Commit 6b799d39 by Qiang Xue

Fixes #3358: Removed automatic CSRF meta tag generation by `View`. Added…

Fixes #3358: Removed automatic CSRF meta tag generation by `View`. Added `Html::csrfMetaTags()` and its call to main layout files
parent 1bc4fb3c
...@@ -17,6 +17,7 @@ AppAsset::register($this); ...@@ -17,6 +17,7 @@ AppAsset::register($this);
<head> <head>
<meta charset="<?= Yii::$app->charset ?>"/> <meta charset="<?= Yii::$app->charset ?>"/>
<meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="viewport" content="width=device-width, initial-scale=1">
<?= Html::csrfMetaTags() ?>
<title><?= Html::encode($this->title) ?></title> <title><?= Html::encode($this->title) ?></title>
<?php $this->head() ?> <?php $this->head() ?>
</head> </head>
......
...@@ -18,6 +18,7 @@ AppAsset::register($this); ...@@ -18,6 +18,7 @@ AppAsset::register($this);
<head> <head>
<meta charset="<?= Yii::$app->charset ?>"/> <meta charset="<?= Yii::$app->charset ?>"/>
<meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="viewport" content="width=device-width, initial-scale=1">
<?= Html::csrfMetaTags() ?>
<title><?= Html::encode($this->title) ?></title> <title><?= Html::encode($this->title) ?></title>
<?php $this->head() ?> <?php $this->head() ?>
</head> </head>
......
...@@ -17,6 +17,7 @@ AppAsset::register($this); ...@@ -17,6 +17,7 @@ AppAsset::register($this);
<head> <head>
<meta charset="<?= Yii::$app->charset ?>"/> <meta charset="<?= Yii::$app->charset ?>"/>
<meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="viewport" content="width=device-width, initial-scale=1">
<?= Html::csrfMetaTags() ?>
<title><?= Html::encode($this->title) ?></title> <title><?= Html::encode($this->title) ?></title>
<?php $this->head() ?> <?php $this->head() ?>
</head> </head>
......
...@@ -30,6 +30,7 @@ $this->beginPage(); ...@@ -30,6 +30,7 @@ $this->beginPage();
<meta charset="<?= Yii::$app->charset ?>"/> <meta charset="<?= Yii::$app->charset ?>"/>
<meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="language" content="en" /> <meta name="language" content="en" />
<?= Html::csrfMetaTags() ?>
<?php $this->head() ?> <?php $this->head() ?>
<title><?= Html::encode($this->context->pageTitle) ?></title> <title><?= Html::encode($this->context->pageTitle) ?></title>
</head> </head>
......
...@@ -13,6 +13,7 @@ yii\debug\DebugAsset::register($this); ...@@ -13,6 +13,7 @@ yii\debug\DebugAsset::register($this);
<head> <head>
<meta charset="utf-8"> <meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="viewport" content="width=device-width, initial-scale=1">
<?= Html::csrfMetaTags() ?>
<title><?= Html::encode($this->title) ?></title> <title><?= Html::encode($this->title) ?></title>
<?php $this->head() ?> <?php $this->head() ?>
</head> </head>
......
...@@ -15,6 +15,7 @@ $asset = yii\gii\GiiAsset::register($this); ...@@ -15,6 +15,7 @@ $asset = yii\gii\GiiAsset::register($this);
<head> <head>
<meta charset="utf-8"/> <meta charset="utf-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="viewport" content="width=device-width, initial-scale=1">
<?= Html::csrfMetaTags() ?>
<title><?= Html::encode($this->title) ?></title> <title><?= Html::encode($this->title) ?></title>
<?php $this->head() ?> <?php $this->head() ?>
</head> </head>
......
...@@ -101,6 +101,7 @@ Yii Framework 2 Change Log ...@@ -101,6 +101,7 @@ Yii Framework 2 Change Log
- Chg #2913: RBAC `DbManager` is now initialized via migration (samdark) - Chg #2913: RBAC `DbManager` is now initialized via migration (samdark)
- Chg #3036: Upgraded Twitter Bootstrap to 3.1.x (qiangxue) - Chg #3036: Upgraded Twitter Bootstrap to 3.1.x (qiangxue)
- Chg #3175: InvalidCallException, InvalidParamException, UnknownMethodException are now extended from SPL BadMethodCallException (samdark) - Chg #3175: InvalidCallException, InvalidParamException, UnknownMethodException are now extended from SPL BadMethodCallException (samdark)
- Chg #3358: Removed automatic CSRF meta tag generation by `View`. Added `Html::csrfMetaTags()` and its call to main layout files (qiangxue)
- Chg #3383: Added `$type` parameter to `IdentityInterface::findIdentityByAccessToken()` (qiangxue) - Chg #3383: Added `$type` parameter to `IdentityInterface::findIdentityByAccessToken()` (qiangxue)
- Chg #3531: \yii\grid\GridView now allows any character (except ":") in the attribute part of the shorthand syntax for columns (rawtaz) - Chg #3531: \yii\grid\GridView now allows any character (except ":") in the attribute part of the shorthand syntax for columns (rawtaz)
- Chg #3544: Added `$key` as a parameter to the callable specified via `yii\grid\DataColumn::value` (mdmunir) - Chg #3544: Added `$key` as a parameter to the callable specified via `yii\grid\DataColumn::value` (mdmunir)
......
