CakePHP and Filepond: The Request has been black-holed

Hello guys,

i’m trying to implement filepond into my CakePHP3 Croogo backend. I’m having difficulties with cake’s security features though. The form is my default edit form for a Plugin i wrote, which handles customer profiles. Under the media tab in my backend i use the following code:

 echo $this->Html->tabStart('partner-media');
for ($i=1; $i < 15 ; $i++) {
    $propertyName = "partner_media_$i";

    $file = new File('../files/Partner/partner_media_'.$i.'/'.$partner->$propertyName);
    $extension = pathinfo('../files/Partner/partner_media_'.$i.'/'.$partner->$propertyName, PATHINFO_EXTENSION);
    if (in_array($extension, $allowed)) {
    echo $this->Html->media('../files/Partner/partner_media_'.$i.'/'.$partner->$propertyName, [
         'fullBase' => true,
         'text' => 'Video konnte nicht geladen werden',
         'width' => '300',
    } else {
        echo $this->Html->image('../files/Partner/partner_media_'.$i.'/'.$partner->$propertyName, [
            'alt' => ${$partner->partner_media_.$i},
            'height' => '100'

    echo $this->Form->input('partner_media_'.$i, [
        'label' => __d('partner', 'Media '.$i),
        'type' => 'file',
        'class' => 'filepond',
echo $this->Html->tabEnd();

prefixed by
$this->append(‘form-start’, $this->Form->create($partner, [
‘type’ => ‘file’,
‘class’ => ‘protected-form’,

Filepond initialization:

        allowMultiple: true,
        server: {
            url: '../files',
            process: {
              method: 'POST',
              withCredentials: false,
              headers: {'X-CSRF-Token': $('[name="_csrfToken"]').val()},
      }, ...

At first i faced an csrf token error. I’m now sending the csrf token as a header, which works. But i can’t figure out how to avoid getting the black-holed error.

Thanks for your help

The black-hole issue is from the security component. This basically prevents form tampering by generating a hash of the form fields created with the CakePHP Form helper, and checking what is submitted.

To fix, you need to unlock the fields that filepond uses by calling $this->Form->unlockField('field_name'); in the view

1 Like

Thank you, as my Cake Version is 3.05 this worked for me:

$this->Security->config(‘unlockedActions’, [‘edit’]);