[5.4] Fix Blade @parent issue #16033
Conversation
But the new placeholder can still be abused though, right?

Yeah if you have a

It doesn't fix the potential security problem we have here where users can inject this string.

We've never actually found that this is a "security" problem, tbh. I do agree however that it would be nice if we could just totally eliminate the issue instead of changing to a different string. I've forgotten why that is somewhat difficult.

@taylorotwell well the point is that the replacement of This PR #10122 was trying to fix using This PR replaces a common string

Maybe you could add some random suffix, e.g.

The random token may work to further make it tougher to run into the issue and prevent people from easily guessing the token. Though I'm not sure there is really even a security issue.

I don't think it should be considered as a security issue, I consider it a limitation on using the string
* | ||
* @return string | ||
*/ | ||
protected function compileParent() |
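Review bot: the docblock on `compileParent()` carries only `@return string` and no description line; since this is the method whose return value stands in for the `@parent` directive in compiled output, a one-line summary of what it emits (the placeholder that the view factory later swaps for the parent section's content) would make the question raised in review about where the method is called answerable from the code itself.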
This function doesn't seem to be used anywhere?
Refs subsequent 16f72a5 :)

To fit the issue, can you consider somehow putting
This is an attempt to fix #10068. Currently, if a variable was passed to the view that contains the string `@parent`, Blade tries to compile this string as a `@parent` directive, causing the parent content to be appended into the view if a parent section exists, or, if not, the `@parent` string will be stripped from the response. This PR attempts to fix this by replacing the actual `@parent` directive with a different placeholder. The change is breaking because any `@parent` that exists in the blade file will be replaced, so for example this echo `{{ '@parent' }}` won't work.
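To make the mechanism discussed in this thread concrete, here is an added example that is not Laravel's code and not part of this PR: a minimal stand-in for Blade's section handling, in which a directive written in the template source is compiled to a placeholder string and, at render time, a parent section's content is substituted wherever that placeholder appears. The class and function names (`MiniSections`, `compileTemplate`, `startSection`, `yieldContent`, `renderWith`) and the sample templates are invented for illustration. Running it with a constant placeholder shows the limitation the PR description and the "can still be abused" comment point at (view data equal to the marker is treated as the directive); running it with a per-process random token, as the "random suffix" suggestion proposes, shows the same input passing through as plain text.

```php
<?php
// Added example, not Laravel's implementation: a toy model of Blade's
// @parent handling. Names below are invented for this illustration.

final class MiniSections
{
    /** @var array<string, string> section name => content already registered */
    private array $sections = [];

    /** Marker the "compiler" emits in place of a literal @parent directive. */
    private string $placeholder;

    public function __construct(?string $placeholder = null)
    {
        // Passing a fixed string models the weak choice: a guessable marker that
        // view data can reproduce. The default models the stronger choice: a marker
        // salted with random bytes drawn once per process, which data arriving at
        // render time cannot contain except by chance.
        $this->placeholder = $placeholder
            ?? '##parent-placeholder-' . bin2hex(random_bytes(20)) . '##';
    }

    public function placeholder(): string
    {
        return $this->placeholder;
    }

    /**
     * Compile-time step: the directive in the template SOURCE becomes the marker.
     * Like the real compiler, this is purely textual, so a literal '@parent' in
     * the source (e.g. inside an echo) is rewritten too; that is the breaking
     * change the PR description mentions.
     */
    public function compileTemplate(string $source): string
    {
        return str_replace('@parent', $this->placeholder, $source);
    }

    /**
     * Runtime step. In an @extends flow the child's section is registered first;
     * when the parent layout later defines a section of the same name, the
     * parent's content is spliced in wherever the child's content carries the marker.
     */
    public function startSection(string $name, string $content): void
    {
        if (isset($this->sections[$name])) {
            $this->sections[$name] = str_replace(
                $this->placeholder, $content, $this->sections[$name]
            );
        } else {
            $this->sections[$name] = $content;
        }
    }

    /** Any marker still present (no parent defined the section) is stripped. */
    public function yieldContent(string $name): string
    {
        return str_replace($this->placeholder, '', $this->sections[$name] ?? '');
    }
}

/**
 * Constructed scenario: a child template echoes a user-supplied value into a
 * section that a parent layout also defines. The template source is compiled
 * first; the user value is inserted afterwards, as an escaped echo would do,
 * so it never passes through the compiler.
 */
function renderWith(MiniSections $s, string $userInput): string
{
    $childCompiled = $s->compileTemplate('<li>@parent</li><li>{{ name }}</li>');
    $s->startSection(
        'list',
        str_replace('{{ name }}', htmlspecialchars($userInput, ENT_QUOTES), $childCompiled)
    );

    // Parent layout defines the same section.
    $s->startSection('list', 'parent item');

    return $s->yieldContent('list');
}

// 1) Constant marker: data equal to the marker is indistinguishable from the directive.
$fixed = new MiniSections('@parent');
echo "fixed marker : ", renderWith($fixed, '@parent'), PHP_EOL;

// 2) Random marker: the same data is just text in the rendered section.
$random = new MiniSections();
echo "random marker: ", renderWith($random, '@parent'), PHP_EOL;
```

With the constant marker both list items end up reading "parent item", because the escaped user value is identical to the marker and is swapped for the parent's content during the merge; `htmlspecialchars` does not help, since the marker contains no HTML-significant characters. With the random marker the second item keeps the literal text `@parent`. The toy shares the limitation noted in the PR description: a literal `@parent` written in the template source is rewritten regardless of which marker is used, because the compile step is a plain text replacement.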