From a8a6c0c520d7dc2ec88f3ed8b019a46f175538bb Mon Sep 17 00:00:00 2001
From: Djamil Legato
Date: Thu, 6 Apr 2023 10:29:35 -0700
Subject: [PATCH 01/21] Better and generic ignore pattern for `security.yaml` (fixes #3706)

---
 .gitignore | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/.gitignore b/.gitignore
index f77e8763ce..a2a78f5f2a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,8 +25,7 @@ user/plugins/*
 !user/plugins/.*
 user/themes/*
 !user/themes/.*
-user/localhost/config/security.yaml
-user/config/security.yaml
+user/**/config/security.yaml
 
 # Environments
 .env
@@ -49,4 +48,3 @@ tests/cache/*
 tests/error.log
 system/templates/testing/*
 /user/config/versions.yaml
-/user/cli/config/security.yaml

From e1019c4420f648b3ef66942ad960b28ab10db440 Mon Sep 17 00:00:00 2001
From: Andy Miller
Date: Mon, 8 May 2023 12:21:09 -0600
Subject: [PATCH 02/21] remove FILTER_SANITIZE_STRING as deprecated

---
 CHANGELOG.md | 7 +
 composer.lock | 349 ++++++++----------
 system/defines.php | 3 +
 .../Flex/Types/UserGroups/UserGroupObject.php | 13 +
 .../Common/Service/TaskServiceProvider.php | 4 +-
 .../Common/Twig/Extension/GravExtension.php | 11 +-
 system/src/Grav/Common/Uri.php | 8 +-
 7 files changed, 188 insertions(+), 207 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a134907f4a..0d0873bdf9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,10 @@
+# v1.7.41
+## mm/dd/2023
+
+1. [](#improved)
+    * Removed `FILTER_SANITIZE_STRING` input filter in favor of `htmlspecialchars(strip_tags())`
+    * Added `GRAV_SANITIZE_STRING` constant to replace `FILTER_SANITIZE_STRING`
+
 # v1.7.40
 ## 03/22/2023
 
diff --git a/composer.lock b/composer.lock
index 842d0731ca..19998413d9 100644
--- a/composer.lock
+++ b/composer.lock
@@ -593,16 +593,16 @@ }, { "name": "filp/whoops", - "version": "2.14.6", + "version": "2.15.2", "source": { "type": "git", "url": "https://github.com/filp/whoops.git", - "reference": "f7948baaa0330277c729714910336383286305da" + "reference": "aac9304c5ed61bf7b1b7a6064bf9806ab842ce73" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/filp/whoops/zipball/f7948baaa0330277c729714910336383286305da", - "reference": "f7948baaa0330277c729714910336383286305da", + "url": "https://api.github.com/repos/filp/whoops/zipball/aac9304c5ed61bf7b1b7a6064bf9806ab842ce73", + "reference": "aac9304c5ed61bf7b1b7a6064bf9806ab842ce73", "shasum": "" }, "require": { @@ -652,7 +652,7 @@ ], "support": { "issues": "https://github.com/filp/whoops/issues", - "source": "https://github.com/filp/whoops/tree/2.14.6" + "source": "https://github.com/filp/whoops/tree/2.15.2" }, "funding": [ { @@ -660,7 +660,7 @@ "type": "github" } ], - "time": "2022-11-02T16:23:29+00:00" + "time": "2023-04-12T12:00:00+00:00" }, { "name": "getgrav/cache", @@ -775,16 +775,16 @@ }, { "name": "guzzlehttp/psr7", - "version": "1.9.0", + "version": "1.9.1", "source": { "type": "git", "url": "https://github.com/guzzle/psr7.git", - "reference": "e98e3e6d4f86621a9b75f623996e6bbdeb4b9318" + "reference": "e4490cabc77465aaee90b20cfc9a770f8c04be6b" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/guzzle/psr7/zipball/e98e3e6d4f86621a9b75f623996e6bbdeb4b9318", - "reference": "e98e3e6d4f86621a9b75f623996e6bbdeb4b9318", + "url": "https://api.github.com/repos/guzzle/psr7/zipball/e4490cabc77465aaee90b20cfc9a770f8c04be6b", + "reference": "e4490cabc77465aaee90b20cfc9a770f8c04be6b", "shasum": "" }, "require": { @@ -803,11 +803,6 @@ "laminas/laminas-httphandlerrunner": "Emit PSR-7 responses" }, "type": "library", - "extra": { - "branch-alias": { - "dev-master": "1.9-dev" - } - }, "autoload": { "files": [ "src/functions_include.php" 
@@ -865,7 +860,7 @@ ], "support": { "issues": "https://github.com/guzzle/psr7/issues", - "source": "https://github.com/guzzle/psr7/tree/1.9.0" + "source": "https://github.com/guzzle/psr7/tree/1.9.1" }, "funding": [ { @@ -881,7 +876,7 @@ "type": "tidelift" } ], - "time": "2022-06-20T21:43:03+00:00" + "time": "2023-04-17T16:00:37+00:00" }, { "name": "itsgoingd/clockwork", @@ -1401,38 +1396,39 @@ }, { "name": "nyholm/psr7", - "version": "1.5.1", + "version": "1.8.0", "source": { "type": "git", "url": "https://github.com/Nyholm/psr7.git", - "reference": "f734364e38a876a23be4d906a2a089e1315be18a" + "reference": "3cb4d163b58589e47b35103e8e5e6a6a475b47be" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/Nyholm/psr7/zipball/f734364e38a876a23be4d906a2a089e1315be18a", - "reference": "f734364e38a876a23be4d906a2a089e1315be18a", + "url": "https://api.github.com/repos/Nyholm/psr7/zipball/3cb4d163b58589e47b35103e8e5e6a6a475b47be", + "reference": "3cb4d163b58589e47b35103e8e5e6a6a475b47be", "shasum": "" }, "require": { - "php": ">=7.1", - "php-http/message-factory": "^1.0", + "php": ">=7.2", "psr/http-factory": "^1.0", - "psr/http-message": "^1.0" + "psr/http-message": "^1.1 || ^2.0" }, "provide": { + "php-http/message-factory-implementation": "1.0", "psr/http-factory-implementation": "1.0", "psr/http-message-implementation": "1.0" }, "require-dev": { "http-interop/http-factory-tests": "^0.9", + "php-http/message-factory": "^1.0", "php-http/psr7-integration-tests": "^1.0", - "phpunit/phpunit": "^7.5 || 8.5 || 9.4", + "phpunit/phpunit": "^7.5 || ^8.5 || ^9.4", "symfony/error-handler": "^4.4" }, "type": "library", "extra": { "branch-alias": { - "dev-master": "1.4-dev" + "dev-master": "1.8-dev" } }, "autoload": { @@ -1462,7 +1458,7 @@ ], "support": { "issues": "https://github.com/Nyholm/psr7/issues", - "source": "https://github.com/Nyholm/psr7/tree/1.5.1" + "source": "https://github.com/Nyholm/psr7/tree/1.8.0" }, "funding": [ { 
@@ -1474,7 +1470,7 @@ "type": "github" } ], - "time": "2022-06-22T07:13:36+00:00" + "time": "2023-05-02T11:26:24+00:00" }, { "name": "nyholm/psr7-server", @@ -1542,60 +1538,6 @@ ], "time": "2021-05-12T11:11:27+00:00" }, - { - "name": "php-http/message-factory", - "version": "v1.0.2", - "source": { - "type": "git", - "url": "https://github.com/php-http/message-factory.git", - "reference": "a478cb11f66a6ac48d8954216cfed9aa06a501a1" - }, - "dist": { - "type": "zip", - "url": "https://api.github.com/repos/php-http/message-factory/zipball/a478cb11f66a6ac48d8954216cfed9aa06a501a1", - "reference": "a478cb11f66a6ac48d8954216cfed9aa06a501a1", - "shasum": "" - }, - "require": { - "php": ">=5.4", - "psr/http-message": "^1.0" - }, - "type": "library", - "extra": { - "branch-alias": { - "dev-master": "1.0-dev" - } - }, - "autoload": { - "psr-4": { - "Http\\Message\\": "src/" - } - }, - "notification-url": "https://packagist.org/downloads/", - "license": [ - "MIT" - ], - "authors": [ - { - "name": "Márk Sági-Kazár", - "email": "mark.sagikazar@gmail.com" - } - ], - "description": "Factory interfaces for PSR-7 HTTP Message", - "homepage": "http://php-http.org", - "keywords": [ - "factory", - "http", - "message", - "stream", - "uri" - ], - "support": { - "issues": "https://github.com/php-http/message-factory/issues", - "source": "https://github.com/php-http/message-factory/tree/master" - }, - "time": "2015-12-19T14:08:53+00:00" - }, { "name": "pimple/pimple", "version": "v3.5.0", 
@@ -1748,21 +1690,21 @@ }, { "name": "psr/http-factory", - "version": "1.0.1", + "version": "1.0.2", "source": { "type": "git", "url": "https://github.com/php-fig/http-factory.git", - "reference": "12ac7fcd07e5b077433f5f2bee95b3a771bf61be" + "reference": "e616d01114759c4c489f93b099585439f795fe35" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/php-fig/http-factory/zipball/12ac7fcd07e5b077433f5f2bee95b3a771bf61be", - "reference": "12ac7fcd07e5b077433f5f2bee95b3a771bf61be", + "url": "https://api.github.com/repos/php-fig/http-factory/zipball/e616d01114759c4c489f93b099585439f795fe35", + "reference": "e616d01114759c4c489f93b099585439f795fe35", "shasum": "" }, "require": { "php": ">=7.0.0", - "psr/http-message": "^1.0" + "psr/http-message": "^1.0 || ^2.0" }, "type": "library", "extra": { @@ -1782,7 +1724,7 @@ "authors": [ { "name": "PHP-FIG", - "homepage": "http://www.php-fig.org/" + "homepage": "https://www.php-fig.org/" } ], "description": "Common interfaces for PSR-7 HTTP message factories", 
@@ -1797,31 +1739,31 @@ "response" ], "support": { - "source": "https://github.com/php-fig/http-factory/tree/master" + "source": "https://github.com/php-fig/http-factory/tree/1.0.2" }, - "time": "2019-04-30T12:38:16+00:00" + "time": "2023-04-10T20:10:41+00:00" }, { "name": "psr/http-message", - "version": "1.0.1", + "version": "1.1", "source": { "type": "git", "url": "https://github.com/php-fig/http-message.git", - "reference": "f6561bf28d520154e4b0ec72be95418abe6d9363" + "reference": "cb6ce4845ce34a8ad9e68117c10ee90a29919eba" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/php-fig/http-message/zipball/f6561bf28d520154e4b0ec72be95418abe6d9363", - "reference": "f6561bf28d520154e4b0ec72be95418abe6d9363", + "url": "https://api.github.com/repos/php-fig/http-message/zipball/cb6ce4845ce34a8ad9e68117c10ee90a29919eba", + "reference": "cb6ce4845ce34a8ad9e68117c10ee90a29919eba", "shasum": "" }, "require": { - "php": ">=5.3.0" + "php": "^7.2 || ^8.0" }, "type": "library", "extra": { "branch-alias": { - "dev-master": "1.0.x-dev" + "dev-master": "1.1.x-dev" } }, "autoload": { 
@@ -1850,27 +1792,27 @@ "response" ], "support": { - "source": "https://github.com/php-fig/http-message/tree/master" + "source": "https://github.com/php-fig/http-message/tree/1.1" }, - "time": "2016-08-06T14:39:51+00:00" + "time": "2023-04-04T09:50:52+00:00" }, { "name": "psr/http-server-handler", - "version": "1.0.1", + "version": "1.0.2", "source": { "type": "git", "url": "https://github.com/php-fig/http-server-handler.git", - "reference": "aff2f80e33b7f026ec96bb42f63242dc50ffcae7" + "reference": "84c4fb66179be4caaf8e97bd239203245302e7d4" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/php-fig/http-server-handler/zipball/aff2f80e33b7f026ec96bb42f63242dc50ffcae7", - "reference": "aff2f80e33b7f026ec96bb42f63242dc50ffcae7", + "url": "https://api.github.com/repos/php-fig/http-server-handler/zipball/84c4fb66179be4caaf8e97bd239203245302e7d4", + "reference": "84c4fb66179be4caaf8e97bd239203245302e7d4", "shasum": "" }, "require": { "php": ">=7.0", - "psr/http-message": "^1.0" + "psr/http-message": "^1.0 || ^2.0" }, "type": "library", "extra": { @@ -1890,7 +1832,7 @@ "authors": [ { "name": "PHP-FIG", - "homepage": "http://www.php-fig.org/" + "homepage": "https://www.php-fig.org/" } ], "description": "Common interface for HTTP server-side request handler", 
@@ -1906,28 +1848,27 @@ "server" ], "support": { - "issues": "https://github.com/php-fig/http-server-handler/issues", - "source": "https://github.com/php-fig/http-server-handler/tree/master" + "source": "https://github.com/php-fig/http-server-handler/tree/1.0.2" }, - "time": "2018-10-30T16:46:14+00:00" + "time": "2023-04-10T20:06:20+00:00" }, { "name": "psr/http-server-middleware", - "version": "1.0.1", + "version": "1.0.2", "source": { "type": "git", "url": "https://github.com/php-fig/http-server-middleware.git", - "reference": "2296f45510945530b9dceb8bcedb5cb84d40c5f5" + "reference": "c1481f747daaa6a0782775cd6a8c26a1bf4a3829" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/php-fig/http-server-middleware/zipball/2296f45510945530b9dceb8bcedb5cb84d40c5f5", - "reference": "2296f45510945530b9dceb8bcedb5cb84d40c5f5", + "url": "https://api.github.com/repos/php-fig/http-server-middleware/zipball/c1481f747daaa6a0782775cd6a8c26a1bf4a3829", + "reference": "c1481f747daaa6a0782775cd6a8c26a1bf4a3829", "shasum": "" }, "require": { "php": ">=7.0", - "psr/http-message": "^1.0", + "psr/http-message": "^1.0 || ^2.0", "psr/http-server-handler": "^1.0" }, "type": "library", @@ -1948,7 +1889,7 @@ "authors": [ { "name": "PHP-FIG", - "homepage": "http://www.php-fig.org/" + "homepage": "https://www.php-fig.org/" } ], "description": "Common interface for HTTP server-side middleware", @@ -1964,9 +1905,9 @@ ], "support": { "issues": "https://github.com/php-fig/http-server-middleware/issues", - "source": "https://github.com/php-fig/http-server-middleware/tree/master" + "source": "https://github.com/php-fig/http-server-middleware/tree/1.0.2" }, - "time": "2018-10-30T17:12:04+00:00" + "time": "2023-04-11T06:14:47+00:00" }, { "name": "psr/log", 
@@ -2160,16 +2101,16 @@ }, { "name": "rockettheme/toolbox", - "version": "1.6.3", + "version": "1.6.4", "source": { "type": "git", "url": "https://github.com/rockettheme/toolbox.git", - "reference": "8c751e96269aee4b42bf10c8d39f2121b7b7859c" + "reference": "4d1021492385117323b50e3370626da613dd6c16" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/rockettheme/toolbox/zipball/8c751e96269aee4b42bf10c8d39f2121b7b7859c", - "reference": "8c751e96269aee4b42bf10c8d39f2121b7b7859c", + "url": "https://api.github.com/repos/rockettheme/toolbox/zipball/4d1021492385117323b50e3370626da613dd6c16", + "reference": "4d1021492385117323b50e3370626da613dd6c16", "shasum": "" }, "require": { @@ -2208,9 +2149,9 @@ ], "support": { "issues": "https://github.com/rockettheme/toolbox/issues", - "source": "https://github.com/rockettheme/toolbox/tree/1.6.3" + "source": "https://github.com/rockettheme/toolbox/tree/1.6.4" }, - "time": "2023-02-19T19:28:53+00:00" + "time": "2023-03-24T18:58:25+00:00" }, { "name": "seld/cli-prompt", @@ -4063,22 +4004,22 @@ }, { "name": "guzzlehttp/guzzle", - "version": "7.5.0", + "version": "7.5.1", "source": { "type": "git", "url": "https://github.com/guzzle/guzzle.git", - "reference": "b50a2a1251152e43f6a37f0fa053e730a67d25ba" + "reference": "b964ca597e86b752cd994f27293e9fa6b6a95ed9" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/guzzle/guzzle/zipball/b50a2a1251152e43f6a37f0fa053e730a67d25ba", - "reference": "b50a2a1251152e43f6a37f0fa053e730a67d25ba", + "url": "https://api.github.com/repos/guzzle/guzzle/zipball/b964ca597e86b752cd994f27293e9fa6b6a95ed9", + "reference": "b964ca597e86b752cd994f27293e9fa6b6a95ed9", "shasum": "" }, "require": { "ext-json": "*", "guzzlehttp/promises": "^1.5", - "guzzlehttp/psr7": "^1.9 || ^2.4", + "guzzlehttp/psr7": "^1.9.1 || ^2.4.5", "php": "^7.2.5 || ^8.0", "psr/http-client": "^1.0", "symfony/deprecation-contracts": "^2.2 || ^3.0" 
@@ -4171,7 +4112,7 @@ ], "support": { "issues": "https://github.com/guzzle/guzzle/issues", - "source": "https://github.com/guzzle/guzzle/tree/7.5.0" + "source": "https://github.com/guzzle/guzzle/tree/7.5.1" }, "funding": [ { @@ -4187,7 +4128,7 @@ "type": "tidelift" } ], - "time": "2022-08-28T15:39:27+00:00" + "time": "2023-04-17T16:30:08+00:00" }, { "name": "guzzlehttp/promises", @@ -4275,16 +4216,16 @@ }, { "name": "myclabs/deep-copy", - "version": "1.11.0", + "version": "1.11.1", "source": { "type": "git", "url": "https://github.com/myclabs/DeepCopy.git", - "reference": "14daed4296fae74d9e3201d2c4925d1acb7aa614" + "reference": "7284c22080590fb39f2ffa3e9057f10a4ddd0e0c" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/myclabs/DeepCopy/zipball/14daed4296fae74d9e3201d2c4925d1acb7aa614", - "reference": "14daed4296fae74d9e3201d2c4925d1acb7aa614", + "url": "https://api.github.com/repos/myclabs/DeepCopy/zipball/7284c22080590fb39f2ffa3e9057f10a4ddd0e0c", + "reference": "7284c22080590fb39f2ffa3e9057f10a4ddd0e0c", "shasum": "" }, "require": { @@ -4322,7 +4263,7 @@ ], "support": { "issues": "https://github.com/myclabs/DeepCopy/issues", - "source": "https://github.com/myclabs/DeepCopy/tree/1.11.0" + "source": "https://github.com/myclabs/DeepCopy/tree/1.11.1" }, "funding": [ { 
@@ -4330,20 +4271,20 @@ "type": "tidelift" } ], - "time": "2022-03-03T13:19:32+00:00" + "time": "2023-03-08T13:26:56+00:00" }, { "name": "nikic/php-parser", - "version": "v4.15.3", + "version": "v4.15.4", "source": { "type": "git", "url": "https://github.com/nikic/PHP-Parser.git", - "reference": "570e980a201d8ed0236b0a62ddf2c9cbb2034039" + "reference": "6bb5176bc4af8bcb7d926f88718db9b96a2d4290" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/nikic/PHP-Parser/zipball/570e980a201d8ed0236b0a62ddf2c9cbb2034039", - "reference": "570e980a201d8ed0236b0a62ddf2c9cbb2034039", + "url": "https://api.github.com/repos/nikic/PHP-Parser/zipball/6bb5176bc4af8bcb7d926f88718db9b96a2d4290", + "reference": "6bb5176bc4af8bcb7d926f88718db9b96a2d4290", "shasum": "" }, "require": { @@ -4384,9 +4325,9 @@ ], "support": { "issues": "https://github.com/nikic/PHP-Parser/issues", - "source": "https://github.com/nikic/PHP-Parser/tree/v4.15.3" + "source": "https://github.com/nikic/PHP-Parser/tree/v4.15.4" }, - "time": "2023-01-16T22:05:37+00:00" + "time": "2023-03-05T19:49:14+00:00" }, { "name": "phar-io/manifest", @@ -4501,16 +4442,16 @@ }, { "name": "phpstan/phpstan", - "version": "1.9.18", + "version": "1.10.14", "source": { "type": "git", "url": "https://github.com/phpstan/phpstan.git", - "reference": "f2d5cf71be91172a57c649770b73c20ebcffb0bf" + "reference": "d232901b09e67538e5c86a724be841bea5768a7c" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/phpstan/phpstan/zipball/f2d5cf71be91172a57c649770b73c20ebcffb0bf", - "reference": "f2d5cf71be91172a57c649770b73c20ebcffb0bf", + "url": "https://api.github.com/repos/phpstan/phpstan/zipball/d232901b09e67538e5c86a724be841bea5768a7c", + "reference": "d232901b09e67538e5c86a724be841bea5768a7c", "shasum": "" }, "require": { 
@@ -4539,8 +4480,11 @@ "static analysis" ], "support": { + "docs": "https://phpstan.org/user-guide/getting-started", + "forum": "https://github.com/phpstan/phpstan/discussions", "issues": "https://github.com/phpstan/phpstan/issues", - "source": "https://github.com/phpstan/phpstan/tree/1.9.18" + "security": "https://github.com/phpstan/phpstan/security/policy", + "source": "https://github.com/phpstan/phpstan-src" }, "funding": [ { @@ -4556,25 +4500,25 @@ "type": "tidelift" } ], - "time": "2023-02-17T15:01:27+00:00" + "time": "2023-04-19T13:47:27+00:00" }, { "name": "phpstan/phpstan-deprecation-rules", - "version": "1.1.1", + "version": "1.1.3", "source": { "type": "git", "url": "https://github.com/phpstan/phpstan-deprecation-rules.git", - "reference": "2c6792eda026d9c474c14aa018aed312686714db" + "reference": "a22b36b955a2e9a3d39fe533b6c1bb5359f9c319" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/phpstan/phpstan-deprecation-rules/zipball/2c6792eda026d9c474c14aa018aed312686714db", - "reference": "2c6792eda026d9c474c14aa018aed312686714db", + "url": "https://api.github.com/repos/phpstan/phpstan-deprecation-rules/zipball/a22b36b955a2e9a3d39fe533b6c1bb5359f9c319", + "reference": "a22b36b955a2e9a3d39fe533b6c1bb5359f9c319", "shasum": "" }, "require": { "php": "^7.2 || ^8.0", - "phpstan/phpstan": "^1.9.3" + "phpstan/phpstan": "^1.10" }, "require-dev": { "php-parallel-lint/php-parallel-lint": "^1.2", 
@@ -4602,29 +4546,29 @@ "description": "PHPStan rules for detecting usage of deprecated classes, methods, properties, constants and traits.", "support": { "issues": "https://github.com/phpstan/phpstan-deprecation-rules/issues", - "source": "https://github.com/phpstan/phpstan-deprecation-rules/tree/1.1.1" + "source": "https://github.com/phpstan/phpstan-deprecation-rules/tree/1.1.3" }, - "time": "2022-12-13T14:26:20+00:00" + "time": "2023-03-17T07:50:08+00:00" }, { "name": "phpunit/php-code-coverage", - "version": "9.2.24", + "version": "9.2.26", "source": { "type": "git", "url": "https://github.com/sebastianbergmann/php-code-coverage.git", - "reference": "2cf940ebc6355a9d430462811b5aaa308b174bed" + "reference": "443bc6912c9bd5b409254a40f4b0f4ced7c80ea1" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/sebastianbergmann/php-code-coverage/zipball/2cf940ebc6355a9d430462811b5aaa308b174bed", - "reference": "2cf940ebc6355a9d430462811b5aaa308b174bed", + "url": "https://api.github.com/repos/sebastianbergmann/php-code-coverage/zipball/443bc6912c9bd5b409254a40f4b0f4ced7c80ea1", + "reference": "443bc6912c9bd5b409254a40f4b0f4ced7c80ea1", "shasum": "" }, "require": { "ext-dom": "*", "ext-libxml": "*", "ext-xmlwriter": "*", - "nikic/php-parser": "^4.14", + "nikic/php-parser": "^4.15", "php": ">=7.3", "phpunit/php-file-iterator": "^3.0.3", "phpunit/php-text-template": "^2.0.2", @@ -4639,8 +4583,8 @@ "phpunit/phpunit": "^9.3" }, "suggest": { - "ext-pcov": "*", - "ext-xdebug": "*" + "ext-pcov": "PHP extension that provides line coverage", + "ext-xdebug": "PHP extension that provides line coverage as well as branch and path coverage" }, "type": "library", "extra": { @@ -4673,7 +4617,7 @@ ], "support": { "issues": "https://github.com/sebastianbergmann/php-code-coverage/issues", - "source": "https://github.com/sebastianbergmann/php-code-coverage/tree/9.2.24" + "source": "https://github.com/sebastianbergmann/php-code-coverage/tree/9.2.26" }, "funding": [ { 
@@ -4681,7 +4625,7 @@ "type": "github" } ], - "time": "2023-01-26T08:26:55+00:00" + "time": "2023-03-06T12:58:08+00:00" }, { "name": "phpunit/php-file-iterator", @@ -4926,16 +4870,16 @@ }, { "name": "phpunit/phpunit", - "version": "9.6.3", + "version": "9.6.7", "source": { "type": "git", "url": "https://github.com/sebastianbergmann/phpunit.git", - "reference": "e7b1615e3e887d6c719121c6d4a44b0ab9645555" + "reference": "c993f0d3b0489ffc42ee2fe0bd645af1538a63b2" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/sebastianbergmann/phpunit/zipball/e7b1615e3e887d6c719121c6d4a44b0ab9645555", - "reference": "e7b1615e3e887d6c719121c6d4a44b0ab9645555", + "url": "https://api.github.com/repos/sebastianbergmann/phpunit/zipball/c993f0d3b0489ffc42ee2fe0bd645af1538a63b2", + "reference": "c993f0d3b0489ffc42ee2fe0bd645af1538a63b2", "shasum": "" }, "require": { @@ -4968,8 +4912,8 @@ "sebastian/version": "^3.0.2" }, "suggest": { - "ext-soap": "*", - "ext-xdebug": "*" + "ext-soap": "To be able to generate mocks based on WSDL files", + "ext-xdebug": "PHP extension that provides line coverage as well as branch and path coverage" }, "bin": [ "phpunit" @@ -5008,7 +4952,8 @@ ], "support": { "issues": "https://github.com/sebastianbergmann/phpunit/issues", - "source": "https://github.com/sebastianbergmann/phpunit/tree/9.6.3" + "security": "https://github.com/sebastianbergmann/phpunit/security/policy", + "source": "https://github.com/sebastianbergmann/phpunit/tree/9.6.7" }, "funding": [ { 
@@ -5024,25 +4969,25 @@ "type": "tidelift" } ], - "time": "2023-02-04T13:37:15+00:00" + "time": "2023-04-14T08:58:40+00:00" }, { "name": "psr/http-client", - "version": "1.0.1", + "version": "1.0.2", "source": { "type": "git", "url": "https://github.com/php-fig/http-client.git", - "reference": "2dfb5f6c5eff0e91e20e913f8c5452ed95b86621" + "reference": "0955afe48220520692d2d09f7ab7e0f93ffd6a31" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/php-fig/http-client/zipball/2dfb5f6c5eff0e91e20e913f8c5452ed95b86621", - "reference": "2dfb5f6c5eff0e91e20e913f8c5452ed95b86621", + "url": "https://api.github.com/repos/php-fig/http-client/zipball/0955afe48220520692d2d09f7ab7e0f93ffd6a31", + "reference": "0955afe48220520692d2d09f7ab7e0f93ffd6a31", "shasum": "" }, "require": { "php": "^7.0 || ^8.0", - "psr/http-message": "^1.0" + "psr/http-message": "^1.0 || ^2.0" }, "type": "library", "extra": { @@ -5062,7 +5007,7 @@ "authors": [ { "name": "PHP-FIG", - "homepage": "http://www.php-fig.org/" + "homepage": "https://www.php-fig.org/" } ], "description": "Common interface for HTTP clients", @@ -5074,9 +5019,9 @@ "psr-18" ], "support": { - "source": "https://github.com/php-fig/http-client/tree/master" + "source": "https://github.com/php-fig/http-client/tree/1.0.2" }, - "time": "2020-06-29T06:28:15+00:00" + "time": "2023-04-10T20:12:12+00:00" }, { "name": "sebastian/cli-parser", 
@@ -6044,16 +5989,16 @@ }, { "name": "symfony/browser-kit", - "version": "v5.4.19", + "version": "v5.4.21", "source": { "type": "git", "url": "https://github.com/symfony/browser-kit.git", - "reference": "572b9e03741051b97c316f65f8c361eed08fdb14" + "reference": "a866ca7e396f15d7efb6d74a8a7d364d4e05b704" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/browser-kit/zipball/572b9e03741051b97c316f65f8c361eed08fdb14", - "reference": "572b9e03741051b97c316f65f8c361eed08fdb14", + "url": "https://api.github.com/repos/symfony/browser-kit/zipball/a866ca7e396f15d7efb6d74a8a7d364d4e05b704", + "reference": "a866ca7e396f15d7efb6d74a8a7d364d4e05b704", "shasum": "" }, "require": { @@ -6096,7 +6041,7 @@ "description": "Simulates the behavior of a web browser, allowing you to make requests, click on links and submit forms programmatically", "homepage": "https://symfony.com", "support": { - "source": "https://github.com/symfony/browser-kit/tree/v5.4.19" + "source": "https://github.com/symfony/browser-kit/tree/v5.4.21" }, "funding": [ { @@ -6112,20 +6057,20 @@ "type": "tidelift" } ], - "time": "2023-01-01T08:32:19+00:00" + "time": "2023-02-14T08:03:56+00:00" }, { "name": "symfony/css-selector", - "version": "v5.4.19", + "version": "v5.4.21", "source": { "type": "git", "url": "https://github.com/symfony/css-selector.git", - "reference": "f4a7d150f5b9e8f974f6f127d8167e420d11fc62" + "reference": "95f3c7468db1da8cc360b24fa2a26e7cefcb355d" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/css-selector/zipball/f4a7d150f5b9e8f974f6f127d8167e420d11fc62", - "reference": "f4a7d150f5b9e8f974f6f127d8167e420d11fc62", + "url": "https://api.github.com/repos/symfony/css-selector/zipball/95f3c7468db1da8cc360b24fa2a26e7cefcb355d", + "reference": "95f3c7468db1da8cc360b24fa2a26e7cefcb355d", "shasum": "" }, "require": { 
@@ -6162,7 +6107,7 @@ "description": "Converts CSS selectors to XPath expressions", "homepage": "https://symfony.com", "support": { - "source": "https://github.com/symfony/css-selector/tree/v5.4.19" + "source": "https://github.com/symfony/css-selector/tree/v5.4.21" }, "funding": [ { @@ -6178,7 +6123,7 @@ "type": "tidelift" } ], - "time": "2023-01-01T08:32:19+00:00" + "time": "2023-02-14T08:03:56+00:00" }, { "name": "symfony/deprecation-contracts", @@ -6249,16 +6194,16 @@ }, { "name": "symfony/dom-crawler", - "version": "v5.4.19", + "version": "v5.4.23", "source": { "type": "git", "url": "https://github.com/symfony/dom-crawler.git", - "reference": "224a1820e7669babdd85970230ed72bd6e342ad4" + "reference": "4a286c916b74ecfb6e2caf1aa31d3fe2a34b7e08" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/dom-crawler/zipball/224a1820e7669babdd85970230ed72bd6e342ad4", - "reference": "224a1820e7669babdd85970230ed72bd6e342ad4", + "url": "https://api.github.com/repos/symfony/dom-crawler/zipball/4a286c916b74ecfb6e2caf1aa31d3fe2a34b7e08", + "reference": "4a286c916b74ecfb6e2caf1aa31d3fe2a34b7e08", "shasum": "" }, "require": { @@ -6304,7 +6249,7 @@ "description": "Eases DOM navigation for HTML and XML documents", "homepage": "https://symfony.com", "support": { - "source": "https://github.com/symfony/dom-crawler/tree/v5.4.19" + "source": "https://github.com/symfony/dom-crawler/tree/v5.4.23" }, "funding": [ { 
@@ -6320,20 +6265,20 @@ "type": "tidelift" } ], - "time": "2023-01-14T19:14:44+00:00" + "time": "2023-04-08T21:20:19+00:00" }, { "name": "symfony/finder", - "version": "v5.4.19", + "version": "v5.4.21", "source": { "type": "git", "url": "https://github.com/symfony/finder.git", - "reference": "6071aebf810ad13fe8200c224f36103abb37cf1f" + "reference": "078e9a5e1871fcfe6a5ce421b539344c21afef19" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/symfony/finder/zipball/6071aebf810ad13fe8200c224f36103abb37cf1f", - "reference": "6071aebf810ad13fe8200c224f36103abb37cf1f", + "url": "https://api.github.com/repos/symfony/finder/zipball/078e9a5e1871fcfe6a5ce421b539344c21afef19", + "reference": "078e9a5e1871fcfe6a5ce421b539344c21afef19", "shasum": "" }, "require": { @@ -6367,7 +6312,7 @@ "description": "Finds files and directories via an intuitive fluent interface", "homepage": "https://symfony.com", "support": { - "source": "https://github.com/symfony/finder/tree/v5.4.19" + "source": "https://github.com/symfony/finder/tree/v5.4.21" }, "funding": [ { @@ -6383,7 +6328,7 @@ "type": "tidelift" } ], - "time": "2023-01-14T19:14:44+00:00" + "time": "2023-02-16T09:33:00+00:00" }, { "name": "theseer/tokenizer", diff --git a/system/defines.php b/system/defines.php index 6945cd1e7c..c93bd69517 100644 --- a/system/defines.php +++ b/system/defines.php @@ -99,3 +99,6 @@ define('TWIG_CONTENT', 2); define('TWIG_CONTENT_LIST', 3); define('TWIG_TEMPLATES', 4); + +// Filters +define('GRAV_SANITIZE_STRING', 5001); diff --git a/system/src/Grav/Common/Flex/Types/UserGroups/UserGroupObject.php b/system/src/Grav/Common/Flex/Types/UserGroups/UserGroupObject.php index d1e4c4046f..b3d7b237f5 100644 --- a/system/src/Grav/Common/Flex/Types/UserGroups/UserGroupObject.php +++ b/system/src/Grav/Common/Flex/Types/UserGroups/UserGroupObject.php 
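Review bot: `define('GRAV_SANITIZE_STRING', 5001);` is handed to `Uri::post()` through the same `$filter_type` argument that otherwise goes straight to `filter_var()`, so its value has to stay clear of every engine `FILTER_*` id, and nothing on the line records that constraint. A comment would keep a future edit from picking a colliding number: `// Grav-specific filter id consumed by Uri::post(); keep it outside the range of PHP's built-in FILTER_* constants`. The constant also does not say which sanitisation it selects; naming `htmlspecialchars(strip_tags())` in that comment would help callers migrating off `FILTER_SANITIZE_STRING`.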
@@ -12,6 +12,7 @@
 namespace Grav\Common\Flex\Types\UserGroups;
 
 use Grav\Common\Flex\FlexObject;
+use Grav\Common\Grav;
 use Grav\Common\User\Access;
 use Grav\Common\User\Interfaces\UserGroupInterface;
 use function is_bool;
@@ -74,6 +75,18 @@ public function authorize(string $action, string $scope = null): ?bool
         return $access->authorize('admin.super') ? true : null;
     }
 
+    public static function groupNames(): array
+    {
+        $groups = [];
+        $user_groups = Grav::instance()['user_groups'];
+
+        foreach ($user_groups as $key => $group) {
+            $groups[$key] = $group->readableName;
+        }
+
+        return $groups;
+    }
+
     /**
      * @return Access
      */
diff --git a/system/src/Grav/Common/Service/TaskServiceProvider.php b/system/src/Grav/Common/Service/TaskServiceProvider.php
index ce5ec649c7..9dac67a19c 100644
--- a/system/src/Grav/Common/Service/TaskServiceProvider.php
+++ b/system/src/Grav/Common/Service/TaskServiceProvider.php
@@ -33,7 +33,7 @@ public function register(Container $container)
             $task = $body['task'] ?? $c['uri']->param('task');
 
             if (null !== $task) {
-                $task = filter_var($task, FILTER_SANITIZE_STRING);
+                $task = htmlspecialchars(strip_tags($task), ENT_QUOTES, 'UTF-8');
             }
 
             return $task ?: null;
@@ -46,7 +46,7 @@ public function register(Container $container)
             $action = $body['action'] ?? $c['uri']->param('action');
 
             if (null !== $action) {
-                $action = filter_var($action, FILTER_SANITIZE_STRING);
+                $action = htmlspecialchars(strip_tags($action), ENT_QUOTES, 'UTF-8');
             }
 
             return $action ?: null;
diff --git a/system/src/Grav/Common/Twig/Extension/GravExtension.php b/system/src/Grav/Common/Twig/Extension/GravExtension.php
index f3a122ebdc..68bea60351 100644
--- a/system/src/Grav/Common/Twig/Extension/GravExtension.php
+++ b/system/src/Grav/Common/Twig/Extension/GravExtension.php
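Review bot: `groupNames()` has no docblock, and its bare `array` return type says nothing about the shape callers get back; from the loop it is keyed by the `user_groups` key with each entry's `readableName` as value, so `@return array<string, mixed>` plus a one-line purpose would document it — `readableName`'s type is not visible here, so I would not narrow it further. The loop also trusts that every entry exposes `readableName`; if the service can hold entries without it, `$groups[$key] = $group->readableName ?? $key;` avoids an undefined-property warning and a null label. I cannot see the `user_groups` service from this hunk, so treat that as a question rather than a confirmed defect.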
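Review bot: `strip_tags($task)` changes behaviour for non-string input: `$body['task']` can arrive as an array or another non-string value (the body is decoded outside this hunk), and `strip_tags()` then throws a `TypeError` on PHP 8 where the old `filter_var()` quietly yielded `false` and the closure returned `null`. Guard before sanitising, `$task = is_string($task) ? htmlspecialchars(strip_tags($task), ENT_QUOTES, 'UTF-8') : null;`, and the same for `$action` in the hunk below. The `getCookie()` hunk in GravExtension.php has the sibling case: `filter_input()` yields `false`, not `null`, when the cookie value is not a plain scalar (an array cookie, for instance), so `if ($cookie_value === null)` lets `false` reach `strip_tags()`, and `if (!is_string($cookie_value)) { return null; }` covers both. `Uri::post()` in the same commit passes `$item` from `getDotNotation()` straight into `strip_tags()` and needs the same `is_string` check. The `register()` closures begin and end outside these hunks.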
@@ -1203,6 +1203,9 @@ public function nonceFieldFunc($action, $nonceParamName = 'nonce') */ public function jsonDecodeFilter($str, $assoc = false, $depth = 512, $options = 0) { + if ($str === null) { + $str = ''; + } return json_decode(html_entity_decode($str, ENT_COMPAT | ENT_HTML401, 'UTF-8'), $assoc, $depth, $options); } @@ -1214,7 +1217,13 @@ public function jsonDecodeFilter($str, $assoc = false, $depth = 512, $options = */ public function getCookie($key) { - return filter_input(INPUT_COOKIE, $key, FILTER_SANITIZE_STRING); + $cookie_value = filter_input(INPUT_COOKIE, $key); + + if ($cookie_value === null) { + return null; + } + + return htmlspecialchars(strip_tags($cookie_value), ENT_QUOTES, 'UTF-8'); } /** diff --git a/system/src/Grav/Common/Uri.php b/system/src/Grav/Common/Uri.php index c192438e2e..0564a6379f 100644 --- a/system/src/Grav/Common/Uri.php +++ b/system/src/Grav/Common/Uri.php @@ -1005,7 +1005,7 @@ public static function extractParams($uri, $delimiter) foreach ($matches as $match) { $param = explode($delimiter, $match[1]); if (count($param) === 2) { - $plain_var = filter_var(rawurldecode($param[1]), FILTER_SANITIZE_STRING); + $plain_var = htmlspecialchars(strip_tags(rawurldecode($param[1])), ENT_QUOTES, 'UTF-8'); $params[$param[0]] = $plain_var; $uri = str_replace($match[0], '', $uri); } @@ -1388,7 +1388,11 @@ public function post($element = null, $filter_type = null) if ($this->post && null !== $element) { $item = Utils::getDotNotation($this->post, $element); if ($filter_type) { - $item = filter_var($item, $filter_type); + if ($filter_type === FILTER_SANITIZE_STRING || $filter_type === GRAV_SANITIZE_STRING) { + $item = htmlspecialchars(strip_tags($item), ENT_QUOTES, 'UTF-8'); + } else { + $item = filter_var($item, $filter_type); + } } return $item; } From 598836d65674306af522465308664b4c44481ebf Mon Sep 17 00:00:00 2001 
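Review bot: In `getCookie()`, `filter_input(INPUT_COOKIE, $key)` returns `false` (not `null`) when the cookie exists but fails the default scalar filter, e.g. a `key[]=v` cookie, and the new code only handles `null`; `strip_tags(false)` then either coerces to `''` or throws a `TypeError` if this file declares strict types. A type guard covers both outcomes: `if (!is_string($cookie_value)) { return null; }`. Cookies are fully client-controlled, so the array form is reachable by any visitor. Without `ENT_SUBSTITUTE`, an invalid-UTF-8 cookie value also yields `''` — a safe failure, but a silent one that may deserve a comment.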
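Review bot: In `post()`, the new sanitising branch passes `$item` straight to `strip_tags()`, but `$item` is whatever `Utils::getDotNotation()` returned and is not guaranteed to be a string: a missing key presumably yields `null` (which is exactly the "passing null to a string parameter" deprecation this series is removing) and a nested POST array throws a `TypeError` on PHP 8, whereas `filter_var()` returned `false` for both. Guard it: `$item = is_string($item) ? htmlspecialchars(strip_tags($item), ENT_QUOTES, 'UTF-8') : false;` — keeping `false` preserves the old return for callers that test `=== false`. Separately, `$filter_type === FILTER_SANITIZE_STRING` still evaluates the deprecated constant on every filtered call; I believe PHP 8.1+ reports access to that constant itself as deprecated, in which case this line keeps producing the message the change is meant to silence, and comparing against `GRAV_SANITIZE_STRING` alone (with a changelog note for callers) would avoid it. `post()` starts before this hunk.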
From: Andy Miller Date: Mon, 8 May 2023 12:39:35 -0600 Subject: [PATCH 03/21] fix parsedown dynamic properties --- CHANGELOG.md | 1 + .../src/Grav/Common/Markdown/ParsedownGravTrait.php | 13 +++++++++++++ 2 files changed, 14 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0d0873bdf9..9e7c865555 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,7 @@ 1. [](#improved) * Removed `FILTER_SANITIZE_STRING` input filter in favor of `htmlspecialchars(strip_tags())` * Added `GRAV_SANITIZE_STRING` constant to replace `FILTER_SANITIZE_STRING` + * Support non-deprecated style dynamic properties in `Parsedown` class via `ParseDownGravTrait` # v1.7.40 ## 03/22/2023 diff --git a/system/src/Grav/Common/Markdown/ParsedownGravTrait.php b/system/src/Grav/Common/Markdown/ParsedownGravTrait.php index b97b129493..7aad35817e 100644 --- a/system/src/Grav/Common/Markdown/ParsedownGravTrait.php +++ b/system/src/Grav/Common/Markdown/ParsedownGravTrait.php @@ -26,6 +26,9 @@ trait ParsedownGravTrait /** @var array */ public $continuable_blocks = []; + /** @var array */ + protected $values = []; + /** @var Excerpts */ protected $excerpts; /** @var array */ @@ -300,4 +303,14 @@ public function __call($method, $args) return null; } + + public function __get($key) + { + return $this->values[$key]; + } + + public function __set($key, $value) + { + $this->values[$key] = $value; + } } From 2412115f41104be5c5649d547b547c90c4afe905 Mon Sep 17 00:00:00 2001 
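Review bot: `__get()` indexes `$this->values[$key]` without checking the key, so reading a property that was never set raises an "Undefined array key" warning before returning null; `return $this->values[$key] ?? null;` gives the same result quietly. The larger gap is that no `__isset()` accompanies `__get`/`__set`: the trait's own `__call()` dispatches via `isset($this->{$method})`, and with these magic methods in place that check returns false for anything stored in `$values`, so dynamically attached callables are no longer found. Adding `public function __isset($key) { return isset($this->values[$key]); }` closes that. Patch 16 in this series removes these methods again, so this matters only if the approach is revisited.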
From: Andy Miller Date: Mon, 8 May 2023 17:26:22 -0600 Subject: [PATCH 04/21] TwigDeferredExtension updates --- CHANGELOG.md | 9 ++++--- .../DeferredExtension/DeferredDeclareNode.php | 27 +++++++++++++++++++ ...ionNode.php => DeferredInitializeNode.php} | 2 +- .../DeferredExtension/DeferredNodeVisitor.php | 5 ++-- .../DeferredNodeVisitorCompat.php | 5 ++-- .../DeferredExtension/DeferredResolveNode.php | 27 +++++++++++++++++++ 6 files changed, 67 insertions(+), 8 deletions(-) create mode 100644 system/src/Twig/DeferredExtension/DeferredDeclareNode.php rename system/src/Twig/DeferredExtension/{DeferredExtensionNode.php => DeferredInitializeNode.php} (92%) create mode 100644 system/src/Twig/DeferredExtension/DeferredResolveNode.php diff --git a/CHANGELOG.md b/CHANGELOG.md index 9e7c865555..5a7a7c6f05 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,9 +2,12 @@ ## mm/dd/2023 1. [](#improved) - * Removed `FILTER_SANITIZE_STRING` input filter in favor of `htmlspecialchars(strip_tags())` - * Added `GRAV_SANITIZE_STRING` constant to replace `FILTER_SANITIZE_STRING` - * Support non-deprecated style dynamic properties in `Parsedown` class via `ParseDownGravTrait` + * Removed `FILTER_SANITIZE_STRING` input filter in favor of `htmlspecialchars(strip_tags())` for PHP 8.2+ + * Added `GRAV_SANITIZE_STRING` constant to replace `FILTER_SANITIZE_STRING` for PHP 8.2+ + * Support non-deprecated style dynamic properties in `Parsedown` class via `ParseDownGravTrait` for PHP 8.2+ + * Modified `Truncator` to not use deprecated `mb_convert_encoding()` for PHP 8.2+ + * Fixed passing null into `mb_strpos()` deprecated for PHP 8.2+ + * Updated internal `TwigDeferredExtension` to be PHP 8.2+ compatible # v1.7.40 ## 03/22/2023 diff --git a/system/src/Twig/DeferredExtension/DeferredDeclareNode.php b/system/src/Twig/DeferredExtension/DeferredDeclareNode.php new file mode 100644 index 0000000000..ba0512128f --- /dev/null +++ b/system/src/Twig/DeferredExtension/DeferredDeclareNode.php 
@@ -0,0 +1,27 @@ + + * + * For the full copyright and license information, please view the LICENSE + * file that was distributed with this source code. + */ + +declare(strict_types=1); + +namespace Twig\DeferredExtension; + +use Twig\Compiler; +use Twig\Node\Node; + +final class DeferredDeclareNode extends Node +{ + public function compile(Compiler $compiler) : void + { + $compiler + ->write("private \$deferred;\n") + ; + } +} \ No newline at end of file diff --git a/system/src/Twig/DeferredExtension/DeferredExtensionNode.php b/system/src/Twig/DeferredExtension/DeferredInitializeNode.php similarity index 92% rename from system/src/Twig/DeferredExtension/DeferredExtensionNode.php rename to system/src/Twig/DeferredExtension/DeferredInitializeNode.php index 1b851b4c24..0653f5c1d5 100644 --- a/system/src/Twig/DeferredExtension/DeferredExtensionNode.php +++ b/system/src/Twig/DeferredExtension/DeferredInitializeNode.php @@ -16,7 +16,7 @@ use Twig\Compiler; use Twig\Node\Node; -final class DeferredExtensionNode extends Node +final class DeferredInitializeNode extends Node { public function compile(Compiler $compiler) : void { diff --git a/system/src/Twig/DeferredExtension/DeferredNodeVisitor.php b/system/src/Twig/DeferredExtension/DeferredNodeVisitor.php index aef7399439..6f614875c1 100644 --- a/system/src/Twig/DeferredExtension/DeferredNodeVisitor.php +++ b/system/src/Twig/DeferredExtension/DeferredNodeVisitor.php 
@@ -34,8 +34,9 @@ public function enterNode(Node $node, Environment $env) : Node public function leaveNode(Node $node, Environment $env) : ?Node { if ($this->hasDeferred && $node instanceof ModuleNode) { - $node->setNode('constructor_end', new Node([new DeferredExtensionNode(), $node->getNode('constructor_end')])); - $node->setNode('display_end', new Node([new DeferredNode(), $node->getNode('display_end')])); + $node->getNode('constructor_end')->setNode('deferred_initialize', new DeferredInitializeNode()); + $node->getNode('display_end')->setNode('deferred_resolve', new DeferredResolveNode()); + $node->getNode('class_end')->setNode('deferred_declare', new DeferredDeclareNode()); $this->hasDeferred = false; } diff --git a/system/src/Twig/DeferredExtension/DeferredNodeVisitorCompat.php b/system/src/Twig/DeferredExtension/DeferredNodeVisitorCompat.php index 1ff7fd421d..aa61b724af 100644 --- a/system/src/Twig/DeferredExtension/DeferredNodeVisitorCompat.php +++ b/system/src/Twig/DeferredExtension/DeferredNodeVisitorCompat.php @@ -46,8 +46,9 @@ public function enterNode(\Twig_NodeInterface $node, Environment $env): Node public function leaveNode(\Twig_NodeInterface $node, Environment $env): ?Node { if ($this->hasDeferred && $node instanceof ModuleNode) { - $node->setNode('constructor_end', new Node([new DeferredExtensionNode(), $node->getNode('constructor_end')])); - $node->setNode('display_end', new Node([new DeferredNode(), $node->getNode('display_end')])); + $node->getNode('constructor_end')->setNode('deferred_initialize', new DeferredInitializeNode()); + $node->getNode('display_end')->setNode('deferred_resolve', new DeferredResolveNode()); + $node->getNode('class_end')->setNode('deferred_declare', new DeferredDeclareNode()); $this->hasDeferred = false; } diff --git a/system/src/Twig/DeferredExtension/DeferredResolveNode.php b/system/src/Twig/DeferredExtension/DeferredResolveNode.php new file mode 100644 index 0000000000..72e0e297e9 --- /dev/null 
+++ b/system/src/Twig/DeferredExtension/DeferredResolveNode.php @@ -0,0 +1,27 @@ + + * + * For the full copyright and license information, please view the LICENSE + * file that was distributed with this source code. + */ + +declare(strict_types=1); + +namespace Twig\DeferredExtension; + +use Twig\Compiler; +use Twig\Node\Node; + +final class DeferredResolveNode extends Node +{ + public function compile(Compiler $compiler) : void + { + $compiler + ->write("\$this->deferred->resolve(\$this, \$context, \$blocks);\n") + ; + } +} From 75cd4f430603d422a72f3376a4c00ffe6fdc6c4a Mon Sep 17 00:00:00 2001 From: Andy Miller Date: Mon, 8 May 2023 17:27:03 -0600 Subject: [PATCH 05/21] Various casting fixes for deprecated messages --- .../Grav/Common/Page/Medium/ImageMedium.php | 18 +++++++++--------- system/src/Grav/Common/Page/Page.php | 2 +- .../Common/Twig/Extension/GravExtension.php | 2 +- system/src/Grav/Common/Utils.php | 2 +- .../Object/Access/NestedPropertyTrait.php | 2 +- 5 files changed, 13 insertions(+), 13 deletions(-) diff --git a/system/src/Grav/Common/Page/Medium/ImageMedium.php b/system/src/Grav/Common/Page/Medium/ImageMedium.php index d215465adb..95e6a78130 100644 --- a/system/src/Grav/Common/Page/Medium/ImageMedium.php +++ b/system/src/Grav/Common/Page/Medium/ImageMedium.php @@ -62,8 +62,8 @@ public function __construct($items = [], Blueprint $blueprint = null) if (!($this->offsetExists('width') && $this->offsetExists('height') && $this->offsetExists('mime'))) { $image_info = getimagesize($path); if ($image_info) { - $this->def('width', $image_info[0]); - $this->def('height', $image_info[1]); + $this->def('width', (int) $image_info[0]); + $this->def('height', (int) $image_info[1]); $this->def('mime', $image_info['mime']); } } 
@@ -299,7 +299,7 @@ public function lightbox($width = null, $height = null, $reset = true) } if ($width && $height) { - $this->__call('cropResize', [$width, $height]); + $this->__call('cropResize', [(int) $width, (int) $height]); } return parent::lightbox($width, $height, $reset); @@ -361,8 +361,8 @@ public function watermark($image = null, $position = null, $scale = null) // Scaling operations $scale = ($scale ?? $config->get('system.images.watermark.scale', 100)) / 100; - $wwidth = (int)$this->get('width') * $scale; - $wheight = (int)$this->get('height') * $scale; + $wwidth = (int) ($this->get('width') * $scale); + $wheight = (int) ($this->get('height') * $scale); $watermark->resize($wwidth, $wheight); // Position operations @@ -392,11 +392,11 @@ public function watermark($image = null, $position = null, $scale = null) break; case 'right': - $positionX = (int)$this->get('width')-$wwidth; + $positionX = (int) ($this->get('width')-$wwidth); break; case 'center': - $positionX = ((int)$this->get('width')/2) - ($wwidth/2); + $positionX = (int) (($this->get('width')/2) - ($wwidth/2)); break; } @@ -431,8 +431,8 @@ public function addFrame(int $border = 10, string $color = '0x000000') return $this; } - $dst_width = $image->width()+2*$border; - $dst_height = $image->height()+2*$border; + $dst_width = (int) ($image->width()+2*$border); + $dst_height = (int) ($image->height()+2*$border); $frame = ImageFile::create($dst_width, $dst_height); diff --git a/system/src/Grav/Common/Page/Page.php b/system/src/Grav/Common/Page/Page.php index 14e7a12a4c..595b7870a5 100644 --- a/system/src/Grav/Common/Page/Page.php +++ b/system/src/Grav/Common/Page/Page.php @@ -1802,7 +1802,7 @@ public function slug($var = null) } if (empty($this->slug)) { - $this->slug = $this->adjustRouteCase(preg_replace(PAGE_ORDER_PREFIX_REGEX, '', $this->folder)) ?: null; + $this->slug = $this->adjustRouteCase(preg_replace(PAGE_ORDER_PREFIX_REGEX, '', (string) $this->folder)) ?: null; } return $this->slug; 
diff --git a/system/src/Grav/Common/Twig/Extension/GravExtension.php b/system/src/Grav/Common/Twig/Extension/GravExtension.php index 68bea60351..dc530c686e 100644 --- a/system/src/Grav/Common/Twig/Extension/GravExtension.php +++ b/system/src/Grav/Common/Twig/Extension/GravExtension.php @@ -949,7 +949,7 @@ public function translateArray($key, $index, $lang = null) */ public function repeatFunc($input, $multiplier) { - return str_repeat($input, $multiplier); + return str_repeat($input, (int) $multiplier); } /** diff --git a/system/src/Grav/Common/Utils.php b/system/src/Grav/Common/Utils.php index 0b6309c342..c5c7270907 100644 --- a/system/src/Grav/Common/Utils.php +++ b/system/src/Grav/Common/Utils.php @@ -201,7 +201,7 @@ public static function startsWith($haystack, $needle, $case_sensitive = true) $compare_func = $case_sensitive ? 'mb_strpos' : 'mb_stripos'; foreach ((array)$needle as $each_needle) { - $status = $each_needle === '' || $compare_func($haystack, $each_needle) === 0; + $status = $each_needle === '' || $compare_func((string) $haystack, $each_needle) === 0; if ($status) { break; } diff --git a/system/src/Grav/Framework/Object/Access/NestedPropertyTrait.php b/system/src/Grav/Framework/Object/Access/NestedPropertyTrait.php index 87737dcc84..757452c351 100644 --- a/system/src/Grav/Framework/Object/Access/NestedPropertyTrait.php +++ b/system/src/Grav/Framework/Object/Access/NestedPropertyTrait.php @@ -42,7 +42,7 @@ public function hasNestedProperty($property, $separator = null) public function getNestedProperty($property, $default = null, $separator = null) { $separator = $separator ?: '.'; - $path = explode($separator, $property); + $path = explode($separator, (string) $property); $offset = array_shift($path); if (!$this->hasProperty($offset)) { From 60648c43dbdfb39a7fa410bdb8e030eccc953c77 Mon Sep 17 00:00:00 2001 
From: Andy Miller Date: Mon, 8 May 2023 17:27:43 -0600 Subject: [PATCH 06/21] Update to latest getgrav/image package --- CHANGELOG.md | 1 + composer.lock | 24 ++++++++++++------------ 2 files changed, 13 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5a7a7c6f05..451bf90832 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ * Modified `Truncator` to not use deprecated `mb_convert_encoding()` for PHP 8.2+ * Fixed passing null into `mb_strpos()` deprecated for PHP 8.2+ * Updated internal `TwigDeferredExtension` to be PHP 8.2+ compatible + * Upgraded `getgrav/image` fork to take advantage of various PHP 8.2+ fixes # v1.7.40 ## 03/22/2023 diff --git a/composer.lock b/composer.lock index 19998413d9..6f0f931983 100644 --- a/composer.lock +++ b/composer.lock @@ -715,17 +715,17 @@ }, { "name": "getgrav/image", - "version": "v3.0.0", + "version": "v3.0.1", "target-dir": "Gregwar/Image", "source": { "type": "git", "url": "https://github.com/getgrav/Image.git", - "reference": "02c1bb2c179dd894c4f6610c9c49da364ee7d264" + "reference": "a6a36c24db4b0fd7a7bfd50b86412eaecd5c6370" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/getgrav/Image/zipball/02c1bb2c179dd894c4f6610c9c49da364ee7d264", - "reference": "02c1bb2c179dd894c4f6610c9c49da364ee7d264", + "url": "https://api.github.com/repos/getgrav/Image/zipball/a6a36c24db4b0fd7a7bfd50b86412eaecd5c6370", + "reference": "a6a36c24db4b0fd7a7bfd50b86412eaecd5c6370", "shasum": "" }, "require": { @@ -769,9 +769,9 @@ "image" ], "support": { - "source": "https://github.com/getgrav/Image/tree/v3.0.0" + "source": "https://github.com/getgrav/Image/tree/v3.0.1" }, - "time": "2021-04-20T05:50:18+00:00" + "time": "2023-05-08T21:44:38+00:00" }, { "name": "guzzlehttp/psr7", 
@@ -5323,16 +5323,16 @@ }, { "name": "sebastian/diff", - "version": "4.0.4", + "version": "4.0.5", "source": { "type": "git", "url": "https://github.com/sebastianbergmann/diff.git", - "reference": "3461e3fccc7cfdfc2720be910d3bd73c69be590d" + "reference": "74be17022044ebaaecfdf0c5cd504fc9cd5a7131" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/sebastianbergmann/diff/zipball/3461e3fccc7cfdfc2720be910d3bd73c69be590d", - "reference": "3461e3fccc7cfdfc2720be910d3bd73c69be590d", + "url": "https://api.github.com/repos/sebastianbergmann/diff/zipball/74be17022044ebaaecfdf0c5cd504fc9cd5a7131", + "reference": "74be17022044ebaaecfdf0c5cd504fc9cd5a7131", "shasum": "" }, "require": { @@ -5377,7 +5377,7 @@ ], "support": { "issues": "https://github.com/sebastianbergmann/diff/issues", - "source": "https://github.com/sebastianbergmann/diff/tree/4.0.4" + "source": "https://github.com/sebastianbergmann/diff/tree/4.0.5" }, "funding": [ { @@ -5385,7 +5385,7 @@ "type": "github" } ], - "time": "2020-10-26T13:10:38+00:00" + "time": "2023-05-07T05:35:17+00:00" }, { "name": "sebastian/environment", From 470b69c775b409965bf1f5ccdf99f3c6a551f5fb Mon Sep 17 00:00:00 2001 From: Andy Miller Date: Mon, 8 May 2023 17:27:54 -0600 Subject: [PATCH 07/21] Use new `groupNames` method --- system/blueprints/user/account.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/blueprints/user/account.yaml b/system/blueprints/user/account.yaml index ef5f25b045..3b589a08ac 100644 --- a/system/blueprints/user/account.yaml +++ b/system/blueprints/user/account.yaml @@ -140,7 +140,7 @@ form: multiple: true size: large label: PLUGIN_ADMIN.GROUPS - data-options@: '\Grav\Common\User\Group::groupNames' + data-options@: 'Grav\Common\Flex\Types\UserGroups\UserGroupObject::groupNames' classes: fancy help: PLUGIN_ADMIN.GROUPS_HELP validate: From bf175983ec37d17eaa4c5a100f37dea1a4e881c9 Mon Sep 17 00:00:00 2001 
From: Andy Miller Date: Mon, 8 May 2023 17:31:15 -0600 Subject: [PATCH 08/21] various deprecated fixes --- CHANGELOG.md | 1 + system/src/Grav/Common/Helpers/Truncator.php | 2 +- system/src/Grav/Common/Session.php | 8 ++++---- system/src/Grav/Common/Twig/Twig.php | 9 +++++++++ 4 files changed, 15 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 451bf90832..c927344dca 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ * Fixed passing null into `mb_strpos()` deprecated for PHP 8.2+ * Updated internal `TwigDeferredExtension` to be PHP 8.2+ compatible * Upgraded `getgrav/image` fork to take advantage of various PHP 8.2+ fixes + * Use `UserGroupObject::groupNames` method in blueprints # v1.7.40 ## 03/22/2023 diff --git a/system/src/Grav/Common/Helpers/Truncator.php b/system/src/Grav/Common/Helpers/Truncator.php index 318079c366..d271806dcf 100644 --- a/system/src/Grav/Common/Helpers/Truncator.php +++ b/system/src/Grav/Common/Helpers/Truncator.php @@ -144,7 +144,7 @@ public static function htmlToDomDocument($html) } // Transform multibyte entities which otherwise display incorrectly. - $html = mb_convert_encoding($html, 'HTML-ENTITIES', 'UTF-8'); + $html = htmlspecialchars_decode(iconv('UTF-8', 'ISO-8859-1', htmlentities($html, ENT_COMPAT, 'UTF-8')), ENT_QUOTES); // Internal errors enabled as HTML5 not fully supported. libxml_use_internal_errors(true); diff --git a/system/src/Grav/Common/Session.php b/system/src/Grav/Common/Session.php index 14d09a2270..84b53e1e7e 100644 --- a/system/src/Grav/Common/Session.php +++ b/system/src/Grav/Common/Session.php 
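Review bot: The `mb_convert_encoding()` replacement in `htmlToDomDocument()` is lossy for anything outside the HTML 4.01 named-entity set: `htmlentities()` leaves characters without a named entity (CJK, emoji, most non-Latin scripts) as raw UTF-8, `iconv('UTF-8', 'ISO-8859-1', …)` then fails on them and returns `false` with a notice, and `htmlspecialchars_decode(false)` turns the whole document into `''` (or a `TypeError` under strict types). The replacement PHP documents for the removed `'HTML-ENTITIES'` target is numeric entities, which need no transcoding step and cannot fail on valid UTF-8: `$html = mb_encode_numericentity($html, [0x80, 0x10FFFF, 0, 0x1FFFFF], 'UTF-8');`. `htmlToDomDocument()` starts outside this hunk.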
@@ -122,10 +122,10 @@ public function getFlashObject($name) // Make sure that Forms 3.0+ has been installed. if (null === $object && isset($grav['forms'])) { - user_error( - __CLASS__ . '::' . __FUNCTION__ . '(\'files-upload\') is deprecated since Grav 1.6, use $form->getFlash()->getLegacyFiles() instead', - E_USER_DEPRECATED - ); +// user_error( +// __CLASS__ . '::' . __FUNCTION__ . '(\'files-upload\') is deprecated since Grav 1.6, use $form->getFlash()->getLegacyFiles() instead', +// E_USER_DEPRECATED +// ); /** @var Uri $uri */ $uri = $grav['uri']; diff --git a/system/src/Grav/Common/Twig/Twig.php b/system/src/Grav/Common/Twig/Twig.php index a52bb6de8f..b510ed72b7 100644 --- a/system/src/Grav/Common/Twig/Twig.php +++ b/system/src/Grav/Common/Twig/Twig.php @@ -57,6 +57,15 @@ class Twig /** @var string */ public $template; + /** @var array */ + public $plugins_hooked_nav = []; + /** @var array */ + public $plugins_quick_tray = []; + /** @var array */ + public $plugins_hooked_dashboard_widgets_top = []; + /** @var array */ + public $plugins_hooked_dashboard_widgets_main = []; + /** @var Grav */ protected $grav; /** @var FilesystemLoader */ From adfbd5730b9ad13d3eeac58dc1967ad386599cdf Mon Sep 17 00:00:00 2001 From: Andy Miller Date: Mon, 8 May 2023 17:31:26 -0600 Subject: [PATCH 09/21] changelog updated --- CHANGELOG.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c927344dca..4924aa8f3d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
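Review bot: The deprecation notice in `getFlashObject()` is commented out rather than removed, leaving dead code that the changelog in the next commit says is never coming back; delete the four lines and keep the reasoning as a comment instead, e.g. `// 'files-upload' is the legacy form flash path; it is kept for compatibility, so no deprecation notice is raised.`. Commented-out code tends to be resurrected by the next person who sees it, which is the opposite of the intent here. `getFlashObject()` starts outside this hunk.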
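Review bot: The four new `Twig` arrays are documented only as `@var array`, and nothing in this diff writes to them; per the changelog entry added in the following commit they exist for the admin plugin, which is the kind of fact that stops a maintainer from deleting them as unused. Suggest one comment above the group: `// Populated by the admin plugin (navigation hooks, quick tray, dashboard widgets); declared here so PHP 8.2 does not flag them as dynamic properties.` — hedged as "presumably" if the admin plugin's usage cannot be confirmed.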
@@ -9,7 +9,9 @@ * Fixed passing null into `mb_strpos()` deprecated for PHP 8.2+ * Updated internal `TwigDeferredExtension` to be PHP 8.2+ compatible * Upgraded `getgrav/image` fork to take advantage of various PHP 8.2+ fixes - * Use `UserGroupObject::groupNames` method in blueprints + * Use `UserGroupObject::groupNames` method in blueprints for PHP 8.2+ + * Comment out `files-upload` deprecated message as this is not going to be removed + * Added various public `Twig` class variables used by admin to address deprecated messages for PHP 8.2+ # v1.7.40 ## 03/22/2023 From ff77d58acba62d8bc9b24bf9432332ec87e285df Mon Sep 17 00:00:00 2001 From: Andy Miller Date: Mon, 8 May 2023 17:37:42 -0600 Subject: [PATCH 10/21] more casting fixes --- system/src/Grav/Common/Twig/Extension/GravExtension.php | 2 +- system/src/Grav/Common/Utils.php | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/system/src/Grav/Common/Twig/Extension/GravExtension.php b/system/src/Grav/Common/Twig/Extension/GravExtension.php index dc530c686e..fdd729f26b 100644 --- a/system/src/Grav/Common/Twig/Extension/GravExtension.php +++ b/system/src/Grav/Common/Twig/Extension/GravExtension.php @@ -468,7 +468,7 @@ public function base32DecodeFilter($str) */ public function base64EncodeFilter($str) { - return base64_encode($str); + return base64_encode((string) $str); } /** diff --git a/system/src/Grav/Common/Utils.php b/system/src/Grav/Common/Utils.php index c5c7270907..2dcb5cc3bf 100644 --- a/system/src/Grav/Common/Utils.php +++ b/system/src/Grav/Common/Utils.php @@ -1874,9 +1874,9 @@ public static function processMarkdown($string, $block = true, $page = null) } if ($block) { - $string = $parsedown->text($string); + $string = $parsedown->text((string) $string); } else { - $string = $parsedown->line($string); + $string = $parsedown->line((string) $string); } return $string; From e1ab15e32314c8c309ba71859ec99ed215278c1f Mon Sep 17 00:00:00 2001 
From: Andy Miller Date: Mon, 8 May 2023 17:44:52 -0600 Subject: [PATCH 11/21] another cast fix --- system/src/Grav/Framework/Uri/UriFactory.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/src/Grav/Framework/Uri/UriFactory.php b/system/src/Grav/Framework/Uri/UriFactory.php index f70194eb9b..c8ba345daf 100644 --- a/system/src/Grav/Framework/Uri/UriFactory.php +++ b/system/src/Grav/Framework/Uri/UriFactory.php @@ -93,7 +93,7 @@ public static function parseUrlFromEnvironment(array $env) } // Support ngnix routes. - if (strpos($query, '_url=') === 0) { + if (strpos((string) $query, '_url=') === 0) { parse_str($query, $q); unset($q['_url']); $query = http_build_query($q); From 9c0477fa52afae6bc1533b07d8da1e8b757df088 Mon Sep 17 00:00:00 2001 From: Andy Miller Date: Mon, 8 May 2023 18:41:04 -0600 Subject: [PATCH 12/21] fix dynamic class value --- system/src/Grav/Framework/Acl/RecursiveActionIterator.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/system/src/Grav/Framework/Acl/RecursiveActionIterator.php b/system/src/Grav/Framework/Acl/RecursiveActionIterator.php index cbde180622..acf72e7ef9 100644 --- a/system/src/Grav/Framework/Acl/RecursiveActionIterator.php +++ b/system/src/Grav/Framework/Acl/RecursiveActionIterator.php @@ -23,6 +23,8 @@ class RecursiveActionIterator implements RecursiveIterator, \Countable { use Constructor, Iterator, Countable; + public $items; + /** * @see \Iterator::key() * @return string From 95ae35216a88985cce2311c80444da9a279a31e2 Mon Sep 17 00:00:00 2001 From: Andy Miller Date: Mon, 8 May 2023 18:41:19 -0600 Subject: [PATCH 13/21] various cast fixes --- system/src/Grav/Common/Utils.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/system/src/Grav/Common/Utils.php b/system/src/Grav/Common/Utils.php index 2dcb5cc3bf..cadb787189 100644 --- a/system/src/Grav/Common/Utils.php +++ b/system/src/Grav/Common/Utils.php 
@@ -225,8 +225,8 @@ public static function endsWith($haystack, $needle, $case_sensitive = true) $compare_func = $case_sensitive ? 'mb_strrpos' : 'mb_strripos'; foreach ((array)$needle as $each_needle) { - $expectedPosition = mb_strlen($haystack) - mb_strlen($each_needle); - $status = $each_needle === '' || $compare_func($haystack, $each_needle, 0) === $expectedPosition; + $expectedPosition = mb_strlen((string) $haystack) - mb_strlen($each_needle); + $status = $each_needle === '' || $compare_func((string) $haystack, $each_needle, 0) === $expectedPosition; if ($status) { break; } @@ -250,7 +250,7 @@ public static function contains($haystack, $needle, $case_sensitive = true) $compare_func = $case_sensitive ? 'mb_strpos' : 'mb_stripos'; foreach ((array)$needle as $each_needle) { - $status = $each_needle === '' || $compare_func($haystack, $each_needle) !== false; + $status = $each_needle === '' || $compare_func((string) $haystack, $each_needle) !== false; if ($status) { break; } From 369c2e9ffa67704763e0fe0759b71eccd232fe69 Mon Sep 17 00:00:00 2001 From: Andy Miller Date: Mon, 8 May 2023 18:42:52 -0600 Subject: [PATCH 14/21] remove filter_input in favor of htmlspecialchars + strip_tags --- system/src/Grav/Common/Page/Page.php | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/system/src/Grav/Common/Page/Page.php b/system/src/Grav/Common/Page/Page.php index 595b7870a5..3fc5acb0ae 100644 --- a/system/src/Grav/Common/Page/Page.php +++ b/system/src/Grav/Common/Page/Page.php @@ -1270,9 +1270,14 @@ public function getBlueprint(string $name = '') */ public function blueprintName() { - $blueprint_name = filter_input(INPUT_POST, 'blueprint', FILTER_SANITIZE_STRING) ?: $this->template(); + if (!isset($_POST['blueprint'])) { + return $this->template(); + } + + $post_value = $_POST['blueprint']; + $sanitized_value = htmlspecialchars(strip_tags($post_value), ENT_QUOTES, 'UTF-8'); - return $blueprint_name; + return $sanitized_value ?: $this->template(); } /** 
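Review bot: `blueprintName()` now reads `$_POST['blueprint']` directly and hands it to `strip_tags()`, which throws a `TypeError` on PHP 8 when the field is submitted as an array (`blueprint[]=x`); the replaced `filter_input()` returned `false` for that case and `?:` fell back to `$this->template()`. The same rewrite appears in `PageLegacyTrait::blueprintName()` in patch 19. Use a string check instead of bare `isset`: `if (!isset($_POST['blueprint']) || !is_string($_POST['blueprint'])) { return $this->template(); }`. Separately, this sanitiser is HTML-oriented; if the returned name is used to locate a blueprint file (I cannot see `getBlueprint()` from here), an allowlist such as `preg_match('/^[a-z0-9_\-\/]+$/i', $post_value)` is the check that actually constrains it, since `strip_tags` does nothing for path separators.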
From 694ab76d1e7c613cd544e9e080fdae649a1673c7 Mon Sep 17 00:00:00 2001 From: Andy Miller Date: Mon, 8 May 2023 19:03:29 -0600 Subject: [PATCH 15/21] added `parse_url` to the list of Grav Twig functions --- CHANGELOG.md | 1 + system/src/Grav/Common/Twig/Extension/GravExtension.php | 1 + 2 files changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4924aa8f3d..55aafbcf2c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ * Use `UserGroupObject::groupNames` method in blueprints for PHP 8.2+ * Comment out `files-upload` deprecated message as this is not going to be removed * Added various public `Twig` class variables used by admin to address deprecated messages for PHP 8.2+ + * Added `parse_url` to list of PHP functions supported in Twig Extension # v1.7.40 ## 03/22/2023 diff --git a/system/src/Grav/Common/Twig/Extension/GravExtension.php b/system/src/Grav/Common/Twig/Extension/GravExtension.php index fdd729f26b..9f54a1733d 100644 --- a/system/src/Grav/Common/Twig/Extension/GravExtension.php +++ b/system/src/Grav/Common/Twig/Extension/GravExtension.php @@ -247,6 +247,7 @@ public function getFunctions(): array new TwigFunction('is_object', 'is_object'), new TwigFunction('count', 'count'), new TwigFunction('array_diff', 'array_diff'), + new TwigFunction('parse_url', 'parse_url'), ]; } From 36afa9d848e168ab97739c2475d411ce431f63d7 Mon Sep 17 00:00:00 2001 From: Andy Miller Date: Mon, 8 May 2023 19:31:37 -0600 Subject: [PATCH 16/21] =?UTF-8?q?won=E2=80=99t=20work=20internally=20in=20?= =?UTF-8?q?Parsedown?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- system/src/Grav/Common/Markdown/Parsedown.php | 1 + system/src/Grav/Common/Markdown/ParsedownGravTrait.php | 10 ---------- 2 files changed, 1 insertion(+), 10 deletions(-) diff --git a/system/src/Grav/Common/Markdown/Parsedown.php b/system/src/Grav/Common/Markdown/Parsedown.php index 634a174847..c36bf70835 100644 
--- a/system/src/Grav/Common/Markdown/Parsedown.php +++ b/system/src/Grav/Common/Markdown/Parsedown.php @@ -18,6 +18,7 @@ */ class Parsedown extends \Parsedown { + use ParsedownGravTrait; /** diff --git a/system/src/Grav/Common/Markdown/ParsedownGravTrait.php b/system/src/Grav/Common/Markdown/ParsedownGravTrait.php index 7aad35817e..4ebf27e63b 100644 --- a/system/src/Grav/Common/Markdown/ParsedownGravTrait.php +++ b/system/src/Grav/Common/Markdown/ParsedownGravTrait.php @@ -26,8 +26,6 @@ trait ParsedownGravTrait /** @var array */ public $continuable_blocks = []; - /** @var array */ - protected $values = []; /** @var Excerpts */ protected $excerpts; @@ -304,13 +302,5 @@ public function __call($method, $args) return null; } - public function __get($key) - { - return $this->values[$key]; - } - public function __set($key, $value) - { - $this->values[$key] = $value; - } } From 3cf67cb2fd195913d1d23357ba338ab8c26fd258 Mon Sep 17 00:00:00 2001 From: Andy Miller Date: Tue, 9 May 2023 11:18:36 -0600 Subject: [PATCH 17/21] deprecation fix --- CHANGELOG.md | 1 + .../Grav/Common/Markdown/ParsedownGravTrait.php | 17 +++++++++++++++-- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 55aafbcf2c..c940cd84f8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -13,6 +13,7 @@ * Comment out `files-upload` deprecated message as this is not going to be removed * Added various public `Twig` class variables used by admin to address deprecated messages for PHP 8.2+ * Added `parse_url` to list of PHP functions supported in Twig Extension + * Added support for dynamic functions in `Parsedown` to stop deprecation messages in PHP 8.2+ # v1.7.40 ## 03/22/2023 diff --git a/system/src/Grav/Common/Markdown/ParsedownGravTrait.php b/system/src/Grav/Common/Markdown/ParsedownGravTrait.php index 4ebf27e63b..9b8bb9af84 100644 --- a/system/src/Grav/Common/Markdown/ParsedownGravTrait.php +++ b/system/src/Grav/Common/Markdown/ParsedownGravTrait.php 
@@ -25,7 +25,7 @@ trait ParsedownGravTrait public $completable_blocks = []; /** @var array */ public $continuable_blocks = []; - + public $plugins = []; /** @var Excerpts */ protected $excerpts; @@ -293,7 +293,12 @@ protected function inlineLink($excerpt) #[\ReturnTypeWillChange] public function __call($method, $args) { - if (isset($this->{$method}) === true) { + + if (isset($this->plugins[$method]) === true) { + $func = $this->plugins[$method]; + + return call_user_func_array($func, $args); + } elseif (isset($this->{$method}) === true) { $func = $this->{$method}; return call_user_func_array($func, $args); @@ -302,5 +307,13 @@ public function __call($method, $args) return null; } + public function __set($name, $value) + { + if (is_callable($value)) { + $this->plugins[$name] = $value; + } + + } + } From 956c2993ae8e3bfa48cf0c54fd996e1227a14a1f Mon Sep 17 00:00:00 2001 From: Andy Miller Date: Tue, 9 May 2023 11:22:28 -0600 Subject: [PATCH 18/21] more filter fixes --- system/src/Grav/Common/Uri.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/system/src/Grav/Common/Uri.php b/system/src/Grav/Common/Uri.php index 0564a6379f..8eefd50ab1 100644 --- a/system/src/Grav/Common/Uri.php +++ b/system/src/Grav/Common/Uri.php @@ -1518,7 +1518,7 @@ private function processParams(string $uri, string $delimiter = ':'): string foreach ($matches as $match) { $param = explode($delimiter, $match[1]); if (count($param) === 2) { - $plain_var = filter_var($param[1], FILTER_SANITIZE_STRING); + $plain_var = htmlspecialchars(strip_tags($param[1]), ENT_QUOTES, 'UTF-8'); $this->params[$param[0]] = $plain_var; $uri = str_replace($match[0], '', $uri); } From 66463ddff339c94cb1a232f0300f58bee1b89d83 Mon Sep 17 00:00:00 2001 From: Andy Miller Date: Tue, 9 May 2023 12:13:32 -0600 Subject: [PATCH 19/21] more FILTER_SANITIZE_STRING fixes --- .../Grav/Framework/Flex/Pages/Traits/PageLegacyTrait.php | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) 
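Review bot: `public $plugins = [];` is the only property in this trait without a `/** @var ... */` docblock, and it takes the place of the blank line that separated the previous declaration; suggest `/** @var array<string, callable> Callables registered via __set() and dispatched by __call() */` above it. Because it is `public`, code outside the trait can also write into the array directly and skip the `is_callable` check in `__set`; `protected` would keep that check as the single entry point, unless something outside reads the array, which this hunk does not show.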
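Review bot: The `elseif (isset($this->{$method}) === true)` branch follows an unconditional `return`, so a plain `if (isset($this->{$method}) === true) {` reads better; more importantly, now that `__set` diverts dynamic assignments into `$plugins`, `isset($this->{$method})` can only match a declared property (`plugins`, `completable_blocks`, …), and `call_user_func_array` on one of those arrays would throw a `TypeError`. A comment saying what that branch is still expected to catch, or its removal, would help; I cannot tell from the hunk whether any caller still relies on it. `__call` continues outside the hunk.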
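Review bot: `__set` drops any value that is not callable without a warning, so a plugin that assigns a wrongly typed value (or mistypes a name) gets no feedback and the later `__call` for that name falls through to `return null`; the previous `__set` stored every value. Either throw in an `else` branch, `throw new \InvalidArgumentException(sprintf('%s is not callable', $name));`, or document the silent discard with a docblock along the lines of `/** Registers a callable under $name for dispatch by __call(); non-callable values are ignored. */`. The signature also wants a return type, `public function __set($name, $value): void`, and the blank line before the closing brace is stray.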
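Review bot: `htmlspecialchars(..., ENT_QUOTES, 'UTF-8')` without `ENT_SUBSTITUTE` returns an empty string for any input that is not valid UTF-8, so a malformed byte in a `:`-delimited parameter now silently stores `''` in `$this->params` where `FILTER_SANITIZE_STRING` kept the tag-stripped bytes; the same call is introduced in `PageLegacyTrait::blueprintName` and `SimplePageHandler::handle` in the following patches. Passing `ENT_QUOTES | ENT_SUBSTITUTE` keeps the value with U+FFFD substituted instead of dropping it. The replacement is also not a drop-in for the old filter: it additionally encodes `&`, `<` and `>`, so `$this->params` values are now HTML-entity-encoded and would be double-encoded if rendered through Twig autoescape, and whether consumers of `$this->params` expect that cannot be seen from this hunk. `processParams` starts outside the hunk.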
diff --git a/system/src/Grav/Framework/Flex/Pages/Traits/PageLegacyTrait.php b/system/src/Grav/Framework/Flex/Pages/Traits/PageLegacyTrait.php index a36b9f0d06..017891de84 100644 --- a/system/src/Grav/Framework/Flex/Pages/Traits/PageLegacyTrait.php +++ b/system/src/Grav/Framework/Flex/Pages/Traits/PageLegacyTrait.php @@ -366,9 +366,14 @@ public function copy(PageInterface $parent = null) */ public function blueprintName(): string { - $blueprint_name = filter_input(INPUT_POST, 'blueprint', FILTER_SANITIZE_STRING) ?: $this->template(); + if (!isset($_POST['blueprint'])) { + return $this->template(); + } + + $post_value = $_POST['blueprint']; + $sanitized_value = htmlspecialchars(strip_tags($post_value), ENT_QUOTES, 'UTF-8'); - return $blueprint_name; + return $sanitized_value ?: $this->template(); } /** From e5ac37e3cf5d58e353693fd902cbc778e044642c Mon Sep 17 00:00:00 2001 From: Andy Miller Date: Tue, 9 May 2023 12:13:46 -0600 Subject: [PATCH 20/21] FILTER_SANITIZE_STRING + Toolbox 1.6.5 --- composer.lock | 22 +++++++++---------- .../Grav/Common/Errors/SimplePageHandler.php | 2 +- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/composer.lock b/composer.lock index 6f0f931983..a139515034 100644 --- a/composer.lock +++ b/composer.lock @@ -2101,16 +2101,16 @@ }, { "name": "rockettheme/toolbox", - "version": "1.6.4", + "version": "1.6.5", "source": { "type": "git", "url": "https://github.com/rockettheme/toolbox.git", - "reference": "4d1021492385117323b50e3370626da613dd6c16" + "reference": "c5e84deac813da7fcb78cd8a663c8966da9b27bd" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/rockettheme/toolbox/zipball/4d1021492385117323b50e3370626da613dd6c16", - "reference": "4d1021492385117323b50e3370626da613dd6c16", + "url": "https://api.github.com/repos/rockettheme/toolbox/zipball/c5e84deac813da7fcb78cd8a663c8966da9b27bd", + "reference": "c5e84deac813da7fcb78cd8a663c8966da9b27bd", "shasum": "" }, "require": { 
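Review bot: `strip_tags($post_value)` throws a `TypeError` when `blueprint` is submitted as an array (`blueprint[]=...`), because `$_POST['blueprint']` is read with only an `isset` check; the replaced `filter_input(..., FILTER_SANITIZE_STRING)` returned `false` for array input and so fell through to `$this->template()`, which means this change turns a malformed request into an uncaught error. Tightening the guard, `if (!isset($_POST['blueprint']) || !is_string($_POST['blueprint'])) {`, restores the fallback. A one-line comment on the sanitising line saying why the value is HTML-encoded before being used as a blueprint name would also help, since a name containing `&` or `'` now changes before the lookup.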
@@ -2149,9 +2149,9 @@ ], "support": { "issues": "https://github.com/rockettheme/toolbox/issues", - "source": "https://github.com/rockettheme/toolbox/tree/1.6.4" + "source": "https://github.com/rockettheme/toolbox/tree/1.6.5" }, - "time": "2023-03-24T18:58:25+00:00" + "time": "2023-05-09T18:11:17+00:00" }, { "name": "seld/cli-prompt", @@ -4442,16 +4442,16 @@ }, { "name": "phpstan/phpstan", - "version": "1.10.14", + "version": "1.10.15", "source": { "type": "git", "url": "https://github.com/phpstan/phpstan.git", - "reference": "d232901b09e67538e5c86a724be841bea5768a7c" + "reference": "762c4dac4da6f8756eebb80e528c3a47855da9bd" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/phpstan/phpstan/zipball/d232901b09e67538e5c86a724be841bea5768a7c", - "reference": "d232901b09e67538e5c86a724be841bea5768a7c", + "url": "https://api.github.com/repos/phpstan/phpstan/zipball/762c4dac4da6f8756eebb80e528c3a47855da9bd", + "reference": "762c4dac4da6f8756eebb80e528c3a47855da9bd", "shasum": "" }, "require": { @@ -4500,7 +4500,7 @@ "type": "tidelift" } ], - "time": "2023-04-19T13:47:27+00:00" + "time": "2023-05-09T15:28:01+00:00" }, { "name": "phpstan/phpstan-deprecation-rules", diff --git a/system/src/Grav/Common/Errors/SimplePageHandler.php b/system/src/Grav/Common/Errors/SimplePageHandler.php index 4b0db0596f..df28847063 100644 --- a/system/src/Grav/Common/Errors/SimplePageHandler.php +++ b/system/src/Grav/Common/Errors/SimplePageHandler.php @@ -57,7 +57,7 @@ public function handle() $vars = array( 'stylesheet' => file_get_contents($cssFile), 'code' => $code, - 'message' => filter_var(rawurldecode($message), FILTER_SANITIZE_STRING), + 'message' => htmlspecialchars(strip_tags(rawurldecode($message)), ENT_QUOTES, 'UTF-8'), ); $helper->setVariables($vars); From b6179bd2def756185f66cc410d40cc1dde285be0 Mon Sep 17 00:00:00 2001 
From: Andy Miller Date: Tue, 9 May 2023 12:44:44 -0600 Subject: [PATCH 21/21] prepare for release --- CHANGELOG.md | 2 +- system/defines.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c940cd84f8..e52d64ec8d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,5 @@ # v1.7.41 -## mm/dd/2023 +## 05/09/2023 1. [](#improved) * Removed `FILTER_SANITIZE_STRING` input filter in favor of `htmlspecialchars(strip_tags())` for PHP 8.2+ diff --git a/system/defines.php b/system/defines.php index c93bd69517..aa9e4d87a9 100644 --- a/system/defines.php +++ b/system/defines.php @@ -9,7 +9,7 @@ // Some standard defines define('GRAV', true); -define('GRAV_VERSION', '1.7.40'); +define('GRAV_VERSION', '1.7.41'); define('GRAV_SCHEMA', '1.7.0_2020-11-20_1'); define('GRAV_TESTING', false);