
submit html form security error

Discussion in 'XenForo Development Discussions' started by Alteredd, Nov 3, 2015.

  1. Alteredd

    Alteredd Member

    In a XenForo page using xen:callback under Template HTML I'm having some problems submitting a custom form.

    Template HTML:
    <xen:callback class="Calendar_Installer" method="getHtml"></xen:callback><xen:require css="characterinfo.css"/>

    Installer contains this:
    <form action="" method="post">
    <input type="hidden" name="_xfToken" value="{$visitor.csrf_token_page}" />
    <textarea name="wstxt" id="wstxt" cols="40" rows="5"></textarea>
    <input type="submit" name="submit" value="submit" />
    </form>

    I then use PHP to handle the submission:
    if (isset($_POST['submit'])) {
        // <<Executes SQL query>>
    }

    When i submit i get the following:

    Security error occurred. Please press back, refresh the page, and try again.

    I had read this was due to csrf_token not being passed in through the form, but I added that and still have the same error. Any suggestions, or can I provide some additional information that might help?

    *Edit: this all works fine when calling the PHP code outside of XenForo.
  2. Jake B.

    Jake B. Well-Known Member

    Your form is missing the _xfToken input with {$visitor.csrf_token_page} as the value. However, you should probably be using XenForo's input classes instead of $_POST
  3. Alteredd

    Alteredd Member

    @Jake B.
    Is it different from this?
    <input type="hidden" name="_xfToken" value="{$visitor.csrf_token_page}" />

    Is there a place I can find more information on the input classes?
  4. Alteredd

    Alteredd Member

    Do I maybe need to include some template so the $visitor.csrf_token_page value is populated?

    If I change the input to <input type="text" ...>, I just see {$visitor.csrf_token_page}

    At the top of the program I have this: $visitor = XenForo_Visitor::getInstance()->toArray();
    Is this incorrect/causing a conflict? I do this to grab a custom field ($visitor['customFields']['custom_field']).
  5. Jake B.

    Jake B. Well-Known Member

    It should always be populated; I missed that you had it in your form. If you inspect element on your form, does it show a value?
  6. Alteredd

    Alteredd Member

    Looking at it in the source I just see:
    <input type="hidden" name="_xfToken" value="{$visitor.csrf_token_page}">
    I would assume it should be translated to the value; I see another xfToken entry at a different point and it contains a value.
  7. Liam W

    Liam W Well-Known Member

    When you say installer, are you using that form in a template or just outputting text? Template syntax only works in templates...

  8. Alteredd

    Alteredd Member

    Installer is a terrible name on my part; it's just a PHP program I call that does all of the work/output. No templates are being used, which explains why my value isn't being populated.

    I imagine I can pass this value in using <xen:include template="template_name" /> within the Template HTML box? { Looking more, maybe not }

    I'm not at all proficient in PHP, but I can usually hack my way through things; however, adding XenForo to the mix, I get pretty lost :(

    If I can't get this value into the PHP code, is there a way I can disable it for this specific form? It's only accessible to a very few people.
    Last edited: Nov 3, 2015
  9. Alteredd

    Alteredd Member

    Got it, passed it in as such:

    Page template HTML:
    <xen:callback class="Calendar_Installer" method="getHtml" params="{$visitor.csrf_token_page}"></xen:callback>

    grabbed it using:
    $cftok = func_get_arg(1);
  10. Robust

    Robust Well-Known Member

    Use XenForo_Input tbh; it filters the input data for you and it's the right way to do things.

    $this->_input is already defined in some areas of XF. You can also create a new XenForo_Input based on a request, but models shouldn't be doing filtering of data, controllers should.
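Putting posts 9 and 10 together, here is an added example (not code from the thread or from XenForo) of what the callback class can look like: the real token value arrives through the params attribute and is written into the hidden _xfToken field, so the browser submits the actual token instead of the literal "{$visitor.csrf_token_page}" string, and the submitted text is read through XenForo_Input rather than raw $_POST. It assumes a XenForo 1.x page callback whose first argument is the page controller, that getRequest()/getInput() are available on it, and a placeholder table name.

```php
<?php
// Added example, not the thread's own code. Assumed: XenForo 1.x page-node
// callback, first argument is the controller, second is the params value.
class Calendar_Installer
{
    public static function getHtml()
    {
        $controller = func_get_arg(0); // assumed: XenForo_ControllerPublic_Abstract
        $cftok      = func_get_arg(1); // value of params="{$visitor.csrf_token_page}"

        if ($controller->getRequest()->isPost()) {
            // XenForo has already answered with the "Security error" message if
            // the posted _xfToken did not match, so only the payload is read
            // here, filtered through XenForo_Input instead of raw $_POST.
            $input = $controller->getInput();
            $wstxt = $input->filterSingle('wstxt', XenForo_Input::STRING);

            // Bound parameter rather than concatenating user text into SQL.
            // xf_calendar_ws is a placeholder table name.
            $db = XenForo_Application::getDb();
            $db->query('INSERT INTO xf_calendar_ws (wstxt) VALUES (?)', array($wstxt));
        }

        // Escape the token so it cannot break out of the attribute.
        return '<form action="" method="post">'
            . '<input type="hidden" name="_xfToken" value="'
            . htmlspecialchars($cftok, ENT_QUOTES, 'UTF-8') . '" />'
            . '<textarea name="wstxt" id="wstxt" cols="40" rows="5"></textarea>'
            . '<input type="submit" name="submit" value="submit" />'
            . '</form>';
    }
}
```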
