Contrib.social

Support object with __invoke() for #pre_render.

Open on Drupal.org →
Created on 12 January 2025, 6 months ago

Problem/Motivation

Sometimes it can be useful to use an object with a custom __invoke() method as a #pre_render callback.
Currently such a callback is rejected in DoTrustedCallbackTrait::doTrustedCallback().

Steps to reproduce

The below example is a bit pointless, and will cause issues with serialization, but it's ok to reproduce the problem.

$element['#pre_render'][] = new class {
  function __invoke(array $element): array {
    return $element;
  }
};

Proposed resolution

We have two options:

  1. Support _any_ object with __invoke() method as #pre_render callback.
  2. Support object with __invoke() method, _if_ that object implements a specific interface, or the class or __invoke() method has a '#[TrustedCallback]' attribute.

The second option is required if:

  • There is a vector that would allow to inject an instance of an arbitrary class with __invoke() method into #pre_render, AND
  • There is or could be a class with __invoke() method that would cause security-relevant trouble if used in #pre_render.

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

📌 Task
Status

Active

Version

11.1 🔥

Component

render system

Created by

🇩🇪Germany donquixote

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024