From c43e611dce8e98106bdbc65568034cd947d53630 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Fri, 23 Mar 2018 17:45:02 +0100 Subject: [PATCH 1/2] csrf_token now can be used without installing the Form component --- security/csrf.rst | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/security/csrf.rst b/security/csrf.rst index 853a9fef142..9b4e0fc277b 100644 --- a/security/csrf.rst +++ b/security/csrf.rst @@ -12,12 +12,11 @@ CSRF protection works by adding a hidden field to your form that contains a value that only you and your user know. This ensures that the user - not some other entity - is submitting the given data. -Before using the CSRF protection, install it in your project (which in turn -requires installing the Symfony Form component): +Before using the CSRF protection, install it in your project: .. code-block:: terminal - $ composer require security-csrf form + $ composer require security-csrf Then, enable/disable the CSRF protection with the ``csrf_protection`` option (see the :ref:`CSRF configuration reference ` From a0569b902b55c7381d38b530446e6dfd3ce1b2ab Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Sun, 25 Mar 2018 20:26:13 +0200 Subject: [PATCH 2/2] Added a note about CSRF and Symfony 4.1 --- security/csrf.rst | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/security/csrf.rst b/security/csrf.rst index 9b4e0fc277b..d22fd8323dc 100644 --- a/security/csrf.rst +++ b/security/csrf.rst @@ -277,6 +277,10 @@ After this, you have protected your login form against CSRF attacks. CSRF Protection in HTML Forms ----------------------------- +.. versionadded:: 4.1 + In Symfony versions prior to 4.1, CSRF support required installing the + Symfony Form component even if you didn't use it. + It's also possible to add CSRF protection to regular HTML forms not managed by the Symfony Form component, for example the simple forms used to delete items. First, use the ``csrf_token()`` function in the Twig template to generate a CSRF
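Review bot: In patch 1/2, the install paragraph at the top of security/csrf.rst (hunk `@@ -12,12 +12,11 @@`) now tells every reader to run `composer require security-csrf` with no version qualifier beside it. Patch 2/2 says versions prior to 4.1 still required the Form component, but that note lands at line 277 under "CSRF Protection in HTML Forms", so a reader who stops at the install step never sees it. Suggest placing the version note directly after the install command, or adding a sentence there that the Form requirement applied before 4.1.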
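Review bot: In patch 2/2, the body of `.. versionadded:: 4.1` describes the old behaviour ("In Symfony versions prior to 4.1, CSRF support required installing the Symfony Form component") instead of what 4.1 introduced. Suggest wording it as the new behaviour and making the scope match patch 1/2: that commit subject says `csrf_token` can be used without the Form component, while this note says "CSRF support" in general, and the two should agree on what no longer needs Form.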