paragonie/anti-csrf

validateRequest always returns false on IE8.

Closed this issue · 6 comments

On IE8 (I haven't tested other versions), when I submit the form which contains the token, it always returns an error since validateRequest returns false.
What could cause this?

(On Chrome, Opera, etc. it works OK.)

What does $_SESSION look like when you're in IE8? It could be a session cookie issue.

OK, after some checks, it seems that the problem is caused by the htmlentities function (which is called by the noHTML function). So on IE8 it receives and sends e.g. this: xzkl/asd as xzkl/asd. So it never finds the index.
So the solution is either to get rid of this function, or else:
In the validateRequest function I've changed these:

        // Let's pull the POST data
        $index = $_POST[self::FORM_INDEX];
        $token = $_POST[self::FORM_TOKEN];

to:

        // Let's pull the POST data
        $index = html_entity_decode($_POST[self::FORM_INDEX], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $token = html_entity_decode($_POST[self::FORM_TOKEN], ENT_QUOTES | ENT_HTML5, 'UTF-8');

And now it is OK with IE8 too.
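The following is an added example, not code from this issue or from anti-csrf itself, that reproduces the mechanism the reporter describes: htmlentities() with ENT_HTML5 rewrites characters of the base64 alphabet ('/', '+', '=') into named entities, so a client that submits the rendered attribute value verbatim can never match the stored index, while html_entity_decode() on receipt restores it. The noHTML() helper mirrors the shape of the library function discussed above; the SESSION array, the index and token values, and the lookup() function are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not anti-csrf's own code. noHTML() mirrors the shape of the
// library helper discussed in this issue; SESSION, the index/token values and
// lookup() are constructed stand-ins for the library's real state and checks.

function noHTML(string $untrusted, int $flags): string
{
    return htmlentities($untrusted, $flags, 'UTF-8');
}

// Constructed stand-in for the server-side CSRF state: index => token.
// Both are base64, so they contain '/', '+' and '=', which ENT_HTML5 turns
// into the named entities &sol;, &plus; and &equals;.
const SESSION = [
    'xzkl/asd+Q==' => 'Zm9vL2Jhcg==',
];

// Look up the token for an index exactly as it arrived in the POST body.
function lookup(string $postedIndex): ?string
{
    return SESSION[$postedIndex] ?? null;
}

$index = 'xzkl/asd+Q==';

$html5   = noHTML($index, ENT_QUOTES | ENT_HTML5);
$html401 = noHTML($index, ENT_QUOTES | ENT_HTML401);

// Under ENT_HTML401 the base64 alphabet is left alone, so the value rendered
// into the form attribute is the original index and the lookup succeeds.
assert($html401 === $index);
assert(lookup($html401) !== null);

// Under ENT_HTML5 the rendered value differs from the key. A client that
// submits that attribute value verbatim, as the reporter saw on IE8, never
// finds the index.
assert($html5 !== $index);
assert(lookup($html5) === null);

// The reporter's workaround: decode on receipt, before the lookup.
$decoded = html_entity_decode($html5, ENT_QUOTES | ENT_HTML5, 'UTF-8');
assert($decoded === $index);
assert(lookup($decoded) !== null);

echo "ENT_HTML5 rendered:   {$html5}\n";
echo "ENT_HTML401 rendered: {$html401}\n";
echo "Lookup after decode:  ", lookup($decoded) !== null ? 'found' : 'missing', "\n";
```

Run with `php example.php`; the assertions pass with the default `zend.assertions` setting on the CLI. Decoding on receipt accepts both the raw and the entity-encoded form of the same index, which is harmless here because the decoded value is only used as a key into server-side state, but the cleaner fix is the one the maintainer points at later in the thread: not using ENT_HTML5 when escaping the value in the first place.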

Oh, good catch! Yes, that would cause problems. I'll get a fix in posthaste.

The weird thing is that I have an older version of anti-csrf which was already:

    private static function noHTML($untrusted)
    {
        return \htmlentities($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }

And I did the changes (adding the html_entity_decode function) at:
$_POST[self::FORM_INDEX];
(or at newer version of v1 branch it would be done at: $this->post[$this->formIndex];)
(or at current version (v2) it would be done at: $index = $_POST[$this->formIndex];)

(and the same at token inputs)

9c7768f was when this flag was dropped.

What is it needed for?
Dropping it would fix creating _ entities.

Actually, it looks like I misread the output of that 3v4l script. ENT_HTML5 is the problem. Try upgrading to the latest anti-csrf first and see if the problem still exists.