Merge branch '6.x' into fieldset-sections

Author: jackmcdade

resources/js/components/blueprints/ImportField.vue

@@ -8,14 +8,20 @@
                         <div class="flex flex-1 items-center py-2">
                             <ui-icon class="size-4 me-2 text-ui-accent-text/80" name="fieldsets" />
                             <div class="flex items-center gap-2">
-                            <!-- @TODO: Show fieldset.title -->
-                                <button class="cursor-pointer overflow-hidden text-ellipsis text-sm text-ui-accent-text hover:text-ui-accent-text/80" v-text="field.fieldset" @click="$emit('edit')" />
+                                <a class="cursor-pointer overflow-hidden text-ellipsis text-sm text-ui-accent-text hover:text-ui-accent-text/80" :href="fieldsetEditUrl" v-text="fieldsetTitle" v-tooltip="__('Edit fieldset')" />
                                 <ui-icon name="link" class="text-gray-400" />
                                 <span class="text-gray-500 font-mono text-2xs" v-text="__('Fieldset')" />
+                                <ui-badge
+                                    v-if="field.prefix"
+                                    size="sm"
+                                    color="gray"
+                                    :text="`${__('Prefix')}: ${field.prefix}`"
+                                />
                             </div>
                         </div>
-                        <div class="flex items-center gap-2">
-                            <ui-button size="sm" icon="trash" variant="subtle" @click.prevent="$emit('deleted')" v-tooltip="__('Remove')" />
+                        <div class="flex items-center">
+                            <ui-button size="sm" icon="cog" variant="subtle" inset @click.prevent="$emit('edit')" v-tooltip="__('Configure import')" />
+                            <ui-button size="sm" icon="trash" variant="subtle" inset @click.prevent="$emit('deleted')" v-tooltip="__('Remove')" />
                             <ui-stack :open="isEditing" @update:open="editorClosed" inset :show-close-button="false" :wrap-slot="false">
                                 <field-settings
                                     ref="settings"
@@ -50,6 +56,16 @@ export default {
     },
 
     computed: {
+        fieldsetTitle() {
+            const title = this.$page?.props?.fieldsets?.[this.field.fieldset]?.title;
+
+            return title ? __(title) : this.field.fieldset;
+        },
+
+        fieldsetEditUrl() {
+            return cp_url(`fields/fieldsets/${this.field.fieldset}/edit`);
+        },
+
         fieldConfig() {
             const { _id, type, ...config } = this.field;
             return config;

resources/js/components/fieldtypes/bard/Set.vue

@@ -18,9 +18,9 @@
         >
             <div ref="content" hidden />
             <header
-                class="group/header animate-border-color show-focus-within flex items-center rounded-[calc(var(--radius-lg)-1px)] px-1.5 antialiased duration-200 bg-gray-100/50 dark:bg-gray-925 hover:bg-gray-100 dark:hover:bg-gray-950/45 border-gray-300 dark:shadow-md border-b-1 border-b-transparent"
+                class="group/header animate-border-color show-focus-within flex items-center rounded-[calc(var(--radius-lg)-1px)] px-1.5 antialiased duration-200 bg-gray-100/50 dark:bg-gray-925 hover:bg-gray-100 dark:hover:bg-gray-950/45 border-gray-300 dark:shadow-md"
                 :class="{
-                    'bg-gray-200/50 dark:bg-gray-950/35 rounded-b-none border-b-gray-300! dark:border-b-white/10!': !collapsed
+                    'bg-gray-200/50 dark:bg-gray-950/35 rounded-b-none': !collapsed && hasFields
                 }"
             >
                 <span v-if="!isReadOnly" data-drag-handle class="flex cursor-grab" @mousedown="enableDragging">
@@ -77,7 +77,12 @@
                 </div>
             </header>
 
-            <div v-if="index !== undefined" v-show="!collapsed" :class="{ 'contain-paint': collapsed, 'isolate': !collapsed }">
+            <div
+                v-if="index !== undefined && hasFields"
+                v-show="!collapsed"
+                :class="{ 'contain-paint': collapsed, 'isolate': !collapsed }"
+                class="border-t border-t-gray-300! dark:border-t-white/10!"
+            >
                 <FieldsProvider
                     :fields="fields"
                     :as-config="false"
@@ -143,6 +148,12 @@ export default {
             return this.config.fields;
         },
 
