for the report.
@rossriley I've once fixed this by using:

```php
$app['twig.sandbox.policy'] = $app->share(
    $app->extend('twig.sandbox.policy', function ($policy) {
        // Allow the boltforms() function inside sandboxed (user-entered) content.
        $policy->addAllowedFunction('boltforms');

        return $policy;
    })
);
```

Maybe it's as simple as that.
I had a slightly different error message, so I'm just writing it down here for future reference (and Google):

```
Uncaught Exception: Twig_Sandbox_SecurityNotAllowedTagError.
Twig_Sandbox_SecurityNotAllowedTagError in SecurityPolicy.php line 158:
Tag 'form_theme' is not allowed in "forms/_contact.twig" at line 5.
```
Because I'm a very stubborn individual, I've added the following method to BoltFormsExtension.php to make it work:

```php
public function registerServices(Application $app)
{
    // Set the sandbox policy, but only for Bolt 3.3 and up
    // (older Bolt versions have no 'twig.sandbox.policy' service).
    if (isset($app['twig.sandbox.policy'])) {
        $app['twig.sandbox.policy'] = $app->share(
            $app->extend('twig.sandbox.policy', function ($policy) {
                // Functions used by the boltforms() call and the form templates.
                $policy->addAllowedFunction('boltforms');
                $policy->addAllowedFunction('form_end');
                $policy->addAllowedFunction('form_errors');
                $policy->addAllowedFunction('form_label');
                $policy->addAllowedFunction('form_row');
                $policy->addAllowedFunction('form_start');
                $policy->addAllowedFunction('form_widget');
                $policy->addAllowedFunction('include');
                // Methods the form templates call on the objects passed to them
                // (method names are matched case-insensitively by the policy).
                $policy->addAllowedMethod('FieldBag', 'getoptions');
                $policy->addAllowedMethod('FieldOptionsBag', 'label');
                $policy->addAllowedMethod('FieldsBag', 'email');
                $policy->addAllowedMethod('FieldsBag', 'label');
                $policy->addAllowedMethod('FieldsBag', 'message');
                $policy->addAllowedMethod('FieldsBag', 'name');
                $policy->addAllowedMethod('Form', 'getconfig');
                $policy->addAllowedMethod('FormBuilder', 'gettype');
                $policy->addAllowedMethod('FormView', 'setmethodrendered');
                $policy->addAllowedMethod('Request', 'get');
                $policy->addAllowedMethod('ResolvedTypeDataCollectorProxy', 'getname');
                $policy->addAllowedMethod('Result', 'ispass');
                $policy->addAllowedMethod('TemplateOptionsBag', 'getcss');
                $policy->addAllowedMethod('TemplateOptionsBag', 'getformtheme');
                $policy->addAllowedMethod('TemplateOptionsBag', 'getjs');
                $policy->addAllowedMethod('TemplateOptionsBag', 'getmessages');
                $policy->addAllowedMethod('TemplateOptionsBag', 'getrecaptcha');
                // Properties and tags used by the form templates.
                $policy->addAllowedProperty('Application', 'request');
                $policy->addAllowedProperty('FormView', 'vars');
                $policy->addAllowedTag('form_theme');
                $policy->addAllowedTag('import');

                return $policy;
            })
        );
    }
}
```
I don't think it's desirable to add that to the extension, because it sort of defeats the entire purpose of the sandbox.

My line of thinking is that we should officially not support `{{ boltforms }}` tags inside user-entered content.
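To make the whitelist change from Bolt 3.3 and the "defeats the purpose of the sandbox" point concrete, here is an added, stand-alone example that is not part of Bolt, BoltForms or this thread. It uses plain Twig 1.x (the same `Twig_Sandbox_*` classes as in the error messages above) rather than Bolt's `twig.sandbox.policy` service, and assumes `twig/twig` 1.x is installed via Composer. The `boltforms` function is a constructed stand-in, and the "Body" content and templates are constructed inputs. It shows that the same `{{ boltforms('contact') }}` call is rejected inside the sandboxed, editor-entered body but renders normally from a developer-controlled template, and how the host can fail closed when the sandbox rejects user content.

```php
<?php
// Added example, not Bolt's or BoltForms' code. Assumes twig/twig 1.x is
// installed via Composer (vendor/autoload.php).
require __DIR__ . '/vendor/autoload.php';

// Constructed stand-in for the real boltforms() function, which renders a form.
$boltformsFn = new Twig_SimpleFunction('boltforms', function ($name) {
    return '<form name="' . htmlspecialchars($name, ENT_QUOTES) . '"></form>';
});

// Whitelist policy: inside a sandbox, only what is listed may be used.
// 'boltforms' is deliberately NOT among the allowed functions.
$policy = new Twig_Sandbox_SecurityPolicy(
    ['if', 'for'],        // allowed tags
    ['escape', 'upper'],  // allowed filters
    [],                   // allowed methods, as ['ClassName' => ['method', ...]]
    [],                   // allowed properties, same shape
    []                    // allowed functions
);

// Constructed editor-entered "Body" field (allowtwig: true in the contenttype).
$userBody = "<p>Contact us:</p>{{ boltforms('contact') }}";

$loader = new Twig_Loader_Array([
    'body' => $userBody,
    // Developer-controlled templates. The first sandboxes the user body,
    // the second calls boltforms() directly, outside any sandbox.
    'page_with_body'     => "<article>{% sandbox %}{% include 'body' %}{% endsandbox %}</article>",
    'page_with_template' => "<article>{{ boltforms('contact') }}</article>",
]);

$twig = new Twig_Environment($loader, ['autoescape' => false]);
$twig->addFunction($boltformsFn);
// false = not sandboxed globally; only {% sandbox %} blocks are checked.
$twig->addExtension(new Twig_Extension_Sandbox($policy, false));

/**
 * Render a page. If the sandbox rejects a construct in user content, fail
 * closed: log what was rejected and show the body as escaped text instead
 * of either executing it or breaking the whole page.
 */
function renderPage(Twig_Environment $twig, $template, $fallbackBody)
{
    try {
        return $twig->render($template);
    } catch (Twig_Sandbox_SecurityError $e) {
        // e.g. "Function "boltforms" is not allowed in "body" at line 1."
        error_log('Twig sandbox rejected user content: ' . $e->getMessage());

        return '<article>' . htmlspecialchars($fallbackBody, ENT_QUOTES) . '</article>';
    }
}

// User content: the call is rejected by the policy and rendered escaped.
echo renderPage($twig, 'page_with_body', $userBody), PHP_EOL;
// Developer template: outside the sandbox, the form renders normally.
echo renderPage($twig, 'page_with_template', $userBody), PHP_EOL;
```

Adding `boltforms` (and every function, method and tag its templates need) to the allowed lists, as in the workaround above, makes the first render succeed, but it also means anyone with edit rights on an `allowtwig` field can invoke those calls; keeping the call in the developer's template is what the sandbox is designed to encourage.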
Hey all, I don't mean to bring up a looooong stale thread, but do we have to add the security exceptions like @bobdenotter showed above ( https://github.com/bolt/boltforms/issues/199#issuecomment-354464744 )?

For reference, the particular error I get is:

```
Twig_Sandbox_SecurityNotAllowedTagError in SecurityPolicy.php line 158:
Tag 'import' is not allowed
```

I just came across this for an image extension and was curious.
@cdowdy I'm not in the country right now, but I think you might have a point. Let's add these! Feel free to either PR a change, or bump me in three weeks when I'm back from Guatemala. :-)
Hi, after updating Bolt from 3.2.16 to 3.3.6 and BoltForms from 3.1 to 4.1.12, I'm getting this error when loading the page with the form.

Are there any additional migration steps I missed?
regards Stefano