
submit html form security error

#1
In a XenForo page using xen:callback under template HTML I'm having some problems submitting a custom form.

Template HTML:
<xen:callback class="Calendar_Installer" method="getHtml"><xen:require css="characterinfo.css"/>
</xen:callback>


Installer contains this:
<form action="" method="post">
<input type="hidden" name="_xfToken" value="{$visitor.csrf_token_page}" />
<textarea name="wstxt" id="wstxt" cols="40" rows="5"></textarea>
<input type="submit" name="submit" value="submit" />
</form>


I then use PHP to handle the submission
<?php
if (isset($_POST['submit'])) {
    // ... executes SQL query ...
}
?>


When I submit I get the following:

Security error occurred. Please press back, refresh the page, and try again.


I had read this was due to csrf_token not being passed in through the form, but I added that and still have the same error. Any suggestions, or can I provide some additional information that might help?

*Edit: this all works fine when calling the PHP code outside of XenForo.
 

Jake B.

Well-known member
#2
Your form is missing the _xfToken input with {$visitor.csrf_token_page} as the value. However, you should probably be using XenForo's input classes instead of $_POST
 
#3
@Jake B.
Is it different from this?
<input type="hidden" name="_xfToken" value="{$visitor.csrf_token_page}" />

Is there a place I can find more information on the input classes?
 
#4
Do I maybe need to include some template so the $visitor.csrf_token_page value is populated?

If I change the <input type="text" ...> I just see {$visitor.csrf_token_page}

At the top of the program I have this: $visitor = XenForo_Visitor::getInstance()->toArray();
Is this incorrect/causing a conflict? I do this to grab a custom field ($visitor['customFields']['custom_field']).
 

Jake B.

Well-known member
#5
Do I maybe need to include some template so the $visitor.csrf_token_page value is populated?

If I change the <input type="text" ...> I just see {$visitor.csrf_token_page}

At the top of the program I have this: $visitor = XenForo_Visitor::getInstance()->toArray();
Is this incorrect/causing a conflict? I do this to grab a custom field ($visitor['customFields']['custom_field']).
It should always be populated, missed that you had it in your form. If you inspect element on your form does it show a value?
 
#6
Looking at it in the source I just see:
<input type="hidden" name="_xfToken" value="{$visitor.csrf_token_page}">
I would assume it should be translated to the value; I see another xfToken entry at a different point and it contains a value.
 

Liam W

Well-known member
#7
When you say installer, are you using that form in a template or just outputting text? Template syntax only works in templates...

Liam
 
#8
Installer is a terrible name on my part; it's just a PHP program I call that does all of the work/output. No templates are being used, which explains why my value isn't being populated.

I imagine I can pass this value in using <xen:include template="template_name" /> within the Template HTML box? { Looking more, maybe not }

I'm not at all proficient in PHP, but I can usually hack my way through things; however, adding XenForo to the mix, I get pretty lost :(


If I can't get this value into the PHP code, is there a way I can disable it for this specific form? It's only accessible to a very few people.
 
#9
Got it, passed it in as such:

Page template HTML:
<xen:callback class="Calendar_Installer" method="getHtml" params="{$visitor.csrf_token_page}">
</xen:callback>

Installer.php
grabbed it using:
$cftok = func_get_arg(1);
 

Robust

Well-known member
#10
Use XenForo_Input tbh, it filters the input data for you and it's the right way to do things.

$this->_input is already defined in some areas of XF. You can also create a new XenForo_Input based on a request, but models shouldn't be doing filtering of data, controllers should.
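Pulling posts #9 and #10 together, here is an added example (not code from this thread or from XenForo itself) of a callback class that embeds the token handed to it through params and a handler that reads the POST via XenForo_Input and verifies the token before touching the database. Assumed: the XenForo 1.x callback signature getHtml($contents, $params), the XenForo_Input, XenForo_Visitor and XenForo_Application calls as they exist in XF 1.x, PHP 5.6+ for hash_equals(), and the placeholder table xf_ws_text.

```php
<?php
// Added example, not the thread's own code. Assumes XenForo 1.x, where a
// <xen:callback> calls ClassName::method($contents, $params); the table
// name xf_ws_text is a placeholder.
class Calendar_Installer
{
    // Template: <xen:callback class="Calendar_Installer" method="getHtml"
    //           params="{$visitor.csrf_token_page}"></xen:callback>
    // params is resolved by the template engine before we run; what this
    // method returns is not template-parsed, so a literal {$visitor...}
    // written here would reach the browser unresolved (post #6).
    public static function getHtml($contents, $params)
    {
        $token = is_array($params) ? (string) reset($params) : (string) $params;
        $safe  = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
        return '<form action="" method="post">'
             . '<input type="hidden" name="_xfToken" value="' . $safe . '" />'
             . '<textarea name="wstxt" id="wstxt" cols="40" rows="5"></textarea>'
             . '<input type="submit" name="submit" value="submit" />'
             . '</form>';
    }
    // Returns true on success, false on a bad token, null if not a POST.
    public static function handlePost()
    {
        if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
            return null;
        }
        // Read through XenForo_Input rather than $_POST (posts #2 and #10).
        $input = new XenForo_Input(new Zend_Controller_Request_Http());
        $data  = $input->filter(array(
            '_xfToken' => XenForo_Input::STRING,
            'wstxt'    => XenForo_Input::STRING,
        ));
        // XenForo's page controller already rejects a POST with a missing or
        // wrong token ("Security error occurred"); re-checking keeps the SQL
        // guarded if this code is run outside that controller (post #1 edit).
        $visitor  = XenForo_Visitor::getInstance()->toArray();
        $expected = (string) $visitor['csrf_token_page'];
        if ($expected === '' || !hash_equals($expected, $data['_xfToken'])) {
            return false;
        }
        // Parameterised query: user text never enters the SQL string.
        XenForo_Application::getDb()->query(
            'INSERT INTO xf_ws_text (user_id, text) VALUES (?, ?)',
            array($visitor['user_id'], $data['wstxt'])
        );
        return true;
    }
}
```

The callback output is escaped with htmlspecialchars so the token value cannot break out of the attribute, and the handler never reads $_POST directly.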