I’m trying to find a way to secure contact forms on Hugo sites with CSRF-tokens. I have read every topic on the forum related to PHP and Hugo. This is what I have tried so far to include PHP code to generate tokens, without any success:
Adding custom mediaTypes and outputFormats to the config file:
I think in this specific case it’s maybe better if you add a sample repo so we can see the whole setup. Try running hugo with verbose and templateMetrics and parameters like that. Also: your sample is too small are you sure it’s not accidentially set to draft:true or a future date?
I made this page in html as it was quicker to iterate the design, but I will eventually make each component into a shortcode and go back to markdown. But I can’t see how this could affect outputting the page as a php-file, other than some unforeseen behavior.
Everything works fine without outputs: - PHP in frontmatter, so I know that the rest of the code is working. I will try running Hugo with the verbose flag, though.
@pointyfar: I already have a php file which handles the submitted content from the contact from, which works fine (I forgot to mention this, sorry). This is a separate file which is placed in the /static-folder.
I don’t want Hugo itself to run the PHP code, I only want to add some PHP to the page which the server can process upon page load. To do this safely, the file cannot use the html-suffix, it has to be use .php to avoid certain attacks.
All I really want is for hugo to produce a .php file instead of a .html, but with the same content in it.
The repo is not public at the moment, but I might put it online in not to long. Have to clean up some loose ends.
After sleeping on it I quickly found the missing pieces. I’ll try to quickly summarize what I had to do:
Make duplicates of every relevant layout file: The baseof.html had to be duplicated with the .php suffix as well, as I use block’s in my templates – and single.php was dependent on baseof.php to render.
Make the $token variable persistent: The random string generated and stored in $token needs to be kept in memory when the submit-button is pressed and the PHP email script is loaded.
To accomplish the latter, you have to add a <?php session_start(); ?>before the HTML code in baseof.php, and store the string in a session variable ($_SESSION['token']). To make use of this variable on the following page load, you also have to include <?php session_start(); ?> at the start of the email script.
I should probably make a more complete and coherent how-to on how to make a contact form with CSRF, but hope the information above can help someone else in a pinch.