Only allow alphanumeric/underscore characters through StringHelper::toHandle()

brandonkelly · brandonkelly · commit 979e992010e0 · 2024-09-22T11:49:06.000-07:00
Resolves #15772
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@
 - Auto-generated handles, slugs, etc. now update immediately when the source input is changed. ([#15754](https://github.com/craftcms/cms/issues/15754))
 - Fixed a bug where Table fields’ Default Values table could lose existing rows if they only consisted of Dropdown columns without configured options.
 - Fixed a bug where custom fields’ `required` properties were always `false`. ([#15752](https://github.com/craftcms/cms/issues/15752))
+- Fixed a bug where `craft\helpers\StringHelper::toHandle()` was allowing non-alphanumeric/underscore characters through. ([#15772](https://github.com/craftcms/cms/pull/15772))
 
 ## 4.12.3 - 2024-09-14
 
diff --git a/src/helpers/StringHelper.php b/src/helpers/StringHelper.php
@@ -1811,6 +1811,9 @@ public static function toHandle(string $str): string
         // Handle must start with a letter
         $handle = preg_replace('/^[^a-z]+/', '', $handle);
 
+        // Replace any remaining non-alphanumeric or underscore characters with spaces
+        $handle = preg_replace('/[^a-z0-9_]/', ' ', $handle);
+
         return static::toCamelCase($handle);
     }
 
diff --git a/tests/unit/helpers/StringHelperTest.php b/tests/unit/helpers/StringHelperTest.php
@@ -2206,6 +2206,10 @@ public function toHandleDataProvider(): array
             ['fooBar', 'Fo’o Bar'],
             ['fooBarBaz', 'Foo Ba’r   Baz'],
             ['fooBar', '0 Foo Bar'],
+            ['fooBar', 'Foo!Bar'],
+            ['fooBar', 'Foo,Bar'],
+            ['fooBar', 'Foo/Bar'],
+            ['fooBar', 'Foo\\Bar'],
         ];
     }
 

Original file line number	Diff line number	Diff line change
`@@ -1811,6 +1811,9 @@ public static function toHandle(string $str): string`
`1811`	`1811`	`// Handle must start with a letter`
`1812`	`1812`	`$handle = preg_replace('/^[^a-z]+/', '', $handle);`
`1813`	`1813`
	`1814`	`+ // Replace any remaining non-alphanumeric or underscore characters with spaces`
	`1815`	`+ $handle = preg_replace('/[^a-z0-9_]/', ' ', $handle);`
	`1816`	`+`
`1814`	`1817`	`return static::toCamelCase($handle);`
`1815`	`1818`	`}`
`1816`	`1819`