
Commit 7df96b3

committed
Creating correct CSRF tokens when using FormHelper::postLink within another form. Fixes #8387
1 parent bafcba3 commit 7df96b3


1 file changed

+5
-0
lines changed


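--- a/lib/Cake/View/Helper/FormHelper.php
+++ b/lib/Cake/View/Helper/FormHelper.php
@@ -611,11 +611,13 @@ public function secure($fields = array(), $secureAttributes = array()) {
 $tokenFields = array_merge($secureAttributes, array(
 'value' => urlencode($fields . ':' . $locked),
 'id' => 'TokenFields' . mt_rand(),
+'secure' => static::SECURE_SKIP,
 ));
 $out = $this->hidden('_Token.fields', $tokenFields);
 $tokenUnlocked = array_merge($secureAttributes, array(
 'value' => urlencode($unlocked),
 'id' => 'TokenUnlocked' . mt_rand(),
+'secure' => static::SECURE_SKIP,
 ));
 $out .= $this->hidden('_Token.unlocked', $tokenUnlocked);
 return $this->Html->useTag('hiddenblock', $out);
@@ -1868,6 +1870,7 @@ public function postLink($title, $url = null, $options = array(), $confirmMessag
 unset($options['target']);
 }
 
+$previousLastAction = $this->_lastAction;
 $this->_lastAction($url);
 
 $out = $this->Html->useTag('form', $formUrl, $formOptions);
@@ -1890,6 +1893,8 @@ public function postLink($title, $url = null, $options = array(), $confirmMessag
 if ($options['block']) {
 $this->_View->append($options['block'], $out);
 $out = '';
+// Reset security-relevant fields for outer form
+$this->_lastAction = $previousLastAction;
 }
 unset($options['block']);
 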
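Review bot: In postLink(), `$this->_lastAction` is restored only inside the `if ($options['block'])` branch, so a call without the `block` option made while an outer form is still open leaves the postLink URL in `_lastAction`. If secure() derives the token from `_lastAction` (its hashing is outside these hunks, so this is inferred), the outer form's token would be built for the wrong action and rejected on submit; that fails closed, but it breaks the form. Either move `$this->_lastAction = $previousLastAction;` to just after the closing brace of the `if`, or state in the comment that only the block case is supported. The comment also says "fields" although only `_lastAction` is restored; `// Restore the outer form's last action so its token is generated for the correct URL` would be more precise. The commit touches one file and adds no regression test for the nested-form token, which is worth having for a CSRF-related fix.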