+        hasFields() {
+            return Array.isArray(this.fields)
+                ? this.fields.length > 0
+                : Object.keys(this.fields || {}).length > 0;
+        },
+
         display() {
             return __(this.config.display || this.values.type);
         },

resources/js/components/fieldtypes/replicator/Set.vue

@@ -48,6 +48,7 @@ const {
 const fieldPathPrefix = computed(() => `${props.fieldPath}.${props.index}`);
 const metaPathPrefix = computed(() => `${props.metaPath}.existing.${props.id}`);
 const isInvalid = computed(() => Object.keys(props.config).length === 0);
+const hasFields = computed(() => Array.isArray(props.config.fields) ? props.config.fields.length > 0 : Object.keys(props.config.fields || {}).length > 0);
 
 const setGroup = computed(() => {
     if (replicatorSets.length < 1) return null;
@@ -140,9 +141,9 @@ reveal.use(rootEl, () => emit('expanded'));
             :data-type="config.handle"
         >
             <header
-                class="group/header animate-border-color flex items-center show-focus-within rounded-[calc(var(--radius-lg)-1px)] px-1.5 antialiased duration-200 bg-gray-100/50 dark:bg-gray-925 hover:bg-gray-100 dark:hover:bg-gray-950/45 border-gray-300 dark:shadow-md border-b-1 border-b-transparent"
+                class="group/header animate-border-color flex items-center show-focus-within rounded-[calc(var(--radius-lg)-1px)] px-1.5 antialiased duration-200 bg-gray-100/50 dark:bg-gray-925 hover:bg-gray-100 dark:hover:bg-gray-950/45 border-gray-300 dark:shadow-md"
                 :class="{
-                    'bg-gray-200/50 dark:bg-gray-950/35 rounded-b-none border-b-gray-300! dark:border-b-white/10!': !collapsed
+                    'bg-gray-200/50 dark:bg-gray-950/35 rounded-b-none': !collapsed && hasFields
                 }"
             >
                 <Icon
@@ -201,7 +202,11 @@ reveal.use(rootEl, () => emit('expanded'));
                 </div>
             </header>
 
-            <div v-show="!collapsed" :class="{ 'contain-paint': collapsed, 'isolate': !collapsed }">
+            <div
+                v-show="!collapsed && hasFields"
+                :class="{ 'contain-paint': collapsed, 'isolate': !collapsed }"
+                class="border-t border-t-gray-300! dark:border-t-white/10!"
+            >
                 <div :tabindex="collapsed ? -1 : undefined" :inert="collapsed">
                     <FieldsProvider
                         :fields="config.fields"

resources/js/components/fieldtypes/replicator/SetPicker.vue

@@ -14,7 +14,9 @@
         class="xl:max-w-3xl 2xl:max-w-page"
     >
         <template #trigger>
-            <slot name="trigger" />
+            <Primitive @click.capture="onTriggerClick">
+                <slot name="trigger" />
+            </Primitive>
         </template>
 
         <template #default>
@@ -90,7 +92,9 @@
         inset
     >
         <template #trigger>
-            <slot name="trigger" />
+            <Primitive @click.capture="onTriggerClick">
+                <slot name="trigger" />
+            </Primitive>
         </template>
 
         <template #default>
@@ -449,6 +453,13 @@ export default {
             this.isOpen = true;
         },
 
+        onTriggerClick(e) {
+            if (!this.enabled) {
+                e.stopPropagation();
+                e.preventDefault();
+            }
+        },
+
         getStoredMode() {
             try {
                 return localStorage.getItem('statamic.replicator.setPicker.mode') || 'list';

src/Facades/Endpoint/URL.php

@@ -274,7 +274,7 @@ public function isExternalToApplication(?string $url): bool
             ->filter(fn ($siteUrl) => $urlDomain === $siteUrl)
             ->isEmpty();
 
-        $isExternalToCurrentRequestDomain = ! Str::startsWith($url, self::getDomainFromAbsolute(url()->to('/')));
+        $isExternalToCurrentRequestDomain = $urlDomain !== self::getDomainFromAbsolute(url()->to('/'));
 
         return self::$externalAppUrlsCache[$url] = $isExternalToSites && $isExternalToCurrentRequestDomain;
     }
@@ -386,7 +386,7 @@ private function getAbsoluteSiteUrls(): Collection
      */
     private function getDomainFromAbsolute(string $url): string
     {
-        return preg_replace('/(https*:\/\/[^\/]+)(.*)/', '$1', $url);
+        return parse_url($url, PHP_URL_HOST) ?? $url;
     }
 
     /**

tests/Facades/Concerns/ProvidesExternalUrls.php

@@ -67,6 +67,21 @@ public static function externalUrlProvider()
             ['http://subdomain.this-site.com.au/some-slug', true],
             ['http://subdomain.this-site.com.au/some-slug?foo', true],
             ['http://subdomain.this-site.com.au/some-slug#anchor', true],
+
+            // Credential injection
+            ['http://this-site.com@evil.com', true],
+            ['http://this-site.com@evil.com/', true],
+            ['http://this-site.com@evil.com/path', true],
+            ['http://this-site.com@evil.com/path?query', true],
+            ['http://this-site.com:password@evil.com', true],
+            ['http://user:pass@evil.com', true],
+            ['http://absolute-url-resolved-from-request.com@evil.com', true],
+            ['http://absolute-url-resolved-from-request.com@evil.com/path', true],
+            ['http://subdomain.this-site.com@evil.com', true],
+            ['http://subdomain.this-site.com@evil.com/path', true],
+            ['http://this-site.com:8000@evil.com', true],
+            ['http://this-site.com:8000@evil.com/path', true],
+            ['http://this-site.com:8000@webhook.site/token', true],
         ];
     }
 }