Merge pull request #1633 from nowackipawel/patch-33

Uses csrf_field and form_hidden instead of inline-html in form_open

Author: lonnieezell

system/Helpers/form_helper.php

@@ -65,6 +65,12 @@ function form_open(string $action = '', $attributes = [], array $hidden = []): s
 			$action = site_url($action);
 		}
 
+		if(is_array($attributes) && array_key_exists('csrf_id', $attributes))
+		{
+			$csrfId = $attributes['csrf_id'];
+			unset($attributes['csrf_id']);
+		}
+
 		$attributes = stringify_attributes($attributes);
 
 		if (stripos($attributes, 'method=') === false)
@@ -82,17 +88,16 @@ function form_open(string $action = '', $attributes = [], array $hidden = []): s
 		// Add CSRF field if enabled, but leave it out for GET requests and requests to external websites
 		$before = Services::filters()->getFilters()['before'];
 
-		if ((in_array('csrf', $before) || array_key_exists('csrf', $before)) && strpos($action, base_url()) !== false && ! stripos($form, 'method="get"')
-		)
+		if ((in_array('csrf', $before) || array_key_exists('csrf', $before)) && strpos($action, base_url()) !== false && ! stripos($form, 'method="get"'))
 		{
-			$hidden[csrf_token()] = csrf_hash();
+			$form .= csrf_field($csrfId ?? null);
 		}
 
 		if (is_array($hidden))
 		{
 			foreach ($hidden as $name => $value)
 			{
-				$form .= '<input type="hidden" name="' . $name . '" value="' . esc($value, 'html') . '" style="display: none;" />' . "\n";
+				$form .= form_hidden($name, $value);
 			}
 		}
 
@@ -167,7 +172,7 @@ function form_hidden($name, $value = '', bool $recursing = false): string
 
 		if (! is_array($value))
 		{
-			$form .= '<input type="hidden" name="' . $name . '" value="' . esc($value, 'html') . "\" />\n";
+			$form .= '<input type="hidden" name="' . $name . '" value="' . esc($value, 'html') . "\" style=\"display:none;\" />\n";
 		}
 		else
 		{

tests/system/Helpers/FormHelperTest.php

@@ -35,7 +35,7 @@ public function testFormOpenBasic()
 			$Name     = csrf_token();
 			$expected = <<<EOH
 <form action="http://example.com/index.php/foo/bar" name="form" id="form" method="POST" accept-charset="utf-8">
-<input type="hidden" name="$Name" value="$Value" style="display: none;" />
+<input type="hidden" name="$Name" value="$Value" style="display:none;" />
 
 EOH;
 		}
@@ -73,7 +73,7 @@ public function testFormOpenWithoutAction()
 			$Name     = csrf_token();
 			$expected = <<<EOH
 <form action="http://example.com/" name="form" id="form" method="POST" accept-charset="utf-8">
-<input type="hidden" name="$Name" value="$Value" style="display: none;" />
+<input type="hidden" name="$Name" value="$Value" style="display:none;" />
 
 EOH;
 		}
@@ -110,7 +110,7 @@ public function testFormOpenWithoutMethod()
 			$Name     = csrf_token();
 			$expected = <<<EOH
 <form action="http://example.com/index.php/foo/bar" name="form" id="form" method="post" accept-charset="utf-8">
-<input type="hidden" name="$Name" value="$Value" style="display: none;" />
+<input type="hidden" name="$Name" value="$Value" style="display:none;" />
 
 EOH;
 		}
@@ -147,16 +147,17 @@ public function testFormOpenWithHidden()
 			$Name     = csrf_token();
 			$expected = <<<EOH
 <form action="http://example.com/index.php/foo/bar" name="form" id="form" method="POST" accept-charset="utf-8">
-<input type="hidden" name="foo" value="bar" style="display: none;" />
-<input type="hidden" name="$Name" value="$Value" style="display: none;" />
+<input type="hidden" name="foo" value="bar" style="display:none;" />
+<input type="hidden" name="$Name" value="$Value" style="display:none;" />
 
 EOH;
 		}
 		else
 		{
 			$expected = <<<EOH
 <form action="http://example.com/index.php/foo/bar" name="form" id="form" method="POST" accept-charset="utf-8">
-<input type="hidden" name="foo" value="bar" style="display: none;" />
+
+<input type="hidden" name="foo" value="bar" style="display:none;" />
 
 EOH;
 		}
@@ -225,7 +226,7 @@ public function testFormOpenMultipart()
 			$Name     = csrf_token();
 			$expected = <<<EOH
 <form action="http://example.com/index.php/foo/bar" name="form" id="form" method="POST" enctype="multipart&#x2F;form-data" accept-charset="utf-8">
-<input type="hidden" name="$Name" value="$Value" style="display: none;" />
+<input type="hidden" name="$Name" value="$Value" style="display:none;" />
 
 EOH;
 		}
@@ -253,7 +254,7 @@ public function testFormHidden()
 	{
 		$expected = <<<EOH
 
-<input type="hidden" name="username" value="johndoe" />\n
+<input type="hidden" name="username" value="johndoe" style="display:none;" />\n
 EOH;
 		$this->assertEquals($expected, form_hidden('username', 'johndoe'));
 	}
@@ -266,7 +267,7 @@ public function testFormHiddenArrayInput()
 		];
 		$expected = <<<EOH
 
-<input type="hidden" name="foo" value="bar" />
+<input type="hidden" name="foo" value="bar" style="display:none;" />
 
 EOH;
 		$this->assertEquals($expected, form_hidden($data, null));
@@ -280,7 +281,7 @@ public function testFormHiddenArrayValues()
 		];
 		$expected = <<<EOH
 
-<input type="hidden" name="name[foo]" value="bar" />
+<input type="hidden" name="name[foo]" value="bar" style="display:none;" />
 
 EOH;
 		$this->assertEquals($expected, form_hidden('name', $data));

user_guide_src/source/helpers/form_helper.rst

@@ -90,6 +90,15 @@ The following functions are available:
 		The above examples would create a form similar to this::
 
 			<form method="post" accept-charset="utf-8" action="http://example.com/index.php/email/send" class="email" id="myform">
+			
+		If CSRF filter is turned on `form_open()` will generate CSRF field at the beginning of the form. You can specify ID of this field by passing csrf_id as one of the $attribute array:
+		
+			form_open('/u/sign-up', ['csrf_id' => 'my-id']);
+			
+		will return:
+		
+			<form action="/u/sign-up" method="post" accept-charset="utf-8">
+			<input type="hidden" id="my-id" name="csrf_field" value="964ede6e0ae8a680f7b8eab69136717d" />
 
 	**Adding Hidden Input Fields**