From 287d050981cc789ca9c330ecd64c199fe49623a7 Mon Sep 17 00:00:00 2001
From: Nicolas Grekas
Date: Mon, 6 Jan 2025 15:49:34 +0100
Subject: [PATCH] [stimulus-bundle] Match name="_csrf_token" when looking for CSRF fields
---
 .../2.20/assets/controllers/csrf_protection_controller.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/symfony/stimulus-bundle/2.20/assets/controllers/csrf_protection_controller.js b/symfony/stimulus-bundle/2.20/assets/controllers/csrf_protection_controller.js
index 075d06cd5..b4b8ab9f4 100644
--- a/symfony/stimulus-bundle/2.20/assets/controllers/csrf_protection_controller.js
+++ b/symfony/stimulus-bundle/2.20/assets/controllers/csrf_protection_controller.js
@@ -3,7 +3,7 @@ var tokenCheck = /^[-_/+a-zA-Z0-9]{24,}$/;
 // Generate and double-submit a CSRF token in a form field and a cookie, as defined by Symfony's SameOriginCsrfTokenManager
 document.addEventListener('submit', function (event) {
- var csrfField = event.target.querySelector('input[data-controller="csrf-protection"]');
+ var csrfField = event.target.querySelector('input[data-controller="csrf-protection"], input[name="_csrf_token"]');
 if (!csrfField) {
 return;
@@ -26,7 +26,7 @@ document.addEventListener('submit', function (event) {
 // When @hotwired/turbo handles form submissions, send the CSRF token in a header in addition to a cookie
 // The `framework.csrf_protection.check_header` config option needs to be enabled for the header to be checked
 document.addEventListener('turbo:submit-start', function (event) {
- var csrfField = event.detail.formSubmission.formElement.querySelector('input[data-controller="csrf-protection"]');
+ var csrfField = event.detail.formSubmission.formElement.querySelector('input[data-controller="csrf-protection"], input[name="_csrf_token"]');
 if (!csrfField) {
 return;
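Review bot: In the `submit` hunk, `querySelector` with a selector list returns the first matching input in document order, so a form that carries both a `data-controller="csrf-protection"` input and an `input[name="_csrf_token"]` is handled through whichever comes first, and any form with a field of that name is now opted in without the data attribute. Neither that precedence nor the hard-coded name is documented; applications that post their token under a different field name still need the `data-controller` attribute. I would state this above the listener, e.g. `// Matches the first input carrying data-controller="csrf-protection" or named "_csrf_token"; fields with another name must keep the data attribute`. The same applies to the `turbo:submit-start` and `turbo:submit-end` hunks. The listener bodies continue outside the hunks, so what is done with the matched field's value is not visible here.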
@@ -41,7 +41,7 @@ document.addEventListener('turbo:submit-start', function (event) {
 // When @hotwired/turbo handles form submissions, remove the CSRF cookie once a form has been submitted
 document.addEventListener('turbo:submit-end', function (event) {
- var csrfField = event.detail.formSubmission.formElement.querySelector('input[data-controller="csrf-protection"]');
+ var csrfField = event.detail.formSubmission.formElement.querySelector('input[data-controller="csrf-protection"], input[name="_csrf_token"]');
 if (!csrfField) {
 return;
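Review bot: The selector string `'input[data-controller="csrf-protection"], input[name="_csrf_token"]'` is now repeated verbatim in three listeners (this `turbo:submit-end` hunk and the `submit` and `turbo:submit-start` hunks), and this commit had to edit all three. If a later change misses one copy, the listeners could disagree on which field they act on; presumably that could leave a cookie written on submit that this listener never removes. A shared constant next to `tokenCheck` would avoid that: `var csrfFieldSelector = 'input[data-controller="csrf-protection"], input[name="_csrf_token"]';` with `querySelector(csrfFieldSelector)` in each listener. The listener body continues outside the hunk.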