Welcome Guest, Not a member yet? Register   Sign In
Forcing CSRF on a form
#1

[eluser]Clooner[/eluser]
My site is deployed over multiple domains and the form_open function in the form_helper only forces csrf protection when you are posting to the same site_url. Although this might be wanted behavior in some situations it might be useful to generate the csrf token. The form_open function should have a way to force the csrf token . I know we can easily do this by using an hidden array ourselves but the code for the csrf generation is already in the form helper. I suggest to add an option to this helper function like

Code:
if ( ! function_exists('form_open'))
{
function form_open($action = '', $attributes = '', $hidden = array(), $force_csrf = false)
{
  $CI =& get_instance();

  if ($attributes == '')
  {
   $attributes = 'method="post"';
  }

  // If an action is not a full URL then turn it into one
  if ($action && strpos($action, '://') === FALSE)
  {
   $action = $CI->config->site_url($action);
  }

  // If no action is provided then set to the current url
  $action OR $action = $CI->config->site_url($CI->uri->uri_string());

  $form = '<form action="'.$action.'"';

  $form .= _attributes_to_string($attributes, TRUE);

  $form .= '>';

  // Add CSRF field if enabled or when forced, but leave it out for GET requests and requests to external websites
  if ($CI->config->item('csrf_protection') === TRUE AND ! (strpos($action, $CI->config->site_url()) === FALSE OR strpos($form, 'method="get"')) OR $force_csrf)
  {
   $hidden[$CI->security->get_csrf_token_name()] = $CI->security->get_csrf_hash();
  }

  if (is_array($hidden) AND count($hidden) > 0)
  {
   $form .= sprintf("<div>%s</div>", form_hidden($hidden));
  }

  return $form;
}
}




Theme © iAndrew 2016 - Forum software by © MyBB