Merge branch '5.3' into 5.x

config/services.yaml

@@ -1150,6 +1150,7 @@ services:
             - '@twig'
             - '@contao.twig.filesystem_loader'
             - '@contao.csrf.token_manager'
+            - '@contao.twig.global.variable'
 
     contao.twig.fail_tolerant_filesystem_loader:
         class: Contao\CoreBundle\Twig\Loader\FailTolerantFilesystemLoader
@@ -1201,6 +1202,13 @@ services:
         arguments:
             - '@contao.framework'
 
+    contao.twig.global.variable:
+        class: Contao\CoreBundle\Twig\Global\ContaoVariable
+        arguments:
+            - '@request_stack'
+            - '@contao.security.token_checker'
+            - '@contao.csrf.token_manager'
+
     contao.twig.highlighter_runtime:
         class: Contao\CoreBundle\Twig\Runtime\HighlighterRuntime
 

contao/classes/DataContainer.php

@@ -1268,7 +1268,7 @@ public function initPicker(PickerInterface $picker)
 		$this->objPicker = $picker;
 		$this->strPickerFieldType = $attributes['fieldType'];
 
-		$this->objPickerCallback = static function ($value) use ($picker, $provider) {
+		$this->objPickerCallback = static function ($value) use ($provider, $picker) {
 			return $provider->convertDcaValue($picker->getConfig(), $value);
 		};
 

contao/dca/tl_templates.php

@@ -316,7 +316,7 @@ public function addNewTemplate()
 				$filesystem->dumpFile($targetFile, $content);
 			};
 
-			$createLegacyTemplate = static function (string $strOriginal, $strTarget) use ($arrAllTemplates, &$strError): void {
+			$createLegacyTemplate = static function (string $strOriginal, $strTarget) use (&$strError, $arrAllTemplates): void {
 				$projectDir = System::getContainer()->getParameter('kernel.project_dir');
 
 				// Validate the target path

contao/drivers/DC_Table.php

@@ -311,7 +311,7 @@ private function findPtable(): string|null
 			$mode = Input::get('mode');
 
 			// For these actions the id parameter refers to the parent record (or the old record for copy and cut), so they need to be excluded
-			if ($this->intId && ($act !== 'paste' || $mode !== 'create') && !\in_array($act, array(null, 'copy', 'cut', 'create', 'select', 'editAll', 'overrideAll', 'deleteAll'), true))
+			if ($this->intId && ($act !== 'paste' || $mode !== 'create') && !\in_array($act, array(null, 'copy', 'cut', 'create', 'select', 'copyAll', 'cutAll', 'editAll', 'overrideAll', 'deleteAll'), true))
 			{
 				$currentRecord = $this->getCurrentRecord($this->intId);
 

contao/library/Contao/Combiner.php

@@ -451,7 +451,7 @@ protected function fixPaths($content, $arrFile)
 
 		return preg_replace_callback(
 			'/url\(("[^"\n]+"|\'[^\'\n]+\'|[^"\'\s()]+)\)/',
-			static function ($matches) use ($strDirname, $strGlue) {
+			static function ($matches) use ($strGlue, $strDirname) {
 				$strData = $matches[1];
 
 				if ($strData[0] == '"' || $strData[0] == "'")

contao/library/Contao/Input.php

@@ -639,7 +639,7 @@ private static function stripAttributes($strHtml, $strAllowedTags, $arrAllowedAt
 		// Match every single starting and closing tag or special characters outside of tags
 		return preg_replace_callback(
 			'@</?([^\s<>/]*)([^<>]*)>?|-->|[>"\'=]+@',
-			static function ($matches) use ($strAllowedTags, $arrAllowedAttributes, &$blnCommentOpen, &$strOpenRawtext) {
+			static function ($matches) use (&$strOpenRawtext, &$blnCommentOpen, $strAllowedTags, $arrAllowedAttributes) {
 				$strTagName = strtolower($matches[1] ?? '');
 
 				if ($strOpenRawtext === $strTagName && '/' === $matches[0][1])
@@ -700,7 +700,7 @@ static function ($matches) use ($strAllowedTags, $arrAllowedAttributes, &$blnCom
 				// Only keep allowed attributes
 				$arrAttributes = array_filter(
 					$arrAttributes,
-					static function ($strAttribute) use ($strTagName, $arrAllowedAttributes) {
+					static function ($strAttribute) use ($arrAllowedAttributes, $strTagName) {
 						// Skip if all attributes are allowed
 						if (\in_array('*', $arrAllowedAttributes[$strTagName] ?? array(), true))
 						{

