[5.4] Fix Blade @parent issue #16033
Conversation
GrahamCampbell
changed the title
|
But the new placeholder can still be abused though, right? |
|
Yeah if you have a |
|
It doesn't fix the potential security problem we have here were users can inject this string. |
|
We've never actually found that this is a "security" problem, tbh. I do agree however that it would be nice if we could just totally eliminate the issue instead of changing to a different string. I've forgotten why that is somewhat difficult. |
|
@taylorotwell well the point is that the replacement of This PR #10122 was trying to fix using This PR replaces a common string |
|
Maybe you could add some random suffix, e.g. |
|
The random token may work to further make it tougher to run into the issue and prevent people from easily guessing the token. Though I'm not sure there is really even a security issue. |
|
I don't think it should be considered as a security issue, I consider it a limitation on using the string |
| * | ||
| * @return string | ||
| */ | ||
| protected function compileParent() |
There was a problem hiding this comment.
This function doesn't seem to be used anywhere?
There was a problem hiding this comment.
|
Refs subsequent 16f72a5 :) |
|
To fit the issue, can you consider somehow putting |
This is an attempt to fix #10068, currently if a variable was passed to the view that contains the string
@parent, Blade tries to compile this string as a@parentdirective causing appending the parent content into the view if a parent section exists, or if not the@parentstring will be stripped from the response.This PR attempts to fix this by replacing the actual
@parentdirective with a different placeholder, the change is breaking because any@parentthat exists in the blade file will be replaced, so for example this echo{{ '@parent' }}won't work.