Contao: Remove form action

Created on 10 Jan 2020  ·  3 Comments  ·  Source: contao/contao

Generally speaking, echoing the current request URL into the page content is insecure, one of the issues we fixed in the latest security release.

Currently, the Form component does exactly that. The input is _protected_ through the Input class, but that class is kinda deprecated and the security/encoding wouldn't work with the Request class.

There is one very simple solution though: simply do not add a form action if it should be the current page. That's valid in HTML5, and e.g. suggested in https://stackoverflow.com/questions/1131781/is-it-a-good-practice-to-use-an-empty-url-for-a-html-forms-action-attribute-a

bug
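To make the issue's point concrete, here is an added Python illustration (not Contao's code) of the two rendering patterns: a hypothetical template that echoes the request URI into `action`, and the proposed fix that omits the attribute entirely, plus a parser-based check a reviewer can run over rendered markup to confirm the URI no longer lands in an attribute. The request URI and field markup are constructed sample values.

```python
from html.parser import HTMLParser


def render_form_reflecting_uri(request_uri: str, fields: str) -> str:
    """The pattern the issue describes (hypothetical): the current request URI is
    written into the form's action attribute without reliable encoding."""
    return f'<form method="post" action="{request_uri}">{fields}</form>'


def render_form_without_action(fields: str) -> str:
    """The proposed fix: no action attribute at all. An HTML5 form without an
    action submits to the document's own URL, so the request URI never
    enters the markup in the first place."""
    return f'<form method="post">{fields}</form>'


class _FormActionCollector(HTMLParser):
    """Record the action attribute (None if absent) of every <form> element."""

    def __init__(self) -> None:
        super().__init__()
        self.actions: list = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action"))


def form_actions(markup: str) -> list:
    parser = _FormActionCollector()
    parser.feed(markup)
    return parser.actions


def attribute_boundary_broken(markup: str, request_uri: str) -> bool:
    """Defender-side check: the raw URI is present in the markup, but an HTML
    parser no longer sees it as the complete action value, so unencoded
    characters in the URI changed the attribute structure."""
    return request_uri in markup and request_uri not in form_actions(markup)


if __name__ == "__main__":
    # Constructed request URI containing a double quote, as a browser or proxy
    # could supply it; constructed field markup stands in for the form body.
    uri = '/news/item?ref=x" title="injected'
    fields = '<input name="q">'
    print("reflected :", form_actions(render_form_reflecting_uri(uri, fields)))
    print("broken    :", attribute_boundary_broken(render_form_reflecting_uri(uri, fields), uri))
    print("no action :", form_actions(render_form_without_action(fields)))
```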

All 3 comments

I will research how older browsers handle action="" for the case of customized templates.

action="" works as expected in all browsers I tested (including IE6)

See #1201
