An entity form does not need a CSRF token

Mingsong Hu · Mingsong Hu · commit cbdf1d85cd4c · 2023-09-13T15:46:04.000+10:00
diff --git a/DrupalSecurity/Sniffs/Yaml/RoutingAccessSniff.php b/DrupalSecurity/Sniffs/Yaml/RoutingAccessSniff.php
@@ -121,7 +121,9 @@ public function process(File $phpcsFile, $stackPtr) {
           }
 
           // CSRF token test for non-open access route.
-          if (!isset($rout['defaults']['_form']) && !$open_access) {
+          if (!isset($rout['defaults']['_form']) &&
+              !isset($rout['defaults']['_entity_form']) &&
+              !$open_access) {
             // Search for _csrf_token.
             if ($csrf_token = $requirements['_csrf_token'] ?? false) {
               if (!$csrf_token) {
