Posted by Heine on September 13, 2009 at 7:56pm
| Project: | Drupal core |
| Version: | 8.x-dev |
| Component: | forms system |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
Issue Summary
Right now, there are two unsafe places to take actions (form builder, form validate handler) and one safe place (form submit handler). If we aborted the rest of the form validation after token validation fails, we would automatically protect our validation handlers from CSRF as well, and we'd have TWO safe places and one unsafe.
The arguments for continuing validation are not strong; we can show errors on more fields. Okay, but the user will not be able to submit anyway, as the token is incorrect.
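The difference the summary describes, as an added model in plain PHP (not Drupal's form system): a validation handler with a side effect still runs on a forged request when validation continues after a failed token check, and does not run when the token failure aborts validation. The token constant, the `process_form()` pipeline and `example_validate()` are constructed for this illustration.

```php
<?php
// Constructed stand-in for the per-session secret the form token is derived from.
const SESSION_TOKEN = 'constructed-session-token';

function valid_token(string $submitted): bool {
    // Constant-time comparison, as a real token check should use.
    return hash_equals(SESSION_TOKEN, $submitted);
}

// Hypothetical validation handler that does more than inspect input: it
// performs a lookup/reservation and records it in $log. Handlers like this
// are the "unsafe place" the summary refers to if they run on a forged request.
function example_validate(array $values, array &$log): array {
    $errors = [];
    if ($values['email'] === '') {
        $errors['email'] = 'Email is required.';
    }
    $log[] = 'side effect: reservation for ' . $values['email'];
    return $errors;
}

// Minimal form validation pipeline. With $stop_on_bad_token = true, a failed
// token check returns immediately and no other validator runs.
function process_form(array $values, array $validators, bool $stop_on_bad_token, array &$log): array {
    $errors = [];
    if (!valid_token($values['form_token'] ?? '')) {
        $errors['form_token'] = 'The form token is invalid.';
        if ($stop_on_bad_token) {
            return $errors;
        }
    }
    foreach ($validators as $validator) {
        $errors += $validator($values, $log);
    }
    return $errors;
}

// Constructed forged submission: the attacker cannot supply the victim's token.
$forged = ['form_token' => 'wrong-token', 'email' => 'victim@example.com'];

$log = [];
process_form($forged, ['example_validate'], false, $log);
echo 'continue after bad token: ' . count($log) . " side effect(s) ran\n";

$log = [];
process_form($forged, ['example_validate'], true, $log);
echo 'abort on bad token:       ' . count($log) . " side effect(s) ran\n";
```

The first run shows the validation handler executing despite the failed token; the second shows it never being reached, which is the protection the summary argues for.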
Comments
#1
+1
#2
A bit late in the game now, imo :)
#3
Heine, I've incorporated this change into my patch for #240828: "This form is outdated. Reload the page and try again" is incorrect and confuses users