contao/library/Contao/StringUtil.php

@@ -228,7 +228,7 @@ public static function decodeEntities($strString, $strQuoteStyle=ENT_QUOTES)
 	 */
 	public static function convertBasicEntities($strBuffer)
 	{
-		return str_replace(array('&', '<', '>', ' ', '­'), array('[&]', '[lt]', '[gt]', '[nbsp]', '[-]'), $strBuffer);
+		return str_replace(array('&', '<', '>', ' ', '­', '​'), array('[&]', '[lt]', '[gt]', '[nbsp]', '[-]', '[zwsp]'), $strBuffer);
 	}
 
 	/**
@@ -240,7 +240,7 @@ public static function convertBasicEntities($strBuffer)
 	 */
 	public static function restoreBasicEntities($strBuffer)
 	{
-		return str_replace(array('[&]', '[&]', '[lt]', '[gt]', '[nbsp]', '[-]'), array('&', '&', '<', '>', ' ', '­'), $strBuffer);
+		return str_replace(array('[&]', '[&]', '[lt]', '[gt]', '[nbsp]', '[-]', '[zwsp]'), array('&', '&', '<', '>', ' ', '­', '​'), $strBuffer);
 	}
 
 	/**
@@ -820,7 +820,7 @@ public static function specialchars($strString, $blnStripInsertTags=false, $blnD
 			$strString = static::stripInsertTags($strString);
 		}
 
-		return htmlspecialchars((string) $strString, ENT_QUOTES, 'UTF-8', $blnDoubleEncode);
+		return htmlspecialchars((string) $strString, ENT_QUOTES | ENT_HTML5, 'UTF-8', $blnDoubleEncode);
 	}
 
 	/**

contao/library/Contao/TemplateTrait.php

@@ -143,7 +143,7 @@ public function attr(HtmlAttributes|iterable|string|null $attributes = null): Ht
 	/**
 	 * Returns a nonce for the given CSP directive.
 	 */
-	public function nonce(string $directive): ?string
+	public function nonce(string $directive): string|null
 	{
 		$responseContext = System::getContainer()->get('contao.routing.response_context_accessor')->getResponseContext();
 
@@ -216,7 +216,7 @@ public function cspInlineStyle(string $style, string $algorithm = 'sha384'): str
 	 * Extracts all inline CSS style attributes of a given HTML string and automatically adds CSP hashes for those
 	 * to the current response context.
 	 */
-	public function cspInlineStyles(?string $html): ?string
+	public function cspInlineStyles(string|null $html): string|null
 	{
 		if (!$html)
 		{

contao/themes/flexible/entrypoints.json

@@ -2,7 +2,7 @@
   "entrypoints": {
     "backend": {
       "css": [
-        "/system/themes/flexible/backend.c2a75b4f.css"
+        "/system/themes/flexible/backend.a1271bd0.css"
       ]
     },
     "confirm": {

contao/themes/flexible/manifest.json

@@ -1,5 +1,5 @@
 {
-  "backend.css": "/system/themes/flexible/backend.c2a75b4f.css",
+  "backend.css": "/system/themes/flexible/backend.a1271bd0.css",
   "confirm.css": "/system/themes/flexible/confirm.c2996dd4.css",
   "conflict.css": "/system/themes/flexible/conflict.aa6b9c95.css",
   "diff.css": "/system/themes/flexible/diff.171af75f.css",
@@ -8,7 +8,7 @@
   "popup.css": "/system/themes/flexible/popup.4728c2fc.css",
   "tinymce.css": "/system/themes/flexible/tinymce.e5009f94.css",
   "tinymce-dark.css": "/system/themes/flexible/tinymce-dark.596023db.css",
-  "backend.c2a75b4f.css.map": "/system/themes/flexible/backend.c2a75b4f.css.map",
+  "backend.a1271bd0.css.map": "/system/themes/flexible/backend.a1271bd0.css.map",
   "confirm.c2996dd4.css.map": "/system/themes/flexible/confirm.c2996dd4.css.map",
   "conflict.aa6b9c95.css.map": "/system/themes/flexible/conflict.aa6b9c95.css.map",
   "diff.171af75f.css.map": "/system/themes/flexible/diff.171af75f.css.map",

contao/themes/flexible/styles/main.css

@@ -1034,6 +1034,10 @@ h2.sub_headline {
 	margin: 0 15px;
 }
 
+.two-factor .qr-code img {
+	border: 3px solid #fff;
+}
+
 .two-factor .tl_listing_container {
 	margin-top: 6px;
 }

src/Controller/ContentElement/ImagesController.php

@@ -73,12 +73,12 @@ protected function getResponse(FragmentTemplate $template, ContentModel $model,
             $figureBuilder->setOverwriteMetadata($model->getOverwriteMetadata());
         }
 
