aspnet / Announcements

Subscribe to this repo to be notified about major changes in ASP.NET Core and Entity Framework Core

ASP.NET Core MVC 2.0 non asp-* attribute form elements now auto-insert anti-forgery tokens. #233

Open NTaylorMullen opened 7 years ago

NTaylorMullen commented 7 years ago

The change

In ASP.NET Core MVC 2.0 the FormTagHelper from the Microsoft.AspNetCore.Mvc.TagHelpers assembly now injects anti-forgery tokens for plain form elements (elements that don't have asp-*). This happens under the following conditions:

  1. There is a method="post" attribute
  2. The action attribute is empty. e.g. action=""
  3. The action attribute is not supplied

Workarounds

Explicitly turn off anti-forgery

<form method="post" asp-antiforgery="false">
</form>

Opt your form element out of TagHelperification by using the ! symbol.

<!form method="post">
</!form>

Remove the FormTagHelper entirely from the view.

@removeTagHelper Microsoft.AspNetCore.Mvc.TagHelpers.FormTagHelper, Microsoft.AspNetCore.Mvc.TagHelpers
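An added example, not part of the original announcement or the ASP.NET Core code base: a small Python audit that labels each form tag in a Razor view as receiving the automatic token or as using one of the three workarounds above, so reviewers can find POST forms left without anti-forgery protection. It assumes the conditions mean method="post" together with an empty or missing action, and that a @removeTagHelper directive applies to the whole view; the function names, labels and sample view are constructed for illustration.

```python
import re

# Simplified matching: attribute values containing '>' or nested quotes
# (Razor expressions) are not handled.
FORM_RE = re.compile(r"<(!?)form\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")
REMOVE_RE = re.compile(
    r"@removeTagHelper\s+(?:\*|Microsoft\.AspNetCore\.Mvc\.TagHelpers\.FormTagHelper)"
    r"\s*,\s*Microsoft\.AspNetCore\.Mvc\.TagHelpers\b")

def classify(bang, attrs, helper_removed):
    """Label one opening form tag using the conditions in the announcement."""
    if attrs.get("method", "").lower() != "post":
        return "not-post"
    if bang:
        return "opt-out:!form"
    if helper_removed:
        return "opt-out:@removeTagHelper"
    if attrs.get("asp-antiforgery", "").lower() == "false":
        return "opt-out:asp-antiforgery"
    if any(name.startswith("asp-") for name in attrs):
        return "asp-form"  # already a tag-helper form, outside this change
    if attrs.get("action", "") == "":
        return "token-injected"  # action missing or empty
    return "no-token:explicit-action"

def audit_view(text):
    """Return (line_number, label) for every opening form tag in a view."""
    helper_removed = bool(REMOVE_RE.search(text))
    findings = []
    for m in FORM_RE.finditer(text):
        attrs = {n.lower(): dq or sq for n, dq, sq in ATTR_RE.findall(m.group(2))}
        line = text.count("\n", 0, m.start()) + 1
        findings.append((line, classify(bool(m.group(1)), attrs, helper_removed)))
    return findings

# Constructed sample view, not taken from any real project.
SAMPLE_VIEW = '''<form method="post">
</form>
<form method="post" asp-antiforgery="false">
</form>
<!form method="post">
</!form>
<form method="post" action="/legacy/save">
</form>
'''

if __name__ == "__main__":
    for line, label in audit_view(SAMPLE_VIEW):
        print(f"line {line}: {label}")
```

Labels starting with opt-out or no-token mark POST forms that will not carry an automatically injected token and should be reviewed.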

NTaylorMullen commented 7 years ago

Issue to discuss: https://github.com/aspnet/Mvc/issues/6204