Validate form field names better (see #8403).

contao · Aug 15, 2016 · 3222512 · 3222512
1 parent ddceb0f
commit 3222512
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 1 deletion.
diff --git a/system/docs/CHANGELOG.md b/system/docs/CHANGELOG.md
@@ -4,6 +4,9 @@ Contao Open Source CMS changelog
 Version 3.5.16 (2016-XX-XX)
 ---------------------------
 
+### Fixed
+Validate form field names better (see #8403).
+
 ### Fixed
 Correctly show the ctime, mtime and atime of a folder (see #8408).
 

diff --git a/system/modules/core/dca/tl_form_field.php b/system/modules/core/dca/tl_form_field.php
@@ -175,7 +175,7 @@
 			'exclude'                 => true,
 			'search'                  => true,
 			'inputType'               => 'text',
-			'eval'                    => array('mandatory'=>true, 'rgxp'=>'extnd', 'spaceToUnderscore'=>true, 'maxlength'=>64, 'tl_class'=>'w50'),
+			'eval'                    => array('mandatory'=>true, 'rgxp'=>'fieldname', 'spaceToUnderscore'=>true, 'maxlength'=>64, 'tl_class'=>'w50'),
 			'sql'                     => "varchar(64) NOT NULL default ''"
 		),
 		'label' => array

diff --git a/system/modules/core/languages/en/default.xlf b/system/modules/core/languages/en/default.xlf
@@ -200,6 +200,9 @@
       <trans-unit id="ERR.invalidGoogleId">
         <source>Please enter a numeric Google+ ID or vanity name!</source>
       </trans-unit>
+      <trans-unit id="ERR.invalidFieldName">
+        <source>Please enter only the following characters: A-Z0-9[]_-</source>
+      </trans-unit>
       <trans-unit id="SEC.question1">
         <source>Please add %d and %d.</source>
       </trans-unit>

diff --git a/system/modules/core/library/Contao/Validator.php b/system/modules/core/library/Contao/Validator.php
@@ -437,4 +437,17 @@ public static function isValidFileName($strName)
 
 		return true;
 	}
+
+
+	/**
+	 * Valid form field name
+	 *
+	 * @param mixed $strName The form field name
+	 *
+	 * @return boolean True if the form field name is valid
+	 */
+	public static function isFieldName($strName)
+	{
+		return preg_match('/^[A-Za-z0-9[\]_-]+$/', $strName);
+	}
 }
diff --git a/system/modules/core/library/Contao/Widget.php b/system/modules/core/library/Contao/Widget.php
@@ -1120,6 +1120,14 @@ protected function validator($varInput)
 					}
 					break;
 
+				// Check whether the current value is a field name
+				case 'fieldname':
+					if (!\Validator::isFieldName($varInput))
+					{
+						$this->addError(sprintf($GLOBALS['TL_LANG']['ERR']['invalidFieldName'], $this->strLabel));
+					}
+					break;
+
 				// HOOK: pass unknown tags to callback functions
 				default:
 					if (isset($GLOBALS['TL_HOOKS']['addCustomRegexp']) && is_array($GLOBALS['TL_HOOKS']['addCustomRegexp']))