Implement #10078: Allow disabling csrf hidden input generation on a form

2025-08-13 22:06:51 +08:00 · 2015-11-18 10:22:31 +01:00
parent 1a48d24830
commit cca500083e
3 changed files with 24 additions and 1 deletions
--- a/framework/CHANGELOG.md
+++ b/framework/CHANGELOG.md
@ -63,6 +63,7 @@ Yii Framework 2 Change Log
 - Chg #9411: `DetailView` now automatically sets container tag ID in case it's not specified (samdark)
 - Chg #9953: `TimestampBehavior::getValue()` changed to make value processing consistent with `AttributeBehavior::getValue()` (silverfire)
 - New #10083: Added wrapper for PHP webserver (samdark)
+- Enh #10078: Added `csrf` option to `Html::beginForm()` to allow disabling the hidden csrf field generation. (machour)
 - Enh #10098: Changed `yii.confirm` context bind to triggered dom element. (lichunqiang)

 2.0.6 August 05, 2015
--- a/framework/helpers/BaseHtml.php
+++ b/framework/helpers/BaseHtml.php
@ -300,6 +300,7 @@ class BaseHtml
     * the attributes of the resulting tag. The values will be HTML-encoded using [[encode()]].
     * If a value is null, the corresponding attribute will not be rendered.
     * See [[renderTagAttributes()]] for details on how attributes are being rendered.
+     * The "csrf" special option can be set to FALSE to prevent the form from generating the CSRF hidden field.
     * @return string the generated form start tag.
     * @see endForm()
     */
@ -316,7 +317,9 @@ class BaseHtml
                $hiddenInputs[] = static::hiddenInput($request->methodParam, $method);
                $method = 'post';
            }
-            if ($request->enableCsrfValidation && !strcasecmp($method, 'post')) {
+            $csrf = ArrayHelper::remove($options, 'csrf', true);
+
+            if ($csrf && $request->enableCsrfValidation && !strcasecmp($method, 'post')) {
                $hiddenInputs[] = static::hiddenInput($request->csrfParam, $request->getCsrfToken());
            }
        }
--- a/tests/framework/helpers/HtmlTest.php
+++ b/tests/framework/helpers/HtmlTest.php
@ -859,6 +859,25 @@ EOD;
        $model->description = $value;
        $this->assertEquals($expectedHtml, Html::activeTextArea($model, 'description', $options));
    }
+
+    /**
+     * Fixes #10078
+     */
+    public function testCsrfDisable()
+    {
+        Yii::$app->request->enableCsrfValidation = true;
+        Yii::$app->request->cookieValidationKey = 'foobar';
+
+        $csrfForm = Html::beginForm('/index.php', 'post', ['id' => 'mycsrfform']);
+        $this->assertEquals(
+            '<form id="mycsrfform" action="/index.php" method="post">'
+            . "\n" . '<input type="hidden" name="_csrf" value="' . Yii::$app->request->getCsrfToken() . '">',
+            $csrfForm
+        );
+
+        $noCsrfForm = Html::beginForm('/index.php', 'post', ['csrf' => false, 'id' => 'myform']);
+        $this->assertEquals('<form id="myform" action="/index.php" method="post">', $noCsrfForm);
+    }
 }

 class HtmlTestModel extends Model