Minor rewords in the CSRF docs #10879
Merged
javiereguiluz merged 1 commit into symfony:4.1 from javiereguiluz:advanced_csrf
Jan 15, 2019
8 changes: 5 additions & 3 deletions reference/twig_reference.rst
Expand Up@@ -277,6 +277,8 @@ form_rest
Renders all fields that have not yet been rendered, more information in
:ref:`the Twig Form reference <reference-forms-twig-rest>`.

.. _reference-twig-function-csrf-token:

csrf_token
~~~~~~~~~~

Expand All@@ -285,10 +287,10 @@ csrf_token
{{ csrf_token(intention) }}

``intention``
**type**: ``string``
**type**: ``string`` - an arbitrary string used to generate the token value.

Renders a CSRF token. Use this function if you want CSRF protectionwithout
creating a form.
Renders a CSRF token. Use this function if you want:doc:`CSRF protection</security/csrf>`
in aregular HTMLform not managed by the Symfony Form component.

is_granted
~~~~~~~~~~
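
Review bot: the added description of ``intention`` ("an arbitrary string used to generate the token value") does not say that the same string has to be supplied again when the submitted token is checked, so a reader can take it for a throwaway label. Suggest extending the line, for example: "an arbitrary string used to generate the token value; the same string must be used when the token is validated".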
20 changes: 13 additions & 7 deletions security/csrf.rst
Expand Up@@ -109,22 +109,28 @@ CSRF Protection in Login Forms
See :doc:`/security/form_login_setup` for a login form that is protected from
CSRF attacks.

CSRF Protection in HTML Forms
-----------------------------
.. _csrf-protection-in-html-forms:

Generating and Checking CSRF Tokens Manually
--------------------------------------------

.. versionadded:: 4.1

In Symfony versions prior to 4.1, CSRF support required installing the
Symfony Form component even if you didn't use it.

It's also possible to add CSRF protection to regular HTML forms not managed by
the Symfony Form component, for example the simple forms used to delete items.
First, use the ``csrf_token()`` function in the Twig template to generate a CSRF
token and store it as a hidden field of the form:
Although Symfony Forms provide automatic CSRF protection by default, you may
need to generate and check CSRF tokens manually for example when using regular
HTML forms not managed by the Symfony Form component.

Consider a simple HTML form created to allow deleting items. First, use the
:ref:`csrf_token() Twig function <reference-twig-function-csrf-token>` to
generate a CSRF token in the template and store it as a hidden form field:

.. code-block:: twig

<form action="{{ url('admin_post_delete', { id: post.id }) }}" method="post">
{# the argument of csrf_token() is an arbitraryvalue used to generate the token #}
{# the argument of csrf_token() is an arbitrarystring used to generate the token #}
<input type="hidden" name="token" value="{{ csrf_token('delete-item') }}" />

<button type="submit">Delete item</button>
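
Review bot: missing comma in the added paragraph under the new "Generating and Checking CSRF Tokens Manually" heading: "check CSRF tokens manually for example when using regular HTML forms" reads as one run-on clause. Suggest "check CSRF tokens manually, for example when using regular HTML forms not managed by the Symfony Form component."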