ja408

Reputation: 808

Using X-editable with CodeIgniter 3 CSRF issue

I'm using CodeIgniter 3 with CSRF enabled. I have a page that is using X-editable library http://vitalets.github.io/x-editable/index.html to do inline editing on that page.

Has anyone used X-editable with CodeIgniter and CSRF turned on?

My issue is when I have CSRF enabled I get the following CodeIgniter generated error:

<h1>An Error Was Encountered</h1>
<p>The action you have requested is not allowed.</p>

It works fine if I disable CSRF in CI.

What I do know is that I can't figure out a way to add a hidden field with the CSRF token when using the X-editable library, because the JavaScript library adds its own form and form fields. I know that CI's open_form() method adds the hidden field with the CSRF token automatically, but I have no option to use that with this particular library.

Any ideas? I have been stuck on this for a few days now.

This is the config.php file in my CI project

$config['csrf_protection'] = TRUE;
$config['csrf_token_name'] = 'mycsrfname';
$config['csrf_cookie_name'] = 'csrfcookiename';
$config['csrf_expire'] = 7200;
$config['csrf_regenerate'] = TRUE;
$config['csrf_exclude_uris'] = array();

This is in the controller

$name = $this->input->post('name');
$value = $this->input->post('value');
$pk = $this->input->post('pk');
$result = $this->garage_model->editItem($name,$value,$pk);

Upvotes: 0

Views: 723

Answers (3)

Arkona

Reputation: 11

If it is still up to date, maybe this could help you.

To avoid the Cross-site request forgery (CSRF) problem with Ajax, you can write the following in a global page JavaScript:

// Token name and hash are rendered server-side by CodeIgniter into the page
var csrfData = {};
csrfData['<?php echo $this->security->get_csrf_token_name(); ?>'] = '<?php echo $this->security->get_csrf_hash(); ?>';

And then use this in your function:

// Attach the CSRF token to every jQuery Ajax request
$.ajaxSetup({ data: csrfData });

Upvotes: 0

Joerg

Reputation: 3101

It's not a good idea to disable the CSRF token for your ajax call. Instead you should send the token via params:

params: function(params) {
    params.csrfToken = $.cookie('csrfCookie');
    return params;
}

Upvotes: 1
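A worked version of the params approach, added here as an example and not code from the answer above or from X-editable. It assumes the config values from the question (token name `mycsrfname`, cookie name `csrfcookiename`), a CSRF cookie that JavaScript is allowed to read, and a hypothetical `/garage/edit` route; it reads the cookie on every save rather than once at page load, which matters because `csrf_regenerate` is TRUE.

```javascript
// Constructed example: sending CodeIgniter 3's CSRF token with X-editable.
// Assumes the question's config: csrf_token_name = 'mycsrfname' and
// csrf_cookie_name = 'csrfcookiename', with the cookie readable by JS.

var CSRF_TOKEN_NAME = 'mycsrfname';      // $config['csrf_token_name']
var CSRF_COOKIE_NAME = 'csrfcookiename'; // $config['csrf_cookie_name']

// Return the value of one cookie from a "k=v; k2=v2" cookie string, or null.
function readCookie(name, cookieString) {
  var parts = (cookieString || '').split(';');
  for (var i = 0; i < parts.length; i++) {
    var pair = parts[i].trim();
    var eq = pair.indexOf('=');
    if (eq > 0 && pair.slice(0, eq) === name) {
      return decodeURIComponent(pair.slice(eq + 1));
    }
  }
  return null;
}

// Copy X-editable's POST params (name, value, pk) and add the CSRF token
// under CI's configured token name. Throws when the cookie is missing so the
// failure is visible client-side instead of as CI's generic "not allowed" page.
function withCsrfToken(params, cookieString) {
  var token = readCookie(CSRF_COOKIE_NAME, cookieString);
  if (token === null) {
    throw new Error('CSRF cookie "' + CSRF_COOKIE_NAME + '" not found');
  }
  var out = {};
  Object.keys(params).forEach(function (k) { out[k] = params[k]; });
  out[CSRF_TOKEN_NAME] = token;
  return out;
}

// X-editable options. document.cookie is read inside params() on every save,
// not once at load: with csrf_regenerate = TRUE CI issues a new hash on each
// request, so a value captured at page load would be stale after the first edit.
var editableOptions = {
  url: '/garage/edit', // hypothetical controller route
  params: function (params) {
    return withCsrfToken(params, document.cookie);
  }
};

// Wire it up only when jQuery and X-editable are actually loaded on the page.
if (typeof jQuery !== 'undefined' && jQuery.fn && jQuery.fn.editable) {
  jQuery('.editable').editable(editableOptions);
}
```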

user2105941

Reputation: 11

In my case I've excluded URLs from CSRF for this script to work; look in the config file at: $config['csrf_exclude_uris'] = array('thename/ofcontrollertodisable');

Tell me if you find a better solution!

Upvotes: 0
