diff options
| author | Michael Koziarski <michael@koziarski.com> | 2008-01-08 21:17:08 +0000 |
|---|---|---|
| committer | Michael Koziarski <michael@koziarski.com> | 2008-01-08 21:17:08 +0000 |
| commit | 5ef8a81b846120b51b35503f5c2079036b321630 (patch) | |
| tree | 8b056808c91117c3c8d3b095d947d9aa14861428 /actionpack/test | |
| parent | 934706a8da461a73fe429b3fcaa0e2ab055a9195 (diff) | |
| download | rails-5ef8a81b846120b51b35503f5c2079036b321630.tar.gz rails-5ef8a81b846120b51b35503f5c2079036b321630.tar.bz2 rails-5ef8a81b846120b51b35503f5c2079036b321630.zip | |
Don't append the forgery token to an ajax request if it's serializing a form, prevents duplicate tokens. Closes #10684 [macournoyer]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8598 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Diffstat (limited to 'actionpack/test')
| -rw-r--r-- | actionpack/test/controller/request_forgery_protection_test.rb | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb index 4fcdc7ed4a..d0c3c6e224 100644 --- a/actionpack/test/controller/request_forgery_protection_test.rb +++ b/actionpack/test/controller/request_forgery_protection_test.rb @@ -22,6 +22,10 @@ module RequestForgeryProtectionActions render :inline => "<%= button_to('New', '/') {} %>" end + def remote_form + render :inline => "<% form_remote_tag(:url => '/') {} %>" + end + def unsafe render :text => 'pwn' end @@ -75,6 +79,11 @@ module RequestForgeryProtectionTests assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token end + def test_should_render_remote_form_with_only_one_token_parameter + get :remote_form + assert_equal 1, @response.body.scan(@token).size + end + def test_should_allow_get get :index assert_response :success |