expression engine 2.7 upgraded now can’t submit any forms
Posted: 03 September 2013 04:58 PM
Joined: 2013-02-07
7 posts

Hi all,

I just upgraded to EE 2.7 and now when I submit a form I get this error:

The following errors were encountered

The action you have requested is invalid.

there is a file attached to this post with a print screen of it

any help would be much appreciated

caps1994
Summer Student


Image Attachments
ee_error.png
 
Posted: 03 September 2013 06:00 PM   [ # 1 ]   [ Rating: 0 ]
Joined: 2010-02-12
43 posts

I too am having this same issue after upgrading to 2.7 today. Accessing the page directly from URL works fine, but posting to it (or any other template/page) via a form produces: “The action you have requested is invalid.”

 
Posted: 03 September 2013 06:19 PM   [ # 2 ]   [ Rating: 0 ]
Joined: 2013-02-07
7 posts

I don’t know what your form does but you could try this

If you use the new channel form http://ellislab.com/expressionengine/user-guide/modules/channel/channel_form/index.html

this works in my experience but I was unable to get PHP to work with it

hope this helps

 
Posted: 03 September 2013 06:42 PM   [ # 3 ]   [ Rating: -1 ]
Joined: 2010-02-12
43 posts

My form is just a regular POST-type form that submits a value to a search template with PHP enabled that handles the POST value. I tried enabling/disabling PHP and re-creating the template new but the error persists. I even cleared out the template contents completely, and it still gives the same error when submitting a form to it, but no error when accessing it via URL.

 
Posted: 03 September 2013 06:44 PM   [ # 4 ]   [ Rating: 0 ]
Joined: 2013-02-07
7 posts

I’ve submitted a bug report so with any luck they may get back to me

 
Posted: 04 September 2013 02:09 PM   [ # 5 ]   [ Rating: 2 ]
Joined: 2013-02-07
7 posts

Thanks to Robin from EllisLab

I suspect the problem is related to changes in XID requirements, which are stricter in 2.7.  Any post data is going to require a valid xid.  It IS easy to make custom forms compliant- use the XID_HASH global in a hidden field:

<input type="hidden" name="XID" value="{XID_HASH}" /> 

Try adding that to any custom forms- does that take care of the issue?

that’s fixed it for me

 
Posted: 04 September 2013 02:30 PM   [ # 6 ]   [ Rating: 0 ]
Joined: 2010-02-12
43 posts

Great! That did it!

Thanks for taking the time to research the issue caps1994, and thanks to Robin too. Hopefully this helps others with the same problem.

 
Posted: 25 October 2013 08:59 AM   [ # 7 ]   [ Rating: 0 ]
Joined: 2011-07-18
196 posts

Problem I have is I have an iFrame pop up (page on same site) with a form in it. Setting the XID in this form has no effect on the parent page, so when the form is closed, refreshing the original page causes an internal server error, I suspect due to the XID issue.

I have no idea how to overcome this when using an iFrame. I need the iFrame because it's a google map we do not want visible on the first page load, and google maps only work if visible on the page, so putting in an iframe fixed this issue, and now 2.7.2 breaks it.

 Signature 

Using EE2 | Amity Web Solutions

 
Posted: 27 October 2013 07:18 AM   [ # 8 ]   [ Rating: 0 ]
Joined: 2011-08-09
81 posts

You could also try disabling Secure Forms by adding this to the config.php file

$config['secure_forms'] = "n";

Another option is to change the form method to GET so it submits the form via the querystring or get a new version of the XID via AJAX before submitting. There is a good example here: http://expressionengine.stackexchange.com/questions/12673/secure-forms-setting-and-ajaxified-forms

 Signature 

Running an ecommerce site on ExpressionEngine? Give your users the power to find what they’re looking for with the ExpressionEngine Reefine module. Developed by Ralph, Reefine allows users to easily filter, search and refine your entries, in the familiar way of many major ecommerce websites.

 
Posted: 27 October 2013 09:50 AM   [ # 9 ]   [ Rating: 0 ]
Joined: 2011-07-18
196 posts

Thanks

The form within the iframe is using GET already, but still gives me the issue. I don't really want to disable the security. And I am not sure how to return this via AJAX, we are using a Google Maps plugin and I think I may need to modify that, but don't want to as we update it occasionally.

I have decided we can no longer use the iframe, we will link to an actual template page with the google map in it, so it's on the same site and using the same XID. A big shame, EE loses flexibility in this situation.

 Signature 

Using EE2 | Amity Web Solutions

 
Posted: 16 November 2013 01:37 AM   [ # 10 ]   [ Rating: 0 ]
Joined: 2012-06-03
108 posts

After the upgrade I also had this problem in most of my forms. The solution caps1994 posted works except that I have a problem on one form that uses recaptcha.

If the user fills the incorrect captcha code and clicks back in his browser, he will not see that error because I assume the id is not reloaded. I don't want to disable the security either, in particular because the solution posted here works, but it breaks the captcha page in this case since if a user clicks back and fills the correct code he will hit the error and cannot proceed.

What would be the solution to this case where a user actually needs to go back to the previous form?

 
Posted: 23 November 2013 01:02 AM   [ # 11 ]   [ Rating: 0 ]
Joined: 2007-11-02
28 posts

Also if this is related.
This error is now thrown if you have EE as a tab on your Facebook Page as Facebook posts to the page and now that action is also “Invalid” with 2.7. Tested this with page outside of EE at the root of the site and it works fine. Back to EE page. Invalid.

 
Posted: 23 November 2013 12:12 PM   [ # 12 ]   [ Rating: 0 ]
Joined: 2012-06-03
108 posts
VirgilAtBeingVirgilDotCom - 23 November 2013 01:02 AM

Also if this is related.
This error is now thrown if you have EE as a tab on your Facebook Page as Facebook posts to the page and now that action is also “Invalid” with 2.7. Tested this with page outside of EE at the root of the site and it works fine. Back to EE page. Invalid.

As far as I understand this feature is to protect users from submitting a form and data without actually visiting the original page, this is to avoid spam and other type of automated submissions or even attacks on your websites by executing the form externally.

This protection forces the user to reload the page or make sure it's an actual visitor that comes from the original source.

Is there a way to force a page reload when a back click is detected? That could solve the captcha issue for example.

 
Posted: 24 November 2013 03:35 AM   [ # 13 ]   [ Rating: 0 ]
Joined: 2007-11-02
28 posts

Actually I solved the Facebook issue by serving up the Facebook part of the site through an iframe page outside of Expression Engine. I could have turned off secure forms though I did not want to do that. Upgrading Freeform fixed another error I was having with this on my contact form.

This is the iframe solution here. https://www.facebook.com/YourOnlineStory/app_342150792531981 works fine with some css to make the iframe scroll and be 100% as deep as the page.

Sometimes though in a client job you want to be able to submit a form from a third party site to your EE site. Would be good to have a way of disabling this for specific pages/forms to enable that functionality without having to switch this off overall.

 
Posted: 03 December 2013 12:59 PM   [ # 14 ]   [ Rating: 0 ]
Joined: 2007-11-07
21 posts

Yes we added the code

<input type="hidden" name="XID" value="{XID_HASH}" /> 

into our page header as this was affecting our insite search plugin (super search).

Now sorted so thanks

 
Posted: 03 December 2013 05:38 PM   [ # 15 ]   [ Rating: 0 ]
Joined: 2012-06-03
108 posts

Yes, this works, but not perfectly. Even EE's own modules and features have some problems with it. For example in the Wiki module when someone searches and is hit with this error and clicks back, he cannot search anymore, because the page is not reloaded.

Like I said, this does not work in any scenario where the user hits the back button. What is buggy about this is that EE actually recommends to do so (go back in errors). When EE shows an error caused from this protection it tells the user to go back with a link in JavaScript that is basically history back.

So the user clicks that and goes back to the page, but the form will not work anymore, because the user has to actually reload the whole page in order to get a new XID (which he does not know).

This means he will try to input a new search or a new captcha code, or anything that requires again a re-try submission and he will hit the error over and over again.

The solution is for EE, in the back link, to not only send the user back but also reload the page automatically or generate a new XID some way.

Let's be clear, most users actually do hit the back button when something goes wrong in a form, so this is a stopper for them. It will work fine only in the first submission and if there are no errors. For some things like search or captcha, etc, this does not work.

Let me put a simple example. Someone enters 2 letters in a search field in EE, using EE search feature, the minimum is 3, so EE will show the error that it requires at least 3 letters and with an option to go back. The user will click that link or go back with this browser and then he cannot search anything anymore unless he reloads the page which nobody does. So the search then stops working.
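
The behaviour discussed in this thread (a form token that is accepted once, so a page restored by the Back button resubmits a spent XID) and the "get a new XID via AJAX before submitting" workaround from reply # 8, as an added example that is not part of the original thread and not ExpressionEngine's code. It is a simplified JavaScript model; `XidStore`, `handlePost`, `submitWithFreshXid` and the expiry window are assumptions made for illustration.

```javascript
// Added illustration: a simplified model of single-use form tokens, matching
// the XID behaviour described in this thread. All names are hypothetical and
// this is not ExpressionEngine's code. The expiry window is an assumption.
const { randomBytes } = require('crypto');

class XidStore {
  constructor(ttlMs = 2 * 60 * 60 * 1000) {
    this.ttlMs = ttlMs;
    this.issued = new Map(); // token -> expiry timestamp (ms)
  }
  // Runs whenever a page with a form is rendered (the {XID_HASH} value).
  issue(now = Date.now()) {
    const token = randomBytes(20).toString('hex');
    this.issued.set(token, now + this.ttlMs);
    return token;
  }
  // Runs on every POST. A token is honoured once, then deleted.
  consume(token, now = Date.now()) {
    const expires = this.issued.get(token);
    if (expires === undefined) return false; // missing, unknown or already used
    this.issued.delete(token);
    return expires > now;
  }
}

// POST handler: check the token before looking at any other field.
function handlePost(store, body, now = Date.now()) {
  if (typeof body.XID !== 'string' || !store.consume(body.XID, now)) {
    return { ok: false, error: 'The action you have requested is invalid.' };
  }
  return { ok: true, keywords: body.keywords };
}

// The workaround: fetch a fresh token immediately before submitting instead
// of reusing the one baked into a page restored by the Back button.
// store.issue() stands in for the AJAX round trip to the server.
function submitWithFreshXid(store, fields) {
  return handlePost(store, { ...fields, XID: store.issue() });
}

// Constructed walk-through of the scenarios reported in the thread.
function demo() {
  const store = new XidStore();
  const pageXid = store.issue(); // page rendered once
  return {
    first: handlePost(store, { XID: pageXid, keywords: 'ab' }),      // accepted, token spent
    afterBack: handlePost(store, { XID: pageXid, keywords: 'abc' }), // stale page, same token
    noToken: handlePost(store, { keywords: 'abc' }),                 // form without the field
    refreshed: submitWithFreshXid(store, { keywords: 'abc' }),       // new token, accepted
    expired: handlePost(store, { XID: store.issue(0), keywords: 'abc' }), // issued at t=0
  };
}
```

The `afterBack` case is the back-button failure: the first request spent the token even though the user only wanted to correct the input, so every retry from the cached page is rejected until a new token is issued.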

 