[TASK] Fix wrong reference to a non-existing __hmac f:form field

garvinhicking · garvinhicking · commit 83d135a1698e · 2025-03-20T12:02:14.000+01:00
Closes #113 Releases: main, 13.4, 12.4
diff --git a/Documentation/Global/Form/Index.rst b/Documentation/Global/Form/Index.rst
@@ -70,13 +70,47 @@ of seeing an empty form.
 Security in Fluid forms
 =======================
 
-Fluid automatically adds a hidden field to forms, including an `__hmac`
-value. This value lists all allowed fields. If fields are added or
-removed via attacks, Extbase detects the mismatch and blocks submission.
-
-Form fields can be grouped in an array for efficient processing. The
-receiving action maps the data to a model, where validation occurs if
-rules are defined. Only valid data is passed to the action and stored in
+Fluid automatically adds several hidden field to forms:
+
+*  `__referrer[]` with an array of items `@extension`, `@controller`,
+   `@action`, `arguments` and `@request`. This holds information about
+   where the form has been created, so that in case of errors,
+   redirection to the originating Extbase controller and action
+   (and extension) is possible.
+*  `__trustedProperties` (string) holds information about all used properties
+   of all Extbase domain models that have been utilized within the
+   related `<f:form>` context. This is used to ensure only properties
+   will be evaluated for persistence that have an editable form field
+   associated with them.
+
+To prevent tampering with this vital data, the important fields
+(`__referrer[arguments]`, `__referrer[@request]`, `__trustedProperties`)
+are signed with the private TYPO3 encryption key using an HMAC
+hash.
+
+An example would look like this:
+
+..  code-block:: html
+    :caption: Example HTML rendered after Fluid processing
+
+    <form action="/admin/update?token=328190ab378fe49af07d8b6b4ec31f87bd910efc" method="post">
+      <div>
+        <input type="hidden" name="__referrer[@extension]" value="Beuser">
+        <input type="hidden" name="__referrer[@controller]" value="BackendUser">
+        <input type="hidden" name="__referrer[@action]" value="list">
+        <input type="hidden" name="__referrer[arguments]" value="YTozOntzOjEwOiJjb250cm9sbGVyIjtzOjExOiJCYWNrZW5kVXNlciI7czo2OiJhY3Rpb24iO3M6NToiaW5kZXgiO3M6NToidG9rZW4iO3M6NDA6IjgxNWZhOGI0OGYyZDg0N2NkMzcwYWIzYTkyMjhlNDY2OWI4OTI0MmUiO30=b305f0773528375502f167cde7c6c63f6ba988f9">
+        <input type="hidden" name="__referrer[@request]" value="{&quot;@extension&quot;:&quot;Beuser&quot;,&quot;@controller&quot;:&quot;BackendUser&quot;,&quot;@action&quot;:&quot;list&quot;}51b024523b594011fa9054f7fc82c03ead78061b">
+        <input type="hidden" name="__trustedProperties" value="{&quot;demand&quot;:{&quot;userName&quot;:1,&quot;userType&quot;:1,&quot;status&quot;:1,&quot;logins&quot;:1,&quot;backendUserGroup&quot;:1},&quot;operation&quot;:1}c25fc9eb44fc0e40e8ec5cf39fc5d21022172ebf">
+      </div>
+    </form>
+
+If form fields are added or removed via attacks, Extbase detects the
+mismatch and blocks further processing.
+
+Form fields can be grouped in an array for efficient processing. An
+internal Extbase processing action maps the received data to a model,
+where (optional and configurable) validation occurs.
+Only valid data is passed on to the action and stored in
 the database.
 
 ..  _typo3-fluid-form-arguments:
