Form_with - first field value is overridden with a token-like string

I have recently been having to include a dummy field in forms generated by form_with. The first hidden field value is overwritten by some token-like string. Here is an example of the code:

And of the result:

I’m running the rails master branch (6.1.0alpha) and I attempted to fix it for a while before deciding the easiest course of action was to just include a dummy field to serve as a sacrificial victim to whatever programming god is overriding the values of the first field in my form_with. I’m sure I am doing something silly to cause this, but for about 5 hours of debugging, I couldn’t figure out what. This was my most WTF Rails story of late, maybe this isn’t the right venue for it, but it felt in the spirit of things when I thought of it.

3 Likes

This is exactly the kind of thing we’re looking for here. Thanks for reporting it!

2 Likes

I have seen this too — most commonly my hidden “method” fields are zapped.

I think it may be to do with Turbolinks, but can’t confirm. I have watched a correctly-formatted form bubble up from form_with (or form_for) using debugger, only to have it show up wrong by the time it arrives in the browser.

1 Like

I also might wonder about Turbolinks here, or rails-ujs.

My guess is that something Javascripty is trying to insert a fresh CSRF token (or similar) into the form. There’s a classic Rails security error that pops up when folks are trying to avoid hard browser refreshes, where the CSRF token in the meta tag doesn’t change so form submission gets you expired authenticity token errors. Whatever is causing this seems like it’s trying to remove this issue by inserting a fresh CSRF token, but misidentifying the hidden field to target. My next guess is that the token insertion code is assuming that it owns the first hidden field in the form, which works great under assumed conditions but works poorly when working with forms created outside of this code’s assumed form creation path.

1 Like

I am used to this.

Always setting method params in forms

Kudos

@fordfischer From your inspector screenshot, it looks like you are using Firefox, yes? If so, I believe you are experiencing this Firefox bug, which has been unfortunately marked as stale:

But if you and others share your experiences there, maybe we could get some more attention on it.

1 Like

I am indeed using Firefox for local development - thank you for bringing this up, I would have never thought of this, browser autocomplete overriding hidden fields.

So I assume Firefox is seeing authenticity tokens get set per form and then on page reloads if there is a hidden field, maybe Firefox sets the value of the hidden form via autocomplete to the value of the old authenticity token before the new authenticity token field is added? If that is not what’s happening, I’m not quite sure I can describe it accurately in enough detail to communicate how to replicate.

I can’t say for sure, but I assume that’s what is happening as well. However, at this point, I think just describing the circumstances that produce the bug would be helpful to the Mozilla folks. Once they can reliably reproduce it, I’m sure they will track down the root cause.

I have also experienced this with Firefox. It is maddening. Can’t figure it out.

When using Firefox, hidden input values are seemingly arbitrarily overwritten. Sometimes it happens, sometimes it doesn’t. And, after I added the dummy abc123 input, it got the same crazy value that the provider had previously.

      = simple_form_for @api_key do |f|
          = hidden_field_tag :abc123
          = f.input :provider, as: :hidden, wrapper: false

Rails 6.1.3.1. Using Firefox, I see the issue, but it is not the first field; it is the second, but the first STRING field.

At first I thought it might be because the field name was called video_key, like “key” was causing some magic to happen, but I switched the order with another string field and the first string field is what gets corrupted.

One thing I noticed is I only see the issue when I click a LINK to get to the form page… if I type the URL directly I don’t. This is a Hotwire/Stimulus enabled app.

Rails CAN do something simple and easy… I wonder if Rails ought to start ADDING “autocomplete”=“OFF” to any rails generated hidden fields? Never hurts, and might save a zillion developer debugging hours when the auto-added “authenticity_token” or “_method=patch” get corrupted… real live example shown below.

It gets worse (IMO)… how about this example with Firefox on the LEFT overwriting the _method hidden field added by Rails, whereas Chrome (on the right) shows _method = “patch”.

This has been the source of incredibly confusing

ActionController::RoutingError (No route matches [POST] “/accounts/xxxx/yyyyy”)

So even though not a Rails bug, it woefully affects developers using Rails.

I’ll add an issue on GitHub.
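
The autocomplete="off" idea raised in the thread, as an added example that is not part of the original posts or Rails' own code: a small audit that lists hidden inputs a browser may still refill on reload, plus a rewrite that sets the attribute. The method names and the sample form are hypothetical, and the regex-based parsing assumes attribute values contain no ">" character.

```ruby
# Added example (not from the thread): audit rendered form HTML for hidden
# inputs that lack autocomplete="off" and so may be refilled by the browser.
INPUT_TAG = /<input\b[^>]*>/i
ATTR = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/

# Parse one <input ...> tag into { lowercase attribute name => value }.
def input_attributes(tag)
  tag.scan(ATTR).each_with_object({}) do |(name, dq, sq, bare), attrs|
    attrs[name.downcase] = dq || sq || bare
  end
end

# True for a hidden input that does not already opt out of autocomplete.
def needs_hardening?(attrs)
  attrs["type"].to_s.casecmp?("hidden") &&
    !attrs["autocomplete"].to_s.casecmp?("off")
end

# Names of hidden fields a browser is still free to restore on reload.
def unprotected_hidden_fields(html)
  html.scan(INPUT_TAG).filter_map do |tag|
    attrs = input_attributes(tag)
    attrs["name"] if needs_hardening?(attrs)
  end
end

# Return the HTML with autocomplete="off" set on every hidden input.
def harden_hidden_fields(html)
  html.gsub(INPUT_TAG) do |tag|
    next tag unless needs_hardening?(input_attributes(tag))
    # Drop any conflicting autocomplete value, then append the safe one.
    cleaned = tag.sub(/\sautocomplete\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/i, "")
    cleaned.sub(/\s*(\/?)>\z/) { %( autocomplete="off"#{$1.empty? ? '' : ' /'}>) }
  end
end

# Constructed sample resembling a rendered Rails form (values are made up).
SAMPLE_FORM = <<~HTML
  <form action="/accounts/1" method="post">
    <input type="hidden" name="_method" value="patch">
    <input type="hidden" name="authenticity_token" value="constructed-token" autocomplete="off">
    <input type="hidden" name="api_key[provider]" value="github" />
    <input type="text" name="api_key[label]">
  </form>
HTML

puts unprotected_hidden_fields(SAMPLE_FORM).inspect
```

Run against a saved copy of a rendered page, the audit shows which of the `_method`, token and model hidden fields are still exposed to the behaviour described in the thread.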