
Commit 2af68c9

Add a warning regarding CSRF attacks when using form-data (#396)
* Update form-data.md * Update form-data.md * Update form-data.md * Update form-data.md
1 parent 2efdb6f commit 2af68c9

1 file changed

+2
-0
lines changed

core/form-data.md

Lines changed: 2 additions & 0 deletions
@@ -3,6 +3,8 @@
33
API Platform only supports raw documents as request input (encoded in JSON, XML, YAML...). This has many advantages including support of types and the ability to send back to the API documents originally retrieved through a `GET` request.
44
But sometimes - for instance, to support legacy clients - it is necessary to accept inputs encoded in the traditional [`application/x-www-form-urlencoded`](https://www.w3.org/TR/html401/interact/forms.html#h-17.13.4.1) format (HTML form content type). This can easily be done using [the powerful event system](events.md) of the framework.
55

6+
**⚠ Adding support for `application/x-www-form-urlencoded` makes your API vulnerable to [CSRF attacks](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)). Be sure to enable proper countermeasures [such as DunglasAngularCsrfBundle](https://github.com/dunglas/DunglasAngularCsrfBundle).**
7+
68
In this tutorial, we will decorate the default `DeserializeListener` class to handle form data if applicable, and delegate to the built-in listener for other cases.
79

810
## Create your `DeserializeListener` Decorator
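Review bot: the added warning (the `+` line after context line 5) names an Angular-specific bundle as the countermeasure, but the paragraph just above motivates form support with "legacy clients", which are exactly the clients an Angular XSRF cookie/header scheme does not serve; suggest stating the requirement generically (every state-changing endpoint that accepts `application/x-www-form-urlencoded` must validate a server-issued CSRF token, or must not be reachable with cookie-based authentication at all) and listing the bundle only as one possible implementation. Worth one more clause on why this content type matters: a cross-origin HTML form can POST `application/x-www-form-urlencoded` without a CORS preflight, whereas a JSON body triggers one, so adding this decoder removes a protection the JSON-only API had implicitly. It would also help readers to say that the risk applies when the API relies on ambient credentials (session cookies, HTTP basic auth); a purely token-in-header API is not exposed by this change.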
