Creating correct CSRF tokens when using FormHelper::postLink within a…

…nother form. Fixes #8387
cakephp · Mar 2, 2016 · 7df96b3 · 7df96b3
1 parent bafcba3
commit 7df96b3
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/lib/Cake/View/Helper/FormHelper.php b/lib/Cake/View/Helper/FormHelper.php
@@ -611,11 +611,13 @@ public function secure($fields = array(), $secureAttributes = array()) {
 		$tokenFields = array_merge($secureAttributes, array(
 			'value' => urlencode($fields . ':' . $locked),
 			'id' => 'TokenFields' . mt_rand(),
+			'secure' => static::SECURE_SKIP,
 		));
 		$out = $this->hidden('_Token.fields', $tokenFields);
 		$tokenUnlocked = array_merge($secureAttributes, array(
 			'value' => urlencode($unlocked),
 			'id' => 'TokenUnlocked' . mt_rand(),
+			'secure' => static::SECURE_SKIP,
 		));
 		$out .= $this->hidden('_Token.unlocked', $tokenUnlocked);
 		return $this->Html->useTag('hiddenblock', $out);
@@ -1868,6 +1870,7 @@ public function postLink($title, $url = null, $options = array(), $confirmMessag
 			unset($options['target']);
 		}
 
+		$previousLastAction = $this->_lastAction;
 		$this->_lastAction($url);
 
 		$out = $this->Html->useTag('form', $formUrl, $formOptions);
@@ -1890,6 +1893,8 @@ public function postLink($title, $url = null, $options = array(), $confirmMessag
 		if ($options['block']) {
 			$this->_View->append($options['block'], $out);
 			$out = '';
+			// Reset security-relevant fields for outer form
+			$this->_lastAction = $previousLastAction;
 		}
 		unset($options['block']);