Ensure that form ids are unique

Add an unique prefix to each Form- or FormElement id, unless id protection is disabled explicitly, to prevent id collisions between different containers. fixes #8460
2025-07-26 23:34:08 +02:00 · 2015-02-25 18:00:28 +01:00 · 2015-02-25 18:00:28 +01:00 · 89451f3086
commit 89451f3086
parent cc403806f7
6 changed files with 90 additions and 4 deletions
--- a/application/views/helpers/ProtectId.php
+++ b/application/views/helpers/ProtectId.php
@ -0,0 +1,12 @@
 <?php
 /* Icinga Web 2 | (c) 2013-2015 Icinga Development Team | GPLv2+ */
 /**
 * Class Zend_View_Helper_Util
 */
 class Zend_View_Helper_ProtectId extends Zend_View_Helper_Abstract
 {
    public function protectId($id) {
        return Zend_Controller_Front::getInstance()->getRequest()->protectId($id);
    }
 }
--- a/application/views/scripts/config/authentication/reorder.phtml
+++ b/application/views/scripts/config/authentication/reorder.phtml
@ -2,7 +2,7 @@
  <?= $tabs; ?>
 </div>
 <div class="content" data-base-target="_next">
-  <h1 tabindex="-1" id="authentication-reorder">
+  <h1 tabindex="-1" id="authentication-configuration">
    <?= $this->translate('Authentication Configuration'); ?>
  </h1>
  <h2 tabindex="-1" id="authentication-new-backend" class="sr-only">
--- a/application/views/scripts/mixedPagination.phtml
+++ b/application/views/scripts/mixedPagination.phtml
@ -9,8 +9,8 @@ use Icinga\Web\Url;
 if ($this->pageCount <= 1) return;
-?><p id="paginationlabel" class="audible"><?= t('Pagination') ?></p>
+?><p id="<?= $this->protectId('paginationlabel'); ?>" class="audible"><?= t('Pagination') ?></p>
-<ul class="pagination" aria-labelledby="paginationlabel" role="navigation"
+<ul class="pagination" aria-labelledby="<?= $this->protectId('paginationlabel'); ?>" role="navigation"
 <?php
 $fromto = t('Show rows %u to %u out of %u');
--- a/library/Icinga/Web/Form.php
+++ b/library/Icinga/Web/Form.php
@ -112,6 +112,13 @@ class Form extends Zend_Form
     */
    protected $validatePartial = false;
    /**
     * Whether element ids will be protected against collisions by appending a request-specific unique identifier
     *
     * @var bool
     */
    protected $protectIds = true;
    /**
     * Authentication manager
     *
@ -903,6 +910,28 @@ class Form extends Zend_Form
    public function render(Zend_View_Interface $view = null)
    {
        $this->create();
        if ($this->protectIds) {
            if (null !== $this->getAttrib('id')) {
                $this->setAttrib('id', $this->getRequest()->protectId($this->getAttrib('id')));
            } else {
                $this->setAttrib('id', $this->getRequest()->protectId($this->name));
            }
            /** @var Zend_Form_Element $element */
            foreach ($this->getElements() as $element) {
                if (null !== $element->getAttrib('id')) {
                    $element->setAttrib(
                        'id',
                        $this->getRequest()->protectId($this->getName() . '-' . $element->getAttrib('id'))
                    );
                } else {
                    $element->setAttrib(
                        'id',
                        $this->getRequest()->protectId($this->getName() . '-' . $element->getName())
                    );
                }
            }
        }
        return parent::render($view);
    }
@ -944,4 +973,29 @@ class Form extends Zend_Form
            throw new SecurityException('No permission for %s', $permission);
        }
    }
    /**
     * Enable or disable whether ids should be altered to guard them against duplications
     *
     * @param $value    boolean Whether or not protect ids against collisions through other requests
     */
    public function setProtectIds($value)
    {
        $this->protectIds = $value;
    }
    /**
     * Get the id that is written into the output html when rendering this form
     *
     * This will return the protected id, in case $protectIds is enabled.
     *
     * @return string   The id
     */
    public function getId()
    {
        if ($this->protectIds) {
            return $this->getRequest()->protectId($this->getName());
        }
        return $this->getName();
    }
 }
--- a/library/Icinga/Web/Request.php
+++ b/library/Icinga/Web/Request.php
@ -18,6 +18,11 @@ class Request extends Zend_Controller_Request_Http
     */
    private $user;
    /**
     * @var string
     */
    private $uniqueId;
    private $url;
    public function getUrl()
@ -47,4 +52,19 @@ class Request extends Zend_Controller_Request_Http
    {
        return $this->user;
    }
    /**
     * Makes an ID unique to this request, to prevent id collisions in different containers
     *
     * Call this whenever an ID might show up multiple times in different containers. This function is useful
     * for ensuring unique ids on sites, even if we combine the HTML of different requests into one site,
     * while still being able to reference elements uniquely in the same request.
     */
    public function protectId($id)
    {
        if (! isset($this->uniqueId)) {
            $this->uniqueId = Window::generateId();
        }
        return $id . '-' . $this->uniqueId;
    }
 }
--- a/modules/monitoring/application/controllers/ListController.php
+++ b/modules/monitoring/application/controllers/ListController.php
@ -702,7 +702,7 @@ class Monitoring_ListController extends Controller
    private function setupSortControl(array $columns)
    {
        $this->view->sortControl = new SortBox(
-            $this->getRequest()->getActionName(),
+            'sortbox-' . $this->getRequest()->getActionName(),
            $columns
        );
        $this->view->sortControl->applyRequest($this->getRequest());