-        $imageList = array_map(
-            fn (FilesystemItem $filesystemItem): Figure => $figureBuilder
+        $imageList = array_filter(array_map(
+            fn (FilesystemItem $filesystemItem): Figure|null => $figureBuilder
                 ->fromStorage($this->filesStorage, $filesystemItem->getPath())
-                ->build(),
+                ->buildIfResourceExists(),
             iterator_to_array($filesystemItems),
-        );
+        ));
 
         if (!$imageList) {
             return new Response();

src/EventListener/CsrfTokenCookieSubscriber.php

@@ -22,6 +22,8 @@
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpFoundation\ResponseHeaderBag;
+use Symfony\Component\HttpFoundation\Session\Session;
+use Symfony\Component\HttpFoundation\Session\SessionInterface;
 use Symfony\Component\HttpKernel\Event\RequestEvent;
 use Symfony\Component\HttpKernel\Event\ResponseEvent;
 use Symfony\Component\HttpKernel\KernelEvents;
@@ -111,7 +113,21 @@ private function requiresCsrf(Request $request, Response $response): bool
             return true;
         }
 
-        return $request->hasSession() && $request->getSession()->isStarted();
+        return $request->hasSession() && !$this->isSessionEmpty($request->getSession());
+    }
+
+    private function isSessionEmpty(SessionInterface $session): bool
+    {
+        if (!$session->isStarted()) {
+            return true;
+        }
+
+        if ($session instanceof Session) {
+            // Marked @internal but no other way to check all attribute bags
+            return $session->isEmpty();
+        }
+
+        return [] === $session->all();
     }
 
     private function setCookies(Request $request, Response $response): void

src/EventListener/InsecureInstallationListener.php

@@ -23,7 +23,7 @@
 class InsecureInstallationListener
 {
     public function __construct(
-        private readonly string $secret,
+        #[\SensitiveParameter] private readonly string $secret,
         private readonly string $webDir = '/public',
     ) {
     }

src/Filesystem/Dbafs/ChangeSet/ChangeSet.php

@@ -145,7 +145,7 @@ public function getItemsToUpdate(bool $includeLastModified = false): array
         $lastModifiedUpdates = $this->lastModifiedUpdates;
 
         $items = array_map(
-            static function (string|int $existingPath, array $item) use ($includeLastModified, &$lastModifiedUpdates) {
+            static function (int|string $existingPath, array $item) use ($includeLastModified, &$lastModifiedUpdates) {
                 $lastModified = $includeLastModified && \array_key_exists($existingPath, $lastModifiedUpdates)
                     ? $lastModifiedUpdates[$existingPath]
                     : false;
@@ -168,7 +168,7 @@ static function (string|int $existingPath, array $item) use ($includeLastModifie
         }
 
         return [...array_map(
-            static fn (string|int $existingPath, int $lastModified) => new ItemToUpdate(
+            static fn (int|string $existingPath, int $lastModified) => new ItemToUpdate(
                 (string) $existingPath,
                 null,
                 null,
@@ -187,7 +187,7 @@ static function (string|int $existingPath, array $item) use ($includeLastModifie
     public function getItemsToDelete(): array
     {
         return array_map(
-            static fn (string|int $path, int $type): ItemToDelete => new ItemToDelete(
+            static fn (int|string $path, int $type): ItemToDelete => new ItemToDelete(
                 (string) $path,
                 self::TYPE_FILE === $type,
             ),

src/String/HtmlAttributes.php

@@ -58,7 +58,7 @@ public function mergeWith(self|iterable|string|null $attributes = null, mixed $c
         }
 
