ttempleton / craft-nocache

Craft CMS Twig extension to escape caching inside cache blocks
MIT License

Adding parameter ?token=[any], nocache returns the cache token ID #26

Closed jon-collette closed 10 months ago

jon-collette commented 10 months ago

Description

When viewing a page that uses the nocache plugin, a user can add an invalid token to the URL to change the output chunk to a number string.

Steps to reproduce

  1. View a page that uses the nocache plugin but does not have valid x-craft-preview and token
  2. Update the URL to include the parameter token set to anything (e.g., "token=1"). For instance, www.example.com has a news feed with nocache. Update the URL to www.example.com?token=test
  3. Nocache chunk will be replaced with ID or file name matching /craftcms/storage/runtime/compiled_templates/nocache

jon-collette commented 10 months ago

If this is intentional, it would be ideal to update the docs and/or change it to devmode only.

ttempleton commented 10 months ago

Thanks for reporting that - fixed now in 3.0.1.