From 538bce1f7c676f4a5b3d800ed0f68ec065776a7f Mon Sep 17 00:00:00 2001
From: Aaron Patterson <aaron.patterson@gmail.com>
Date: Mon, 1 Feb 2016 17:17:56 -0800
Subject: Generated engines should protect from forgery

Generated engines should call `protect_from_forgery`.  If this method
isn't called, then the Engine could be susceptible to XSS attacks.
Thanks @tomekr for reporting this to us!
---
 .../app/controllers/%namespaced_name%/application_controller.rb.tt       | 1 +
 1 file changed, 1 insertion(+)

(limited to 'railties/lib')

diff --git a/railties/lib/rails/generators/rails/plugin/templates/app/controllers/%namespaced_name%/application_controller.rb.tt b/railties/lib/rails/generators/rails/plugin/templates/app/controllers/%namespaced_name%/application_controller.rb.tt
index 7fe4e5034d..83807f14b4 100644
--- a/railties/lib/rails/generators/rails/plugin/templates/app/controllers/%namespaced_name%/application_controller.rb.tt
+++ b/railties/lib/rails/generators/rails/plugin/templates/app/controllers/%namespaced_name%/application_controller.rb.tt
@@ -1,5 +1,6 @@
 <%= wrap_in_modules <<-rb.strip_heredoc
   class ApplicationController < ActionController::#{api? ? "API" : "Base"}
+    #{ api? ? '# ' : '' }protect_from_forgery :with => :exception
   end
 rb
 %>
-- 
cgit v1.2.3