ButtonTo() doesn't support CSRF #808

neokoenig · 2017-07-15T09:51:58Z

As buttonTo() creates a form, it should automatically include appropriate CSRF tokens if required?

 #buttonTo(
  text="Delete",
  route="myRoute",
  key=id,
  method="delete",
  encode="attributes"                  
 )#

Results in

<form action="/admin/roles/3" method="post">
  <input id="_method" name="_method" type="hidden" value="delete">
  <input class="btn btn-primary" type="submit" value="Delete">
</form>

Without the CSRF token

The text was updated successfully, but these errors were encountered:

chapmandu · 2017-07-21T08:54:22Z

I'm wondering if the startFormTag() could be used here rather than this element helper..

cfwheels/wheels/view/links.cfm

Line 147 in 15b4d91

    
           	return $element(name="form", skip=local.skip, content=local.content, attributes=arguments, encode=local.encode, encodeExcept=local.encodeExcept);

perdjurner · 2017-07-25T14:52:16Z

Using startFormTag would be a good approach for later but for additional beta releases like this one we should minimize any possibility of adding more bugs. Best way to do that is to just add in the authenticityTokenField() call to buttonTo I think, even if it creates some ugly / duplicate code for now.

neokoenig added the bug label Jul 15, 2017

perdjurner added this to the 2.0.0 Beta 2 milestone Jul 15, 2017

perdjurner closed this as completed in b0240ea Aug 5, 2017

perdjurner modified the milestones: 2.0.0 Beta 2, 2.0.0 RC 1 Aug 5, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ButtonTo() doesn't support CSRF #808

ButtonTo() doesn't support CSRF #808

neokoenig commented Jul 15, 2017

chapmandu commented Jul 21, 2017

perdjurner commented Jul 25, 2017

ButtonTo() doesn't support CSRF #808

ButtonTo() doesn't support CSRF #808

Comments

neokoenig commented Jul 15, 2017

chapmandu commented Jul 21, 2017

perdjurner commented Jul 25, 2017