Closed
Description
I have been trying to follow this snippet of code.
http://symfony.com/doc/current/cookbook/routing/method_parameters.html#faking-the-method-with-method
But it doesn't tell me I can't use it outside of a form.
There seems to be a conflict in the documentation, as it states:
Forms automatically include a hidden field for this parameter if their submission method is not GET or POST
Which, to me, implies it with GET or POST requests.
But the code says:
```php
/**
 * Enables support for the _method request parameter to determine the intended HTTP method.
 *
 * Be warned that enabling this feature might lead to CSRF issues in your code.
 * Check that you are using CSRF tokens when required.
 * If the HTTP method parameter override is enabled, an html-form with method "POST" can be altered
 * and used to send a "PUT" or "DELETE" request via the _method request parameter.
 * If these methods are not protected against CSRF, this presents a possible vulnerability.
 *
 * The HTTP method can only be overridden when the real HTTP method is POST.
 */
public static function enableHttpMethodParameterOverride()
{
    self::$httpMethodParameterOverride = true;
}
```
Specifically: "The HTTP method can only be overridden when the real HTTP method is POST."
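The rule quoted from the docblock can be checked directly against `symfony/http-foundation`. The script below is an added example, not part of the original issue or of Symfony's code; it assumes the package was installed with Composer in the current directory, and the URL and parameter values are constructed. It compares the real method with the method the application sees for a GET and a POST request that both carry `_method=DELETE`, before and after the override is enabled.

```php
<?php
// Added example. Assumes `composer require symfony/http-foundation` was run
// in this directory; the URL and parameter values below are constructed.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Request;

/**
 * Builds two constructed requests that both carry _method=DELETE.
 * Fresh objects are created on every call because getMethod() caches
 * its result per Request instance.
 */
function sampleRequests(): array
{
    return [
        // For GET, Request::create() puts the parameters in the query string.
        'GET  with _method=DELETE' => Request::create('/item/1', 'GET', ['_method' => 'DELETE']),
        // For POST, the parameters go into the request body.
        'POST with _method=DELETE' => Request::create('/item/1', 'POST', ['_method' => 'DELETE']),
    ];
}

/** Returns, per request, the method on the wire and the method routing will see. */
function resolveMethods(): array
{
    $result = [];
    foreach (sampleRequests() as $label => $request) {
        $result[$label] = [
            'real' => $request->getRealMethod(),
            'effective' => $request->getMethod(),
        ];
    }

    return $result;
}

function report(string $title): void
{
    echo $title, PHP_EOL;
    foreach (resolveMethods() as $label => $m) {
        printf("  %-26s real=%-5s effective=%s%s", $label, $m['real'], $m['effective'], PHP_EOL);
    }
}

report('Override disabled (default):');

// The static switch from the docblock; it affects every Request created afterwards.
Request::enableHttpMethodParameterOverride();
report('Override enabled:');
```

Any route that the effective method can reach through a plain POST form (PUT, DELETE) needs the same CSRF token check as the POST handler, which is the warning the docblock gives.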