Alexander Tsitsura

Unable to complete Trailhead challenge: "Prevent Cross-Site Request Forgery (CSRF)"

Hi all

I am unable to complete this challenge because whenever I click the check button, I receive the error message.
"Challenge Not yet complete... here's what's wrong: 
It doesn't appear that you've added protection against CSRF. Make sure you re-write 
the outputlink to a commandlink that is not vulnerable to CSRF, that the action is no longer in the on-load method and the correct method is referenced by the command link"

I don't understand what is wrong. I removed the action handler from the apex:page tag and below the comment "<!-- complete challenge here -->" added a command link.
 
<apex:page controller="CSRF_Challenge" sidebar="false" tabStyle="CSRF_Challenge__tab" > <!-- action="{!approveReq}" -->
<apex:sectionHeader title="CSRF Challenge" />
<apex:form >
    <apex:pageBlock >
        <apex:pageMessages />      
        <apex:pageBlockSection title="Demo" columns="1" id="tableBlock">

            <apex:pageBlockTable value="{!Requisitions }" var="req">
                
                <!-- skipped -->    
                                             
                <apex:column headervalue="Approval Action">
                    <apex:outputLink target="_new" value="/apex/CSRF_Challenge?approve={!req.id}">Approve This Requisition</apex:outputLink>
                </apex:column>
                <apex:column headervalue="Approval Action (NO CSRF)">
                    TBD
                    <!-- complete challenge here -->
                    <apex:commandLink value="Approve This Requisition" action="{!approveReqNOCSRF}"> 
                        <apex:param name="reqId" value="{!req.id}" assignTo="{!approve}"/> 
                    </apex:commandLink>
                </apex:column>                                                                                               
            </apex:pageBlockTable>
       
        </apex:pageBlockSection>
        
        <!-- skipped -->
         
</apex:form>              
</apex:page>



Any advice?

Thanks,
Alex
Best Answer chosen by Alexander Tsitsura
Lajos Kelemen from Tampere
I changed the parameter name to approve and it went through

<apex:param name="reqId" value="{!req.id}" assignTo="{!approve}"/>
to
<apex:param name="approve" value="{!req.id}" assignTo="{!approve}"/>

All Answers

Jeff Douglas
Apologies for this issue, Alexander. We have a fix this week for this issue.

Jeff Douglas
Trailhead Developer Advocate
Mangesh Khapre 3
Hi,

I am doing the same, but it is not letting me save. Getting error as
Error: Unknown property 'String.Castle__c'

Object has these fields.
I tried commenting, but no use.

Thanks.
azaam ali 1
Hi,

This worked for me 
<apex:page controller="CSRF_Challenge" sidebar="false" tabStyle="CSRF_Challenge__tab" action="{!approveReq}">
<apex:sectionHeader title="CSRF Challenge" />
<apex:form >
    <apex:pageBlock >
        <apex:pageMessages />      
        <apex:pageBlockSection title="Demo" columns="1" id="tableBlock">

            <apex:pageBlockTable value="{!Requisitions }" var="req">
                <apex:column headervalue="Castle">
                    <apex:outputfield value="{!req.Castle__c}" />
                </apex:column>             
                <apex:column headervalue="Resource">
                    <apex:outputfield value="{!req.Resource__c }" />
                </apex:column> 
                <apex:column headervalue="Quantity">
                    <apex:outputfield value="{!req.Quantity__c}" />
                </apex:column>
                <apex:column headervalue="Name">
                    <apex:outputfield value="{!req.Name}" />
                </apex:column> 
                <apex:column headervalue="Approved">
                    <apex:outputfield value="{!req.Approved__c}" />
                </apex:column>                                                  
                <apex:column headervalue="Approval Action">
                    <apex:outputLink target="_new" value="/apex/CSRF_Challenge?approve={!req.id}">Approve This Requisition</apex:outputLink>
                </apex:column>
                <apex:column headervalue="Approval Action (NO CSRF)">
                    <apex:commandLink value="Approve This Requisition" action="{!approveReqNOCSRF}">
                        <apex:param name="approve" value="{!req.id}" assignTo="{!approve}"/>
                    </apex:commandLink>
                    <!-- complete challenge here -->

                </apex:column>                                                                                               
            </apex:pageBlockTable>
       
        </apex:pageBlockSection>
        <apex:pageBlockSection title="Code links" columns="1">
            <apex:outputPanel >
                <ul>
                    <li><c:codeLink type="Visualforce" namespace="security_thail" name="CSRF_Challenge" description="Visualforce Page"/></li>            
                    <li><c:codeLink type="Apex" namespace="security_thail" name="CSRF_Challenge" description="Apex Controller"/></li>
                </ul>
            </apex:outputPanel>        
        </apex:pageBlockSection>        
    </apex:pageBlock>          
</apex:form>              
</apex:page>
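
An added example, not part of the thread or the Trailhead module: a small Python check for the two patterns the challenge message names, an on-load `action` on `apex:page` (it runs on a plain GET, before any form token is checked) and an `apex:outputLink` that passes a merge field in the query string. The sample pages are constructed from the markup quoted above, and the rule names are hypothetical.

```python
import re

# Constructed sample pages modelled on the markup in this thread
# (not the Trailhead source).
VULNERABLE = '''<apex:page controller="CSRF_Challenge" action="{!approveReq}">
<apex:form>
  <apex:outputLink value="/apex/CSRF_Challenge?approve={!req.id}">Approve</apex:outputLink>
</apex:form>
</apex:page>'''

HARDENED = '''<apex:page controller="CSRF_Challenge">
<apex:form>
  <apex:commandLink value="Approve" action="{!approveReqNOCSRF}">
    <apex:param name="approve" value="{!req.id}" assignTo="{!approve}"/>
  </apex:commandLink>
</apex:form>
</apex:page>'''

APEX_TAG = re.compile(r'<(/?)apex:(\w+)\b([^>]*)>', re.I)
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def csrf_findings(markup):
    """Return (rule, detail) tuples for CSRF-prone Visualforce patterns.

    Heuristic only: a GET link is a problem when the target page acts on
    the parameter at load, so both findings should be read together.
    """
    # Drop comments so a commented-out action attribute is not reported.
    markup = re.sub(r'<!--.*?-->', '', markup, flags=re.S)
    findings = []
    for closing, tag, raw in APEX_TAG.findall(markup):
        if closing:
            continue
        attrs = {k.lower(): v for k, v in ATTR.findall(raw)}
        tag = tag.lower()
        if tag == 'page' and 'action' in attrs:
            # Controller method invoked on every page load, including GET.
            findings.append(('onload-action', attrs['action']))
        elif tag == 'outputlink' and re.search(r'\?.*=\{!', attrs.get('value', '')):
            # Record id travels in the URL instead of a form postback.
            findings.append(('get-link-with-bound-param', attrs['value']))
    return findings


if __name__ == '__main__':
    for name, page in (('vulnerable', VULNERABLE), ('hardened', HARDENED)):
        print(name, csrf_findings(page))
```

The `apex:commandLink` form is not flagged because it submits through `apex:form`, whose postback carries the platform's anti-CSRF token.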