During a review of a solution we were delivering on Sitecore 7.1 Update 2 (rev 140324), our Page Editor dialogs no longer allowed users to expand tree lists when adding components. On the server, the logs were showing a CSRF exception, specifically that a CSRF form field was missing.
6708 16:19:44 ERROR Application error. Exception: Sitecore.Security.AntiCsrf.Exceptions.PotentialCsrfException Message: CSRF form field is missing. Source: Sitecore.Security.AntiCsrf at Sitecore.Security.AntiCsrf.SitecoreAntiCsrfModule.RaiseError(Exception ex, HttpContext context) at Sitecore.Security.AntiCsrf.SitecoreAntiCsrfModule.PreRequestHandlerExecute(Object sender, EventArgs e) at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
I discovered that the root cause of this is a missing line in the Sitecore.AntiCsrf.config file which seems to have disappeared from 7.1 as of revision 140130.
Previous versions of the file contained a line to ignore the TreeviewEx:
<ignore contains="TreeviewEx" />
In order to fix this in your installation, you can use a configuration file like the following to patch in the value.:
<configuration xmlns:patch=”http://www.sitecore.net/xmlconfig/”> <sitecore> <AntiCsrf> <rules> <rule name=”shell”> <ignore patch:before=”ignore[@contains='InstantSearch']” contains=”TreeviewEx” /> </rule> </rules> </AntiCsrf> </sitecore> </configuration>