paragonie / airship

Secure Content Management for the Modern Web - "The sky is only the beginning"
https://cspr.ng

Generic Form Building #126

Open paragonie-scott opened 8 years ago

paragonie-scott commented 8 years ago

I'd like to reduce the code footprint (and therefore liability) by creating a generic form framework in a future version of Airship.

Ideally, we would turn templates like this one into something like:

$form = (new Form())
    ->addLabel('Cabin', $cabin)
    ->addLabel('Page Name', $dir . '/' . $url)
    ->addGroup(
        (new FormGroup())
            ->addElement(new CheckBox('cache', 'Cache this page?', $pageInfo['cache']))
            ->addElement(new CheckBox('raw', "View raw? (Don't run through HTMLPurifier - Doesn't affect preview - Increases risk of XSS)", $pageInfo['raw']))
    )
    ->addElement(new RichTextFormat())
    ->addElement(new RichTextEditor('page_body', $latest['body']))
    ->addGroup(
        (new FieldsetGroup())
            ->addElement(/* ... */)
            /* ... */
    )
    ->addGroup(
        new SubmitButton(),
        (new LinkButton('/return/path'))
            ->setClass('pure_button_tertiary')
    );

And then on the template:

{{ render_form(object_passed_from_php) }}

This will afford us several advantages:

  1. We can reduce the boilerplate by making input filters and CSRF protection baked-in to each form.
  2. If we have to change how a form element is displayed, we only have to make the change in one place.
  3. It should become much easier for users to add/extend forms to their Cabins and Gadgets.
  4. Less redundant code means less to audit, and likely a significantly reduced attack surface.

I'm not quite ready to commit to having this ready for version 2.0.0, but it's an idea I'd like to think about. The actual implementation details (how to handle conditional form requirements) and edge cases (file uploading, element-bound JavaScript) need to be hammered out.
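A minimal sketch of the kind of framework the comment proposes, added here as an example and not Airship's own code: the Form object mints and embeds its CSRF token itself and escapes every label and value it renders, so neither the checkbox description nor the page body from the template above can inject markup. Class and method names (Form, tokenFor, addCheckBox, addTextArea, render, validate) are assumptions, and it requires PHP 8.0 or later.

```php
<?php
// Hypothetical sketch of the proposal above: a Form object that carries its own
// CSRF token and escapes everything it renders. Class and method names are
// assumptions, not Airship's API.
final class Form
{
    private array $elements = [];
    public function __construct(private string $action, private string $csrfToken) {}
    // Mint one token per session so every form built in that session shares it.
    public static function tokenFor(array &$session): string
    {
        if (empty($session['csrf']) || !is_string($session['csrf'])) {
            $session['csrf'] = bin2hex(random_bytes(32));
        }
        return $session['csrf'];
    }
    public function addCheckBox(string $name, string $label, bool $checked): self
    {
        $this->elements[] = sprintf('<label><input type="checkbox" name="%s"%s> %s</label>',
            self::esc($name), $checked ? ' checked' : '', self::esc($label));
        return $this;
    }
    public function addTextArea(string $name, string $value): self
    {
        $this->elements[] = sprintf('<textarea name="%s">%s</textarea>', self::esc($name), self::esc($value));
        return $this;
    }
    // The hidden CSRF field is emitted on every render; no template author has to remember it.
    public function render(): string
    {
        return sprintf('<form method="post" action="%s"><input type="hidden" name="_csrf" value="%s">%s<button type="submit">Save</button></form>',
            self::esc($this->action), self::esc($this->csrfToken), implode('', $this->elements));
    }
    // On submit: constant-time comparison of the posted token against the session copy.
    public function validate(array $post): bool
    {
        return isset($post['_csrf']) && is_string($post['_csrf']) && hash_equals($this->csrfToken, $post['_csrf']);
    }
    private static function esc(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
}

// Constructed usage: the page-body value is hostile-looking input and comes out escaped.
$session = [];
$form = (new Form('/pages/edit', Form::tokenFor($session)))
    ->addCheckBox('cache', 'Cache this page?', true)
    ->addTextArea('page_body', '<script>alert(1)</script>');
echo $form->render(), PHP_EOL;
var_dump($form->validate(['_csrf' => $session['csrf']]), $form->validate(['_csrf' => 'forged']));
```

In a real deployment the token would live in the server-side session store rather than a local array, and the input filters the comment mentions would sit alongside validate() so that field values are checked before the handler sees them.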

geggleto commented 8 years ago

I kinda wanted the same thing... so I started here.

https://github.com/geggleto/form-builder

paragonie-scott commented 8 years ago

There are a ton of benefits (especially for making the new motif configuration system easier to develop for), but I'll need to do research and design a system that makes this as simple as possible.