Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Image Upload not setting appropriate headers in XMLHttpRequest

See original GitHub issue

Hi, I am trying to configure my editor to point to a url to upload images as described here:

images_upload_url: '/images/upload',

I need to pass along a csrf token along with the XMLHttpRequest otherwise the server will deny it. I am manually setting an additional header on any XHR as defined here:

tinymce.util.XHR.on('beforeSend', function (e) {
    e.xhr.setRequestHeader('X-CSRF-TOKEN', window.csrfToken);
});

which works just fine when using the spellchecker plugin. However, when the image upload request is sent via the file browser, the X-CSRF-TOKEN header is missing:

tinymce

According to the images_upload_handler option, when not set, the default action would be to use a XHR to upload the images. This does not appear to be the case as the X-Requested-With:XMLHttpRequest is also missing from the headers.

Issue Analytics

State:
Created 6 years ago
Comments:9 (1 by maintainers)

Top GitHub Comments

3reactions

Stetzoncommented, Sep 22, 2017

I have a workaround by using the images_upload_handler option instead of the images_upload_url and modifying the example to manually set the XHR request header:

imagesUploadHandler(blobInfo, success, failure) {
    let xhr = new XMLHttpRequest();
    xhr.open('POST', '/images/upload');
    xhr.setRequestHeader('X-CSRF-TOKEN', window.csrfToken); // manually set header

    xhr.onload = function() {
        if (xhr.status !== 200) {
            failure('HTTP Error: ' + xhr.status);
            return;
        }

        let json = JSON.parse(xhr.responseText);

        if (!json || typeof json.location !== 'string') {
            failure('Invalid JSON: ' + xhr.responseText);
            return;
        }

        success(json.location);
    };

    let formData = new FormData();
    formData.append('file', blobInfo.blob(), blobInfo.filename());

    xhr.send(formData);
}

tinymce2

1reaction

sumon4skfcommented, Dec 3, 2020

I have a workaround by using the images_upload_handler option instead of the images_upload_url and modifying the example to manually set the XHR request header:

imagesUploadHandler(blobInfo, success, failure) {
    let xhr = new XMLHttpRequest();
    xhr.open('POST', '/images/upload');
    xhr.setRequestHeader('X-CSRF-TOKEN', window.csrfToken); // manually set header

    xhr.onload = function() {
        if (xhr.status !== 200) {
            failure('HTTP Error: ' + xhr.status);
            return;
        }

        let json = JSON.parse(xhr.responseText);

        if (!json || typeof json.location !== 'string') {
            failure('Invalid JSON: ' + xhr.responseText);
            return;
        }

        success(json.location);
    };

    let formData = new FormData();
    formData.append('file', blobInfo.blob(), blobInfo.filename());

    xhr.send(formData);
}

tinymce2

Works for me, TinyMCE Version: 5.1.5 (2019-12-19)

Thanks,

Top Results From Across the Web

AJAX File Upload with XMLHttpRequest - Stack Overflow

I'm trying to upload a file with XMLHttpRequest, so I developed the code below: var sendFiles = function(url,onload,onerror,file,headers){ ...

Using XMLHttpRequest - Web APIs | MDN

In this guide, we'll take a look at how to use XMLHttpRequest to issue HTTP requests in order to exchange data between the...

XMLHttpRequest - The Modern JavaScript Tutorial

We can upload/download files, track progress and much more. ... Gets the response header with the given name (except Set-Cookie and ...

Image & file options | Docs - TinyMCE

These settings affect TinyMCE's image and file handling capabilities. ... When this option is not set, TinyMCE utilizes an XMLHttpRequest to upload images...

Browser APIs and Protocols: XMLHttpRequest

As a result, short of manually splitting an upload into smaller, individual XHRs, there is no API for streaming data from client to...