It seems the input filter fails when saving Global Configuration with this PR.

PHP Recoverable fatal error:  Object of class stdClass could not be converted to string
in /home/richard/lamp/public_html/joomla-cms-4.0-dev/libraries/vendor/joomla/filter/src/InputFilter.php on line 239,
referer: https://www.joomla-40-dev.vmkubu02.vmnet2.local/administrator/index.php?option=com_config

This sounds like that $source variable seems to be a stdClass here: https://github.com/joomla-framework/filter/blob/2.0-dev/src/InputFilter.php#L239

This sounds like that $source variable seems to be a stdClass here: https://github.com/joomla-framework/filter/blob/2.0-dev/src/InputFilter.php#L239

@zero-24 Yes. And it happens also when updating to 2.0.0-beta3, which doesn't include yet my change for the path filter coming with beta4. So the problem is not related to my recent activities ;-) Currently J4 uses beta2.

I've opened an issue in the filter repo: joomla-framework/filter#41 .

The problem is caused here

https://github.com/joomla/joomla-cms/blob/4.0-dev/libraries/src/Form/FormField.php#L1171

by $value being an object.

The field for which it is happening is the one with $this->name being equal to 'jform[filters]'.

If I add some code like this before that line, saving global configuration works again with the updated filter package:

		if ($value && \is_object($value))
		{
			$value = json_decode(json_encode($value), true);
		}

But that's just a hack and very likely not a valid fix.

@Fedik As you know much about fields: Do you have an idea what would be the right fix? The filter package is more strict regarding the value being either a string or an array and so doesn't accept objects anymore.

Just a side note:

The filter package is more strict regarding the value being either a string or an array and so doesn't accept objects anymore.

Although the InputFilter accepted objects in the past, it did not treat them in a senseful way.

Look like a bug in filter method of FormField https://github.com/joomla/joomla-cms/blob/4.0-dev/libraries/src/Form/FormField.php#L1094

I think we should only filter data of form field if filter is set for that field. Right now, we still call InputFilter::getInstance()->clean($value, $filter) even when $filter = '' (see https://github.com/joomla/joomla-cms/blob/4.0-dev/libraries/src/Form/FormField.php#L1171 ) and it is causing the error here.

I think that line of code should be moved inside if condition check and outside that if check, we just return $value directly (no filter)

@joomdonation Thanks, I meanwhile came to the same conclusion. The field has explicitly set the filter to '' in the XML file for Global Config, and so it says it doesn't want any validation.

@zero-24 @nibra Does anything speak against it regarding security?

This should be the fix 4.0-dev...joomdonation:patch-4 for the issue, I think.

Does anything speak against it regarding security?

Not from my POV. If a field needs filtering, it should state it explicitly in the XML.

This should be the fix 4.0-dev...joomdonation:patch-4 for the issue, I think.

@joomdonation Yes.

@nibra @wilsonge @zero-24 Do you think we should do this fix in this PR here? Or would it be better to have 2 separate PRs?

Ah, No. Might be security issue, I'm afraid of. Right now, when there is no filter set, we are still performing filter (for XSS and other 'bad' code...). Check default case in clean method of libraries/vendor/joomla/filter/src/InputFilter.php on your Joomla 4.0 installation and you will see that. We will have to find a different way to fix this issue.

Found the error and made a PR to framework filter package joomla-framework/filter#42 . Could you please have a look at it?

I'd start the method with something like

if (is_object($value)) {
    return (object) $this->filter((array)$value, $group, $input);
}

Then you send an array to the filter, which is fine, and return an object, which might be expected by the caller.
It's not perfect in case you send objects other than stdClass, but that should not happen in this context, anyway.

@nibra Before or after this if clause?

https://github.com/joomla/joomla-cms/blob/4.0-dev/libraries/src/Form/FormField.php#L1096-L1100

And should we do it with this PR here so we only can test that it works like before? Or should we do 2 separate PRs so we can clearly test what the other PR fixes?

I'd say after that if statement.

Or should we do 2 separate PRs so we can clearly test what the other PR fixes?

I have no strong oppinion about that. Do whatever makes you more confident.

I will update this PR here soon, including the description, but the latter may take a bit. Stay tuned.

@nibra Doesn't work, same error as before at the same place (but maybe for a different field?).

@nibra If I do it like this, it works:

		if (is_object($value))
		{
			return (object) $this->filter(json_decode(json_encode($value), true), $group, $input);
		}

Hard to say, need to debug.
But why Filter does not accept objects anymore? that would fix everything :)

The objects will come when the field has a complex value

I would allow objects for Filter. But I do not know what the story behind of this strange decision.

I would allow objects for Filter.

I've made a PR for the master branch of the filter package, because I think it should be fixed for J3, too: joomla-framework/filter#43 . The same patch applied to the filter package updated by this PR here makes it work here.

@nibra For this one here it needs an upmerge of the master branch to the 2.0-dev branch again in the framework repo, and then a new release 2.0.0-beta5, to which I can update this PR then.

PR is ready for tests since long time.

Merged on review. Thanks!

Thanks!

Now we are safe for #32076 being merged up via 3.10-dev into 4.0-dev.