fix(SFT-2109): resolved a potential security issue with submission titles (#2002)

Author: gustavs-gutmanis

packages/plugin/src/Freeform.php

@@ -105,6 +105,7 @@
 use Solspace\Freeform\Twig\Filters\ImplementsClassFilter;
 use Solspace\Freeform\Variables\FreeformBannersVariable;
 use Solspace\Freeform\Variables\FreeformServicesVariable;
+use Solspace\Freeform\Variables\FreeformSubmissionsVariable;
 use Solspace\Freeform\Variables\FreeformVariable;
 use Symfony\Component\Serializer\Serializer;
 use yii\base\Event;
@@ -481,6 +482,12 @@ function (Event $event) {
                 $event->sender->set('freeform', FreeformVariable::class);
                 $event->sender->set('freeformServices', FreeformServicesVariable::class);
                 $event->sender->set('freeformBanners', FreeformBannersVariable::class);
+
+                if ($event->sender instanceof CraftVariable) {
+                    if ($event->sender->app->request->isCpRequest) {
+                        $event->sender->set('freeformSubmissions', FreeformSubmissionsVariable::class);
+                    }
+                }
             }
         );
 

packages/plugin/src/Services/SubmissionsService.php

@@ -386,7 +386,6 @@ public function renderSubmissionField(
             [
                 'field' => $field,
                 'submission' => $submission,
-                'fieldRenderer' => [$this, 'renderSubmissionField'],
             ]
         );
 

packages/plugin/src/Twig/Filters/FreeformTwigFilters.php

@@ -11,7 +11,6 @@ public function getFilters(): array
     {
         return [
             new TwigFilter('truncater', [$this, 'truncateFilter']),
-            new TwigFilter('call', [$this, 'callUserFunction']),
             new TwigFilter('freeformRegexReplace', [$this, 'regexReplace']),
         ];
     }
@@ -25,15 +24,6 @@ public function truncateFilter($input, $length = 50, $ellipsis = '...'): string
         return substr($input, 0, $length - \strlen($ellipsis)).'...';
     }
 
-    public function callUserFunction(callable $callable, ...$arguments): mixed
-    {
-        if (!\is_callable($callable)) {
-            throw new \Exception('An un-callable function was passed to the "call" filter');
-        }
-
-        return \call_user_func($callable, ...$arguments);
-    }
-
     public function regexReplace($input, $pattern, $replacement = ''): string
     {
         return preg_replace($pattern, $replacement, $input);

packages/plugin/src/Variables/FreeformSubmissionsVariable.php

@@ -0,0 +1,30 @@
+<?php
+
+/**
+ * Freeform for Craft CMS.
+ *
+ * @author        Solspace, Inc.
+ * @copyright     Copyright (c) 2008-2025, Solspace, Inc.
+ *
+ * @see           https://docs.solspace.com/craft/freeform
+ *
+ * @license       https://docs.solspace.com/license-agreement
+ */
+
+namespace Solspace\Freeform\Variables;
+
+use Solspace\Freeform\Elements\Submission;
+use Solspace\Freeform\Fields\FieldInterface;
+use Solspace\Freeform\Freeform;
+use Twig\Markup;
+
+class FreeformSubmissionsVariable
+{
+    public function renderSubmissionField(FieldInterface $field, Submission $submission): Markup
+    {
+        return Freeform::getInstance()
+            ->submissions
+            ->renderSubmissionField($field, $submission)
+        ;
+    }
+}

packages/plugin/src/controllers/SubmissionsController.php

@@ -148,8 +148,6 @@ public function actionEdit(int $id): Response
             $statuses[$statusId] = $status;
         }
 
-        $fieldRenderer = [$submissionsService, 'renderSubmissionField'];
-
         $tabs = array_reduce(
             array_map(
                 fn (Page $page) => [
@@ -176,7 +174,6 @@ function ($result, $item) {
             'statuses' => $statuses,
             'note' => $noteRecord?->note,
             'continueEditingUrl' => 'freeform/submissions/{id}',
-            'fieldRenderer' => $fieldRenderer,
             'tabs' => $tabs,
             'sidebarHtml' => $submission->getSidebarHtml(true),
             'isCraft5' => version_compare(\Craft::$app->version, '5.0', '>='),

packages/plugin/src/templates/submissions/edit.twig

@@ -69,7 +69,7 @@
 		{% for page in layout.pages %}
 			<div class="field tab-content{% if not loop.first %} hidden{% endif %}" id="tab-{{ page.index }}">
 				{% for row in page.layout.allRows %}
-					{{ rowMacro.render(row, submission, fieldRenderer) }}
+					{{ rowMacro.render(row, submission) }}
 				{% endfor %}
 			</div>
 		{% endfor %}

packages/plugin/src/templates/submissions/fields/group.twig

@@ -5,7 +5,7 @@
 
     {% for groupRow in field.layout %}
 
-        {{ rowMacros.render(groupRow, submission, fieldRenderer) }}
+        {{ rowMacros.render(groupRow, submission) }}
 
     {% endfor %}
 

packages/plugin/src/templates/submissions/macros/row.twig

@@ -1,4 +1,4 @@
-{% macro render(row, submission, fieldRenderer) %}
+{% macro render(row, submission) %}
     {% import "_includes/forms" as forms %}
 
     <div class="fields-row">
@@ -14,7 +14,7 @@
                 },
             }) }}
 
-                {{ fieldRenderer|call(field, submission) }}
+                {{ craft.freeformSubmissions.renderSubmissionField(field, submission) }}
 
             {{ field.renderContainerClosingTag }}
         {% endfor %}