[eluser]Clooner[/eluser]
My site is deployed over multiple domains, and the form_open function in the form_helper only adds CSRF protection when you are posting to the same site_url. Although this might be the wanted behavior in some situations, it would be useful to be able to generate the CSRF token anyway. The form_open function should have a way to force the CSRF token. I know we can easily do this by using a hidden array ourselves, but the code for the CSRF generation is already in the form helper. I suggest adding an option to this helper function like:
Code:
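if ( ! function_exists('form_open'))
{
	/**
	 * Form Declaration
	 *
	 * Opens a <form> tag and, when CSRF protection is enabled, appends the
	 * CSRF token to the hidden fields.
	 *
	 * @param	string	$action		Form action URI; anything without '://' is expanded with site_url()
	 * @param	mixed	$attributes	Attribute string or associative array; empty means method="post"
	 * @param	array	$hidden		name => value pairs rendered as hidden inputs
	 * @param	bool	$force_csrf	Add the token even when $action points to another domain
	 *					(e.g. a deployment spread over several domains that share
	 *					one session). The token is then sent to whatever host
	 *					$action names, so only use it for domains you control.
	 *					It does not override the GET exclusion and has no effect
	 *					while csrf_protection is disabled (there is no hash to emit).
	 * @return	string
	 */
	function form_open($action = '', $attributes = '', $hidden = array(), $force_csrf = FALSE)
	{
		$CI =& get_instance();

		if ($attributes == '')
		{
			$attributes = 'method="post"';
		}

		// If an action is not a full URL then turn it into one
		if ($action && strpos($action, '://') === FALSE)
		{
			$action = $CI->config->site_url($action);
		}

		// If no action is provided then set to the current url
		$action OR $action = $CI->config->site_url($CI->uri->uri_string());

		$form = '<form action="'.$action.'"';
		$form .= _attributes_to_string($attributes, TRUE);
		$form .= '>';

		// A non-array $hidden would make the token assignment below fail on a
		// string offset; the output check at the bottom already ignores it, so
		// treating it as "no hidden fields" is the same observable result.
		if ( ! is_array($hidden))
		{
			$hidden = array();
		}

		// GET forms never carry the token, forced or not: CI only validates CSRF
		// on POST, and a token in the query string ends up in logs and Referer
		// headers. Case-insensitive so method="GET" is caught as well.
		$is_get = (stripos($form, 'method="get"') !== FALSE);

		// Without $force_csrf the token only goes to forms posting back to this site.
		$is_same_site = (strpos($action, $CI->config->site_url()) !== FALSE);

		if ($CI->config->item('csrf_protection') === TRUE AND ! $is_get AND ($is_same_site OR $force_csrf))
		{
			$hidden[$CI->security->get_csrf_token_name()] = $CI->security->get_csrf_hash();
		}

		if (count($hidden) > 0)
		{
			$form .= sprintf("<div>%s</div>", form_hidden($hidden));
		}

		return $form;
	}
}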