FormHelper does not reset requestType when creating PostLink #2308

Closed
rachel-walker opened this issue Nov 12, 2013 · 1 comment

@rachel-walker

In CakePHP version 2.3, and possibly newer versions as well, I've discovered a problem where, if you create a form that uses get as its method and then immediately create a postLink, the FormHelper's property requestType will remain as get while you create the postLink, which causes a number of problems with CakePHP's CSRF features. For example, do the following:

```php
echo $this->Form->create('foo', array('type' => 'get'));
echo $this->Form->end();
echo $this->Form->postLink('test link', array('action' => 'test', 'foo'));
```

The resulting postLink will have its hidden inputs with an incorrect name of just "_Token" rather than "data[_Token][unlocked]" and "data[_Token][fields]", and then the postLink will fail checks for CSRF.

I suggest adding a line in FormHelper's postLink function that sets FormHelper's requestType to null.
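The stale-state problem described above, as an added example that is not part of the original issue and is not CakePHP's FormHelper source. `ToyFormHelper`, its `name()` rule and the `$resetInPostLink` switch are hypothetical, chosen only to reproduce the field names quoted in the report and to show the effect of the suggested reset.

```php
<?php
// Simplified model of a stateful form helper; NOT CakePHP's FormHelper source.
class ToyFormHelper
{
    public $requestType = null;   // state shared by every call on the helper
    private $resetInPostLink;     // hypothetical switch: apply the suggested fix?

    public function __construct($resetInPostLink)
    {
        $this->resetInPostLink = $resetInPostLink;
    }
    public function create($model, array $options = array())
    {
        $this->requestType = isset($options['type']) ? $options['type'] : 'post';
        return '<form method="' . $this->requestType . '">';
    }
    public function end()
    {
        return '</form>';         // requestType is left as it was, as in the report
    }
    // Assumed naming rule, chosen to match the names quoted in the issue.
    private function name($path)
    {
        $parts = explode('.', $path);
        if ($this->requestType === 'get') {
            return $parts[0];     // "_Token": the name the token check will not find
        }
        return 'data[' . implode('][', $parts) . ']';
    }
    public function postLink($title)
    {
        if ($this->resetInPostLink) {
            $this->requestType = null;   // the reset suggested in the issue
        }
        $html = '<form method="post" style="display:none;">';
        foreach (array('_Token.fields', '_Token.unlocked') as $path) {
            $html .= '<input type="hidden" name="' . $this->name($path) . '"/>';
        }
        return $html . '</form><a href="#">' . htmlspecialchars($title) . '</a>';
    }
}

// Same call sequence as the report, without and with the reset.
foreach (array(false, true) as $fixed) {
    $form = new ToyFormHelper($fixed);
    $form->create('foo', array('type' => 'get'));
    $form->end();
    preg_match_all('/name="([^"]+)"/', $form->postLink('test link'), $m);
    echo ($fixed ? 'with reset:    ' : 'without reset: '), implode(', ', $m[1]), "\n";
}
```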

@ghost ghost assigned markstory Nov 12, 2013
@markstory
Member

Thanks, I will take a look.
