
Error after update bolt to 3.3.6 and boltforms to 4.1.12

Open kutulus opened this issue 7 years ago • 8 comments

Hi, after updating bolt from 3.2.16 to 3.3.6 and boltforms from 3.1 to 4.1.12 I'm getting this error when loading the page with the form.

Uncaught Exception: Twig_Sandbox_SecurityNotAllowedFunctionError.

    Twig_Sandbox_SecurityNotAllowedFunctionError in SecurityPolicy.php line 170:
    Function 'boltforms' is not allowed in "__string_template__798ccd2aeed56c3363b655d42933fac2837b80982cad9afeff749367c75ebc5b" at line 16.

Are there any additional migration steps I missed?

regards Stefano

kutulus avatar Oct 09 '17 23:10 kutulus

Update: The error occurs when putting the Twig tag `{{ boltforms('contact') }}` in the text field "Body".

The text field of the contenttype is configured with: `allowtwig: true`

When I put the Twig tag into the template, it works fine.

regards Stefano

kutulus avatar Oct 11 '17 09:10 kutulus

I'm experiencing this issue as well on Bolt 3.3.6 and Boltforms 3.1.0.

flrvt avatar Nov 08 '17 13:11 flrvt

This was indeed a change in Bolt 3.3 itself, which switched to a whitelist for Twig tags. We'll get working on a fix. Thanks for the report.

rossriley avatar Nov 08 '17 13:11 rossriley

@rossriley I've once fixed this by using:

    // Extend Bolt's sandbox policy service so the 'boltforms' Twig function
    // may also be called from sandboxed (user-entered) content.
    $app['twig.sandbox.policy'] = $app->share(
        $app->extend('twig.sandbox.policy', function ($policy) {
            $policy->addAllowedFunction('boltforms');

            return $policy;
        })
    );

Maybe it's as simple as that.

bobdenotter avatar Nov 08 '17 13:11 bobdenotter

I had a slightly different error message so I'm just writing it down here for future reference (and Google).

Uncaught Exception: Twig_Sandbox_SecurityNotAllowedTagError.

    Twig_Sandbox_SecurityNotAllowedTagError in SecurityPolicy.php line 158:
    Tag 'form_theme' is not allowed in "forms/_contact.twig" at line 5.

flrvt avatar Nov 08 '17 13:11 flrvt

Because I'm a very stubborn individual, I've added the following method to BoltFormsExtension.php to make it work:

    public function registerServices(Application $app)
    {
        // Set the sandbox policy, but only for Bolt 3.3 and up
        // (older versions have no 'twig.sandbox.policy' service).
        if (isset($app['twig.sandbox.policy'])) {
            $app['twig.sandbox.policy'] = $app->share(
                $app->extend('twig.sandbox.policy', function ($policy) {
                    // Twig functions the form templates call.
                    $policy->addAllowedFunction('boltforms');
                    $policy->addAllowedFunction('form_end');
                    $policy->addAllowedFunction('form_errors');
                    $policy->addAllowedFunction('form_label');
                    $policy->addAllowedFunction('form_row');
                    $policy->addAllowedFunction('form_start');
                    $policy->addAllowedFunction('form_widget');
                    $policy->addAllowedFunction('include');

                    // Object methods the templates invoke (class name, lower-cased method).
                    $policy->addAllowedMethod('FieldBag', 'getoptions');
                    $policy->addAllowedMethod('FieldOptionsBag', 'label');
                    $policy->addAllowedMethod('FieldsBag', 'email');
                    $policy->addAllowedMethod('FieldsBag', 'label');
                    $policy->addAllowedMethod('FieldsBag', 'message');
                    $policy->addAllowedMethod('FieldsBag', 'name');
                    $policy->addAllowedMethod('Form', 'getconfig');
                    $policy->addAllowedMethod('FormBuilder', 'gettype');
                    $policy->addAllowedMethod('FormView', 'setmethodrendered');
                    $policy->addAllowedMethod('Request', 'get');
                    $policy->addAllowedMethod('ResolvedTypeDataCollectorProxy', 'getname');
                    $policy->addAllowedMethod('Result', 'ispass');
                    $policy->addAllowedMethod('TemplateOptionsBag', 'getcss');
                    $policy->addAllowedMethod('TemplateOptionsBag', 'getformtheme');
                    $policy->addAllowedMethod('TemplateOptionsBag', 'getjs');
                    $policy->addAllowedMethod('TemplateOptionsBag', 'getmessages');
                    $policy->addAllowedMethod('TemplateOptionsBag', 'getrecaptcha');

                    // Object properties read directly from the templates.
                    $policy->addAllowedProperty('Application', 'request');
                    $policy->addAllowedProperty('FormView', 'vars');

                    // Twig tags used by the form theme.
                    $policy->addAllowedTag('form_theme');
                    $policy->addAllowedTag('import');

                    return $policy;
                })
            );
        }
    }

I don't think it's desirable to add that to the extension, because it sort of defeats the entire purpose of the sandbox.

My line of thinking is that we should officially not support {{ boltforms }} tags inside user-entered content.

bobdenotter avatar Dec 29 '17 16:12 bobdenotter
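A stand-alone illustration of the whitelist behaviour discussed in this thread (deny by default, then broadened by listing functions), added here as example code that is not part of Bolt or BoltForms. It assumes Twig 1.x installed via Composer and uses a stub `boltforms()` function in place of the extension's real one.

```php
<?php
// Added example: a Twig 1.x sandbox with a whitelist policy of the kind Bolt 3.3
// applies to user-entered fields marked allowtwig: true. Templates on disk are not
// sandboxed, which is why the same tag works in a template but not in the field.
require __DIR__ . '/vendor/autoload.php'; // assumes twig/twig ^1.35 (assumption)

function renderUserContent(string $body, array $allowedFunctions): string
{
    $twig = new Twig_Environment(new Twig_Loader_Array(['body' => $body]));

    // Stub standing in for the extension's boltforms() function (hypothetical).
    $twig->addFunction(new Twig_SimpleFunction('boltforms', function ($name) {
        return '<form name="' . htmlspecialchars($name, ENT_QUOTES) . '"></form>';
    }, ['is_safe' => ['html']]));

    // Deny-by-default policy: only what is listed here may be used.
    // Constructor argument order: tags, filters, methods, properties, functions.
    $policy = new Twig_Sandbox_SecurityPolicy(
        ['if', 'for'],      // allowed tags
        ['escape'],         // allowed filters
        [],                 // allowed methods (class => [methods])
        [],                 // allowed properties
        $allowedFunctions   // allowed functions
    );
    // Second argument true sandboxes every template rendered by this environment.
    $twig->addExtension(new Twig_Extension_Sandbox($policy, true));

    try {
        return $twig->render('body');
    } catch (Twig_Sandbox_SecurityError $e) {
        // Covers NotAllowedFunction/Tag/Filter/Method/Property errors alike.
        return 'BLOCKED: ' . $e->getMessage();
    }
}

// Constructed sample of what an editor might type into the "Body" field.
$body = "<p>Contact us</p>\n{{ boltforms('contact') }}";

// Default policy: boltforms is not whitelisted, so rendering is refused.
echo renderUserContent($body, []), PHP_EOL;

// Whitelisted, as $policy->addAllowedFunction('boltforms') does in the workaround above;
// every function added this way is then callable from any sandboxed user content.
echo renderUserContent($body, ['boltforms']), PHP_EOL;
```

Each name added to the policy widens what every editor with an `allowtwig` field can call, which is the trade-off raised in the comment above.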

Hey all, I don't mean to bring up a looooong stale thread, but do we have to add the security exceptions like @bobdenotter showed above ( https://github.com/bolt/boltforms/issues/199#issuecomment-354464744 )?

For reference, the particular error I get is:

    Twig_Sandbox_SecurityNotAllowedTagError in SecurityPolicy.php line 158:
    Tag 'import' is not allowed

I just came across this for an image extension and was curious.

cdowdy avatar Feb 08 '19 17:02 cdowdy

@cdowdy I'm not in the country right now, but I think you might have a point. Let's add these! Feel free to either PR a change, or bump me in three weeks when I'm back from Guatemala. :-)

bobdenotter avatar Feb 08 '19 21:02 bobdenotter