formurlparam and __JFORMS_TOKEN__

[foxmask]

this code

{formurlparam 'module~controller:action'}

should add the hidden JFORMS_TOKEN with the other hidden input

<input type="hidden" name="action" value="controller:action"/>

actually we dont have this hidden input like with {form $form...}

[bballizlife]

But the jtpl plugin {formurlparam} is to use when you do not use jForms. So, according to me, this has nothing to deal with JFORMS_TOKEN.

[foxmask]

agree

but shouldnt we provide a feature like JFORMS_TOKEN for jTpl ?

[bballizlife]

It's not about just providing an enhancement of a jtpl plugin, this means having everything to deal with the fonctionnality : generating the token in session, being able to check it when the form is submitted,...

So why not but we will have to provide all the necessary stuff around the fonctionality.

[laurentj]

I think Jelix is big enough. If you want CSRF features, use jforms.

[foxmask]

The matter is not what i want but if you say that to secure our app we have to use jforms then i am afraid that the jacl2admin is exposed to this kind of things as you didnt use jforms too Now as it is your requirements i will try again to use jforms but i still spent 3days to integrate a form that manages the rights access for one forum and that was so complicate that i decided to use the shortcut formurl like you did for jacl2admin module

Now il undersrand that this feature is too heavy to be implemented in jtpl.