developer.jelix.org is no longer used and exists only for its history. Post new tickets on the GitHub account.
#828 closed task (wontfix)
formurlparam and __JFORMS_TOKEN__
Reported by: | foxmask | Owned by: | |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | jelix:plugins:tpl | Version: | 1.1RC3 |
Severity: | normal | Keywords: | |
Cc: | | Blocked By: | |
Blocking: | | Documentation needed: | no |
Hosting Provider: | | Php version: | |
Description
this code
{formurlparam 'module~controller:action'}
should add the hidden JFORMS_TOKEN with the other hidden input
<input type="hidden" name="action" value="controller:action"/>
Actually we don't have this hidden input like with {form $form...}
Change History (6)
comment:1 Changed 12 years ago by bballizlife
comment:2 Changed 12 years ago by foxmask
agree
but shouldn't we provide a feature like JFORMS_TOKEN for jTpl?
comment:3 Changed 12 years ago by bballizlife
It's not about just providing an enhancement of a jtpl plugin, this means having everything to deal with the functionality: generating the token in session, being able to check it when the form is submitted, ...
So why not, but we will have to provide all the necessary stuff around the functionality.
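What comment:3 lists (a token generated in session and checked when the form is submitted), shown in plain PHP as an added example that is not part of the ticket and is not Jelix or jForms code. The function names, the `rights_edit` form id and the array standing in for `$_SESSION` are assumptions; the field name is borrowed from the ticket title.

```php
<?php
// Added example: hypothetical helpers, not Jelix or jForms API.
const TOKEN_FIELD = '__JFORMS_TOKEN__'; // field name borrowed from the ticket title

/** Create a random per-form token, store it in the session, return it. */
function issueFormToken(array &$session, string $formId): string
{
    $token = bin2hex(random_bytes(32));
    $session['form_tokens'][$formId] = $token;
    return $token;
}

/** Hidden input to print beside the ones {formurlparam} already emits. */
function tokenHiddenInput(string $token): string
{
    return '<input type="hidden" name="' . TOKEN_FIELD . '" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '"/>';
}

/** Compare the submitted token in constant time; a token is valid once. */
function checkFormToken(array &$session, string $formId, array $post): bool
{
    $expected = $session['form_tokens'][$formId] ?? null;
    $given = $post[TOKEN_FIELD] ?? null;
    if (!is_string($expected) || !is_string($given)) {
        return false; // no token issued, or none submitted
    }
    if (!hash_equals($expected, $given)) {
        return false; // keep the stored token so the real form still works
    }
    unset($session['form_tokens'][$formId]); // consume on success: no replay
    return true;
}

// Constructed demo: a plain array stands in for $_SESSION so this runs from the CLI.
$session = [];
$token = issueFormToken($session, 'rights_edit');
echo tokenHiddenInput($token), "\n";

$withoutToken = ['action' => 'controller:action'];   // POST built by another site
$withToken = ['action' => 'controller:action', TOKEN_FIELD => $token];

var_dump(checkFormToken($session, 'rights_edit', $withoutToken)); // token missing
var_dump(checkFormToken($session, 'rights_edit', $withToken));    // genuine submit
var_dump(checkFormToken($session, 'rights_edit', $withToken));    // same POST replayed
```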
comment:4 Changed 12 years ago by foxmask
- Milestone changed from jelix 1.1 to Jelix 1.2
comment:5 Changed 12 years ago by laurentj
- Component changed from jelix:forms to jelix:plugins:tpl
- Milestone Jelix 1.2 deleted
- Resolution set to wontfix
- Status changed from new to closed
I think Jelix is big enough. If you want CSRF features, use jforms.
comment:6 Changed 12 years ago by foxmask
The matter is not what I want, but if you say that to secure our app we have to use jforms, then I am afraid that the jacl2admin is exposed to this kind of thing, as you didn't use jforms either. Now, as it is your requirement, I will try again to use jforms, but I still spent 3 days integrating a form that manages the access rights for one forum, and that was so complicated that I decided to use the shortcut formurl like you did for the jacl2admin module.
Now I understand that this feature is too heavy to be implemented in jtpl.
But the jtpl plugin {formurlparam} is to be used when you do not use jForms. So, according to me, this has nothing to do with JFORMS_TOKEN.