diff options
| author | Michael Koziarski <michael@koziarski.com> | 2008-01-08 21:17:08 +0000 |
|---|---|---|
| committer | Michael Koziarski <michael@koziarski.com> | 2008-01-08 21:17:08 +0000 |
| commit | 5ef8a81b846120b51b35503f5c2079036b321630 (patch) | |
| tree | 8b056808c91117c3c8d3b095d947d9aa14861428 | |
| parent | 934706a8da461a73fe429b3fcaa0e2ab055a9195 (diff) | |
| download | rails-5ef8a81b846120b51b35503f5c2079036b321630.tar.gz rails-5ef8a81b846120b51b35503f5c2079036b321630.tar.bz2 rails-5ef8a81b846120b51b35503f5c2079036b321630.zip | |
Don't append the forgery token to an ajax request if it's serializing a form, prevents duplicate tokens. Closes #10684 [macournoyer]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8598 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
| -rw-r--r-- | actionpack/lib/action_view/helpers/prototype_helper.rb | 4 | ||||
| -rw-r--r-- | actionpack/test/controller/request_forgery_protection_test.rb | 9 |
2 files changed, 11 insertions, 2 deletions
diff --git a/actionpack/lib/action_view/helpers/prototype_helper.rb b/actionpack/lib/action_view/helpers/prototype_helper.rb index d9c980cd0d..6f5acac137 100644 --- a/actionpack/lib/action_view/helpers/prototype_helper.rb +++ b/actionpack/lib/action_view/helpers/prototype_helper.rb @@ -1019,7 +1019,7 @@ module ActionView js_options['parameters'] = options[:with] end - if protect_against_forgery? + if protect_against_forgery? && !options[:form] if js_options['parameters'] js_options['parameters'] << " + '&" else @@ -1204,7 +1204,7 @@ module ActionView append_enumerable_function!("zip(#{arguments_for_call arguments}") if block function_chain[-1] += ", function(array) {" - yield ::ActiveSupport::JSON::Variable.new('array') + yield ActiveSupport::JSON::Variable.new('array') add_return_statement! @generator << '});' else diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb index 4fcdc7ed4a..d0c3c6e224 100644 --- a/actionpack/test/controller/request_forgery_protection_test.rb +++ b/actionpack/test/controller/request_forgery_protection_test.rb @@ -22,6 +22,10 @@ module RequestForgeryProtectionActions render :inline => "<%= button_to('New', '/') {} %>" end + def remote_form + render :inline => "<% form_remote_tag(:url => '/') {} %>" + end + def unsafe render :text => 'pwn' end @@ -75,6 +79,11 @@ module RequestForgeryProtectionTests assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token end + def test_should_render_remote_form_with_only_one_token_parameter + get :remote_form + assert_equal 1, @response.body.scan(@token).size + end + def test_should_allow_get get :index assert_response :success |