
CSRF token field generated outside of form tag

Open tcheymol opened this issue 2 years ago • 3 comments

Describe the bug

Hi, starting from 4.8.5, the CSRF token field is generated outside of the form tag, so all the forms fail CSRF validation.

To Reproduce

This problem does not show up on v4.8.4, but starts at v4.8.5 and later versions.

(OPTIONAL) Additional context

(Two screenshots attached: 2024-01-10 11:00:54 and 2024-01-10 11:01:13.)

tcheymol avatar Jan 10 '24 10:01 tcheymol

I can't reproduce this. In my apps, the <input type="hidden"> field with the CSRF token is rendered just before the closing </form>.

Also, if this started failing in 4.8.5 version, we'd receive a ton of feedback about this because we're in 4.8.11 version already.

Can you please investigate a bit more about this? Do you use custom form themes for example? Thanks.

javiereguiluz avatar Jan 25 '24 19:01 javiereguiluz

I just migrated from 4.7.6 to 4.9.1 and this issue also happens.

This happens only on one form that has a custom widget with {{ form(form) }}, which renders a form inside a form, and when saving the main form, the code for some reason validates that inner form.

{# custom widget block for the starttime field; form(form) renders a complete <form>...</form> here, inside the outer form #}
{% block _Object_starttime_widget %}
    {{ form(form) }}
    <input type="button" class="btn datetime-setter" data-target="Object_starttime" value="Now" />
{% endblock %}

On 4.7.6 I can see that the code renders a form inside a form, but when saving the main form the CSRF issue doesn't appear.

MikaBeDev avatar Feb 22 '24 10:02 MikaBeDev
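One plausible mechanism for what MikaBeDev describes, as an added example that is not part of the issue or of EasyAdminBundle: the HTML5 parser ignores a nested <form> start tag and lets the first </form> close the outer form, so any field rendered after that point (the outer form's hidden _token, which form_end() emits last) sits outside every form and is never submitted. The script below emulates that parsing rule over constructed markup; the form and field names are assumptions.

```python
"""Emulate the HTML5 'form element pointer' rule to see which <form> a browser
associates each <input> with when <form> tags nest: a <form> start tag is ignored
while another form is open, and the first </form> closes the open form."""
from html.parser import HTMLParser

# Constructed sample of the markup a nested {{ form(form) }} widget produces;
# names and values are illustrative, not copied from EasyAdminBundle.
NESTED_FORM_HTML = """
<form name="Object" method="post" action="/admin/object/1/edit">
  <input type="text" name="Object[name]" value="demo">
  <form name="Object_starttime" method="post">
    <input type="datetime-local" name="Object[starttime]">
    <input type="hidden" name="Object_starttime[_token]" value="inner-token">
  </form>
  <input type="button" class="btn datetime-setter" value="Now">
  <input type="hidden" name="Object[_token]" value="outer-token">
</form>
"""

class FormPointerParser(HTMLParser):
    """Tracks the single open form and records which form owns each named input."""
    def __init__(self):
        super().__init__()
        self.open_form = None   # name of the form the browser considers open
        self.owners = []        # (input name, owning form name or None)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            if self.open_form is None:      # otherwise the nested <form> is ignored
                self.open_form = a.get("name")
        elif tag == "input" and a.get("name"):
            self.owners.append((a["name"], self.open_form))

    def handle_endtag(self, tag):
        if tag == "form":
            self.open_form = None           # the first </form> closes the open form

def fields_by_form(html):
    """Map each form name to the inputs a browser submits with it; key None = orphaned."""
    p = FormPointerParser()
    p.feed(html)
    groups = {}
    for name, form in p.owners:
        groups.setdefault(form, []).append(name)
    return groups

def orphaned_fields(html):
    """Names of inputs that are never submitted because they sit outside every form."""
    return fields_by_form(html).get(None, [])
```

Running `orphaned_fields(NESTED_FORM_HTML)` reports the outer form's `Object[_token]` as orphaned, which is exactly the "token outside the form tag" symptom, while the inner form's fields are swallowed into the outer form.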

I'm afraid that I don't understand how this error happens and I can't reproduce it. If anyone wants to give this a shot, please do it. Thanks.

javiereguiluz avatar Mar 07 '24 19:03 javiereguiluz