From 361babe2004d0d55b76278f7b76e50e74aea5a5f Mon Sep 17 00:00:00 2001
From: frozenstupidity
Date: Mon, 17 Jan 2022 21:51:52 +0100
Subject: [PATCH 1/2] Include CSRF Token when Required

If a security context is available then the CSRF token is required, this implements the fusion input if the user is authenticated
---
 Resources/Private/Fusion/Core/Form.fusion | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/Resources/Private/Fusion/Core/Form.fusion b/Resources/Private/Fusion/Core/Form.fusion
index 55fd736..ff93791 100644
--- a/Resources/Private/Fusion/Core/Form.fusion
+++ b/Resources/Private/Fusion/Core/Form.fusion
@@ -39,6 +39,15 @@ prototype(Neos.Form.FusionRenderer:FormStateHiddenField) < prototype(Neos.Fusion
 }
 }
+prototype(Neos.Form.FusionRenderer:CsrfHiddenField) < prototype(Neos.Fusion:Tag) {
+ tagName = 'input'
+ attributes {
+ type = 'hidden'
+ name = ${'--' + formRuntime.identifier + '[__csrfToken]'}
+ value = ${Security.csrfToken()}
+ }
+ @if.isAuthenticated = ${Security.isAuthenticated()}
+}
 prototype(Neos.Form.FusionRenderer:RenderCallbacks) {
 @class = 'Neos\\Form\\FusionRenderer\\Fusion\\RenderCallbacksImplementation'
@@ -47,4 +56,4 @@ prototype(Neos.Form.FusionRenderer:RenderCallbacks) {
 neos_form = Neos.Fusion:Renderer {
 type = ${formRuntime.type}
-}
\ No newline at end of file
+}
From 2a9b78568f606b3bd4868261c067e6ad4bd3a6b6 Mon Sep 17 00:00:00 2001
From: frozenstupidity
Date: Mon, 17 Jan 2022 21:53:40 +0100
Subject: [PATCH 2/2] Include the CSRF Token by default

This includes the CsrfHiddenField by default in the form hidden fields
---
 Resources/Private/Fusion/Core/Form.fusion | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Resources/Private/Fusion/Core/Form.fusion b/Resources/Private/Fusion/Core/Form.fusion
index ff93791..08d97c8 100644
--- a/Resources/Private/Fusion/Core/Form.fusion
+++ b/Resources/Private/Fusion/Core/Form.fusion
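Review bot: The token field is named `--<identifier>[__csrfToken]`, which nests it under the form runtime's argument namespace, whereas Flow's own Fluid FormViewHelper emits the equivalent field as a plain `name="__csrfToken"` and, if I remember the CsrfProtection request pattern correctly, the firewall looks the token up in the main request's internal arguments, not in a sub-request namespace — if so, an authenticated submission would still be denied because the token is never seen, so this needs a test against a logged-in session, and `name = '__csrfToken'` would match what the Fluid renderer produces. `Security.csrfToken()` is bound to the visitor's session, so this prototype must only be rendered inside an uncached Fusion segment; a comment on the `value` line, `# per-session token: never render this inside a cached segment`, would make that constraint visible where it matters. The field is also emitted regardless of the form's HTTP method, whereas Fluid skips it for GET forms; harmless, but worth a line in a header comment on the prototype.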
@@ -11,6 +11,7 @@ prototype(Neos.Form:Form) < prototype(Neos.Fusion:Tag) {
 content = Neos.Fusion:Array {
 formHiddenFields = Neos.Fusion:Array {
 formStateHiddenField = Neos.Form.FusionRenderer:FormStateHiddenField
+ formCsrfTokenHiddenField = Neos.Form.FusionRenderer:CsrfHiddenField
 @process.wrap = ${'
' + value + '
'}
 }
 pages = Neos.Fusion:Collection {
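Review bot: The new `formCsrfTokenHiddenField` entry depends on the `@if.isAuthenticated` condition inside `CsrfHiddenField` to render nothing for anonymous visitors, and that is not visible at this call site; a comment on the added line, `# empty for anonymous sessions, see CsrfHiddenField @if`, would spare the next reader a lookup. Integrators who override `formHiddenFields` in their own Fusion will silently lose the token again, so the prototype's documentation should name this key as the place where CSRF protection is wired in. The enclosing `prototype(Neos.Form:Form)` starts before the hunk and continues past it.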