Using X-editable with CodeIgniter 3 CSRF issue
I'm using CodeIgniter 3 with CSRF enabled. I have a page that is using X-editable library http://vitalets.github.io/x-editable/index.html to do inline editing on that page.
Has anyone used X-editable with CodeIgniter and CSRF turned on?
My issue is when I have CSRF enabled I get the following CodeIgniter generated error:
<h1>An Error Was Encountered</h1>
<p>The action you have requested is not allowed.</p>
It works fine if I disable CSRF in CI.
What I do know is that I can't figure out a way to add a hidden field with the CSRF token when using the X-editable library, because the JavaScript library adds its own form and form fields. I know that CI's open_form() method adds the hidden field with the CSRF token automatically, but I have no option to use that with this particular library.
Any ideas? I have been stuck on this for a few days now.
This is the config.php file in my CI project
$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'mycsrfname';
$config['csrf_cookie_name'] = 'csrfcookiename';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = TRUE;
$config['csrf_exclude_uris'] = array();
This is in the controller
$name = $this->input->post('name');
$value = $this->input->post('value');
$pk = $this->input->post('pk');
$result = $this->garage_model->editItem($name,$value,$pk);
It's not a good idea to disable the CSRF token for your ajax call. Instead you should send the token via params:
params: function(params) {
params.csrfToken = $.cookie('csrfCookie');
return params;
}
In my case I've excluded URLs from CSRF for this script to work; look in the config file at: $config['csrf_exclude_uris'] = array('thename/ofcontrollertodisable');
Tell me if you find a better solution!
If it is still up to date, maybe this could help you.
To avoid the Cross-site request forgery (CSRF) problem with Ajax, you can write the following in a global page JavaScript:
var csfrData = {};
csfrData['<?php echo $this->security->get_csrf_token_name(); ?>'] = '<?php echo $this->security->get_csrf_hash(); ?>';
And then use this in your function:
// Attach CSRF data token
$.ajaxSetup({ data: csfrData });
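
Added example, not part of the original posts: with csrf_regenerate set to TRUE as in the question's config, CodeIgniter 3 replaces the token after each accepted POST, so a value captured once at page load stops matching after the first inline edit. The code below reads the cookie at request time and sends it under the configured field name; it assumes an empty cookie_prefix and a CSRF cookie that scripts can read (cookie_httponly FALSE), and readCookie, withCsrf and the #item selector are hypothetical names.

```javascript
// Added example. Names come from the question's config.php:
//   csrf_token_name = 'mycsrfname', csrf_cookie_name = 'csrfcookiename'
// Assumption: cookie_prefix is empty and the cookie is not HttpOnly.
const CSRF_TOKEN_NAME = 'mycsrfname';
const CSRF_COOKIE_NAME = 'csrfcookiename';

// Return the value of one cookie from a "k=v; k2=v2" string, or null.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Copy X-editable's params (name, value, pk) and add the current token.
// Reading the cookie per request matters with csrf_regenerate = TRUE,
// because every accepted POST replaces the token.
function withCsrf(params, cookieString) {
  if (cookieString === undefined) {
    cookieString = typeof document !== 'undefined' ? document.cookie : '';
  }
  const token = readCookie(cookieString, CSRF_COOKIE_NAME);
  if (token === null) {
    throw new Error('CSRF cookie missing; reload the page to get a token');
  }
  return Object.assign({}, params, { [CSRF_TOKEN_NAME]: token });
}

// In the page (selector is hypothetical):
//   $('#item').editable({ params: function (p) { return withCsrf(p); } });

// Constructed sample: two edits with a token rotation in between.
function demo() {
  const edit = { name: 'title', value: 'x', pk: 7 };
  const first = withCsrf(edit, 'ci_session=abc; csrfcookiename=aaa111');
  const second = withCsrf(edit, 'ci_session=abc; csrfcookiename=bbb222');
  return [first.mycsrfname, second.mycsrfname];
}
```

This keeps CSRF protection enabled for the edit endpoint, so no entry in csrf_exclude_uris is needed.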