From 3b9604d543c71f5626b62d8a72763020e6658132 Mon Sep 17 00:00:00 2001 From: Alexander Ebert Date: Sun, 16 Jun 2024 13:31:00 +0200 Subject: [PATCH] Simplify the generation of HTML node identifiers We do not to generate completely random identifiers, the original intention was to prevent collisions with existing tag names. Using a per-request random prefix together with a counter is sufficient to generate unique tag names without paying the CSPRNG tax for ever node. --- .../node/AbstractHtmlNodeProcessor.class.php | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/wcfsetup/install/files/lib/system/html/node/AbstractHtmlNodeProcessor.class.php b/wcfsetup/install/files/lib/system/html/node/AbstractHtmlNodeProcessor.class.php index 6ef44f7e32..c082a869db 100644 --- a/wcfsetup/install/files/lib/system/html/node/AbstractHtmlNodeProcessor.class.php +++ b/wcfsetup/install/files/lib/system/html/node/AbstractHtmlNodeProcessor.class.php @@ -370,18 +370,17 @@ abstract class AbstractHtmlNodeProcessor implements IHtmlNodeProcessor */ public function getWcfNodeIdentifer(): array { - static $engine = null; - - if ($engine === null) { - if (\class_exists(\Random\Engine\Xoshiro256StarStar::class, false)) { - $randomizer = new \Random\Randomizer(new \Random\Engine\Xoshiro256StarStar()); - $engine = static fn () => \bin2hex($randomizer->getBytes(16)); - } else { - $engine = static fn () => \bin2hex(\random_bytes(16)); - } + static $counter = 0; + static $prefix = null; + + if ($prefix === null) { + // The `x` is appended to visually separate the prefix and the + // counter to aid in debugging in case the random prefix ends with + // one or more numeric characters. + $prefix = \bin2hex(\random_bytes(16)) . 'x'; } - $identifier = $engine(); + $identifier = $prefix . $counter++; return [$identifier, "wcfNode-{$identifier}"]; } -- 2.20.1