Contenttype field name "token" collides with csrf token

[rarila]

In _csrf_token.twig we have

<input type="hidden" name="token" value="{{ token() }}" />

which badly collides on post when you have a contenttype field named token.

Possible solutions:

• Rename it to something like bolt_csrf_token or something and disallow fieldnames starting withbolt_
• Add token to the list of not allowed keywords.

Any other internal used post names known?

[GwendolenLynch]

What about the suggestion you made on IRC to prefix internals with an underscore (or two) and disallow those as contenttype names?

[rarila]

Is _ allowed for the start of a name attribute? Gotta check.

[rarila]

Also I can't really find the location where this token is used/compared in our codebase…

Ah: https://github.com/bolt/bolt/blob/master/src/Users.php#L334
Is that the only place where it is read/used?

It seems the token also lives in cookies, named bolt_authtoken there. It would heavily reduce the possibilty of a collition with this name, even without prefix and cecking for it. token alone is just too general.

[rarila]

Looks like @tobias2k initially added this stuff, but i got some interations meanwhile.

[bobdenotter]

"bolt_token" would work for me.