You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I encountered an issue in the ComponentAttributeBag when manually changing the input field name format in developer tools. This scenario mimics a potential attack where a malicious user manipulates the input names to pass unexpected data types.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
-
I encountered an issue in the ComponentAttributeBag when manually changing the input field name format in developer tools. This scenario mimics a potential attack where a malicious user manipulates the input names to pass unexpected data types.
Steps to Reproduce
Create a custom input component
<input {{ $attributes->merge(['type' => 'text']) }}/>Use the component in a form :
<x-input name="email" />Open the form in the browser, inspect the email input field using the developer tools, and manually change the name attribute from email to email[].
The following error occurs:
error – trim(): Argument 1 ($string) must be of type string, array given
The error appears to stem from the ComponentAttributeBag class, which seems to be expecting the value to be a string rather than an array.
Environment
Potential Fix
It would be helpful if the ComponentAttributeBag could check whether the input is an array before applying the trim() function.
Beta Was this translation helpful? Give feedback.
All reactions