Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.
Edit: The problem arises when typing ( inside the form text input ) the src attribute with any tag or any attribute with img tab.
I have this very simple form in posts\create.blade.php
<form action="http://example.com/posts" method="POST">
@csrf
<input type="text" name="title">
<input type="submit" value="SUBMIT">
</form>
and this route in web.php
Route::resource('posts','PostController');
When I enter some text in the text input field named title and submit the form, it submits to the correct method PostController@store since a POST request to http://example.com/events leads to the store() method in a resource controller. It also submits just fine when I enter html tags in the input for e.g <a href=''> or <p> and others. However, if I use the img tag (or any madeup tag) with the src attribute, and JUST this one particular attribute, Laravel doesn't care about the specified request verb i.e POST in this case, and instead submits it using the GET verb which leads to the index() method of the controller.
Cases for different inputs in <input type='text' name='title'>
<a href=''> -- submits with post to store() -> correct!
<p>hello</p> -- submits with post to store() -> correct!
<h2>World</h2> -- submits with post to store() -> correct!
<a href="http://example.com/admin/tests"></a> -- submits with post to store() -> correct!
<img> -- submits with post to store() -> correct!
<src=''> -- submits with post to store() -> correct!
<img src=''> -- submits with GET to index() -> INcorrect!
<gibberish src=''> -- submits with GET to index() -> INcorrect!
P.s: this is happening on a live website on a shared hosting.
Try debugging it using dd(); to see at which point you are getting this problem.
Also try adding
@method("POST")
in the form to indicate that it is a POST request. See if the request you are submitting is sending the same data or not.
Thanks, I added the @method but to no avail. Looking at the network tab The request sends the same data to the post route first BUT that returns a 403 forbbiden response, ONLY when the input string has an html tag with src attribute. After that the network doesn't show any other requests but somehow it still executes index() method. screenshot_of_network_tab
Did you try creating a separate route for this task. Since you are using Resource controller it may be causing the problem. Try making 2 routes 1 for the create and other for storing.
Yes I did exactly that, I made a completely different route Route::post('test','DifferentController@something');
and when I try to submit laravel displays the error. THE GET METHOD IS NOT SUPPORTED FOR THIS ROUTE, SUPPORTED METHOD POST, this shows that laravel is still trying to submit the form as GET instead of POST.
if Route::resource('posts','PostController');is configured properly then
<form action="{{ route('posts.store') }}" method="post">
@csrf
<input type="text" name="title">
<button type="submit">Submit</button>
</form>
should work fine
I simplified the code to ask the question but in my actual I am using exactly this. On top of that I am using laravel html collectives, so I have tried the controller method as action, route name as action AND absolute url as action. none worked yet.
Form::open(['route' => 'route.name'])
I have this already typed out in the code
{!! Form::open(['method' => 'POST', 'route' => ['admin.posts.store'], 'enctype' => 'multipart/form-data', 'file' => true]) !!}
{!! Form::open(['method' => 'POST', 'route' => ['posts.store'], 'enctype' => 'multipart/form-data', 'file' => true]) !!}
what are you trying to show?
firstc check route:list for method name
After a lot of trial and error, I have concluded, this is unsolvable. Good luck to anyone who stumbles upon this, you are doomed.
@RoshanJafri I encountered a similar issue and was happy when I found that you had also asked the question. But felt low when I saw that you didn't get an answer.
With deeper digging, I found out that the error is neither on Laravel nor PHP but a server (Apache) security measure. There's a module called mod_security on Apache that is responsible for preventing users from submitting potentially risky code as input. Go to your Cpanel, search for ModSecurity then turn it OFF. That is it. The form will be submitted as it should. (If you can't turn it OFF you can ask your hosting provider to turn it off for you.)
Note: This leaves your site a little less secure. So you can perform any server-side user input validation where necessary. Although Eloquent already handles user input securely.
Please or to participate in this conversation.