F
Filament17mo ago
Matthew

Possible token leak in Dashboard?

I have a question about v3. I dicided to change the account widget in the dashboard to this. When I click on the Youtube button, even though it should technically do nothing, I guess the user token appears in the url bar? Not sure if this is a bug or not

message.txt

11 Replies
dododedodonl
dododedodonl17mo ago
The default method of a form is get.
awcodes
awcodes17mo ago
Don’t use the user widget. It submits a form to log out the user. You should create a custom widget
dododedodonl
dododedodonl17mo ago
So the token provided by @csrf puts it in the url if you press the button
awcodes
awcodes17mo ago
If it’s just a link to YouTube. You don’t need a form at all.
Dan Harrin
Dan Harrin17mo ago
also, its not even a leak lol the token is accessible in the html
Matthew
MatthewOP17mo ago
Thats why I said "possible". I wasnt sure if it was supposed to be there but thank you
Dan Harrin
Dan Harrin17mo ago
its suppost to be in the post request
Matthew
MatthewOP17mo ago
is threre documentation on <x-filament::button? Because it isnt redirecting me to youtube. 
                <x-filament::button
                    color="gray"
                    icon="heroicon-m-arrow-left-on-rectangle"
                    icon-alias="panels::widgets.account.logout-button"
                    labeled-from="sm"
                    tag="button"
                    type="submit"
                    href="https://www.youtube.com/"
                    {{-- class="my-auto -me-2.5 sm:me-0" --}}
                >
                    {{-- {{ __('filament::widgets/account-widget.actions.logout.label') }} --}}
                    Youtube
                </x-filament::button>
                <x-filament::button
                    color="gray"
                    icon="heroicon-m-arrow-left-on-rectangle"
                    icon-alias="panels::widgets.account.logout-button"
                    labeled-from="sm"
                    tag="button"
                    type="submit"
                    href="https://www.youtube.com/"
                    {{-- class="my-auto -me-2.5 sm:me-0" --}}
                >
                    {{-- {{ __('filament::widgets/account-widget.actions.logout.label') }} --}}
                    Youtube
                </x-filament::button>
awcodes
awcodes17mo ago
change tag = a html buttons don't support href it's also not a type=submit unless it's in a form
LeandroFerreira
LeandroFerreira17mo ago
Matthew
MatthewOP17mo ago
This works. Thank you Didnt see that one. Thanks
Want results from more Discord servers?
Add your server