From 7fa270bc10b622a41cd4931fd81eb6c43f3e0db4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20Gro=C3=9Fe?= <grosse@cosmocode.de>
Date: Tue, 27 Mar 2018 20:27:43 +0200
Subject: [PATCH] feat(Form): add parameter to omit security token in forms

This is useful for anonymously usable forms, such as the search form.
---
 inc/Form/Form.php | 7 +++++--
 inc/Ui/Search.php | 2 +-
 inc/template.php  | 2 +-
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/inc/Form/Form.php b/inc/Form/Form.php
index 91e85d72a..92bbd30f4 100644
--- a/inc/Form/Form.php
+++ b/inc/Form/Form.php
@@ -24,8 +24,9 @@ class Form extends Element {
      * Creates a new, empty form with some default attributes
      *
      * @param array $attributes
+     * @param bool  $unsafe     if true, then the security token is ommited
      */
-    public function __construct($attributes = array()) {
+    public function __construct($attributes = array(), $unsafe = false) {
         global $ID;
 
         parent::__construct('form', $attributes);
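Review bot: The new `@param` line for `$unsafe` misspells "omitted" and does not say what a caller gives up by setting it. The token written as `sectok` is the form's anti-CSRF token, so the docblock should name that and state when opting out is acceptable, for example `@param bool $unsafe if true, the anti-CSRF security token (sectok) is omitted; use only for forms whose submission changes no state, such as GET search forms`. A flag that removes a protection is also easier to audit under a more specific name such as `$omitSecurityToken`. The constructor body continues outside this hunk.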
@@ -49,7 +50,9 @@ class Form extends Element {
         }
 
         // add the security token by default
-        $this->setHiddenField('sectok', getSecurityToken());
+        if (!$unsafe) {
+            $this->setHiddenField('sectok', getSecurityToken());
+        }
 
         // identify this as a new form based form in HTML
         $this->addClass('doku_form');
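Review bot: The new `if (!$unsafe)` branch does not limit the opt-out to read-only forms, so a state-changing form built with `$unsafe = true` is rendered without `sectok` and nothing here flags it. If the method attribute is already set at this point (the lines between the two hunks are not visible), the opt-out could be honoured only for GET forms: `if (!$unsafe || strtolower((string) $this->attr('method')) !== 'get') {`. The comment above it would then read better as `// add the security token unless the caller opted out for a GET form`.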
diff --git a/inc/Ui/Search.php b/inc/Ui/Search.php
index cbbd9755b..0db71d0a6 100644
--- a/inc/Ui/Search.php
+++ b/inc/Ui/Search.php
@@ -65,7 +65,7 @@ class Search extends Ui
     {
         global $lang, $ID, $INPUT;
 
-        $searchForm = (new Form())->attrs(['method' => 'get'])->addClass('search-results-form');
+        $searchForm = (new Form(['method' => 'get'], true))->addClass('search-results-form');
         $searchForm->setHiddenField('do', 'search');
         $searchForm->setHiddenField('id', $ID);
         $searchForm->setHiddenField('sf', '1');
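Review bot: The bare `true` passed to `new Form(...)` here, and again in the `tpl_searchform` hunk of inc/template.php, gives no hint at the call site that it turns off the security token. A short why-comment at both places would let a reviewer spot token-less forms, for example `// GET search form: no sectok, so the token is not exposed in result URLs, history or Referer headers`. Note also that the attributes are now passed to the constructor instead of through `->attrs()`; this looks equivalent, but the constructor code that applies defaults is outside the visible hunks, so it is worth confirming that `method` still ends up as `get`.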
diff --git a/inc/template.php b/inc/template.php
index 0d46f272a..1d0f91991 100644
--- a/inc/template.php
+++ b/inc/template.php
@@ -667,7 +667,7 @@ function tpl_searchform($ajax = true, $autocomplete = true) {
         'role' => 'search',
         'class' => 'search',
         'id' => 'dw__search',
-    ]);
+    ], true);
     $searchForm->addTagOpen('div')->addClass('no');
     $searchForm->setHiddenField('do', 'search');
     $searchForm->setHiddenField('id', $ID);
-- 
GitLab