[html-formfu] Re: Always HTTP Method POST

Rod Taylor rod.taylor at gmail.com
Mon Feb 22 16:55:43 GMT 2010


Took a look and it seems to have a couple of fundamental issues.

If you submit a form which fails on a constraint other than
RequestToken, correct the input value, then submit again, the second
submission will fail for the RequestToken constraint.

The Plugin seems to remove the token regardless of whether there are
other errors in the form or not, meaning users only get one chance to
click submit. It should only remove the token from the session on a
successful submission.

Second issue is setting an error message. By default it sets the error
message to 'form_constraint_requesttoken' which shows up at the bottom
of the form under the submit button and I do not see an easy way to
change it. I suppressed it with
span.error_constraint_requesttoken {display: none;} and added a
template toolkit wrapper to form.render which digs into
form.get_error(name => '_token') to set a good error message at the
top of the form.


This does seem like the right path to be on but the plugin itself
requires a bit of work to be usable.

regards,

Rod

On Sat, Feb 20, 2010 at 20:56, Moritz Onken <onken at houseofdesign.de> wrote:
> The only way to prevent CSRF attacks is to use one-time tokens. Catalyst::Controller::HTML::FormFu supports that already. Have a look at http://search.cpan.org/~cfranks/Catalyst-Controller-HTML-FormFu-0.06001/lib/Catalyst/Controller/HTML/FormFu.pm#request_token_enable.
>
> Don't rely on the referrer! Some browsers and especially some browser plugins do not send the referrer for privacy reasons.
>
> cheers,
>
> moritz
>
>
>
> Am 21.02.2010 um 08:22 schrieb Oleg Kostyuk:
>
>> Hello Rod,
>>
>> As for me, used HTTP method is part of HTTP request, and not part of
>> form's data. And so, I don't see why FormFu should have something like
>> you want. If you use Catalyst, you could look at
>> Catalyst::Action::REST.
>>
>> Good luck!
>>
>> --
>> Sincerely yours,
>> Oleg Kostyuk (CUB-UANIC)
>>
>> _______________________________________________
>> HTML-FormFu mailing list
>> HTML-FormFu at lists.scsys.co.uk
>> http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/html-formfu
>
>
>
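The token lifecycle Rod describes, as an added framework-agnostic example that is not part of the thread and not HTML::FormFu or Catalyst code: a one-time CSRF token is issued into the session and echoed back as a hidden `_token` field; the buggy policy drops it from the session on any submission, while the fixed policy keeps it across a failed submission and consumes it only on success. The session key name, the field names and the "other constraints" (`name`, `age`) are constructed for illustration.

```python
"""One-time CSRF token lifecycle, buggy policy beside the fixed one.

Added example, not HTML::FormFu's plugin: it models the behaviour the
thread discusses with a plain dict standing in for the server session.
"""
import hmac
import secrets

TOKEN_FIELD = "_token"        # hidden field name used in the thread
SESSION_KEY = "csrf_token"    # assumed session slot name


def issue_token(session: dict) -> str:
    """Create a fresh token, store it in the session and return it for
    embedding as <input type="hidden" name="_token" value="...">."""
    token = secrets.token_urlsafe(32)
    session[SESSION_KEY] = token
    return token


def token_matches(session: dict, form: dict) -> bool:
    """Constant-time comparison of the submitted token with the session's."""
    expected = session.get(SESSION_KEY)
    submitted = form.get(TOKEN_FIELD)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def validate_fields(form: dict) -> dict:
    """Stand-in for the form's other constraints (constructed: a required
    non-empty 'name' and an integer 'age')."""
    errors = {}
    if not form.get("name", "").strip():
        errors["name"] = "required"
    try:
        int(form.get("age", ""))
    except ValueError:
        errors["age"] = "must be an integer"
    return errors


def process(session: dict, form: dict, consume_on_any_error: bool) -> dict:
    """Handle one POST and return {'ok': bool, 'errors': {...}}.

    consume_on_any_error=True reproduces the problem in the thread: the
    token is dropped from the session on every submission, so a retry
    after a non-token error fails on the token check.
    consume_on_any_error=False is the fix: the token survives a failed
    submission and is removed only when the form validates.
    """
    if not token_matches(session, form):
        # Reject without touching the session, so a forged POST cannot
        # invalidate the token of a form the real user is still filling in.
        return {"ok": False, "errors": {TOKEN_FIELD: "form_constraint_requesttoken"}}

    errors = validate_fields(form)
    if errors:
        if consume_on_any_error:
            session.pop(SESSION_KEY, None)   # the bug: one chance only
        return {"ok": False, "errors": errors}

    # Success: consume the token so the same POST cannot be replayed.
    session.pop(SESSION_KEY, None)
    return {"ok": True, "errors": {}}


def retry_flow(consume_on_any_error: bool) -> list:
    """Render, submit with a bad 'age', correct it, resubmit with the same
    hidden token. Returns the two results in order."""
    session = {}
    token = issue_token(session)
    first = process(session, {TOKEN_FIELD: token, "name": "rod", "age": "x"},
                    consume_on_any_error)
    second = process(session, {TOKEN_FIELD: token, "name": "rod", "age": "42"},
                     consume_on_any_error)
    return [first, second]


def replay_after_success() -> tuple:
    """(first POST accepted?, identical replay accepted?) under the fix."""
    session = {}
    token = issue_token(session)
    form = {TOKEN_FIELD: token, "name": "rod", "age": "42"}
    first_ok = process(session, form, False)["ok"]
    replay_ok = process(session, form, False)["ok"]
    return first_ok, replay_ok


if __name__ == "__main__":
    print("buggy policy :", retry_flow(True))
    print("fixed policy :", retry_flow(False))
    print("(accepted, replay accepted):", replay_after_success())
```

With the buggy policy the second submission fails with `form_constraint_requesttoken` even though the user corrected the field; with the fixed policy it succeeds, and an exact replay after success is still rejected because the token was consumed then. Rod's rendering workaround (hiding the generic message and reading `get_error(name => '_token')`) corresponds to the `_token` key in the returned error dict.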