         // Merge values if possible, set them otherwise
-        $mergeSet = function (string $name, string|int|bool|\Stringable|null $value): void {
+        $mergeSet = function (string $name, \Stringable|bool|int|string|null $value): void {
             if ('class' === $name) {
                 $this->addClass($value);
             } elseif ('style' === $name) {

src/Twig/Extension/ContaoExtension.php

@@ -16,6 +16,7 @@
 use Contao\CoreBundle\Csrf\ContaoCsrfTokenManager;
 use Contao\CoreBundle\InsertTag\ChunkedText;
 use Contao\CoreBundle\String\HtmlAttributes;
+use Contao\CoreBundle\Twig\Global\ContaoVariable;
 use Contao\CoreBundle\Twig\Inheritance\DynamicExtendsTokenParser;
 use Contao\CoreBundle\Twig\Inheritance\DynamicIncludeTokenParser;
 use Contao\CoreBundle\Twig\Inheritance\DynamicUseTokenParser;
@@ -47,6 +48,7 @@
 use Twig\Extension\AbstractExtension;
 use Twig\Extension\CoreExtension;
 use Twig\Extension\EscaperExtension;
+use Twig\Extension\GlobalsInterface;
 use Twig\Node\Expression\ConstantExpression;
 use Twig\Node\Node;
 use Twig\TwigFilter;
@@ -55,14 +57,15 @@
 /**
  * @experimental
  */
-final class ContaoExtension extends AbstractExtension
+final class ContaoExtension extends AbstractExtension implements GlobalsInterface
 {
     private array $contaoEscaperFilterRules = [];
 
     public function __construct(
         private readonly Environment $environment,
         private readonly TemplateHierarchyInterface $hierarchy,
         ContaoCsrfTokenManager $tokenManager,
+        private readonly ContaoVariable $contaoVariable,
     ) {
         $contaoEscaper = new ContaoEscaper();
 
@@ -89,12 +92,19 @@ public function __construct(private readonly ContaoCsrfTokenManager $tokenManage
 
                 public function __toString(): string
                 {
+                    trigger_deprecation('contao/core-bundle', '5.3', 'The "request_token" Twig variable has been deprecated and will no longer work in Contao 6. Use the "contao.request_token" variable instead.');
+
                     return $this->tokenManager->getDefaultTokenValue();
                 }
             },
         );
     }
 
+    public function getGlobals(): array
+    {
+        return ['contao' => $this->contaoVariable];
+    }
+
     /**
      * Adds a Contao escaper rule.
      *
@@ -160,7 +170,7 @@ function (Environment $env, $context, $template, $variables = [], $withContext =
             ),
             new TwigFunction(
                 'attrs',
-                static fn (iterable|string|HtmlAttributes|null $attributes = null): HtmlAttributes => new HtmlAttributes($attributes),
+                static fn (HtmlAttributes|iterable|string|null $attributes = null): HtmlAttributes => new HtmlAttributes($attributes),
             ),
             new TwigFunction(
                 'figure',

src/Twig/Global/ContaoVariable.php

@@ -0,0 +1,46 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Contao\CoreBundle\Twig\Global;
+
+use Contao\CoreBundle\Csrf\ContaoCsrfTokenManager;
+use Contao\CoreBundle\Security\Authentication\Token\TokenChecker;
+use Contao\PageModel;
+use Symfony\Component\HttpFoundation\RequestStack;
+
+class ContaoVariable
+{
+    public function __construct(
+        private readonly RequestStack $requestStack,
+        private readonly TokenChecker $tokenChecker,
+        private readonly ContaoCsrfTokenManager $tokenManager,
+    ) {
+    }
+
+    public function getPage(): PageModel|null
+    {
+        $pageModel = $this->requestStack->getCurrentRequest()?->attributes->get('pageModel');
+
+        if ($pageModel instanceof PageModel) {
+            return $pageModel;
+        }
+
+        return null;
+    }
+
+    public function getHas_backend_user(): bool
+    {
+        return $this->tokenChecker->hasBackendUser();
+    }
+
+    public function getIs_preview_mode(): bool
+    {
+        return $this->tokenChecker->isPreviewMode();
+    }
+
+    public function getRequest_token(): string
+    {
+        return $this->tokenManager->getDefaultTokenValue();
+    }
+}

src/Twig/Interop/ContaoEscaper.php

@@ -41,10 +41,7 @@ public function escapeHtml(Environment $environment, mixed $string, string|null
 
         $string = (string) $string;
 
-        // Handle uppercase entities
-        $string = str_replace(['&', '"', '<', '>'], ['&', '"', '<', '>'], $string);
-
-        return htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
+        return htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8', false);
     }
 
     /**