Fix primefaces#11426: 13.0.6 Spring Security CSRF (primefaces#11428)

melloware · Feb 13, 2024 · c175946 · c175946
1 parent 311d2ed
commit c175946
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/primefaces/src/main/resources/META-INF/resources/primefaces/core/core.ajax.js b/primefaces/src/main/resources/META-INF/resources/primefaces/core/core.ajax.js
@@ -742,11 +742,16 @@ if (!PrimeFaces.ajax) {
 
                     //add form state if necessary
                     if (!formProcessed) {
+                        // Faces
                         PrimeFaces.ajax.Request.addParamFromInput(postParams, PrimeFaces.VIEW_STATE, form, parameterPrefix);
                         PrimeFaces.ajax.Request.addParamFromInput(postParams, PrimeFaces.CLIENT_WINDOW, form, parameterPrefix);
+                        // PrimeFaces
                         PrimeFaces.ajax.Request.addParamFromInput(postParams, PrimeFaces.csp.NONCE_INPUT, form, parameterPrefix);
+                        // DeltaSpike
                         PrimeFaces.ajax.Request.addParamFromInput(postParams, 'dsPostWindowId', form, parameterPrefix);
                         PrimeFaces.ajax.Request.addParamFromInput(postParams, 'dspwid', form, parameterPrefix);
+                        // Spring Security
+                        PrimeFaces.ajax.Request.addParamFromInput(postParams, '_csrf', form, parameterPrefix);
                     }
 
                 }
@@ -1142,11 +1147,16 @@ if (!PrimeFaces.ajax) {
                     PrimeFaces.ajax.Request.addFormData(formData, PrimeFaces.PARTIAL_UPDATE_PARAM, update, parameterPrefix);
                 }
 
+                // Faces
                 PrimeFaces.ajax.Request.addFormDataFromInput(formData, PrimeFaces.VIEW_STATE, form, parameterPrefix);
                 PrimeFaces.ajax.Request.addFormDataFromInput(formData, PrimeFaces.CLIENT_WINDOW, form, parameterPrefix);
+                // PrimeFaces
                 PrimeFaces.ajax.Request.addFormDataFromInput(formData, PrimeFaces.csp.NONCE_INPUT, form, parameterPrefix);
+                // DeltaSpike
                 PrimeFaces.ajax.Request.addFormDataFromInput(formData, 'dsPostWindowId', form, parameterPrefix);
                 PrimeFaces.ajax.Request.addFormDataFromInput(formData, 'dspwid', form, parameterPrefix);
+                // Spring Security
+                PrimeFaces.ajax.Request.addFormDataFromInput(formData, '_csrf', form, parameterPrefix);
 
                 return formData;
             }