
[5.0] FormRequest sanitized input not being passed into commands with dispatchFrom #6922

Closed
JosephSilber opened this issue Jan 6, 2015 · 4 comments

@JosephSilber (Member)

The FormRequest object now supports sanitizing the user's input.

To get the sanitized input, you have to call the sanitized method:

$request->sanitized(); // returns [...], like Input::all();

// or...
$request->sanitized('foo'); // returns what Input::get('foo') would, sanitized.

However, when populating a command with dispatchFrom:

$this->dispatchFrom(Command::class, $request);

...it'll just iterate over the $request object, which will return the raw unsanitized input.

To solve this problem, we could check for an instance of FormRequest in the marshal method and call $source->sanitized(), but that's an ugly hack.


Even without this problem, it would make more sense to somehow replace the default input with the sanitized input, and instead have a raw method to get the unsanitized input. This is more secure by default, and would also help with this dispatchFrom problem.

Taylor told me a while ago that this is actually how he would prefer it, and that I should change it to default to the sanitized input. Alas, implementing this proved rather challenging. I've tried it a few times, but have always come up empty.

The input itself can come from many different sources (get data, post data, post json data etc.), and repopulating all those sources, respectively, is nigh impossible. They can also be accessed through a myriad of methods (get, input, all etc.). Overwriting all those methods isn't really feasible either.

Ideas?

@MartijnThomas

Taylor removed the sanitization feature: 924a7fc

@JosephSilber (Member, Author)

😢

He removed it because it was "incomplete". I think he means exactly what's been outlined above: the default value is not sanitized.

We need a better solution. And before L5 is done...

@GrahamCampbell (Member)

You should probably just implement your own solutions here. Perhaps a decorator for the request object would do it for you? It's not like we're removing a feature Laravel ever actually had here. No tagged release contains this.

@joshhornby (Contributor)

Does anyone have an example of this working with a decorator request object? The solutions posted at the bottom of this commit seem a little clunky: 924a7fc
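A sketch of the decorator approach suggested above, added here as an illustration; it is not code from the Laravel project or from anyone in this thread. It assumes the wrapped request exposes all() (raw input) and sanitized() exactly as described in the opening post, and that dispatchFrom reads its source through ArrayAccess; the SanitizedRequest class name and the trim/strip_tags rule in the stand-in request are made up for the example.

```php
<?php
// Added example (not Laravel code): a request decorator that hands out sanitized
// input by default and only exposes raw input through an explicit raw() call.
// Assumes the wrapped object provides all() and sanitized() as in the opening post.

final class SanitizedRequest implements ArrayAccess, IteratorAggregate
{
    public function __construct(private object $request) {}

    // Default accessors return sanitized values, so anything that reads the
    // source via ArrayAccess or iteration (e.g. dispatchFrom) never sees raw input.
    public function all(): array { return $this->request->sanitized(); }

    public function input(string $key, mixed $default = null): mixed
    {
        return $this->all()[$key] ?? $default;
    }

    // Unsanitized input stays reachable, but only when asked for by name.
    public function raw(?string $key = null): mixed
    {
        $raw = $this->request->all();
        return $key === null ? $raw : ($raw[$key] ?? null);
    }

    public function offsetExists(mixed $offset): bool { return array_key_exists($offset, $this->all()); }
    public function offsetGet(mixed $offset): mixed { return $this->input($offset); }
    public function offsetSet(mixed $offset, mixed $value): void { throw new LogicException('read-only'); }
    public function offsetUnset(mixed $offset): void { throw new LogicException('read-only'); }
    public function getIterator(): Traversable { return new ArrayIterator($this->all()); }

    // Everything else is delegated to the wrapped request unchanged.
    public function __call(string $method, array $args): mixed { return $this->request->$method(...$args); }
}

// Constructed stand-in for a FormRequest whose sanitized() trims whitespace and strips tags.
$form = new class {
    public function all(): array { return ['name' => '  <b>Ada</b> ', 'age' => '36']; }
    public function sanitized(?string $key = null): mixed
    {
        $clean = array_map(fn ($v) => trim(strip_tags($v)), $this->all());
        return $key === null ? $clean : ($clean[$key] ?? null);
    }
};

$request = new SanitizedRequest($form);
var_dump($request['name']);      // the value a command populated via ArrayAccess receives
var_dump($request->raw('name')); // the original, unsanitized value, on explicit request
```

Passing the decorator instead of the bare request to dispatchFrom keeps the command constructor arguments sanitized without touching the marshal method.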
