Thread

Hi all,

i just upgraded to ee 2.7 and now when I submit a form I get this error:

The following errors were encountered

The action you have requested is invalid.

there is a file attached to this post with a print screen of it

any help would be much appreciated

I too am having this same issue after upgrading to 2.7 today. Accessing the page directly from URL works fine, but posting to it (or any other template/page) via a form produces: “The action you have requested is invalid.”

I don’t know what your form does but you could try this

If you use the new channel form http://ellislab.com/expressionengine/user-guide/modules/channel/channel_form/index.html

this works in my experience but i was enable to get php to work with it

hope this helps

My form is just a regular POST-type form that submits a value to a search template with PHP enabled that handles the POST value. I tried enabling/disabling PHP and re-creating the template new but the error persists. I even cleared out the template contents completely, and it still gives the same error when submitting a form to it, but no error when accessing it via URL.

I’ve submited a bug report so with any luck they my get back to me

Thanks to Robin from ellislabs

I suspect the problem is related to changed in XID requirements, which are stricter in 2.7.  Any post data is going to require a valid xid.  It IS easy to make custom forms compliant- use the XID_HASH global in a hidden field:

<input type="hidden" name="XID" value="{XID_HASH}" />

Try adding that to any custom forms- does that take care of the issue?

that’s fixed it for me

Great! That did it!

Thanks for taking the time to research the issue caps1994, and thanks to Robin too. Hopefully this helps others with the same problem.

Problem I have is I have an iFrame pop up (page on same site) with a form in it. Setting the XID in this form has no effect on the parent page, so when the form is closed, refreshing the original page causes a internal server error, I suspect due to the XID issue.

I have no idea how to overcome this when using an iFrame. I need the iFrame because its a google map we do not want visible on the first page load, and google maps only work if visible on the page, so putting in an iframe fixed this issue, and now 2.7.2 breaks it.

You could also try diabling Secure Forms by adding this to the config.php file

$config['secure_forms'] = "n";

Another option is to change the form method to GET so it submits the form via the querystring or get a new version of the XID via AJAX before submitting. There is a good example here: http://expressionengine.stackexchange.com/questions/12673/secure-forms-setting-and-ajaxified-forms

Thanks

The form within the iframe is using GET already, but still gives me the issue. I dont really want to disable the security. And I am not sure how to return this via AJAX, we are using a Google Maps plugin and I think I may need to modify that, but dont want to as we update it occasionally.

I have decided we can no longer use the iframe, we will link to an actual template page with the google map in it, so its on the same site and using the same XID. A big shame, EE loses flexibility in this situation.

After the upgrade I also had this problem in most of my forms. The solution caps1994 posted works except that I have a problem on one form that use recaptcha.

If the user fills the incorrect captcha code and clicks back in his browser, he will not see that error because I assume the id is not reloaded. I don´t want to disable the security either, in particular because the solution posted here works, but it breaks the captcha page in this case since if a user clicks back and fills the correct code he will hit the error and cannot proceed.

What would be the solution to this case where a user actually needs to go back to the previous form?

Also if this is related.
This error is now thrown if you have EE as a tab on your Facebook Page as Facebook posts to the page and now that action is also “Invalid” with 2.7. Tested this with page outside of EE at the root of the site and it works fine. Back to EE page. Invalid.

Also if this is related.
This error is now thrown if you have EE as a tab on your Facebook Page as Facebook posts to the page and now that action is also “Invalid” with 2.7. Tested this with page outside of EE at the root of the site and it works fine. Back to EE page. Invalid.

As far a I understand this feature is to protect users from submitting a form and data without actually visiting the original page, this is to avoid spam and other type of automated submissions or even attacks on your websites by executing the form externally.

This protections forces the user to reload the page or make sure its an actual visitor that comes from the original source.

Is there a way a to force a page reload when a back click is detected? That could solve the captch issue for example.

Actually I solved the Facebook issue by serving up the Facebook part of the site through an iframe page outside of Expression Engine. I could have turned off secure forms though I did not want to do that. Upgrading Freeform fixed another error I was having with this on my contact form.

This is the iframe solution here. https://www.facebook.com/YourOnlineStory/app_342150792531981 works fine with some css to make the iframe scroll and be 100% as deep as the page.

Sometimes though in a client job you want to be able to submit a form from a third party site to your EE site. Would be good to have a way of disabling this for specific pages/forms to enable that functionality without having to switch this off overall.

Yes we added the code

<input type="hidden" name="XID" value="{XID_HASH}" />

into our page header as this was affecting our insite search plugin (super search).

Now sorted so thanks