Bug #81351

open

The CSRF protection token for the requested module is missing or invalid

Added by David Brünner almost 7 years ago. Updated over 2 years ago.

Status: In Progress
Priority: Should have
Category: Fluid
Target version: -
Start date: 2017-05-26
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 8
PHP Version: 7.1
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

In my module I have a list of all entries in the database.

$this->lebenslageRepository->findAll();


<div class="container" xmlns:f="http://www.w3.org/1999/html">
  <f:widget.paginate objects="{lebenslage}" as="lebenslage" configuration="{itemsPerPage: 25, insertAbove: 0, insertBelow: 1, maximumNumberOfLinks: 10}">
    <h2>Liste aller Lebenslagen</h2>
    <f:link.action action="addForm" class="btn btn-primary">Neu</f:link.action>
    <br/><br/>
    <table class="table table-striped table-hover">
      <thead>
        <tr>
          <th>Bezeichnung</th>
          <th></th>
        </tr>
      </thead>
      <tbody>
        <kk:widget.sort objects="{lebenslage}" as="lebenslage" property="bezeichnung">
          <f:for each="{lebenslage}" as="lebenslage">
            <tr>
              <td>{lebenslage.bezeichnung}</td>
              <td>
                <f:link.action action="updateForm" arguments="{lebenslage:lebenslage}" class="btn btn-primary">
                  Bearbeiten
                </f:link.action>
                <f:link.action action="deleteForm" arguments="{lebenslage:lebenslage}" class="btn btn-primary">
                  Löschen
                </f:link.action>
              </td>
            </tr>
          </f:for>
        </kk:widget.sort>
      </tbody>
    </table>
  </f:widget.paginate>

  <f:link.action action="addForm" class="btn btn-primary">Neu</f:link.action>
  <f:link.action controller="Backend\Index" action="index" class="btn btn-secondary">Zurück</f:link.action>
</div>

<script>
  var ajaxUrl = '<f:uri.action action="sortAjax" controller="{controllerName}" pageType="99"/>';
</script>

Next I wanted to sort all entries when I click on the <th>.
With the Sort-Widget-ViewHelper I wrote, I'm not able to insert the sort button in my <th>, so I wanted to do it with Ajax:

var orderIcon = $(this).find('i.orderIcon');
if (!orderIcon.hasClass('ASC') && !orderIcon.hasClass('hide')) {
  orderIcon.addClass('ASC');
} else if (orderIcon.hasClass('ASC')) {
  orderIcon
    .removeClass('ASC')
    .addClass('hide');
} else if (orderIcon.hasClass('hide')) {
  orderIcon.removeClass('hide');
}

$.ajax({
  url: ajaxUrl,
  method: 'POST'
  ...
  ...
});

But when I now click on my <th>, in WebDeveloper I get the message: 'The CSRF protection token for the requested module is missing or invalid'.

With debugging I found the solution:
In the file TYPO3\CMS\Core\FormProtection there's a method 'validateToken(...)'.
My change in the else part:

// read the token under the parameter name the browser actually sent ("amp;moduleToken")
$tokenId = $_REQUEST['amp;moduleToken'];
if ((string)$tokenId === $validTokenId) {
  $isValid = true;
} else {
  $isValid = false;
}

In TYPO3\CMS\Backend\Http, in the function 'isValidModuleRequest()', the token is searched for in

$this->request->getQueryParams()['moduleToken']

but the queryParams look like:

Array
(
    [M] => web_KkbaybwKkbaybw
    [amp;moduleToken] => fffc6cc341becfcc9aead8b76a887f19fab988f6
    [amp;tx_kkbaybw_web_kkbaybwkkbaybw] => Array
        (
            [action] => sortAjax
            [controller] => Backend\Lebenslage
        )

)

#1

Updated by Sylwester Szytula over 6 years ago

I had the same problem. For me the solution was to add f:format.htmlentitiesDecode, like:

<script>
var url = '<f:format.htmlentitiesDecode><f:uri.action action="someActionName" /></f:format.htmlentitiesDecode>';
</script>
#2

Updated by Oliver Hader over 2 years ago

  • Tags deleted (csrf)
#3

Updated by Oliver Hader over 2 years ago

  • Status changed from New to In Progress

Looks like regular URL parameters like &moduleToken= are double-encoded to &amp;moduleToken=, which explains getting amp;moduleToken as the parameter name. I'll look into that and most probably create test cases for the URI ActionViewHelper...
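The following is an added example, not code from this issue or from TYPO3, illustrating the mechanism behind the description and comment #3: inside a <script> element the browser does not decode HTML entities, so an HTML-escaped URL is sent with "&amp;" literally in the query string and the server sees a parameter named "amp;moduleToken" instead of "moduleToken". The token check then correctly fails closed. The sample URL, the placeholder token, the base host backend.example and the small htmlEntitiesDecode() stand-in for f:format.htmlentitiesDecode are all assumptions made for this example.

```javascript
// Added example (not from the TYPO3 issue or project): why an HTML-escaped URL
// placed inside a <script> block breaks the module-token (CSRF) check.

// Constructed placeholder token; a real TYPO3 module token is derived from the session.
const VALID_TOKEN = '00112233445566778899aabbccddeeff00112233';

// Constructed sample of what an HTML-escaping URI ViewHelper emits: every "&"
// between query parameters has become "&amp;". Inside <script> (a raw text
// element) the browser leaves this untouched and sends it as-is.
const escapedUrl =
  '/typo3/index.php?M=web_kkbaybw&amp;moduleToken=' + VALID_TOKEN +
  '&amp;tx_kkbaybw_web_kkbaybw[action]=sortAjax';

// Minimal stand-in for <f:format.htmlentitiesDecode>, covering only the entities
// that can appear in a URL produced by HTML escaping (assumption for this example).
function htmlEntitiesDecode(s) {
  const map = { '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'", '&amp;': '&' };
  return s.replace(/&(lt|gt|quot|#39|amp);/g, (m) => map[m]);
}

// Server-side view of the request: split the query string on "&" only, as PHP
// does, so "amp;moduleToken" becomes the literal parameter name seen in the
// issue's print_r output.
function queryParams(url) {
  const params = {};
  for (const [k, v] of new URL(url, 'https://backend.example').searchParams) {
    params[k] = v;
  }
  return params;
}

// Constant-time string comparison so a token check does not leak which prefix matched.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Fail-closed check modelled on the isValidModuleRequest() lookup of
// getQueryParams()['moduleToken']: a missing or wrong token rejects the request.
// Reading the mangled "amp;moduleToken" name instead would only mask the bug.
function validateModuleToken(url, validToken) {
  const token = queryParams(url)['moduleToken'];
  if (typeof token !== 'string') {
    return { valid: false, reason: 'moduleToken missing' };
  }
  if (!constantTimeEqual(token, validToken)) {
    return { valid: false, reason: 'moduleToken invalid' };
  }
  return { valid: true, reason: 'ok' };
}

// Runs both variants: the escaped URL as the browser sends it from <script>,
// and the same URL after entity decoding (the fix from comment #1).
function demo() {
  return {
    rawParamNames: Object.keys(queryParams(escapedUrl)),
    raw: validateModuleToken(escapedUrl, VALID_TOKEN),
    decoded: validateModuleToken(htmlEntitiesDecode(escapedUrl), VALID_TOKEN),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The same escaped URL works fine in an href attribute, because entities are decoded in attribute values; the problem is specific to placing the ViewHelper output in JavaScript source. Decoding before embedding (comment #1) is the right fix; loosening the server-side lookup to accept the mangled name is not.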

#4

Updated by Oliver Hader over 2 years ago

  • Category changed from Extbase to Fluid