Item1922: CSRF Confirmation Dialog messes up retarded execution macros
Priority: Normal
Current State: No Action Required
Released In:
Target Release: n/a
Applies To: Engine
Component:
Branches:
Short description
The new CSRF security feature of 1.0.6, which asks for confirmation when saving a topic (see WhyYouAreAskedToConfirm), can mess up topic content.
How to reproduce
So far we encountered this problem when using retarded macros, e.g. a CALC embedded in a SEARCH. To provoke the CSRF Confirmation Dialog, in our case it's enough to use the browser's back button after a topic was saved and save it again.
Example
Create a test topic with the following content:
%SEARCH{
"form.name ~ '*UserForm'"
type="query"
web="Main"
separator=", "
format="$percntCALC{$PROPERSPACE($topic)}$percnt"
}%
- After saving you will see a comma-separated list of users, with spaced-out names.
- Now go back in your browser, save again and click OK in the Confirmation Dialog.
- Now the list of users will only feature the WikiNames without spaces.
- A click on Raw View will show you that the embedded CALC vanished:
%SEARCH{
"form.name ~ '*UserForm'"
type="query"
web="Main"
separator=", "
format="$topic"
}%
Another nice example is (if you have ForEachPlugin installed):
%FOR{"counta" start="1" stop="10" step="1"}%
* $percntCALC{$SETIFEMPTY(ind,0) $SETM(ind, + $counta) $GET(ind)}$percnt
%NEXT{"counta"}%
This will result in
%FOR{"counta" start="1" stop="10" step="1"}%
* ERROR: syntax error, at EOF
%NEXT{"counta"}%
Strange, isn't it?
System Info
- most recent Debian packages
- {Validation}{Method} is set to strikeone
Duplicate of Item1921.
--
GilmarSantosJr - 13 Aug 2009
Yes. Sorry about that. This was because the browser's back button was used and the topic was saved again, which caused it to be saved thrice...
--
PhilippLeufke - 13 Aug 2009
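The raw view above (format="$topic" left behind, PROPERSPACE apparently doing nothing) is exactly what you get when the stored text loses one level of escaping before the SEARCH runs: $percnt is decoded to %, the CALC is evaluated while $topic is still the literal string "$topic", and PROPERSPACE leaves a word without CamelCase unchanged. The following is an added toy model written for this page, in Python, not Foswiki's rendering code and not tied to how the confirmation page actually handles the text. It assumes two constructed topic names, a simplified PROPERSPACE, and a CALC that only knows PROPERSPACE; the "premature" path is the assumption that the stored text went through one decode-and-expand pass before SEARCH saw it, which is what the observed output implies. It also includes a small check for a save that consumed $percnt tokens.

```python
import re

# Constructed sample of what the SEARCH in the report might find (assumption).
SAMPLE_TOPICS = ["GilmarSantosJr", "PhilippLeufke"]

# The SEARCH format parameter from the report, with its delayed CALC.
FORMAT = "$percntCALC{$PROPERSPACE($topic)}$percnt"


def properspace(s):
    """Toy PROPERSPACE: insert a space before each capital that follows a
    lowercase letter. A string without CamelCase, e.g. the literal
    '$topic', comes back unchanged, which is what the raw view showed."""
    return re.sub(r'(?<=[a-z])(?=[A-Z])', ' ', s)


CALC_RE = re.compile(r'%CALC\{\$PROPERSPACE\((.*?)\)\}%')


def expand_calc(text):
    """Toy macro expansion: evaluate every %CALC{$PROPERSPACE(x)}% in text."""
    return CALC_RE.sub(lambda m: properspace(m.group(1)), text)


def decode_format_tokens(text):
    """Decode the one-level escape $percnt -> %."""
    return text.replace('$percnt', '%')


def render_search(fmt, topics, separator=", "):
    """Intended order: SEARCH substitutes $topic per hit and decodes
    $percnt in its own output; only then is the resulting CALC expanded."""
    rows = [decode_format_tokens(fmt.replace('$topic', t)) for t in topics]
    return expand_calc(separator.join(rows))


def premature_expansion(fmt):
    """Modelled failure (assumption): escapes decoded and CALC evaluated on
    the stored text before SEARCH ran, so $topic is still literal and the
    CALC collapses to its input, leaving format="$topic" behind."""
    return expand_calc(decode_format_tokens(fmt))


def lost_delayed_macros(submitted, stored):
    """Check a practitioner can run on submitted vs stored text: a positive
    number means the save consumed that many $percnt escapes, i.e. a
    delayed macro was executed at save time instead of at render time."""
    return submitted.count('$percnt') - stored.count('$percnt')


if __name__ == "__main__":
    print(render_search(FORMAT, SAMPLE_TOPICS))   # spaced-out names, as on first save
    print(premature_expansion(FORMAT))            # "$topic", as in the raw view
    print(lost_delayed_macros(FORMAT, premature_expansion(FORMAT)))
```

The same consumed escaping level accounts for the ForEachPlugin example: once the CALC runs before FOR has substituted $counta, the expression "+ $counta" is evaluated as a literal and fails at end of input; the toy CALC above does not model arithmetic, so that case is not reproduced here.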