CSRF token not attached to request upon JQuery form submit #139

Open
StotoV opened this issue Nov 6, 2020 · 0 comments
StotoV commented Nov 6, 2020

Describe the bug
I have a form which is submitted with the JQuery $('#form').submit() with a target on a different page. When submitting I get a '403 Access Forbidden by CSRFProtector!' error. After debugging a bit I found that no tokens are being sent in the header of the request (but they are sent in the cookie). This is caused by the csrfprotector.js not intercepting the submit event and thus not attaching the tokens to the request. In the attached screenshot you can see that the csrfprotector.js is loaded but none of the breakpoints are hit when pressing the submit button.

To Reproduce
There is additional infrastructure that redirects the urls to the correct php files (e.g. /some/path?command=list goes to the list php file). There is also a file where the csrf is initialized.

test list PHP source

```php
<?php

class test_list {

    public function __construct()
    {
        global $sm, $db;
        $this->sm = $sm; //smarty
    }

    public function run() {
        $this->sm->display("test_save.html");
    }
}

?>
```

test save PHP source

```php
<?php

class test_save {

    public function __construct()
    {
    }

    public function run() {
        echo 'You made it!';
    }
}

?>
```

test_save.html

```html
<html>
    <head>
        <title>Test case</title>
    </head>
    <body>
        <form id="form" name="form" method="post" action="">
            <input type="text" name="someText" />
        </form>
        <button id="submitButton">Submit</button>
    </body>
    <script type="text/javascript" language="javascript" src="/scripts/jquery-1.12/jquery.js"></script>
    <script type="text/javascript" src="/admin/test/js/save.js"></script>
</html>
```

save.js

```javascript
$(document).ready(function() {
    $("#submitButton").click(function(event) {
        $('form#form').submit();
        return false;
    });
});
```

Expected behavior
The run method of the test_save.php file is executed

Screenshots (Optional)
Screenshot 2020-11-06 at 15 53 05

Error logs (Optional)

Additional context

  • Smarty templating service is used
  • Chrome, Safari
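
Added example, not part of the original issue and not code from csrfprotector.js: a DOM-free model of the failure mode reported above, where a token injector that only reacts to a `submit` event misses a programmatic `submit()` call, next to an injector that also wraps `submit()`. `FakeForm`, `TOKEN_FIELD` and the function names are hypothetical and constructed for illustration; the model assumes the standard browser behaviour that calling `form.submit()` sends the form without dispatching a `submit` event.

```javascript
const TOKEN_FIELD = 'csrf_token'; // hypothetical field name, not the library's

// Constructed stand-in for a DOM form so the example runs without a browser.
class FakeForm {
  constructor() { this.fields = {}; this.listeners = []; this.sent = null; }
  addEventListener(type, fn) { if (type === 'submit') this.listeners.push(fn); }
  // User click or requestSubmit(): 'submit' listeners run, then the form is sent.
  requestSubmit() { this.listeners.forEach(fn => fn({ target: this })); this.submit(); }
  // Programmatic submit(): the form is sent and no 'submit' event is dispatched.
  submit() { this.sent = { ...this.fields }; }
}

// Approach A: add the token only when a 'submit' event is observed.
function injectOnSubmitEvent(form, token) {
  form.addEventListener('submit', e => { e.target.fields[TOKEN_FIELD] = token; });
}

// Approach B: additionally wrap submit() so programmatic submissions carry the token.
function injectOnSubmitCall(form, token) {
  injectOnSubmitEvent(form, token);
  const nativeSubmit = form.submit;
  form.submit = function () {
    this.fields[TOKEN_FIELD] = token;
    return nativeSubmit.call(this);
  };
}

// Returns the fields the server would receive for each approach and trigger.
function demo(token) {
  const run = (inject, trigger) => {
    const form = new FakeForm();
    form.fields.someText = 'hello'; // constructed sample input
    inject(form, token);
    form[trigger]();
    return form.sent;
  };
  return {
    eventOnlyClick: run(injectOnSubmitEvent, 'requestSubmit'),
    eventOnlyProgrammatic: run(injectOnSubmitEvent, 'submit'),
    wrappedProgrammatic: run(injectOnSubmitCall, 'submit'),
  };
}
```

In the `eventOnlyProgrammatic` case the request leaves without the token, so a server that validates it rejects the request, which matches the 403 described in the report.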