...@@ -49,4 +49,7 @@ Upgrade from Yii 2.0 Beta ...@@ -49,4 +49,7 @@ Upgrade from Yii 2.0 Beta
You can add it with `ALTER TABLE log ADD COLUMN prefix TEXT AFTER log_time;`. You can add it with `ALTER TABLE log ADD COLUMN prefix TEXT AFTER log_time;`.
* The `fileinfo` PHP extension is now required by Yii. If you use `yii\helpers\FileHelper::getMimeType()`, make sure * The `fileinfo` PHP extension is now required by Yii. If you use `yii\helpers\FileHelper::getMimeType()`, make sure
you have enabled this extension. This extension is [builtin](http://www.php.net/manual/en/fileinfo.installation.php) in php above `5.3`. you have enabled this extension. This extension is [builtin](http://www.php.net/manual/en/fileinfo.installation.php) in php above `5.3`.
\ No newline at end of file
* Please update your main layout file by adding this line in the `<head>` section: `<?= Html::csrfMetaTags() ?>`.
This change is needed because `yii\web\View` no longer automatically generates CSRF meta tags due to issue #3358.
...@@ -249,6 +249,22 @@ class BaseHtml ...@@ -249,6 +249,22 @@ class BaseHtml
} }
/** /**
* Generates the meta tags containing CSRF token information.
* @return string the generated meta tags
* @see Request::enableCsrfValidation
*/
public static function csrfMetaTags()
{
$request = Yii::$app->getRequest();
if ($request instanceof Request && $request->enableCsrfValidation) {
return static::tag('meta', '', ['name' => 'csrf-param', 'content' => $request->csrfParam]) . "\n "
. static::tag('meta', '', ['name' => 'csrf-token', 'content' => $request->getCsrfToken()]) . "\n";
} else {
return '';
}
}
/**
* Generates a form start tag. * Generates a form start tag.
* @param array|string $action the form action URL. This parameter will be processed by [[Url::to()]]. * @param array|string $action the form action URL. This parameter will be processed by [[Url::to()]].
* @param string $method the form submission method, such as "post", "get", "put", "delete" (case-insensitive). * @param string $method the form submission method, such as "post", "get", "put", "delete" (case-insensitive).
......
...@@ -104,6 +104,7 @@ class Request extends \yii\base\Request ...@@ -104,6 +104,7 @@ class Request extends \yii\base\Request
* *
* In JavaScript, you may get the values of [[csrfParam]] and [[csrfToken]] via `yii.getCsrfParam()` and * In JavaScript, you may get the values of [[csrfParam]] and [[csrfToken]] via `yii.getCsrfParam()` and
* `yii.getCsrfToken()`, respectively. The [[\yii\web\YiiAsset]] asset must be registered. * `yii.getCsrfToken()`, respectively. The [[\yii\web\YiiAsset]] asset must be registered.
* You also need to include CSRF meta tags in your pages by using [[\yii\helpers\Html::csrfMetaTags()]].
* *
* @see Controller::enableCsrfValidation * @see Controller::enableCsrfValidation
* @see http://en.wikipedia.org/wiki/Cross-site_request_forgery * @see http://en.wikipedia.org/wiki/Cross-site_request_forgery
......
...@@ -460,12 +460,6 @@ class View extends \yii\base\View ...@@ -460,12 +460,6 @@ class View extends \yii\base\View
$lines[] = implode("\n", $this->metaTags); $lines[] = implode("\n", $this->metaTags);
} }
$request = Yii::$app->getRequest();
if ($request instanceof \yii\web\Request && $request->enableCsrfValidation && !$request->getIsAjax()) {
$lines[] = Html::tag('meta', '', ['name' => 'csrf-param', 'content' => $request->csrfParam]);
$lines[] = Html::tag('meta', '', ['name' => 'csrf-token', 'content' => $request->getCsrfToken()]);
}
if (!empty($this->linkTags)) { if (!empty($this->linkTags)) {
$lines[] = implode("\n", $this->linkTags); $lines[] = implode("\n", $this->linkTags);
} }
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment