我有一个Symfony 2表单,其中POST数据可以更改用户的密码。但是在测试期间,我发现在密码字段中输入的一些字符在遇到验证器时会被转义。
例如:
用户输入密码,如RzB&EUgbrhqJRt$Y2
在验证器中,此值变为RzB&EUgbrhqJRt$Y2
请注意,&
逃到了&
这简直打破了我的一些验证规则。我找不到为什么以及如何禁用这个逃逸的东西。 Symfony相当新,并寻求有关此事的一些帮助。
构建表单代码:
public function buildForm(FormBuilderInterface $builder, array $options)
{
$builder->add('currentPassword', PasswordType::class, [
'constraints' => new UserPassword(['groups' => [UserProfile::VALIDATION_PASSWORD], 'message' => 'Current password is invalid.']),
'mapped' => false,
'attr' => [
'placeholder' => 'Current Login Password',
'required' => 'true',
'data-parsley-required-message' => 'Please enter your current login password',
'autocomplete' => 'disabled'
]
]);
$builder->add(self::FORM_NEW_PASSWORD, RepeatedType::class, [
'type' => PasswordType::class,
'mapped' => false,
'constraints' => [
new NewPassword(['groups' => [UserProfile::VALIDATION_PASSWORD]])
],
'first_options' => [
'attr' => [
'id' => 'change_password_newPassword_first',
'maxlength' => 40,
'minlength' => 10,
'data-parsley-password' => '',
'placeholder' => 'New Password',
'data-parsley-required-message' => 'Please enter your new password',
'autocomplete' => 'disabled'
]
],
'second_options' => [
'attr' => [
'data-parsley-equalto' => '#change_password_newPassword_first',
'placeholder' => 'Confirm New Password',
'data-parsley-required-message' => 'Please re-enter your new password',
'autocomplete' => 'disabled'
]
]
]);
$builder->add('change', SubmitType::class, [
'attr' => [
'class' => 'btn-full-width',
'data-parsley-validate' => 1,
'disabled' => 'disabled'
]
]);
$builder->addEventListener(FormEvents::POST_SUBMIT, [$this, 'onPostSubmit']);
}
表单验证约束:
public function validate($value, Constraint $constraint)
{
//$value HERE IS ESCAPED
$zxcvbn = new Zxcvbn();
$strength = $zxcvbn->passwordStrength($value);
$pp = new PwnedPasswords();
if (!preg_match(NewPassword::REGEX, $value)) {
// Match password pattern
$this->context->buildViolation($constraint->messagePasswordNotValid)
->setParameter('{{ value }}', $this->formatValue($value))
->addViolation();
} else if ($strength["score"] < 3) {
// Calculate password strength
$this->context->buildViolation($constraint->messagePasswordNotStrong)
->setParameter('{{ value }}', $this->formatValue($value))
->addViolation();
} else if ($pp->isInsecure($value)) {
// Check to see if the password is breached
$this->context->buildViolation($constraint->messagePasswordBreached)
->setParameter('{{ value }}', $this->formatValue($value))
->addViolation();
}
}
固定:
由表单配置中的html_purifier_extension引起的问题。禁用修复此问题。虽然extended_type: Symfony\Component\Form\Extension\Core\Type\TextType
,不知道为什么它影响密码字段也是如此。需要进一步调查。
这可能是原因:不要htmlspecialchars()
数据,你没有回应。这可能是原因。 htmlspecialchars()
用于清理要打印到HTML解析器的数据。
我认为穆罕默德建议使用qazxsw poi是正确的。
当有人在密码中使用htmlspecialchars_decode($value);
时,例如
&
,验证器将收到的Zdv5&rwv)
将$value
标志编码为&
的&
,使其成为&
,因此整个密码将最终成为
&amp;
检查Zdv5&amp;rwv)
以获取代码示例。