bolt / boltforms

Bolt 3 Forms extension - Symfony interface and API for Bolt
http://bolt.cm
GNU General Public License v3.0

Error after update bolt to 3.3.6 and boltforms to 4.1.12 #199

Open kutulus opened 7 years ago

kutulus commented 7 years ago

Hi, after updating Bolt from 3.2.16 to 3.3.6 and BoltForms from 3.1 to 4.1.12 I'm getting this error when loading the page with the form.

Uncaught Exception: Twig_Sandbox_SecurityNotAllowedFunctionError .

Twig_Sandbox_SecurityNotAllowedFunctionError in SecurityPolicy.php line 170:
Function 'boltforms' is not allowed in "__string_template__798ccd2aeed56c3363b655d42933fac2837b80982cad9afeff749367c75ebc5b" at line 16. 

Are there any additional migration steps I missed?

regards Stefano

kutulus commented 7 years ago

Update: The error occurs when putting the Twig Tag in the Textfield "Body" {{ boltforms('contact') }}

The Textfield of the Contenttype is configured with: allowtwig: true

When I put the Twig Tag into the Template it works fine.

regards Stefano

flrvt commented 6 years ago

I'm experiencing this issue as well on Bolt 3.3.6 and Boltforms 3.1.0

rossriley commented 6 years ago

This was indeed a change in Bolt 3.3 itself that changed to a whitelist for twig tags. We'll get working on a fix. thanks for the report.

bobdenotter commented 6 years ago

@rossriley I once fixed this by using:

    // Extend the registered sandbox policy rather than replacing it, so the
    // existing allow-list is kept and only the boltforms() function is added.
    $app['twig.sandbox.policy'] = $app->share(
        $app->extend('twig.sandbox.policy', function ($policy) {
            $policy->addAllowedFunction('boltforms');
            return $policy;
        })
    );

Maybe it's as simple as that.
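
The following is an added example, not code from bolt/boltforms or from Bolt itself. It builds a stand-alone Twig 1.x sandbox (the Twig line Bolt 3.3 ships with, hence the `Twig_Sandbox_*` class names in the errors above) to show what the 3.3 allow-list does to editor-entered Twig: under a default-deny policy `{{ boltforms('contact') }}` is refused, allowing that one function makes it render, and everything not on the list (a tag such as `import`, a method the policy does not name) stays blocked. It assumes Twig 1.x installed with Composer; the `boltforms` function and the `FormConfig` class are stand-ins, and the template strings are constructed inputs. It uses Twig's own `Twig_Sandbox_SecurityPolicy` constructor arguments rather than Bolt's `addAllowed*` wrapper methods.

```php
<?php
// Added example (not from bolt/boltforms or Bolt): a stand-alone Twig 1.x
// sandbox showing why {{ boltforms('contact') }} in an allowtwig field is
// refused under a default-deny policy, and how narrow a widening can be.
// Assumes Twig 1.x via Composer (composer require twig/twig:^1.35).
// boltforms() and FormConfig below are stand-ins, not the real extension.
require __DIR__ . '/vendor/autoload.php';

// Stand-in for the real boltforms() Twig function. Marked safe for HTML so
// the autoescaper does not wrap its output in the escape filter.
$boltforms = new Twig_SimpleFunction('boltforms', function ($name) {
    return '<form name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '"></form>';
}, array('is_safe' => array('html')));

// Stand-in for an object a form template might receive in its context.
class FormConfig
{
    public function getOptions()  { return 'public options'; }
    public function getInternal() { return 'constructed internal value'; }
}

function makeSandboxedTwig(Twig_Sandbox_SecurityPolicyInterface $policy, Twig_SimpleFunction $fn)
{
    $twig = new Twig_Environment(new Twig_Loader_Array(array()));
    $twig->addFunction($fn);
    // Second argument true: every template renders inside the sandbox,
    // which is what Bolt does for Twig found in content fields.
    $twig->addExtension(new Twig_Extension_Sandbox($policy, true));
    return $twig;
}

function renderUserContent(Twig_Environment $twig, $source, array $context = array())
{
    try {
        return $twig->createTemplate($source)->render($context);
    } catch (Twig_Sandbox_SecurityError $e) {
        // Parent of the NotAllowedTag/Filter/Function/Method/Property errors.
        return 'BLOCKED: ' . $e->getMessage();
    }
}

// Constructed editor input, as typed into a Body field with allowtwig: true.
$body = "<p>Contact us:</p>\n{{ boltforms('contact') }}";

// 1. Default-deny policy: no tags, filters, methods, properties or functions.
$strict = new Twig_Sandbox_SecurityPolicy(array(), array(), array(), array(), array());
echo renderUserContent(makeSandboxedTwig($strict, $boltforms), $body), "\n";

// 2. Widen by exactly one function plus the escape filter autoescaping needs.
//    Tags (form_theme, import) and unlisted methods remain blocked, so a form
//    theme pulled in by a template would still fail under this policy.
$widened = new Twig_Sandbox_SecurityPolicy(
    array(),                                    // tags
    array('escape'),                            // filters
    array('FormConfig' => array('getOptions')), // methods, keyed by class (instanceof)
    array(),                                    // properties
    array('boltforms')                          // functions
);
$twig = makeSandboxedTwig($widened, $boltforms);
$ctx  = array('cfg' => new FormConfig());

echo renderUserContent($twig, $body), "\n";                              // allowed
echo renderUserContent($twig, "{{ cfg.getOptions() }}", $ctx), "\n";     // allowed method
echo renderUserContent($twig, "{{ cfg.getInternal() }}", $ctx), "\n";    // unlisted method
echo renderUserContent($twig, "{% import 'forms/_macros.twig' as f %}"), "\n"; // unlisted tag
```

Run it with `php sandbox_policy.php` after `composer require twig/twig:^1.35`. The first render is refused with a "not allowed" error for the `boltforms` function; under the widened policy the form renders and `getOptions()` is callable, while `getInternal()` and the `import` tag are still refused, which is why the method and tag lists in a working policy grow as long as the one further down this thread. Each name added there is one more thing an editor with `allowtwig: true` can invoke from a content field, so keep the list to what the form templates actually call.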

flrvt commented 6 years ago

I had a slightly different error message so I'm just writing it down here for future reference (and Google).

Uncaught Exception: Twig_Sandbox_SecurityNotAllowedTagError .

Twig_Sandbox_SecurityNotAllowedTagError in SecurityPolicy.php line 158: 
Tag 'form_theme' is not allowed in "forms/_contact.twig" at line 5.

bobdenotter commented 6 years ago

Because I'm a very stubborn individual, I've added the following method to BoltFormsExtension.php, to make it work:

    public function registerServices(Application $app)
    {
        // Set the sandbox policy, but only for Bolt 3.3 and up.
        if (isset($app['twig.sandbox.policy'])) {
            $app['twig.sandbox.policy'] = $app->share(
                $app->extend('twig.sandbox.policy', function ($policy) {
                    $policy->addAllowedFunction('boltforms');
                    $policy->addAllowedFunction('form_end');
                    $policy->addAllowedFunction('form_errors');
                    $policy->addAllowedFunction('form_label');
                    $policy->addAllowedFunction('form_row');
                    $policy->addAllowedFunction('form_start');
                    $policy->addAllowedFunction('form_widget');
                    $policy->addAllowedFunction('include');
                    $policy->addAllowedMethod('FieldBag', 'getoptions');
                    $policy->addAllowedMethod('FieldOptionsBag', 'label');
                    $policy->addAllowedMethod('FieldsBag', 'email');
                    $policy->addAllowedMethod('FieldsBag', 'label');
                    $policy->addAllowedMethod('FieldsBag', 'message');
                    $policy->addAllowedMethod('FieldsBag', 'name');
                    $policy->addAllowedMethod('Form', 'getconfig');
                    $policy->addAllowedMethod('FormBuilder', 'gettype');
                    $policy->addAllowedMethod('FormView', 'setmethodrendered');
                    $policy->addAllowedMethod('Request', 'get');
                    $policy->addAllowedMethod('ResolvedTypeDataCollectorProxy', 'getname');
                    $policy->addAllowedMethod('Result', 'ispass');
                    $policy->addAllowedMethod('TemplateOptionsBag', 'getcss');
                    $policy->addAllowedMethod('TemplateOptionsBag', 'getformtheme');
                    $policy->addAllowedMethod('TemplateOptionsBag', 'getjs');
                    $policy->addAllowedMethod('TemplateOptionsBag', 'getmessages');
                    $policy->addAllowedMethod('TemplateOptionsBag', 'getrecaptcha');
                    $policy->addAllowedProperty('Application', 'request');
                    $policy->addAllowedProperty('FormView', 'vars');
                    $policy->addAllowedTag('form_theme');
                    $policy->addAllowedTag('import');
                    return $policy;
                })
            );
        }
    }

I don't think it's desirable to add that to the extension, because it sort of defeats the entire purpose of the sandbox.

My line of thinking is that we should officially not support {{ boltforms }} tags inside user-entered content.

cdowdy commented 5 years ago

hey all don't mean to bring up a looooong stale thread but do we have to add the security exceptions like @bobdenotter showed above ( https://github.com/bolt/boltforms/issues/199#issuecomment-354464744 )?

For reference the particular error I get is:

Twig_Sandbox_SecurityNotAllowedTagError in SecurityPolicy.php line 158:
Tag 'import' is not allowed  

I just came across this for an image extension and was curious

bobdenotter commented 5 years ago

@cdowdy I’m not in the country right now, but I think you might have a point. Let’s add these! Feel free to either PR a change, or bump me in three weeks when i’m back from Guatemala. :-)