In CakePHP version 2.3, and possibly newer versions as well, I've discovered a problem where if you create a form that uses `get` as its method, then immediately create a postLink, the FormHelper's property `requestType` will remain as `get` while you create the postLink, which causes a number of problems with CakePHP's CSRF features. For example, do the following:
```php
echo $this->Form->create('foo', array('type' => 'get'));
echo $this->Form->end();
echo $this->Form->postLink('test link', array('action' => 'test', 'foo'));
```
The resulting postLink will have its hidden inputs with an incorrect name of just "_Token" rather than "data[_Token][unlocked]" and "data[_Token][fields]", and then the postLink will fail checks for CSRF.
I suggest adding a line in FormHelper's postLink function that sets FormHelper's requestType to null.
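The state leak reported above, reduced to a stand-alone model with the suggested reset switched off and on. This is an added example, not CakePHP source and not code from the reporter: `ToyFormHelper` and `tokenNamesAfterGetForm` are hypothetical names, and only the `requestType` property and the token field names are taken from the report.

```php
<?php
// Toy model of a stateful form helper (hypothetical, not CakePHP code).
// It reproduces only the behaviour described in the report above.
class ToyFormHelper
{
    public $requestType = null;
    private $resetInPostLink;

    public function __construct($resetInPostLink)
    {
        $this->resetInPostLink = $resetInPostLink;
    }

    public function create($model, array $options = array())
    {
        $this->requestType = isset($options['type']) ? $options['type'] : 'post';
    }

    public function end()
    {
        // State leak: requestType is not cleared when the form is closed.
    }

    public function postLink($title)
    {
        if ($this->resetInPostLink) {
            $this->requestType = null; // the change suggested in the report
        }
        // Names given to the hidden token inputs, as quoted in the report.
        if ($this->requestType === 'get') {
            return array('_Token', '_Token');
        }
        return array('data[_Token][fields]', 'data[_Token][unlocked]');
    }
}

function tokenNamesAfterGetForm($reset)
{
    $form = new ToyFormHelper($reset);
    $form->create('foo', array('type' => 'get'));
    $form->end();
    return $form->postLink('test link');
}

$expected = array('data[_Token][fields]', 'data[_Token][unlocked]');
foreach (array(false, true) as $reset) {
    $names = tokenNamesAfterGetForm($reset);
    printf("reset=%s names=[%s] csrf_names_ok=%s\n", var_export($reset, true), implode(', ', $names), var_export($names === $expected, true));
}
```

The same comparison of rendered token field names against the expected `data[_Token][...]` names works as a regression check once a fix is in place.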