From 5424f0fd7ddcc88b6745ab8b8ab77fdb9d14636d Mon Sep 17 00:00:00 2001
From: Nicolas Grekas
Date: Sun, 29 Dec 2024 17:11:26 +0100
Subject: [PATCH] [stimulus-bundle] Use get/setAttribute() to change the value of hidden CSRF fields
---
 .../assets/controllers/csrf_protection_controller.js | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/symfony/stimulus-bundle/2.20/assets/controllers/csrf_protection_controller.js b/symfony/stimulus-bundle/2.20/assets/controllers/csrf_protection_controller.js
index 6d42e5c9f..731dc8862 100644
--- a/symfony/stimulus-bundle/2.20/assets/controllers/csrf_protection_controller.js
+++ b/symfony/stimulus-bundle/2.20/assets/controllers/csrf_protection_controller.js
@@ -10,11 +10,11 @@ document.addEventListener('submit', function (event) {
 }
 var csrfCookie = csrfField.getAttribute('data-csrf-protection-cookie-value');
- var csrfToken = csrfField.value;
+ var csrfToken = csrfField.getAttribute('value');
 if (!csrfCookie && nameCheck.test(csrfToken)) {
 csrfField.setAttribute('data-csrf-protection-cookie-value', csrfCookie = csrfToken);
- csrfField.value = csrfToken = btoa(String.fromCharCode.apply(null, (window.crypto || window.msCrypto).getRandomValues(new Uint8Array(18))));
+ csrfField.setAttribute('value', csrfToken = btoa(String.fromCharCode.apply(null, (window.crypto || window.msCrypto).getRandomValues(new Uint8Array(18)))));
 }
 if (csrfCookie && tokenCheck.test(csrfToken)) {
@@ -34,8 +34,8 @@ document.addEventListener('turbo:submit-start', function (event) {
 var csrfCookie = csrfField.getAttribute('data-csrf-protection-cookie-value');
- if (tokenCheck.test(csrfField.value) && nameCheck.test(csrfCookie)) {
- event.detail.formSubmission.fetchRequest.headers[csrfCookie] = csrfField.value;
+ if (tokenCheck.test(csrfField.getAttribute('value')) && nameCheck.test(csrfCookie)) {
+ event.detail.formSubmission.fetchRequest.headers[csrfCookie] = csrfField.getAttribute('value');
 }
 });
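Review bot: `csrfField.getAttribute('value')` yields `null` when the hidden input has no `value` attribute, whereas the replaced `csrfField.value` yielded `''`, and since `RegExp.prototype.test` stringifies its argument, the first hunk's `nameCheck.test(csrfToken)` is now evaluated against the literal string `"null"` and, should `nameCheck` (defined outside the hunk) accept a four-character alphanumeric word, `setAttribute('data-csrf-protection-cookie-value', csrfCookie = csrfToken)` would store the text `null` as the cookie name. Reading it as `var csrfToken = csrfField.getAttribute('value') || '';` restores the empty-string rejection the old code had. The same coercion reaches the `tokenCheck.test(csrfField.getAttribute('value'))` guards in the second hunk and in the turbo:submit-end hunk; whether `"null"` passes there depends on `tokenCheck`, which is also outside the hunks. For an `<input type=hidden>` the `value` IDL attribute operates in default mode (it reads and writes the content attribute), so apart from this `null`/`''` difference the two access paths behave alike on hidden fields; a comment such as `// getAttribute() returns null, not '', for a missing attribute` above the first read would make the intent explicit. All three listeners begin outside their hunks.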
@@ -49,8 +49,8 @@ document.addEventListener('turbo:submit-end', function (event) {
 var csrfCookie = csrfField.getAttribute('data-csrf-protection-cookie-value');
- if (tokenCheck.test(csrfField.value) && nameCheck.test(csrfCookie)) {
- var cookie = csrfCookie + '_' + csrfField.value + '=0; path=/; samesite=strict; max-age=0';
+ if (tokenCheck.test(csrfField.getAttribute('value')) && nameCheck.test(csrfCookie)) {
+ var cookie = csrfCookie + '_' + csrfField.getAttribute('value') + '=0; path=/; samesite=strict; max-age=0';
 document.cookie = window.location.protocol === 'https:' ? '__Host-' + cookie + '; secure' : cookie;
 }