Only allow alphanumeric/underscore characters through StringHelper::t…

…oHandle() Resolves #15772
craftcms · Sep 22, 2024 · 979e992 · 979e992
1 parent cbccf95
commit 979e992
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@
 - Auto-generated handles, slugs, etc. now update immediately when the source input is changed. ([#15754](https://github.com/craftcms/cms/issues/15754))
 - Fixed a bug where Table fields’ Default Values table could lose existing rows if they only consisted of Dropdown columns without configured options.
 - Fixed a bug where custom fields’ `required` properties were always `false`. ([#15752](https://github.com/craftcms/cms/issues/15752))
+- Fixed a bug where `craft\helpers\StringHelper::toHandle()` was allowing non-alphanumeric/underscore characters through. ([#15772](https://github.com/craftcms/cms/pull/15772))
 
 ## 4.12.3 - 2024-09-14
 

diff --git a/src/helpers/StringHelper.php b/src/helpers/StringHelper.php
@@ -1811,6 +1811,9 @@ public static function toHandle(string $str): string
         // Handle must start with a letter
         $handle = preg_replace('/^[^a-z]+/', '', $handle);
 
+        // Replace any remaining non-alphanumeric or underscore characters with spaces
+        $handle = preg_replace('/[^a-z0-9_]/', ' ', $handle);
+
         return static::toCamelCase($handle);
     }
 

diff --git a/tests/unit/helpers/StringHelperTest.php b/tests/unit/helpers/StringHelperTest.php
@@ -2206,6 +2206,10 @@ public function toHandleDataProvider(): array
             ['fooBar', 'Fo’o Bar'],
             ['fooBarBaz', 'Foo Ba’r   Baz'],
             ['fooBar', '0 Foo Bar'],
+            ['fooBar', 'Foo!Bar'],
+            ['fooBar', 'Foo,Bar'],
+            ['fooBar', 'Foo/Bar'],
+            ['fooBar', 'Foo\\Bar'],
         ];
     }