URL parameters with some weird patterns

Hey guys, I wrote a GET request to search contents in a table. That works perfectly! The thing is, there are other parameters in my search term, like this:
http://127.0.0.1:3333/search?_csrf=jaE7dRDd-XWznYESqqdUahcVHoddgAKaeTmM&searchterm=Javascript

I’m curious to know what is happening here, or am I doing anything wrong?


From a security perspective, it is not a problem to pass the CSRF token through a URI.
From the UX perspective, it is not a cute thing to see/do, especially for searching.


Yeah, I totally agree with that, but I don’t know why it is happening.

You do not know why it is happening? I thought you explicitly designed it this way… I never stumbled on this situation, so I cannot guess what caused it for you, sorry…

So here is my code.
Edge:

<form action="{{ route('search') }}" method="GET">
  {{-- csrfField() renders a hidden "_csrf" input; with method="GET" the
       browser serialises it into the query string next to searchterm --}}
  {{ csrfField() }}
  <input name="searchterm" type="search" placeholder="Search">
  <button class="btn btn-outline-success my-2 my-sm-0" type="submit">Search</button>
</form>

Controller:

// Model import assumed: the post shows only the method
const Story = use("App/Models/Story");

class StoryController { // class name assumed, not shown in the post
  async search({ request, view }) {
    const req = request.all(); // query-string params, here _csrf and searchterm
    // Substring match on title or content; the query builder binds the value
    const story = await Story.query()
      .where("title", "like", "%" + req.searchterm + "%")
      .orWhere("content", "like", "%" + req.searchterm + "%")
      .fetch();
    return view.render("search", { story: story.toJSON() });
  }
}

module.exports = StoryController;

It’s a GET request; it returns results as I wanted, but it adds these weird parameters to the URL:
/search?_csrf=81awXVpb-aqNVtGPx6Kqjt4Jwt7jIYrMXMco&searchterm=javascript

If the search does not need authentication, I think one way to overcome this issue is to simply ignore the CSRF aspect for the corresponding route:

As mentioned in the documentation, you can ignore that URL/route through the configuration of filterUris:

csrf: {
  enable: true,
  methods: ['POST'],
  filterUris: ['search'], /* Add your search route to this array */
  cookieOptions: {}
}

That worked! Never knew it before. Big thanks, bro.

Glad to hear this option worked for you 🙂
