51369b610e
When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again.
88 lines
2.0 KiB
Plaintext
88 lines
2.0 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
For https://laravel.com/docs/8.x/csrf#csrf-excluding-uris[Laravel VerifyCsrfToken middleware]
|
|
|
|
|
|
----
|
|
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;
|
|
|
|
class VerifyCsrfToken extends Middleware
|
|
{
|
|
protected $except = [
|
|
'api/*'
|
|
]; // Sensitive; disable CSRF protection for a list of routes
|
|
}
|
|
----
|
|
|
|
For https://symfony.com/doc/current/security/csrf.html#csrf-protection-in-symfony-forms[Symfony Forms]
|
|
|
|
|
|
----
|
|
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
|
|
|
|
class Controller extends AbstractController {
|
|
|
|
public function action() {
|
|
$this->createForm('', null, [
|
|
'csrf_protection' => false, // Sensitive; disable CSRF protection for a single form
|
|
]);
|
|
}
|
|
}
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
For https://laravel.com/docs/8.x/csrf#csrf-excluding-uris[Laravel VerifyCsrfToken middleware]
|
|
|
|
|
|
[source,php]
|
|
----
|
|
use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken as Middleware;
|
|
|
|
class VerifyCsrfToken extends Middleware
|
|
{
|
|
protected $except = []; // Compliant
|
|
}
|
|
----
|
|
Remember to add https://laravel.com/docs/8.x/blade#csrf-field[@csrf] blade directive to the relevant forms when removing an element from $except. Otherwise the form submission will stop working.
|
|
|
|
|
|
For https://symfony.com/doc/current/security/csrf.html#csrf-protection-in-symfony-forms[Symfony Forms]
|
|
|
|
|
|
[source,php]
|
|
----
|
|
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
|
|
|
|
class Controller extends AbstractController {
|
|
|
|
public function action() {
|
|
$this->createForm('', null, []); // Compliant; CSRF protection is enabled by default
|
|
}
|
|
}
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|