From d84c57ba923fc557d362658b43e0c570efa0ccb4 Mon Sep 17 00:00:00 2001
From: Andy Miller
Date: Mon, 10 Jul 2023 15:55:49 -0600
Subject: [PATCH 1/5] file inline errors

---
 CHANGELOG.md | 6 ++++++
 templates/forms/fields/file/file.html.twig | 7 +++++++
 2 files changed, 13 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7c88629..021eab7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,9 @@
+# v7.2.2
+## mm/dd/2023
+
+1. [](#improved)
+ * Add _inline errors_ for `file` field. Useful in combination with `form: no-validate: true` form setting.
+
 # v7.2.1
 ## 06/27/2023
diff --git a/templates/forms/fields/file/file.html.twig b/templates/forms/fields/file/file.html.twig
index 96ac87e..a4b9d47 100644
--- a/templates/forms/fields/file/file.html.twig
+++ b/templates/forms/fields/file/file.html.twig
@@ -89,7 +89,14 @@
 {{ macro.preview(path, file, _context) }}
 {% endfor %}
 {% include 'forms/fields/hidden/hidden.html.twig' with {field: {name: '_json.' ~ field.name}, value: (value ?? [])|json_encode } %}
+
+
+ {% if inline_errors and errors %}
+
+

{{ errors|first|raw }}

+
+ {% endif %}
 {% if grav.browser.browser == 'msie' and grav.browser.version < 12 %}
 {% do assets.addJs('plugin://form/assets/object.assign.polyfill.js') %}

From aeb9cb529443648db09e523412bf96546d8e4544 Mon Sep 17 00:00:00 2001
From: Andy Miller
Date: Tue, 22 Aug 2023 11:58:04 +0100
Subject: [PATCH 2/5] validate filename against dangerous extensions

---
 CHANGELOG.md | 1 +
 form.php | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 021eab7..c72389c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@
 1. [](#improved)
 * Add _inline errors_ for `file` field. Useful in combination with `form: no-validate: true` form setting.
+ * Validate filename against `uploads_dangerous_extensions` when using the `save:` action
 # v7.2.1
 ## 06/27/2023
diff --git a/form.php b/form.php
index 02eae7a..ee2405e 100644
--- a/form.php
+++ b/form.php
@@ -667,6 +667,12 @@ public function onFormProcessed(Event $event): void
 $filename = $prefix . $this->udate($format, $raw_format) . $postfix . $ext;
 }
+ $extension = Utils::pathinfo($filename, PATHINFO_EXTENSION);
+ $dangerous_extensions = Grav::instance()['config']->get('security.uploads_dangerous_extensions', []);
+ if (in_array($extension, $dangerous_extensions, true)) {
+ throw new RuntimeException(sprintf('Form save: File extension "%s" is not allowed', $extension));
+ }
+
 /** @var Twig $twig */
 $twig = $this->grav['twig'];
 $vars = [

From 1697d0cd4c3fdddf92d0c6798729b33069fdbe98 Mon Sep 17 00:00:00 2001
From: Andy Miller
Date: Tue, 22 Aug 2023 13:32:46 +0100
Subject: [PATCH 3/5] simpler fix

---
 form.php | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/form.php b/form.php
index ee2405e..aa17c1a 100644
--- a/form.php
+++ b/form.php
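Review bot: `{{ errors|first|raw }}` prints the first validation error without HTML escaping, so any error text that embeds user-controlled data (an uploaded filename, for instance) becomes an XSS sink on the re-rendered form page. Unless the file-field error strings are guaranteed to be trusted translated markup, render it as `{{ errors|first }}` and let autoescaping apply, or escape the dynamic part before it is concatenated into the message. If `|raw` is intentional, a one-line comment above it such as `{# error strings are trusted translations, may contain markup #}` would record that assumption for the next maintainer. The wrapping markup of the error block appears to have been lost in this copy of the hunk, so the surrounding element classes could not be reviewed.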
@@ -667,10 +667,9 @@ public function onFormProcessed(Event $event): void
 $filename = $prefix . $this->udate($format, $raw_format) . $postfix . $ext;
 }
- $extension = Utils::pathinfo($filename, PATHINFO_EXTENSION);
- $dangerous_extensions = Grav::instance()['config']->get('security.uploads_dangerous_extensions', []);
- if (in_array($extension, $dangerous_extensions, true)) {
- throw new RuntimeException(sprintf('Form save: File extension "%s" is not allowed', $extension));
+ // Handle bad filenames.
+ if (!Utils::checkFilename($filename)) {
+ throw new RuntimeException(sprintf('Form save: File with extension not allowed: %s', $filename));
 }
 /** @var Twig $twig */

From 93b0ed8927c819fb64937684d25bf12d2f8e3096 Mon Sep 17 00:00:00 2001
From: Andy Miller
Date: Wed, 13 Dec 2023 14:21:43 -0700
Subject: [PATCH 4/5] clear basic-captha value on invalid value

---
 CHANGELOG.md | 2 ++
 form.php | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c72389c..42d57c0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,8 @@
 1. [](#improved)
 * Add _inline errors_ for `file` field. Useful in combination with `form: no-validate: true` form setting.
 * Validate filename against `uploads_dangerous_extensions` when using the `save:` action
+1. [](#bugfix)
+ * Cleared 'basic captcha' value when invalid
 # v7.2.1
 ## 06/27/2023
diff --git a/form.php b/form.php
index aa17c1a..8355a03 100644
--- a/form.php
+++ b/form.php
@@ -518,7 +518,7 @@ public function onFormProcessed(Event $event): void
 $captcha_value = trim($form->value('basic-captcha'));
 if (!$captcha->validateCaptcha($captcha_value)) {
 $message = $params['message'] ?? $this->grav['language']->translate('PLUGIN_FORM.ERROR_BASIC_CAPTCHA');
-
+ $form->setData('basic-captcha', '');
 $this->grav->fireEvent('onFormValidationError', new Event([
 'form' => $form,
 'message' => $message

From b163edef825b3e59f7872a5224640fe712c84657 Mon Sep 17 00:00:00 2001
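Review bot: The `Utils::checkFilename($filename)` guard is evaluated on `$filename` as assembled from `$prefix`, the date and `$ext`, yet the context lines directly below set up `$twig` and `$vars`, which suggests the filename is still passed through Twig later in this function; if that is the case, the check validates the template text rather than the final on-disk name, and a form-value placeholder in the configured filename could still yield a dangerous extension after rendering, so the guard should be repeated (or moved) after the Twig-processed value is known. The message `'Form save: File with extension not allowed: %s'` is also narrower than the check by its name implies — `checkFilename` presumably rejects malformed names as well as bad extensions — and it echoes the raw filename, so a wording like `'Form save: Filename not allowed: %s'` is more accurate and the value should be escaped if the exception text reaches a page. A comment stating that the check depends on `security.uploads_dangerous_extensions` would document where the policy lives, since `checkFilename` is defined outside this plugin. `onFormProcessed` begins before and continues after this hunk.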
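Review bot: `$form->setData('basic-captcha', '')` only blanks the submitted answer; whether the stored challenge is rotated on a failed attempt is decided inside `validateCaptcha`, outside this hunk, and if it is not, the same challenge stays guessable across repeated submissions of the form, so that behaviour is worth confirming. A why-comment on the new line would help the next reader, e.g. `// Drop the rejected answer so it is not echoed back into the re-rendered form`. On the context line, `trim($form->value('basic-captcha'))` passes null to `trim()` when the field is absent, which PHP 8.1+ deprecates; `trim((string) $form->value('basic-captcha'))` avoids that, though that line is not part of this change.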
From: Andy Miller
Date: Wed, 13 Dec 2023 14:27:29 -0700
Subject: [PATCH 5/5] prepare for release

---
 CHANGELOG.md | 2 +-
 blueprints.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 42d57c0..e9ab078 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,5 @@
 # v7.2.2
-## mm/dd/2023
+## 12/13/2023
 1. [](#improved)
 * Add _inline errors_ for `file` field. Useful in combination with `form: no-validate: true` form setting.
diff --git a/blueprints.yaml b/blueprints.yaml
index 4a7ec33..3c33671 100644
--- a/blueprints.yaml
+++ b/blueprints.yaml
@@ -1,7 +1,7 @@
 name: Form
 slug: form
 type: plugin
-version: 7.2.1
+version: 7.2.2
 description: Enables forms handling and processing
 icon: check-square
 author: