diff --git a/system/Helpers/form_helper.php b/system/Helpers/form_helper.php
index 5855850e8cbc..4f21effbc568 100644
--- a/system/Helpers/form_helper.php
+++ b/system/Helpers/form_helper.php
@@ -65,6 +65,12 @@ function form_open(string $action = '', $attributes = [], array $hidden = []): s
$action = site_url($action);
}
+ if(is_array($attributes) && array_key_exists('csrf_id', $attributes))
+ {
+ $csrfId = $attributes['csrf_id'];
+ unset($attributes['csrf_id']);
+ }
+
$attributes = stringify_attributes($attributes);
if (stripos($attributes, 'method=') === false)
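Review bot: `$csrfId` is assigned only inside the added `if`, so the later `csrf_field($csrfId ?? null)` relies on `??` to hide an undefined variable; declare it first with `$csrfId = null;` ahead of the check. The value comes straight from the caller's attributes and is handed on to `csrf_field()`, which is not part of this diff, so it is worth confirming that the helper escapes the id for an attribute context before writing it into the markup. When `$attributes` is passed as a string, a `csrf_id` inside it is not extracted and would be rendered as a literal attribute on the form tag; the docblock should say that `csrf_id` is honoured only in the array form. The added line also uses `if(` where the rest of the function writes `if (`. The body of form_open() starts and ends outside this hunk.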
@@ -82,17 +88,16 @@ function form_open(string $action = '', $attributes = [], array $hidden = []): s
// Add CSRF field if enabled, but leave it out for GET requests and requests to external websites
$before = Services::filters()->getFilters()['before'];
- if ((in_array('csrf', $before) || array_key_exists('csrf', $before)) && strpos($action, base_url()) !== false && ! stripos($form, 'method="get"')
- )
+ if ((in_array('csrf', $before) || array_key_exists('csrf', $before)) && strpos($action, base_url()) !== false && ! stripos($form, 'method="get"'))
{
- $hidden[csrf_token()] = csrf_hash();
+ $form .= csrf_field($csrfId ?? null);
}
if (is_array($hidden))
{
foreach ($hidden as $name => $value)
{
- $form .= '' . "\n";
+ $form .= form_hidden($name, $value);
}
}
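Review bot: The re-joined condition still treats a form as same-site through `strpos($action, base_url()) !== false`, which is true when the base URL appears anywhere in `$action`, for example inside the query string of a URL on another host. In that case the CSRF field is written into a form that submits to an external site, which is the situation the comment above the check says it avoids. Anchoring the match to the start, `strpos($action, base_url()) === 0`, closes that gap. `in_array('csrf', $before)` would also be safer with `true` as its third argument so the lookup is a strict comparison. The function continues outside this hunk.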
@@ -167,7 +172,7 @@ function form_hidden($name, $value = '', bool $recursing = false): string
if (! is_array($value))
{
- $form .= '\n";
+ $form .= '\n";
}
else
{
diff --git a/tests/system/Helpers/FormHelperTest.php b/tests/system/Helpers/FormHelperTest.php
index d9069f59cc0f..4c97b0706233 100644
--- a/tests/system/Helpers/FormHelperTest.php
+++ b/tests/system/Helpers/FormHelperTest.php
@@ -35,7 +35,7 @@ public function testFormOpenBasic()
$Name = csrf_token();
$expected = <<
-
+
EOH;
}
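Review bot: None of the hunks in this test file changes a `form_open()` call, so as far as the visible changes show, the new `csrf_id` attribute has no coverage; the edits only update the expected markup. A case such as `form_open('foo/bar', ['csrf_id' => 'customId'])` (constructed value) should assert that the id reaches the CSRF field and that `csrf_id` is not rendered as an attribute on the form tag. A second case whose action is an external URL would pin down that no token field is emitted for forms leaving the site.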
@@ -73,7 +73,7 @@ public function testFormOpenWithoutAction()
$Name = csrf_token();
$expected = <<
-
+
EOH;
}
@@ -110,7 +110,7 @@ public function testFormOpenWithoutMethod()
$Name = csrf_token();
$expected = <<
-
+
EOH;
}
@@ -147,8 +147,8 @@ public function testFormOpenWithHidden()
$Name = csrf_token();
$expected = <<
-
-
+
+
EOH;
}
@@ -156,7 +156,8 @@ public function testFormOpenWithHidden()
{
$expected = <<
-
+
+
EOH;
}
@@ -225,7 +226,7 @@ public function testFormOpenMultipart()
$Name = csrf_token();
$expected = <<
-
+
EOH;
}
@@ -253,7 +254,7 @@ public function testFormHidden()
{
$expected = <<\n
+\n
EOH;
$this->assertEquals($expected, form_hidden('username', 'johndoe'));
}
@@ -266,7 +267,7 @@ public function testFormHiddenArrayInput()
];
$expected = <<
+
EOH;
$this->assertEquals($expected, form_hidden($data, null));
@@ -280,7 +281,7 @@ public function testFormHiddenArrayValues()
];
$expected = <<
+
EOH;
$this->assertEquals($expected, form_hidden('name', $data));
diff --git a/user_guide_src/source/helpers/form_helper.rst b/user_guide_src/source/helpers/form_helper.rst
index 89091d08542b..a06489d5d902 100644
--- a/user_guide_src/source/helpers/form_helper.rst
+++ b/user_guide_src/source/helpers/form_helper.rst
@@ -90,6 +90,15 @@ The following functions are available:
The above examples would create a form similar to this::