Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
In PlUploadFile::preRenderPlUploadFile(), the plupload url token is generated using the path "plupload-handle-uploads". This assumes the route has no been altered to another path.
D8 core already calculates the token when "_csrf" is set on the route.
See https://www.drupal.org/docs/8/api/routing-system/access-checking-on-rout...
Comment | File | Size | Author |
---|---|---|---|
#2 | plupload-let-drupal-create-token-2832225-2.patch | 652 bytes | recrit |
Comments
Comment #2
recrit CreditAttribution: recrit commentedThe patch attached removes the custom query parameter for the token to allow Drupal to auto generate it.
Comment #3
recrit CreditAttribution: recrit commentedComment #4
budalokko CreditAttribution: budalokko commentedActually the patch didn't work for me in a Drupal 8.2 clean install.
Instead of the CSRF token, a placehold is added that will be replaced at render time. But we don't render that URL on an HTML page just add it to Javascript settings array so it will never be replaced.
Its the same problem as stated in #2793109: [PP-1] _csrf_token in route breaks custom #ajax url so I think its better we generate the CSRF token on our own until core finds a solution for this situation.
Comment #5
budalokko CreditAttribution: budalokko commentedComment #6
budalokko CreditAttribution: budalokko commented