Andreas R. opened SPR-12707 and commented

When using CsrfRequestDataValueProcessor (with configuration mentioned in https://jira.spring.io/browse/SPR-6125?focusedCommentId=97055&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-97055), i.e.:

<bean id="springSecurityFilterChain" class="org.springframework.security.web.FilterChainProxy">
    <sec:filter-chain-map path-type="ant">
        <sec:filter-chain pattern="/**" filters="csrfFilter"/>
    </sec:filter-chain-map>
</bean>
<bean id="csrfFilter" class="org.springframework.security.web.csrf.CsrfFilter">
    <constructor-arg>
        <bean class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository"/>
    </constructor-arg>
</bean>
<bean id="requestDataValueProcessor" class="org.springframework.security.web.servlet.support.csrf.CsrfRequestDataValueProcessor"/>

to fill the CSRF token automatically into the forms generated by spring form, the hidden field for the CSRF token is put into a div which is unnecessary (and may sometimes break the layout):

<form id="..." class="inline" accept-charset="UTF-8" action="..." method="POST">
   ...
<div>
<input type="hidden" name="_csrf" value="361c2a67-271d-43f2-9953-5d7f81f417c9" />
</div></form>

For a GET request there is still a div added, even though the CSRF token is not necessary and not included in this case:

<form id="..." action="..." method="GET">
...
    <div>
</div></form>

It would be better if this div were not created because it is unnecessary (and can cause layout issues).


Affects: 4.1.4

Issue Links: - #15554 FormTag generates hidden fields from RequestDataValueProcessor.getExtraHiddenFields(...) without container, resulting in invalid xhtml

2 votes, 7 watchers

Comment From: spring-projects-issues

Rob Winch commented

Thanks for the report, Andreas R. I have moved this to Spring Framework, which is what renders out the RequestDataValueProcessor inputs.

Comment From: spring-projects-issues

Rossen Stoyanchev commented

Given that it's dynamically generated content, it could cause layout issues either way. In fact, if we remove the div now, it will likely cause layout issues for existing applications.

Comment From: spring-projects-issues

Andrew Landsverk commented

We just hit this "bug" when upgrading to Spring 4. Is it possible to add some configuration option to disable the extra div?

Comment From: spring-projects-issues

Andrew Landsverk commented

Reopening to get more feedback from Spring. If necessary, I can create another ticket for the "enhancement" request I made in my previous comment.

Comment From: spring-projects-issues

Rossen Stoyanchev commented

I don't see a good place to add it. It's such a minor, specific thing. Tags have access to the RequestContext type but this hardly fits any of the methods already there that are much more of very common value. Perhaps we could support checking the presence of a PageContext attribute or something like that and you'll have to figure out how to set it.

Comment From: spring-projects-issues

Andrew Landsverk commented

I think that would be a workable solution. Currently this has messed up most of the forms on our website unfortunately, and we really don't want to have to roll back to Spring 3.2.x if we can help it.

Comment From: spring-projects-issues

Bulk closing outdated, unresolved issues. Please, reopen if still relevant.

Comment From: ghost

Guess there never was an actual fix for this?