0

我正在使用带有 csurf 和强大功能的 expressjs 4,有时当我使用多部分表单上传时:

错误:在 Layer.handle (/Users/mecha/projects/sherka/maktabi/node_modules/csurf /index.js:59:24) 在 trim_prefix (/Users/mecha/projects/sherka/maktabi/node_modules/express/lib/router/index.js:240:15) 在 /Users/mecha/projects/sherka/maktabi /node_modules/express/lib/router/index.js:208:9 在 Function.proto.process_params (/Users/mecha/projects/sherka/maktabi/node_modules/express/lib/router/index.js:269:12)在下一个 (/Users/mecha/projects/sherka/maktabi/node_modules/express/lib/router/index.js:199:19) 在 /Users/mecha/projects/sherka/maktabi/node_modules/express-session/index. js:226:9 在 Object._onImmediate (/Users/mecha/projects/sherka/maktabi/node_modules/express-session/session/memory.js:58:9) 在 processImmediate [as _immediateCallback] (timers.js:330:15)

但有时它可以正常工作而没有任何错误,知道我做错了什么吗?

这是我的代码

app.use(function(req, res, next){
    res.locals.session = req.session;
    res.locals.messages = req.flash('success');
    res.locals.errors = req.flash('error');
    res.locals.csrftoken = req.csrfToken();
    next();
});

这是一个html表单

<form id="new_desk_form" class="form" method="post" action="/space/{{ space.id}}/add/desk?_csrf={{ csrftoken }}" enctype="multipart/form-data">

这是路线处理程序

app.post('/space/:id/add/desk', helpers.ensureAuth, function(req, res){
    var id = req.params.id;
    var form = new formidable.IncomingForm();
    form.uploadDir = __dirname+'/../public/uploads/spaces/'+id;
    form.keepExtensions = true;
    form.encoding = 'utf-8';
    form.parse(req, function(err, fields, files){
        if(err){
            console.log(err);
            res.render('505.html')
        }
        var name = files.photo1.path.split('/');
        name = name[name.length-1];
        var pathToStore = "/uploads/spaces/"+id+'/'+name;
        var workspace = {};
        workspace.title = req.body.title;
        workspace.type = 'desk';
        workspace.photos = [];
        workspace.photos.push(pathToStore);
        workspace.currency = req.body.currency;
        workspace.quantity = req.body.quantity;
        workspace.prices = {};
        if(req.body.hourly){
            workspace.prices.hourly = req.body.hourly;
        }
        if(req.body.daily){
            workspace.prices.daily = req.body.daily;
        }
        if(req.body.monthly){
            workspace.prices.monthly = req.body.monthly;
        }
        Space.findOne({_id: id}, {}, function(err, space){
            if(err){
                console.log(err);
                    res.render('505.html');
            }
            space.workspaces.push(workspace);
            space.save(function(){
                res.redirect('/edit/'+req.id);
            })
        });
    });
});
4

1 回答 1

4

您遇到的问题是编码问题。当 CSRF 令牌验证失败时,很可能是由于 CSRF 令牌具有正斜杠/或其他需要在 URL 查询字符串中正确编码的字符。这种编码不同于把手对带有两个花括号的变量进行的转义。

我建议改用隐藏输入,然后在提交表单时浏览器应该对其进行正确编码:

<input type="hidden" name="_csrf" value="{{ csrftoken }}">

或者,您还可以确保在包含在表单的属性中之前csrftoken通过encodeURIComponent()运行。action您可能希望使用车把助手来执行此操作,我相信您需要第三方助手来执行此操作,这是一种选择:车把助手

于 2014-06-10T22:35:50.330 回答