silverstripe-framework/docs/en
Antony Thorpe 6348f2e3e8 Updated Form.php & 04_Form_Security.md
Changed the `strictFormMethodCheck` protected property from false to true to step out on the front foot with this security setting.  In the documentation under the title [Cross-Site Request Forgery](https://github.com/silverstripe/silverstripe-framework/blob/master/docs/en/02_Developer_Guides/09_Security/04_Secure_Coding.md#cross-site-request-forgery-csrf) it states, "it is also recommended to limit form submissions to the intended HTTP verb (mostly GET or POST) through [api:Form::setStrictFormMethodCheck()]."  The same advice is noted in [Form Security](c2292a4cc1/docs/en/02_Developer_Guides/03_Forms/04_Form_Security.md (strict-form-submission)).

Why not make this the default behaviour?  Is there a scenario where this would cause a problem?  Have manually tested in the CMS (alpha7) and is working fine.

Note: Original commit that established the API Form::setStrictFormMethodCheck is 14c59be8.
2017-06-06 21:10:49 +12:00
..
_images Resample doc images for react di 2017-05-26 11:08:07 +12:00
00_Getting_Started Only use random_bytes() for RandomGenerator (closes #6397) 2017-05-19 11:18:56 +01:00
01_Tutorials Update 05_Dataobject_Relationship_Management.md 2017-05-29 20:54:50 +12:00
02_Developer_Guides Updated Form.php & 04_Form_Security.md 2017-06-06 21:10:49 +12:00
03_Upgrading DOCS Add note about using dotenv on SilverStripe Platform (#6602) 2017-02-07 17:14:34 +13:00
04_Changelogs API Remove legacy HTMLEditor classes 2017-05-30 11:01:28 +12:00
05_Contributing Docs: Correct Stevie's name on committers page 2017-05-31 12:27:06 +12:00
index.md DOCS 3.2 : fixing api: links now that api: tag parser working 2016-02-17 18:02:38 -07:00