During a review of a solution we were delivering on Sitecore 7.1 Update 2 (rev 140324), our Page Editor dialogs no longer allowed users to expand tree lists when adding components. On the server, the logs were showing a CSRF exception, specifically that a CSRF form field was missing.
6708 16:19:44 ERROR Application error.
Exception: Sitecore.Security.AntiCsrf.Exceptions.PotentialCsrfException
Message: CSRF form field is missing.
Source: Sitecore.Security.AntiCsrf
   at Sitecore.Security.AntiCsrf.SitecoreAntiCsrfModule.RaiseError(Exception ex, HttpContext context)
   at Sitecore.Security.AntiCsrf.SitecoreAntiCsrfModule.PreRequestHandlerExecute(Object sender, EventArgs e)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
The Cause
I discovered that the root cause of this is a missing line in the Sitecore.AntiCsrf.config file which seems to have disappeared from 7.1 as of revision 140130.
Previous versions of the file contained a line to ignore the TreeviewEx:
<ignore contains="TreeviewEx" />
The Fix
To fix this in your installation, you can use a configuration patch file like the following to add the value back to the "shell" rule:
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <AntiCsrf>
      <rules>
        <rule name="shell">
          <ignore patch:before="ignore[@contains='InstantSearch']" contains="TreeviewEx" />
        </rule>
      </rules>
    </AntiCsrf>
  </sitecore>
</configuration>
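
One way to check a configuration for this regression after an upgrade, as an added example that is not from the original post or from Sitecore: the script lists every ignore entry under each AntiCsrf rule and reports whether "TreeviewEx" is present in the "shell" rule. The sample XML is constructed from the element and attribute names shown above, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a config in the state described above, with the
# TreeviewEx line missing. Only names shown on this page are used.
SAMPLE_MISSING = """<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/">
  <sitecore>
    <AntiCsrf>
      <rules>
        <rule name="shell">
          <ignore contains="InstantSearch" />
        </rule>
      </rules>
    </AntiCsrf>
  </sitecore>
</configuration>"""

# Constructed sample: the same config with the entry restored before InstantSearch.
SAMPLE_PATCHED = SAMPLE_MISSING.replace(
    '<ignore contains="InstantSearch" />',
    '<ignore contains="TreeviewEx" />\n          <ignore contains="InstantSearch" />')


def csrf_ignores(config_xml):
    """Map each AntiCsrf rule name to the 'contains' values of its ignore entries."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError as exc:
        # A file pasted with typographic quotes around attribute values lands here.
        raise ValueError(f"config is not well-formed XML: {exc}") from exc
    rules = {}
    for rule in root.findall(".//AntiCsrf/rules/rule"):
        values = [ig.get("contains") for ig in rule.findall("ignore")]
        rules.setdefault(rule.get("name", ""), []).extend(v for v in values if v)
    return rules


def has_ignore(config_xml, rule_name="shell", token="TreeviewEx"):
    """True when the named rule carries an ignore entry for the token."""
    return token in csrf_ignores(config_xml).get(rule_name, [])


if __name__ == "__main__":
    for label, xml in (("missing", SAMPLE_MISSING), ("patched", SAMPLE_PATCHED)):
        print(label, has_ignore(xml), csrf_ignores(xml))
```

The full list returned by csrf_ignores is also worth reviewing on its own, since each entry is something the anti-CSRF module has been told to ignore.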