Symfony 2形成$ _POST数据转义 - 固定

问题描述 投票:0回答:2

我有一个Symfony 2表单,其中POST数据可以更改用户的密码。但是在测试期间,我发现在密码字段中输入的一些字符在遇到验证器时会被转义。

例如:

用户输入密码,如RzB&EUgbrhqJRt$Y2

在验证器中,此值变为RzB&EUgbrhqJRt$Y2

请注意,&逃到了&

这简直打破了我的一些验证规则。我找不到为什么以及如何禁用这个逃逸的东西。 Symfony相当新,并寻求有关此事的一些帮助。

构建表单代码:

public function buildForm(FormBuilderInterface $builder, array $options)
    {
        $builder->add('currentPassword', PasswordType::class, [
            'constraints' => new UserPassword(['groups' => [UserProfile::VALIDATION_PASSWORD], 'message' => 'Current password is invalid.']),
            'mapped' => false,
            'attr' => [
                'placeholder' => 'Current Login Password',
                'required' => 'true',
                'data-parsley-required-message' => 'Please enter your current login password',
                'autocomplete' => 'disabled'
            ]
        ]);

        $builder->add(self::FORM_NEW_PASSWORD, RepeatedType::class, [
            'type' => PasswordType::class,
            'mapped' => false,
            'constraints' => [
                new NewPassword(['groups' => [UserProfile::VALIDATION_PASSWORD]])
            ],
            'first_options' => [
                'attr' => [
                    'id' => 'change_password_newPassword_first',
                    'maxlength' => 40,
                    'minlength' => 10,
                    'data-parsley-password' => '',
                    'placeholder' => 'New Password',
                    'data-parsley-required-message' => 'Please enter your new password',
                    'autocomplete' => 'disabled'
                ]
            ],
            'second_options' => [
                'attr' => [
                    'data-parsley-equalto' => '#change_password_newPassword_first',
                    'placeholder' => 'Confirm New Password',
                    'data-parsley-required-message' => 'Please re-enter your new password',
                    'autocomplete' => 'disabled'
                ]
            ]
        ]);

        $builder->add('change', SubmitType::class, [
            'attr' => [
                'class' => 'btn-full-width',
                'data-parsley-validate' => 1,
                'disabled' => 'disabled'
            ]
        ]);

        $builder->addEventListener(FormEvents::POST_SUBMIT, [$this, 'onPostSubmit']);
    }

表单验证约束:

    public function validate($value, Constraint $constraint) 
        {
            //$value HERE IS ESCAPED
            $zxcvbn = new Zxcvbn();
            $strength = $zxcvbn->passwordStrength($value);

            $pp = new PwnedPasswords();
            if (!preg_match(NewPassword::REGEX, $value)) {
                // Match password pattern
                $this->context->buildViolation($constraint->messagePasswordNotValid)
                    ->setParameter('{{ value }}', $this->formatValue($value))
                    ->addViolation();
            } else if ($strength["score"] < 3) {
                // Calculate password strength
                $this->context->buildViolation($constraint->messagePasswordNotStrong)
                    ->setParameter('{{ value }}', $this->formatValue($value))
                    ->addViolation();
            } else if ($pp->isInsecure($value)) {
                // Check to see if the password is breached
                $this->context->buildViolation($constraint->messagePasswordBreached)
                    ->setParameter('{{ value }}', $this->formatValue($value))
                    ->addViolation();
            }
        }

固定:

由表单配置中的html_purifier_extension引起的问题。禁用修复此问题。虽然extended_type: Symfony\Component\Form\Extension\Core\Type\TextType,不知道为什么它影响密码字段也是如此。需要进一步调查。

php html symfony post change-password
2个回答
0
投票

这可能是原因:不要htmlspecialchars()数据,你没有回应。这可能是原因。 htmlspecialchars()用于清理要打印到HTML解析器的数据。


0
投票

我认为穆罕默德建议使用qazxsw poi是正确的。

当有人在密码中使用htmlspecialchars_decode($value);时,例如

&amp;

,验证器将收到的Zdv5&amp;rwv) $value标志编码为&&amp;,使其成为&amp;,因此整个密码将最终成为

&amp;amp;

检查Zdv5&amp;amp;rwv) 以获取代码示例。

© www.soinside.com 2019 - 2024. All rights reserved.