Contenttype field name "token" collides with csrf token #2734
In `_csrf_token.twig` we have a field named `token`, which badly collides on post when you have a contenttype field named `token`.

Possible solutions:

- Rename it to `bolt_csrf_token` or something and disallow fieldnames starting with `bolt_`.
- Add `token` to the list of not allowed keywords.

Any other internally used post names known?

What about the suggestion you made on IRC to prefix internals with an underscore (or two) and disallow those as contenttype names?

Is

Also I can't really find the location where this token is used/compared in our codebase… Ah: https://github.com/bolt/bolt/blob/master/src/Users.php#L334 It seems the token also lives in cookies, named

Looks like @tobias2k initially added this stuff, but I got some iterations meanwhile.

"bolt_token" would work for me.
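The collision and the two proposed fixes in working code, as an added example that is not part of the issue or of Bolt's code base; the `bolt_csrf_token` name, the reserved-name list and the `bolt_` prefix check are assumptions that follow the suggestions above.

```php
<?php
// Added example, not Bolt's own code. Shows why a contenttype field named
// "token" clobbers the CSRF token on POST and how a reserved-name check
// prevents it. bolt_csrf_token, the bolt_ prefix rule and the reserved list
// are illustrative assumptions; only "token" and "bolt_" come from the issue.
const CSRF_FIELD_LEGACY     = 'token';
const CSRF_FIELD_NAMESPACED = 'bolt_csrf_token';
const INTERNAL_PREFIX       = 'bolt_';
const RESERVED_FIELD_NAMES  = ['token'];

// Parse a raw body the way PHP fills $_POST: for duplicate keys the last one
// wins, so whichever "token" input appears later in the form silently
// replaces the other (the CSRF check then fails, or the content field
// receives the CSRF value, depending on field order).
function parsePostBody(string $rawBody): array
{
    parse_str($rawBody, $fields);
    return $fields;
}

// Compare the submitted token with the session token in constant time.
function csrfTokenIsValid(array $post, string $fieldName, string $sessionToken): bool
{
    $submitted = $post[$fieldName] ?? '';
    return is_string($submitted) && hash_equals($sessionToken, $submitted);
}

// Reject field names that live in the internal namespace: reserved names and
// anything starting with the internal prefix (case-insensitive).
function isAllowedFieldName(string $name): bool
{
    if (in_array(strtolower($name), RESERVED_FIELD_NAMES, true)) {
        return false;
    }
    return stripos($name, INTERNAL_PREFIX) !== 0;
}

// Constructed sample: session token plus a form containing both the CSRF
// hidden input and a contenttype field named "token".
$sessionToken = 'a3f9c2e1';
$legacyPost   = parsePostBody('token=a3f9c2e1&title=Hello&token=free+text');
var_dump($legacyPost['token']);
var_dump(csrfTokenIsValid($legacyPost, CSRF_FIELD_LEGACY, $sessionToken));

// Namespaced CSRF field: the two values no longer share a key.
$fixedPost = parsePostBody('bolt_csrf_token=a3f9c2e1&title=Hello&token=free+text');
var_dump(csrfTokenIsValid($fixedPost, CSRF_FIELD_NAMESPACED, $sessionToken));

// Field-name check keeps new contenttypes out of the internal namespace.
var_dump(isAllowedFieldName('title'), isAllowedFieldName('token'), isAllowedFieldName('bolt_anything'));
```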