Possible token leak in Dashboard?

I have a question about v3. I decided to change the account widget in the dashboard to this. When I click on the YouTube button, even though it should technically do nothing, I guess the user token appears in the URL bar? Not sure if this is a bug or not.
11 Replies
dododedodonl (2y ago)
The default method of a form is get.
awcodes (2y ago)
Don't use the user widget. It submits a form to log out the user. You should create a custom widget.
dododedodonl (2y ago)
So the token provided by @csrf puts it in the URL if you press the button.
awcodes (2y ago)
If it's just a link to YouTube, you don't need a form at all.
Dan Harrin (2y ago)
Also, it's not even a leak lol, the token is accessible in the HTML.
Matthew (OP, 2y ago)
That's why I said "possible". I wasn't sure if it was supposed to be there, but thank you.
Dan Harrin (2y ago)
It's supposed to be in the POST request.
Matthew (OP, 2y ago)
Is there documentation on <x-filament::button>? Because it isn't redirecting me to YouTube.
<x-filament::button
color="gray"
icon="heroicon-m-arrow-left-on-rectangle"
icon-alias="panels::widgets.account.logout-button"
labeled-from="sm"
tag="button"
type="submit"
href="https://www.youtube.com/"
{{-- class="my-auto -me-2.5 sm:me-0" --}}
>
{{-- {{ __('filament::widgets/account-widget.actions.logout.label') }} --}}
Youtube
</x-filament::button>
awcodes (2y ago)
Change tag = a. HTML buttons don't support href. It's also not a type=submit unless it's in a form.
Matthew (OP, 2y ago)
This works. Thank you. Didn't see that one. Thanks.