From 955260c56900284500016ca4bead3b98ed6f3863 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Petr=C3=A1sek?=
Date: Wed, 15 Apr 2026 11:29:53 +0200
Subject: [PATCH 1/3] [FIX] support input outside the form
---
 .../controllers/csrf_protection_controller.js | 21 +++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/symfony/stimulus-bundle/2.24/assets/controllers/csrf_protection_controller.js b/symfony/stimulus-bundle/2.24/assets/controllers/csrf_protection_controller.js
index 511fffa5c..d8b1cdaae 100644
--- a/symfony/stimulus-bundle/2.24/assets/controllers/csrf_protection_controller.js
+++ b/symfony/stimulus-bundle/2.24/assets/controllers/csrf_protection_controller.js
@@ -23,7 +23,8 @@ document.addEventListener('turbo:submit-end', function (event) {
 });
 export function generateCsrfToken (formElement) {
- const csrfField = formElement.querySelector('input[data-controller="csrf-protection"], input[name="_csrf_token"]');
+ const csrfField = getCsrfField(formElement);
+ cLog('csrfField', csrfField, generateCsrfToken);
 if (!csrfField) {
 return;
@@ -46,7 +47,7 @@ export function generateCsrfToken (formElement) {
 export function generateCsrfHeaders (formElement) {
 const headers = {};
- const csrfField = formElement.querySelector('input[data-controller="csrf-protection"], input[name="_csrf_token"]');
+ const csrfField = getCsrfField(formElement);
 if (!csrfField) {
 return headers;
@@ -62,7 +63,7 @@ export function generateCsrfHeaders (formElement) {
 }
 export function removeCsrfToken (formElement) {
- const csrfField = formElement.querySelector('input[data-controller="csrf-protection"], input[name="_csrf_token"]');
+ const csrfField = getCsrfField(formElement);
 if (!csrfField) {
 return;
@@ -77,5 +78,17 @@ export function removeCsrfToken (formElement) {
 }
 }
+function getCsrfField (formElement)
+{
+ // Input element is placed inside the form
+ const qSel = 'input[data-controller="csrf-protection"], input[name="_csrf_token"]';
+ const csrfField = formElement.querySelector(qSel);
+ if (csrfField) {return csrfField;}
+
+ // Input element is placed outside the form
+ return Array.from(document.querySelectorAll(qSel))
+ .find((field) => field.form === formElement) || null;
+}
+
 /* stimulusFetch: 'lazy' */
-export default 'csrf-protection-controller';
+export default 'csrf-protection-controller';
\ No newline at end of file
From 3599f34beb86532e69ce2baf9b279a39185963e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Petr=C3=A1sek?=
Date: Wed, 15 Apr 2026 12:01:37 +0200
Subject: [PATCH 2/3] new line
---
 .../2.24/assets/controllers/csrf_protection_controller.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/symfony/stimulus-bundle/2.24/assets/controllers/csrf_protection_controller.js b/symfony/stimulus-bundle/2.24/assets/controllers/csrf_protection_controller.js
index d8b1cdaae..befbdf14e 100644
--- a/symfony/stimulus-bundle/2.24/assets/controllers/csrf_protection_controller.js
+++ b/symfony/stimulus-bundle/2.24/assets/controllers/csrf_protection_controller.js
@@ -91,4 +91,4 @@ function getCsrfField (formElement)
 }
 /* stimulusFetch: 'lazy' */
-export default 'csrf-protection-controller';
\ No newline at end of file
+export default 'csrf-protection-controller';
From d6fb56e3a4235955768d25f4de41b98ee13d76b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Petr=C3=A1sek?=
Date: Wed, 15 Apr 2026 12:07:24 +0200
Subject: [PATCH 3/3] fix
---
 .../2.24/assets/controllers/csrf_protection_controller.js | 1 -
 1 file changed, 1 deletion(-)
diff --git a/symfony/stimulus-bundle/2.24/assets/controllers/csrf_protection_controller.js b/symfony/stimulus-bundle/2.24/assets/controllers/csrf_protection_controller.js
index befbdf14e..bcf6b14c8 100644
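Review bot: In `getCsrfField`, only the fallback branch tests form ownership (`field.form === formElement`); the first branch returns any descendant matched by `formElement.querySelector(qSel)`, including an input whose `form` attribute assigns it to a different form. In that case the callers (`generateCsrfToken`, `generateCsrfHeaders`, `removeCsrfToken`, whose bodies lie outside these hunks) would operate on a field that is not submitted with this form, and a correctly associated field elsewhere in the document is never looked at. Applying the same ownership test to the fast path keeps both branches consistent, assuming `formElement` is always a real form element: `if (csrfField && csrfField.form === formElement) {return csrfField;}`. The helper would also benefit from a doc comment such as `/** Returns the CSRF input owned by formElement (nested or attached via the form attribute), or null. */`, so that ownership rather than DOM position is recorded as the criterion. As a style point, the opening brace on its own line differs from the `function name (arg) {` form used by the other functions visible in this patch.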
--- a/symfony/stimulus-bundle/2.24/assets/controllers/csrf_protection_controller.js
+++ b/symfony/stimulus-bundle/2.24/assets/controllers/csrf_protection_controller.js
@@ -24,7 +24,6 @@ document.addEventListener('turbo:submit-end', function (event) {
 export function generateCsrfToken (formElement) {
 const csrfField = getCsrfField(formElement);
- cLog('csrfField', csrfField, generateCsrfToken);
 if (!csrfField) {
 return;