Opened 17 years ago
Closed 17 years ago
#5940 closed defect (worksforme)
Chrome._add_form_token does not add tokens to forms generated by wiki macros
| Reported by: | | Owned by: | Jonas Borgström |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | general | Version: | |
| Severity: | normal | Keywords: | |
| Cc: | | Branch: | |
| Release Notes: | | | |
| API Changes: | | | |
| Internal Changes: | | | |
Description
I wrote a wiki macro that inserts a simple HTML form into a wiki page. This form's method is POST, and therefore it should be given a CSRF form token. The current mechanism for automatically adding such a token (Chrome._add_form_token) does not appear to be catching forms generated by my wiki macro.
I traced through _add_form_token to see what's going on, and the problem appears to be that the stream that _add_form_token operates on does not receive START/END events for XML tags inside the wiki page content; instead, the stream merely receives a single TEXT tag for the entire wiki page content, which means that any form tags inside the wiki page are not caught by _add_form_token.
This is what my log output shows:
    2007-08-28 18:10:21,881 Trac[chrome] DEBUG: DOCTYPE
    2007-08-28 18:10:21,881 Trac[chrome] DEBUG: (u'html', u'-//W3C//DTD XHTML 1.0 Strict//EN', u'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd')
    2007-08-28 18:10:21,882 Trac[chrome] DEBUG: ('wiki_view.html', 3, 55)
    2007-08-28 18:10:21,882 Trac[chrome] DEBUG: START_NS
    2007-08-28 18:10:21,882 Trac[chrome] DEBUG: ('', u'http://www.w3.org/1999/xhtml')
    2007-08-28 18:10:21,882 Trac[chrome] DEBUG: ('wiki_view.html', 4, 0)
    ... much irrelevant output later ...
    2007-08-28 18:10:22,155 Trac[chrome] DEBUG: TEXT
    2007-08-28 18:10:22,155 Trac[chrome] DEBUG: <h1>My test form</h1><form action="" method="post"></form>
    2007-08-28 18:10:22,155 Trac[chrome] DEBUG: ('/opt/local/lib/python2.5/site-packages/Trac-0.11dev_r5904-py2.5.egg/trac/wiki/templates/wiki_view.html', 55, 9)
    ... more irrelevant output ...
Of course, I can work around this by explicitly inserting the form token from my macro's implementation, but this doesn't seem like it was intended to work this way.
I am using Trac 0.11dev-r5904
Later versions of the WikiEngine will not serialize streams or elements returned by macros, so any global filtering like the one done for adding the form token will just work.
In the meantime, I think you can just add the form token yourself (using req.form_token).
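The failure mode described in the ticket, and the workaround from the reply, as an added example that is not Trac's or Genshi's code. It models a Genshi-style event stream as plain (kind, data, pos) tuples and a minimal token filter that, like the one described above, only inspects START events. The hidden field name `__FORM_TOKEN` follows Trac's convention; the macro functions, the `POS` tuple and the token value are constructed for the demonstration.

```python
"""Constructed model of a Genshi-style event stream and a CSRF form-token
filter, mimicking the behaviour described in the ticket. It does not import
Trac or Genshi; the (kind, data, pos) event shape follows Genshi's convention
(START data = (tag, attrs), END data = tag name, TEXT data = a string).
"""
import html
import secrets

START, END, TEXT = "START", "END", "TEXT"
POS = ("wiki_view.html", 55, 9)          # stand-in for the template position in the log
TOKEN_FIELD = "__FORM_TOKEN"             # hidden field name used by Trac's form-token filter


def new_form_token():
    """Per-session token of the kind Trac exposes as req.form_token."""
    return secrets.token_hex(20)


def add_form_token(stream, token):
    """Append a hidden token input to every <form method="post"> START event.

    Only START events are inspected. Markup that arrives inside a TEXT event
    is opaque to the filter, which is why a macro that returns an already
    serialized string is not caught.
    """
    for kind, data, pos in stream:
        yield kind, data, pos
        if kind == START:
            tag, attrs = data
            if tag.lower() == "form" and attrs.get("method", "").lower() == "post":
                yield START, ("input", {"type": "hidden", "name": TOKEN_FIELD,
                                        "value": token}), pos
                yield END, "input", pos


def serialize(stream):
    """Render an event stream back to markup (TEXT data is emitted verbatim)."""
    out = []
    for kind, data, _pos in stream:
        if kind == START:
            tag, attrs = data
            attr_str = "".join(' %s="%s"' % (k, html.escape(v, quote=True))
                               for k, v in attrs.items())
            out.append("<%s%s>" % (tag, attr_str))
        elif kind == END:
            out.append("</%s>" % data)
        else:
            out.append(data)
    return "".join(out)


def macro_as_events(pos=POS):
    """Macro output as real events: the form START is visible to the filter."""
    return [
        (START, ("h1", {}), pos), (TEXT, "My test form", pos), (END, "h1", pos),
        (START, ("form", {"action": "", "method": "post"}), pos),
        (END, "form", pos),
    ]


def macro_as_text(pos=POS):
    """Macro output pre-serialized into one TEXT event, as the ticket's log shows."""
    return [(TEXT, '<h1>My test form</h1><form action="" method="post"></form>', pos)]


def macro_with_own_token(token, pos=POS):
    """The workaround from the reply: the macro embeds the token itself."""
    markup = ('<h1>My test form</h1><form action="" method="post">'
              '<input type="hidden" name="%s" value="%s"></form>'
              % (TOKEN_FIELD, html.escape(token, quote=True)))
    return [(TEXT, markup, pos)]


def has_token(markup, token):
    """True if the rendered markup carries the hidden token field with this value."""
    return 'name="%s" value="%s"' % (TOKEN_FIELD, html.escape(token, quote=True)) in markup


if __name__ == "__main__":
    tok = new_form_token()
    for name, events in (("real events", macro_as_events()),
                         ("single TEXT event", macro_as_text()),
                         ("macro adds token itself", macro_with_own_token(tok))):
        print(name, "->", has_token(serialize(add_form_token(events, tok)), tok))
```

Running it shows the form gets a token only when the macro output reaches the filter as START/END events or when the macro writes the token itself; the single TEXT event passes through untouched, so the POST form ships without CSRF protection.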