Skip to content

Commit

Permalink
[stimulus-bundle] Use get/setAttribute() to change the value of hidde…
Browse files Browse the repository at this point in the history 
…n CSRF fields
  • Loading branch information
@nicolas-grekas
nicolas-grekas committed Jan 5, 2025
1 parent 5f3e6c5 commit 5424f0f
Showing 1 changed file with 6 additions and 6 deletions.
12 changes: 6 additions & 6 deletions symfony/stimulus-bundle/2.20/assets/controllers/csrf_protection_controller.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,11 +10,11 @@ document.addEventListener('submit', function (event) {
}

var csrfCookie = csrfField.getAttribute('data-csrf-protection-cookie-value');
var csrfToken = csrfField.value;
var csrfToken = csrfField.getAttribute('value');

if (!csrfCookie && nameCheck.test(csrfToken)) {
csrfField.setAttribute('data-csrf-protection-cookie-value', csrfCookie = csrfToken);
csrfField.value = csrfToken = btoa(String.fromCharCode.apply(null, (window.crypto || window.msCrypto).getRandomValues(new Uint8Array(18))));
csrfField.setAttribute('value', csrfToken = btoa(String.fromCharCode.apply(null, (window.crypto || window.msCrypto).getRandomValues(new Uint8Array(18)))));
}

if (csrfCookie && tokenCheck.test(csrfToken)) {
Expand All @@ -34,8 +34,8 @@ document.addEventListener('turbo:submit-start', function (event) {

var csrfCookie = csrfField.getAttribute('data-csrf-protection-cookie-value');

if (tokenCheck.test(csrfField.value) && nameCheck.test(csrfCookie)) {
event.detail.formSubmission.fetchRequest.headers[csrfCookie] = csrfField.value;
if (tokenCheck.test(csrfField.getAttribute('value')) && nameCheck.test(csrfCookie)) {
event.detail.formSubmission.fetchRequest.headers[csrfCookie] = csrfField.getAttribute('value');
}
});

Expand All @@ -49,8 +49,8 @@ document.addEventListener('turbo:submit-end', function (event) {

var csrfCookie = csrfField.getAttribute('data-csrf-protection-cookie-value');

if (tokenCheck.test(csrfField.value) && nameCheck.test(csrfCookie)) {
var cookie = csrfCookie + '_' + csrfField.value + '=0; path=/; samesite=strict; max-age=0';
if (tokenCheck.test(csrfField.getAttribute('value')) && nameCheck.test(csrfCookie)) {
var cookie = csrfCookie + '_' + csrfField.getAttribute('value') + '=0; path=/; samesite=strict; max-age=0';

document.cookie = window.location.protocol === 'https:' ? '__Host-' + cookie + '; secure' : cookie;
}
Expand Down

0 comments on commit 5424f0f

Please sign in to comment.