
added a way to activate CSRF protection from the configuration

Fabien Potencier 14 år sedan
förälder
incheckning
226277fd0e

+ 6 - 0
src/Symfony/Bundle/FrameworkBundle/DependencyInjection/WebExtension.php

@@ -52,6 +52,12 @@ class WebExtension extends Extension
             $container->setParameter('debug.file_link_format', 'txmt://open?url=file://%%f&line=%%l');
         }
 
+        foreach (array('csrf_secret', 'csrf-secret') as $key) {
+            if (isset($config[$key])) {
+                $container->setParameter('csrf_secret', $config[$key]);
+            }
+        }
+
         if (isset($config['router'])) {
             if (!$container->hasDefinition('router')) {
                 $loader->load($this->resources['routing']);
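Review bot: The `isset()` test in the added foreach accepts an empty secret, so `csrf-secret: ''` defines the `csrf_secret` parameter and the truthiness check in FrameworkBundle::boot() then leaves CSRF protection switched off without any error or warning. A blank secret should be rejected here, where the configuration is read, rather than silently disabling the feature. The loop also lets `csrf-secret` override `csrf_secret` when both spellings are present; stopping at the first match makes the precedence explicit. The enclosing method starts before and ends after this hunk.
```php
foreach (array('csrf_secret', 'csrf-secret') as $key) {
    if (isset($config[$key])) {
        // An empty secret would enable nothing: fail loudly instead of booting without CSRF protection.
        if ('' === trim((string) $config[$key])) {
            throw new \InvalidArgumentException(sprintf('The "%s" setting must not be empty.', $key));
        }
        $container->setParameter('csrf_secret', $config[$key]);
        break;
    }
}
```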

+ 11 - 0
src/Symfony/Bundle/FrameworkBundle/FrameworkBundle.php

@@ -3,6 +3,7 @@
 namespace Symfony\Bundle\FrameworkBundle;
 
 use Symfony\Framework\Bundle\Bundle;
+use Symfony\Component\Form\Form;
 
 /*
  * This file is part of the Symfony framework.
@@ -20,4 +21,14 @@ use Symfony\Framework\Bundle\Bundle;
  */
 class FrameworkBundle extends Bundle
 {
+    /**
+     * Boots the Bundle.
+     */
+    public function boot()
+    {
+        if ($secret = $this->container->getParameter('csrf_secret')) {
+            Form::setDefaultCsrfSecret($secret);
+            Form::enableDefaultCsrfProtection();
+        }
+    }
 }
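Review bot: boot() calls `getParameter('csrf_secret')` unconditionally, but WebExtension only defines that parameter when the configuration contains a secret, so an application that does not set one reaches an undefined parameter; if the container's parameter bag throws on an unknown name, as Symfony's bag presumably does here, such applications will fail to boot. Guard the lookup: `if ($this->container->hasParameter('csrf_secret') && ($secret = $this->container->getParameter('csrf_secret')))`. The truthiness test also means a secret of `'0'` disables protection silently; comparing against `''` (or validating the value in the extension) is the safer check. Since `Form::setDefaultCsrfSecret()` and `Form::enableDefaultCsrfProtection()` write process-wide static state, the docblock should say so, e.g. `Enables CSRF protection for all forms by configuring the Form class statics from the csrf_secret parameter.`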

+ 1 - 0
src/Symfony/Bundle/FrameworkBundle/Resources/config/schema/symfony-1.0.xsd

@@ -17,6 +17,7 @@
         </xsd:sequence>
 
         <xsd:attribute name="ide" type="xsd:string" />
+        <xsd:attribute name="csrf-secret" type="xsd:string" />
     </xsd:complexType>
 
     <xsd:complexType name="profiler">
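Review bot: The new `csrf-secret` attribute is an unconstrained `xsd:string`, so the schema accepts `csrf-secret=""`, which becomes an empty parameter and leaves CSRF protection disabled at boot. Declaring the attribute with a nested simpleType that restricts `xsd:string` with `minLength` of at least 1 would reject blank secrets at schema validation time, before the extension ever sees them.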

+ 3 - 2
src/Symfony/Bundle/FrameworkBundle/Resources/skeleton/application/php/config/config.php

@@ -6,8 +6,9 @@ $container->loadFromExtension('kernel', 'config', array(
 ));
 
 $container->loadFromExtension('web', 'config', array(
-    'router'     => array('resource' => '%kernel.root_dir%/config/routing.php'),
-    'validation' => array('enabled' => true, 'annotations' => true),
+    'csrf-secret' => 'xxxxxxxxxx',
+    'router'      => array('resource' => '%kernel.root_dir%/config/routing.php'),
+    'validation'  => array('enabled' => true, 'annotations' => true),
 ));
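Review bot: The skeleton ships a fixed placeholder `'xxxxxxxxxx'` as the CSRF secret, identical in every project generated from it, and with this commit that value actively enables CSRF protection, so tokens in an unmodified application can be forged by anyone who has read the skeleton. Add a comment above the line making the obligation explicit: `// Replace with a long, random value unique to this application; CSRF tokens are only as strong as this secret.` Better still, have the project generator substitute a randomly generated value so the placeholder never reaches production.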
 
 $container->loadFromExtension('web', 'templating', array(

+ 1 - 1
src/Symfony/Bundle/FrameworkBundle/Resources/skeleton/application/xml/config/config.xml

@@ -20,7 +20,7 @@
         error_handler="null"
     />
 
-    <web:config>
+    <web:config csrf-secret="xxxxxxxxxx">
         <web:router resource="%kernel.root_dir%/config/routing.xml" />
         <web:validation enabled="true" annotations="true" />
     </web:config>
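Review bot: The XML skeleton enables CSRF protection with the shared placeholder `csrf-secret="xxxxxxxxxx"`, which every generated project will carry unless the developer notices it, making CSRF tokens forgeable. Put an XML comment above the element, `<!-- Replace with a long, random value unique to this application -->`, or generate a random value when the skeleton is copied.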

+ 3 - 2
src/Symfony/Bundle/FrameworkBundle/Resources/skeleton/application/yml/config/config.yml

@@ -3,8 +3,9 @@ kernel.config:
     error_handler: null
 
 web.config:
-    router:     { resource: "%kernel.root_dir%/config/routing.yml" }
-    validation: { enabled: true, annotations: true }
+    csrf_secret: xxxxxxxxxx
+    router:      { resource: "%kernel.root_dir%/config/routing.yml" }
+    validation:  { enabled: true, annotations: true }
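Review bot: The YAML skeleton enables CSRF protection with the placeholder `csrf_secret: xxxxxxxxxx`, a value shared by every generated project, so tokens are forgeable until it is changed. Add a comment above the key, `# Replace with a long, random value unique to this application`, or have the generator fill in a random secret. Note the YAML key uses an underscore while the XML and PHP skeletons use `csrf-secret`; the extension accepts both, but the skeletons would be easier to compare if they agreed.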
 
 web.templating:
     escaping:       htmlspecialchars

+ 1 - 1
src/Symfony/Component/Form/Form.php

@@ -32,7 +32,7 @@ class Form extends FieldGroup
 {
     protected static $defaultCsrfSecret = null;
     protected static $defaultCsrfProtection = false;
-    protected static $defaultCsrfFieldName = '_csrf_token';
+    protected static $defaultCsrfFieldName = '_token';
     protected static $defaultLocale = null;
     protected static $defaultTranslator = null;