search

fxmontigny / quill-image-upload

A module for Quill rich text editor to upload images to be selected from toolbar editor.
107 stars 43 forks source link

imageUpload to Codeigniter POST with CSRF #8

Closed kevin-netsrik closed 5 years ago

kevin-netsrik commented 5 years ago

I am trying to use this for image upload, but found that it cannot pass through CI CSRF even with token added in header.

after check the source code and CI CSRF documentation, I found that CI do not use header for CSRF verification. It use form data instead.

so I modified the sendToServer function in order to accept extra data for CI CSRF, and here is the code

sendToServer(file) {
    const url = this.options.url || 'your-url.com',
        method = this.options.method || 'POST',
        headers = this.options.headers || {},
        csrf = this.options.csrf || { token : 'token', hash : '' },  // added this line
        callbackOK = this.options.callbackOK || this.uploadImageCallbackOK.bind(this),
        callbackKO = this.options.callbackKO || this.uploadImageCallbackKO.bind(this),
        fd = new FormData();
    fd.append('image', file);
    fd.append(csrf.token, csrf.hash); // and this line
// ...
var quill = new Quill(editor, {
    // ...
    modules: {
        // ...
        imageUpload: {
            url: "", // server url
            method: "POST", 
            headers: {},

           //added this line, replace YOUR_TOKEN_NAME and YOUR_HASH with your csrf token value
            csrf: { token : YOUR_TOKEN_NAME, hash : YOUR_HASH },

            callbackOK: (serverResponse, next) => {
                next(serverResponse);   
            },
            callbackKO: (serverError) => {
                alert(serverError);
            }
        }
    }
});

and for CI csrf token name & hash, you may create JS variables from CI security class

var YOUR_TOKEN_NAME = '<?php echo $this->security->get_csrf_token_name(); ?>',
YOUR_HASH = '<?php echo $this->security->get_csrf_hash(); ?>';
kevin-netsrik commented 5 years ago

Please note it is not working if you just change the src/image-upload.js.

have to build minified version from bin/release.sh.

fxmontigny commented 5 years ago

Hi,

CSRF it a discovery for me.

I'm perfectly understand your idea. Let's me propose you other solution.

fxmontigny commented 5 years ago

Your proposal are now integrate into the version 0.1.3.

:D