vendor/symfony/web-profiler-bundle/EventListener/WebDebugToolbarListener.php line 76

Open in your IDE?
  1. <?php
  3. /*
  4. * This file is part of the Symfony package.
  5. *
  6. * (c) Fabien Potencier <fabien@symfony.com>
  7. *
  8. * For the full copyright and license information, please view the LICENSE
  9. * file that was distributed with this source code.
  10. */
  12. namespace Symfony\Bundle\WebProfilerBundle\EventListener;
  14. use Symfony\Bundle\FullStack;
  15. use Symfony\Bundle\WebProfilerBundle\Csp\ContentSecurityPolicyHandler;
  16. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  17. use Symfony\Component\HttpFoundation\Request;
  18. use Symfony\Component\HttpFoundation\Response;
  19. use Symfony\Component\HttpFoundation\Session\Flash\AutoExpireFlashBag;
  20. use Symfony\Component\HttpKernel\DataCollector\DumpDataCollector;
  21. use Symfony\Component\HttpKernel\Event\ResponseEvent;
  22. use Symfony\Component\HttpKernel\KernelEvents;
  23. use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
  24. use Twig\Environment;
  26. /**
  27. * WebDebugToolbarListener injects the Web Debug Toolbar.
  28. *
  29. * The onKernelResponse method must be connected to the kernel.response event.
  30. *
  31. * The WDT is only injected on well-formed HTML (with a proper </body> tag).
  32. * This means that the WDT is never included in sub-requests or ESI requests.
  33. *
  34. * @author Fabien Potencier <fabien@symfony.com>
  35. *
  36. * @final
  37. */
  38. class WebDebugToolbarListener implements EventSubscriberInterface
  39. {
  40. public const DISABLED = 1;
  41. public const ENABLED = 2;
  43. protected $twig;
  44. protected $urlGenerator;
  45. protected $interceptRedirects;
  46. protected $mode;
  47. protected $excludedAjaxPaths;
  48. private $cspHandler;
  49. private $dumpDataCollector;
  51. public function __construct(Environment $twig, bool $interceptRedirects = false, int $mode = self::ENABLED, ?UrlGeneratorInterface $urlGenerator = null, string $excludedAjaxPaths = '^/bundles|^/_wdt', ?ContentSecurityPolicyHandler $cspHandler = null, ?DumpDataCollector $dumpDataCollector = null)
  52. {
  53. $this->twig = $twig;
  54. $this->urlGenerator = $urlGenerator;
  55. $this->interceptRedirects = $interceptRedirects;
  56. $this->mode = $mode;
  57. $this->excludedAjaxPaths = $excludedAjaxPaths;
  58. $this->cspHandler = $cspHandler;
  59. $this->dumpDataCollector = $dumpDataCollector;
  60. }
  62. public function isEnabled(): bool
  63. {
  64. return self::DISABLED !== $this->mode;
  65. }
  67. public function setMode(int $mode): void
  68. {
  69. if (self::DISABLED !== $mode && self::ENABLED !== $mode) {
  70. throw new \InvalidArgumentException(sprintf('Invalid value provided for mode, use one of "%s::DISABLED" or "%s::ENABLED".', self::class, self::class));
  71. }
  73. $this->mode = $mode;
  74. }
  76. public function onKernelResponse(ResponseEvent $event)
  77. {
  78. $response = $event->getResponse();
  79. $request = $event->getRequest();
  81. if ($response->headers->has('X-Debug-Token') && null !== $this->urlGenerator) {
  82. try {
  83. $response->headers->set(
  84. 'X-Debug-Token-Link',
  85. $this->urlGenerator->generate('_profiler', ['token' => $response->headers->get('X-Debug-Token')], UrlGeneratorInterface::ABSOLUTE_URL)
  86. );
  87. } catch (\Exception $e) {
  88. $response->headers->set('X-Debug-Error', \get_class($e).': '.preg_replace('/\s+/', ' ', $e->getMessage()));
  89. }
  90. }
  92. if (!$event->isMainRequest()) {
  93. return;
  94. }
  96. $nonces = [];
  97. if ($this->cspHandler) {
  98. if ($this->dumpDataCollector && $this->dumpDataCollector->getDumpsCount() > 0) {
  99. $this->cspHandler->disableCsp();
  100. }
  102. $nonces = $this->cspHandler->updateResponseHeaders($request, $response);
  103. }
  105. // do not capture redirects or modify XML HTTP Requests
  106. if ($request->isXmlHttpRequest()) {
  107. return;
  108. }
  110. if ($response->headers->has('X-Debug-Token') && $response->isRedirect() && $this->interceptRedirects && 'html' === $request->getRequestFormat()) {
  111. if ($request->hasSession() && ($session = $request->getSession())->isStarted() && $session->getFlashBag() instanceof AutoExpireFlashBag) {
  112. // keep current flashes for one more request if using AutoExpireFlashBag
  113. $session->getFlashBag()->setAll($session->getFlashBag()->peekAll());
  114. }
  116. $response->setContent($this->twig->render('@WebProfiler/Profiler/toolbar_redirect.html.twig', ['location' => $response->headers->get('Location')]));
  117. $response->setStatusCode(200);
  118. $response->headers->remove('Location');
  119. }
  121. if (self::DISABLED === $this->mode
  122. || !$response->headers->has('X-Debug-Token')
  123. || $response->isRedirection()
  124. || ($response->headers->has('Content-Type') && !str_contains($response->headers->get('Content-Type') ?? '', 'html'))
  125. || 'html' !== $request->getRequestFormat()
  126. || false !== stripos($response->headers->get('Content-Disposition', ''), 'attachment;')
  127. ) {
  128. return;
  129. }
  131. $this->injectToolbar($response, $request, $nonces);
  132. }
  134. /**
  135. * Injects the web debug toolbar into the given Response.
  136. */
  137. protected function injectToolbar(Response $response, Request $request, array $nonces)
  138. {
  139. $content = $response->getContent();
  140. $pos = strripos($content, '</body>');
  142. if (false !== $pos) {
  143. $toolbar = "\n".str_replace("\n", '', $this->twig->render(
  144. '@WebProfiler/Profiler/toolbar_js.html.twig',
  145. [
  146. 'full_stack' => class_exists(FullStack::class),
  147. 'excluded_ajax_paths' => $this->excludedAjaxPaths,
  148. 'token' => $response->headers->get('X-Debug-Token'),
  149. 'request' => $request,
  150. 'csp_script_nonce' => $nonces['csp_script_nonce'] ?? null,
  151. 'csp_style_nonce' => $nonces['csp_style_nonce'] ?? null,
  152. ]
  153. ))."\n";
  154. $content = substr($content, 0, $pos).$toolbar.substr($content, $pos);
  155. $response->setContent($content);
  156. }
  157. }
  159. public static function getSubscribedEvents(): array
  160. {
  161. return [
  162. KernelEvents::RESPONSE => ['onKernelResponse', -128],
  163. ];
  164. }
  165. }