News in Nette Forms 3.1

3 years ago by David Grudl  

Protection against CSRF using cookies

A CSRF attack relies on a form being forged by an attacker and submitted from their site, i.e. from another domain. Nette has always had protection against this, enabled with the method addProtection(). This protection is gradually being replaced by a new, fully automatic cookie-based protection using the SameSite flag. Forms in Nette Application have been protected this way since version 3.0, and now standalone forms are covered as well.

The method addProtection() is still important, even though browsers that do not support SameSite are slowly disappearing. The problem could occur when someone takes over a subdomain such as and creates a cookie there. This is because it has the same “site” as the subdomain, and a cookie would be sent to the request on

The standalone form sends the cookie automatically. It is assumed that you are creating the form while the headers have not yet been sent, because a successfully processed form usually ends with a redirect to another page, which is done with a header. If for some reason you run into the problem that the header can no longer be sent, you can send the cookie earlier by calling Nette\Forms\Form::initialize().

If you want to disable this protection and thus allow the form to be submitted from another domain, use $form->allowCrossOrigin(). This also applies to forms from the Nette Application.
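The two layers described above, as an added plain-PHP illustration of the general technique (a SameSite=Strict marker cookie plus a session-bound token); it is not Nette's code. The cookie name, the `_token` field, the function names and the sample requests are all assumptions constructed for this example.

```php
<?php
declare(strict_types=1);

// Illustration only: the cookie name, field name, functions and sample
// requests below are constructed for this example, not taken from Nette.
const MARKER_COOKIE = 'samesite_marker';

/** Header for a marker cookie that the browser omits from cross-site requests. */
function markerCookieHeader(): string
{
    return 'Set-Cookie: ' . MARKER_COOKIE . '=1; Path=/; HttpOnly; SameSite=Strict';
}

/** Layer 1: the marker only arrives when the browser judged the request same-site. */
function isSameSite(array $cookies): bool
{
    return ($cookies[MARKER_COOKIE] ?? null) === '1';
}

/** Layer 2: a random token bound to the visitor's session. */
function issueToken(array &$session): string
{
    return $session['csrf'] = $session['csrf'] ?? bin2hex(random_bytes(16));
}

/** Constant-time comparison of the submitted token with the session's token. */
function hasValidToken(array $session, array $post): bool
{
    return isset($session['csrf'], $post['_token'])
        && is_string($post['_token'])
        && hash_equals($session['csrf'], $post['_token']);
}

function accept(array $cookies, array $session, array $post, bool $requireToken): bool
{
    return isSameSite($cookies) && (!$requireToken || hasValidToken($session, $post));
}

// Constructed requests as the server sees them: [cookies, POST data].
$session = [];
$token = issueToken($session);
$requests = [
    'own page'          => [[MARKER_COOKIE => '1'], ['name' => 'a', '_token' => $token]],
    'other domain'      => [[], ['name' => 'a']],                      // marker withheld
    'sibling subdomain' => [[MARKER_COOKIE => '1'], ['name' => 'a']],  // same "site"
];
foreach ($requests as $origin => [$cookies, $post]) {
    printf("%-18s cookie only: %-7s cookie + token: %s\n", $origin,
        accept($cookies, $session, $post, false) ? 'accept' : 'reject',
        accept($cookies, $session, $post, true) ? 'accept' : 'reject');
}
```

The sibling-subdomain row passes the cookie-only check because the browser treats it as the same site, and is rejected only once the session-bound token is required.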

Safer behavior onSuccess, onClick and getValues()

Method setValidationScope() is used to limit the elements to be validated when the form is submitted by a certain button. Only the elements that are validated are now included in the variable $values passed to the onSuccess and onClick event handlers, so $values will contain no invalid data.

The same change applies to method $form->getValues(), which now also returns only validated elements. In addition, if you call getValues() before validation, Nette will alert you with a warning.

If for some reason you need to get the values of all elements independently of the validation, as getValues() did in previous versions, use the new method $form->getUntrustedValues().

By the way, if you do not need a form object but only values in the handler for onSuccess or onClick, you can omit the parameter $form ($values must have a typehint):

public function formSucceeded(array $values): void


For the sake of clarity, the method Checkbox::getSeparatorPrototype() has been renamed to getContainerPrototype() and Form::addImage() to addImageButton(). Of course, the original names still work as aliases.


Rule Form::URL now fills in the missing protocol https instead of http, so if the user enters, the resulting value will be

The call $vals = $form->getValues(FormData::class) returns values mapped to an object of the given class. Hydration can now be used with $vals = $form->getValues(new FormData).

Forms no longer create the template variable $_form, which has been deprecated since Nette 2.4.

The minimum required version of PHP is 7.2.