Form Builder duplicates hidden input with csrf_token_name value when CSRF protection is enabled

edited January 2013 in Bug Reports
I did try to search if this was reported but could not find anything in the forums, so decided to start a new thread.

I noticed that when I create a form with Form Builder and have the CSRF protection enabled, the hidden input containing the csrf_token_name value is duplicated before the closing form tag.

After browsing the code I noticed that it is generated first in "Form_builder.php" on lines 432-435 (in case the render_format is div, see code below) or line 672 (in case render_format is table, see code below).

But afterwards it is generated once again in Form.php on lines 125-129.

Commenting lines 432-435 and 672 in "Form_builder.php" fixes the issue.

Both files are located in "./application/libraries/".
Fuel CMS ver 0.9.3

P.S.
The code between lines 432-435 of "Form_builder.php" that needs to be commented is:
==Qt==
if (!empty($this->key_check))
{
    $this->_html .= $this->create_hidden(array('name' => $this->key_check_name, 'value' => $this->key_check));
}
==Unqt==

The code on line 672 of "Form_builder.php" that needs to be commented is:
==Qt==
if (!empty($this->key_check)) $this->_html .= $this->create_hidden(array('name' => $this->key_check_name, 'value' => $this->key_check));
==Unqt==
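
A regression check for the duplication reported above, as an added example that is not part of the original post or of FUEL CMS: it parses rendered form HTML and counts the hidden inputs carrying the CSRF token name in each form. The function name, the sample markup and the token name `csrf_test_name` are constructed for illustration; pass the value of your own csrf_token_name setting.

```php
<?php
// Added example (not FUEL CMS code). Counts hidden inputs named after the
// CSRF token inside each <form>, so a duplicated field shows up as a count > 1.

function csrf_field_counts(string $html, string $token_name): array
{
    $doc = new DOMDocument();
    // Rendered fragments are rarely complete documents; collect parser
    // warnings internally instead of emitting them.
    $previous = libxml_use_internal_errors(true);
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $counts = array();
    foreach ($doc->getElementsByTagName('form') as $form) {
        $n = 0;
        foreach ($form->getElementsByTagName('input') as $input) {
            $is_hidden = strtolower($input->getAttribute('type')) === 'hidden';
            if ($is_hidden && $input->getAttribute('name') === $token_name) {
                $n++;
            }
        }
        $counts[] = $n;
    }
    return $counts;
}

// Constructed sample: the first form repeats the token field before </form>,
// as in the report; the second carries it once.
$sample = <<<HTML
<form action="/contact" method="post">
  <input type="text" name="email" />
  <input type="hidden" name="csrf_test_name" value="constructed-token" />
  <input type="hidden" name="csrf_test_name" value="constructed-token" />
</form>
<form action="/search" method="post">
  <input type="hidden" name="csrf_test_name" value="constructed-token" />
</form>
HTML;

foreach (csrf_field_counts($sample, 'csrf_test_name') as $index => $count) {
    $status = $count > 1 ? 'DUPLICATE' : 'ok';
    echo "form #{$index}: {$count} token field(s) [{$status}]\n";
}
```

Feeding it the output of a rendered form before and after commenting out the lines quoted above shows whether the duplicate is gone while one token field remains.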
