diff --git a/src/Umbraco.Web.Website/Extensions/HtmlHelperRenderExtensions.cs b/src/Umbraco.Web.Website/Extensions/HtmlHelperRenderExtensions.cs index 13a606b28b..2e44bae31f 100644 --- a/src/Umbraco.Web.Website/Extensions/HtmlHelperRenderExtensions.cs +++ b/src/Umbraco.Web.Website/Extensions/HtmlHelperRenderExtensions.cs @@ -391,6 +391,28 @@ public static class HtmlHelperRenderExtensions string action, string controllerName, object? additionalRouteVals, + IDictionary htmlAttributes) => html.BeginUmbracoForm(action, controllerName, additionalRouteVals, htmlAttributes, FormMethod.Post); + + /// + /// Helper method to create a new form to execute in the Umbraco request pipeline against a locally declared controller + /// + public static MvcForm BeginUmbracoForm( + this IHtmlHelper html, + string action, + string controllerName, + object? additionalRouteVals, + IDictionary htmlAttributes, + FormMethod method) => html.BeginUmbracoForm(action, controllerName, additionalRouteVals, null, htmlAttributes, method); + + /// + /// Helper method to create a new form to execute in the Umbraco request pipeline against a locally declared controller + /// + public static MvcForm BeginUmbracoForm( + this IHtmlHelper html, + string action, + string controllerName, + object? additionalRouteVals, + bool? antiforgery, IDictionary htmlAttributes, FormMethod method) { 
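Review bot: The new `BeginUmbracoForm` overloads that take `bool? antiforgery` carry only the copied summary line and never say what the three states mean, starting with the last overload added in this hunk. A param entry should state it, for example `/// <param name="antiforgery">Pass false to omit the anti-forgery token; null or true renders it.</param>`, and add that a form rendered without the token is only appropriate when the target action does not change state. The same gap is in the overloads added in the hunks at -477, -549, -569, -588 and -692, and on the `RenderForm` and `UmbracoForm` parameters at -753 and -808. The body of the last overload here continues outside the hunk.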
@@ -418,44 +440,7 @@ public static class HtmlHelperRenderExtensions nameof(controllerName)); } - return html.BeginUmbracoForm(action, controllerName, string.Empty, additionalRouteVals, htmlAttributes, method); - } - - /// - /// Helper method to create a new form to execute in the Umbraco request pipeline against a locally declared controller - /// - public static MvcForm BeginUmbracoForm( - this IHtmlHelper html, - string action, - string controllerName, - object? additionalRouteVals, - IDictionary htmlAttributes) - { - if (action == null) - { - throw new ArgumentNullException(nameof(action)); - } - - if (string.IsNullOrWhiteSpace(action)) - { - throw new ArgumentException( - "Value can't be empty or consist only of white-space characters.", - nameof(action)); - } - - if (controllerName == null) - { - throw new ArgumentNullException(nameof(controllerName)); - } - - if (string.IsNullOrWhiteSpace(controllerName)) - { - throw new ArgumentException( - "Value can't be empty or consist only of white-space characters.", - nameof(controllerName)); - } - - return html.BeginUmbracoForm(action, controllerName, string.Empty, additionalRouteVals, htmlAttributes); + return html.BeginUmbracoForm(action, controllerName, string.Empty, additionalRouteVals, antiforgery, htmlAttributes, method); } /// 
@@ -477,6 +462,13 @@ public static class HtmlHelperRenderExtensions public static MvcForm BeginUmbracoForm(this IHtmlHelper html, string action, FormMethod method) where T : SurfaceController => html.BeginUmbracoForm(action, typeof(T), method); + /// + /// Helper method to create a new form to execute in the Umbraco request pipeline to a surface controller plugin + /// + /// The type + public static MvcForm BeginUmbracoForm(this IHtmlHelper html, string action, FormMethod method, bool? antiforgery) + where T : SurfaceController => html.BeginUmbracoForm(action, typeof(T), null, antiforgery, new Dictionary(), method); + /// /// Helper method to create a new form to execute in the Umbraco request pipeline to a surface controller plugin /// @@ -524,6 +516,21 @@ public static class HtmlHelperRenderExtensions public static MvcForm BeginUmbracoForm(this IHtmlHelper html, string action, object additionalRouteVals) where T : SurfaceController => html.BeginUmbracoForm(action, typeof(T), additionalRouteVals); + /// + /// Helper method to create a new form to execute in the Umbraco request pipeline to a surface controller plugin + /// + public static MvcForm BeginUmbracoForm( + this IHtmlHelper html, + string action, + Type surfaceType, + object additionalRouteVals, + object htmlAttributes) => + html.BeginUmbracoForm( + action, + surfaceType, + additionalRouteVals, + HtmlHelper.AnonymousObjectToHtmlAttributes(htmlAttributes)); + /// /// Helper method to create a new form to execute in the Umbraco request pipeline to a surface controller plugin /// 
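Review bot: The position of `antiforgery` is inconsistent across the new overloads: in the `SurfaceController`-constrained overload added here it trails `FormMethod method`, while the `IDictionary` overloads it forwards to place it before `htmlAttributes`. Because several neighbouring parameters accept `null` (`object? additionalRouteVals`, `bool? antiforgery`), a mixed order makes it easy to pass a value to the wrong slot without a compiler error. Pick one position for all overloads and name the bare `null` in the forwarding call, `additionalRouteVals: null`, as the commit already does in the hunk at -673. The same ordering split appears in the two overloads taking `object htmlAttributes, FormMethod method, bool? antiforgery` in the hunks at -549 and -569.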
@@ -549,12 +556,16 @@ public static class HtmlHelperRenderExtensions string action, Type surfaceType, object additionalRouteVals, - object htmlAttributes) => + object htmlAttributes, + FormMethod method, + bool? antiforgery) => html.BeginUmbracoForm( action, surfaceType, additionalRouteVals, - HtmlHelper.AnonymousObjectToHtmlAttributes(htmlAttributes)); + antiforgery, + HtmlHelper.AnonymousObjectToHtmlAttributes(htmlAttributes), + method); /// /// Helper method to create a new form to execute in the Umbraco request pipeline to a surface controller plugin @@ -569,6 +580,20 @@ public static class HtmlHelperRenderExtensions where T : SurfaceController => html.BeginUmbracoForm(action, typeof(T), additionalRouteVals, htmlAttributes, method); + /// + /// Helper method to create a new form to execute in the Umbraco request pipeline to a surface controller plugin + /// + /// The type + public static MvcForm BeginUmbracoForm( + this IHtmlHelper html, + string action, + object additionalRouteVals, + object htmlAttributes, + FormMethod method, + bool? antiforgery) + where T : SurfaceController => + html.BeginUmbracoForm(action, typeof(T), additionalRouteVals, htmlAttributes, method, antiforgery); + /// /// Helper method to create a new form to execute in the Umbraco request pipeline to a surface controller plugin /// @@ -588,6 +613,18 @@ public static class HtmlHelperRenderExtensions Type surfaceType, object? additionalRouteVals, IDictionary htmlAttributes, + FormMethod method) => html.BeginUmbracoForm(action, surfaceType, additionalRouteVals, null, htmlAttributes, method); + + /// + /// Helper method to create a new form to execute in the Umbraco request pipeline to a surface controller plugin + /// + public static MvcForm BeginUmbracoForm( + this IHtmlHelper html, + string action, + Type surfaceType, + object? additionalRouteVals, + bool? antiforgery, + IDictionary htmlAttributes, FormMethod method) { if (action == null) 
@@ -630,6 +667,7 @@ public static class HtmlHelperRenderExtensions metaData.ControllerName, area!, additionalRouteVals, + antiforgery, htmlAttributes, method); } @@ -673,7 +711,7 @@ public static class HtmlHelperRenderExtensions /// Helper method to create a new form to execute in the Umbraco request pipeline to a surface controller plugin /// public static MvcForm BeginUmbracoForm(this IHtmlHelper html, string action, string controllerName, string area, FormMethod method) - => html.BeginUmbracoForm(action, controllerName, area, null, new Dictionary(), method); + => html.BeginUmbracoForm(action, controllerName, area, additionalRouteVals: null, new Dictionary(), method); /// /// Helper method to create a new form to execute in the Umbraco request pipeline to a surface controller plugin @@ -692,6 +730,20 @@ public static class HtmlHelperRenderExtensions object? additionalRouteVals, IDictionary htmlAttributes, FormMethod method) + => html.BeginUmbracoForm(action, controllerName, area, additionalRouteVals, null, htmlAttributes, method); + + /// + /// Helper method to create a new form to execute in the Umbraco request pipeline to a surface controller plugin + /// + public static MvcForm BeginUmbracoForm( + this IHtmlHelper html, + string action, + string? controllerName, + string area, + object? additionalRouteVals, + bool? antiforgery, + IDictionary htmlAttributes, + FormMethod method) { if (action == null) { @@ -718,7 +770,7 @@ public static class HtmlHelperRenderExtensions IUmbracoContextAccessor umbracoContextAccessor = GetRequiredService(html); IUmbracoContext umbracoContext = umbracoContextAccessor.GetRequiredUmbracoContext(); var formAction = umbracoContext.OriginalRequestUrl.PathAndQuery; - return html.RenderForm(formAction, method, htmlAttributes, controllerName, action, area, additionalRouteVals); + return html.RenderForm(formAction, method, htmlAttributes, controllerName, action, area, antiforgery, additionalRouteVals); } /// 
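Review bot: The switch to `additionalRouteVals: null` in the `string area, FormMethod method` overload (hunk at -673) suggests that a bare `null` in that position no longer resolves. A `string` third argument also fits `object? additionalRouteVals` in the new overload taking `additionalRouteVals, antiforgery, htmlAttributes, method` after `controllerName`, and `null` converts to `bool?` as well as to `object?`. If that is the cause, existing views and external callers that pass a literal `null` there will hit the same ambiguity at compile time, so this would be a source-breaking change. It is worth confirming with a compile test of the old call shape. If it breaks, either note it in the upgrade documentation or give the new overload a parameter order that cannot collide.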
@@ -753,6 +805,7 @@ public static class HtmlHelperRenderExtensions string surfaceController, string surfaceAction, string area, + bool? antiforgery = null, object? additionalRouteVals = null) { // ensure that the multipart/form-data is added to the HTML attributes @@ -781,7 +834,7 @@ public static class HtmlHelperRenderExtensions HtmlEncoder htmlEncoder = GetRequiredService(htmlHelper); // new UmbracoForm: - var theForm = new UmbracoForm(htmlHelper.ViewContext, htmlEncoder, surfaceController, surfaceAction, area, additionalRouteVals); + var theForm = new UmbracoForm(htmlHelper.ViewContext, htmlEncoder, surfaceController, surfaceAction, area, antiforgery, additionalRouteVals); if (traditionalJavascriptEnabled) { @@ -798,6 +851,7 @@ public static class HtmlHelperRenderExtensions { private readonly string _surfaceControllerInput; private readonly ViewContext _viewContext; + private readonly bool? _antiforgery; /// /// Initializes a new instance of the class. @@ -808,10 +862,12 @@ public static class HtmlHelperRenderExtensions string controllerName, string controllerAction, string area, + bool? antiforgery = null, object? additionalRouteVals = null) : base(viewContext, htmlEncoder) { _viewContext = viewContext; + _antiforgery = antiforgery; _surfaceControllerInput = GetSurfaceControllerHiddenInput( GetRequiredService(viewContext), controllerName, 
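Review bot: `bool? antiforgery = null` is inserted ahead of the existing optional `additionalRouteVals` in `RenderForm`, and again in the `UmbracoForm` constructor in the hunk at -808, which moves an existing parameter to a new position. If either member is reachable from outside this assembly (their visibility is not shown in the hunks), callers that pass `additionalRouteVals` positionally stop compiling and already-compiled callers bind to a signature that no longer exists. Appending the new parameter instead, `object? additionalRouteVals = null, bool? antiforgery = null`, keeps existing positional calls compiling; binary compatibility would additionally need the old signature kept as an overload. Both signatures start outside their hunks.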
@@ -822,10 +878,13 @@ public static class HtmlHelperRenderExtensions protected override void GenerateEndForm() { - // Always output an anti-forgery token - IAntiforgery antiforgery = _viewContext.HttpContext.RequestServices.GetRequiredService(); - IHtmlContent antiforgeryHtml = antiforgery.GetHtml(_viewContext.HttpContext); - _viewContext.Writer.Write(antiforgeryHtml.ToHtmlString()); + // Always output an anti-forgery token unless explicitly requested to omit. + if (!_antiforgery.HasValue || _antiforgery.Value) + { + IAntiforgery antiforgery = _viewContext.HttpContext.RequestServices.GetRequiredService(); + IHtmlContent antiforgeryHtml = antiforgery.GetHtml(_viewContext.HttpContext); + _viewContext.Writer.Write(antiforgeryHtml.ToHtmlString()); + } // write out the hidden surface form routes _viewContext.Writer.Write(_surfaceControllerInput);
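Review bot: The new guard in `GenerateEndForm` lets `false` drop the token silently, and the inline comment is the only place that contract is stated; the condition also reads more directly as `if (_antiforgery ?? true)`. If the target surface action validates anti-forgery tokens (not visible here), a POST form rendered with `antiforgery: false` will be rejected, and if it does not, the form is left without CSRF protection. A comment such as `// null/true: emit the token; false: caller opted out and must ensure the action is safe without it` would record that. The method's closing brace is outside the hunk.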