CSRF protection added to AJAX calls - Release 2.2.5

git-svn-id: http://svn.code.sf.net/p/formunculous/code/trunk@21 73555b9c-cbee-463b-918c-5b0eed200513
carsongee committed Feb 12, 2011
1 parent 21264be commit e3c9f499eec6b57d675f7e9ea0f623d334537fbb
21 RELEASE
@@ -1,32 +1,45 @@
+Formunculous 2.2.5 Release Notes:
+
+ This is a release in order to correct backwards incompatibilities introduced
+ between version 1.2.4 and 1.2.5 of Django. Because it includes new media,
+ if you are using setuptools/easy_install you will need to relink your media
+ or at least add the csrf.js file to { MEDIA_ROOT }/formunculous/js/ in order
+ to correctly handle Django 1.2.5 with the CSRF middleware
+
+Bug Fixes:
+ * Added csrf.js to the media and included it in all templates that make POST
+ AJAX calls in order to add a CSRF token HTTP header to the request.
+
+
Formunculous 2.2.4 Release Notes:
This is a minor bug fix release with two minor
additional features.
- A big thank you to Leho Kraav ( http://kraav.com/ )
+ A big thank you to @lkraav ( http://leho.kraav.com )
for his help with getting translations working properly
and the split multi value field display code.
New Features:
* CSV Export now includes the application ID as a field
* Added template code to properly display multi-select field responses on
- the thank you and review pages (Courtesy of Leho Kraav)
+ the thank you and review pages (Courtesy of @lkraav)
Bug Fixes:
* Fixed unicode handling in CSV export
* Added URLEncode filter for attached file links in thank you and review
* Fixed several spacing issues and missing trans/ugettext strings
- (Courtesy of Leho Kraav)
+ (Courtesy of @lkraav)
* For additional language support, I setup the apply.html base template to
try and include a language specific date picker from
http://jquery-ui.googlecode.com/svn/trunk/ui/i18n/ if a language other
than en or en-us is selected:
{{ MEDIA_URL }}formunculous/js/jquery.ui.datepicker-{{ LANGUAGE_CODE }}.js
(You must add the specific js to that folder for it to work)
- (Courtesy Leho Kraav)
+ (Courtesy @lkraav)
* File type fields now properly check that the file name is less than the max
length allowed in the model. There is still an edge case where the path plus
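Review bot: The upgrade instructions in the 2.2.5 paragraph tell setuptools/easy_install users to copy csrf.js into { MEDIA_ROOT }/formunculous/js/ but do not say that the file has to be loaded after jQuery on every page that uses it (csrf.js calls jQuery.ajaxSetup), nor that POST AJAX calls made without it will be rejected by the Django 1.2.5 CSRF middleware; adding both points to that paragraph would save users a confusing failure after upgrading. Minor: the sentence ending "with the CSRF middleware" is missing its full stop.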
@@ -17,7 +17,7 @@
# This file is part of formunculous.
# Copyright 2009-2011 Carson Gee
-VERSION = (2, 2, 4, 'final', 0 )
+VERSION = (2, 2, 5, 'final', 0 )
def get_version():
@@ -0,0 +1,23 @@
+jQuery.ajaxSetup({
+ beforeSend: function(xhr, settings) {
+ function getCookie(name) {
+ var cookieValue = null;
+ if (document.cookie && document.cookie != '') {
+ var cookies = document.cookie.split(';');
+ for (var i = 0; i < cookies.length; i++) {
+ var cookie = jQuery.trim(cookies[i]);
+ // Does this cookie string begin with the name we want?
+ if (cookie.substring(0, name.length + 1) == (name + '=')) {
+ cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
+ break;
+ }
+ }
+ }
+ return cookieValue;
+ }
+ if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
+ // Only send the token to relative URLs i.e. locally.
+ xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
+ }
+ }
+});
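Review bot: The "local URL" check at `if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url)))` only excludes URLs that begin with lowercase `http:` or `https:`, so a protocol-relative URL such as `//other.host/path` (or an uppercase scheme) is treated as relative and the X-CSRFToken header, i.e. the session's CSRF token, is sent to another origin; comparing the request URL against `document.location` (scheme, host and port) before adding the header would close that gap. Two smaller points: `getCookie('csrftoken')` returns null when the cookie is absent, and `xhr.setRequestHeader("X-CSRFToken", null)` then sends the literal string "null", so guard on the cookie value; and the header is also attached to GET requests, which the middleware does not check, so limiting it to POST/PUT/DELETE keeps the token out of requests that never need it. Defining `getCookie` inside `beforeSend` also re-creates the function on every request; hoisting it out is cleaner.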
@@ -33,6 +33,7 @@
{% if history %}
{% if not ad.email_only %}
+<script type="text/javascript" src="{{ MEDIA_URL }}formunculous/js/csrf.js"></script>
<script type="text/javascript" src="{{ MEDIA_URL }}formunculous/js/history.js"></script>
<script type="text/javascript">
var historyURL = '{% url formunculous-apply-history %}'
@@ -12,6 +12,8 @@
{% block extrahead %}{{ block.super }}
<script type="text/javascript" src="{{ MEDIA_URL }}formunculous/js/jquery-1.3.2.min.js"></script>
<script type="text/javascript" src="{{ MEDIA_URL }}formunculous/js/jquery-ui-1.7.2.custom.min.js"></script>
+
+<script type="text/javascript" src="{{ MEDIA_URL }}formunculous/js/csrf.js"></script>
<script type="text/javascript" src="{{ MEDIA_URL }}formunculous/js/urlify.js"></script>
<script type="text/javascript" src="{{ MEDIA_URL }}formunculous/js/ckeditor/ckeditor.js"></script>
<script type="text/javascript" src="{{ MEDIA_URL }}formunculous/js/toggle_ck.js"></script>
@@ -10,6 +10,7 @@
{% block extrahead %}{{ block.super }}
<script type="text/javascript" src="{{ MEDIA_URL }}formunculous/js/jquery-1.3.2.min.js"></script>
<script type="text/javascript" src="{{ MEDIA_URL }}formunculous/js/jquery-ui-1.7.2.custom.min.js"></script>
+<script type="text/javascript" src="{{ MEDIA_URL }}formunculous/js/csrf.js"></script>
<script type="text/javascript">
var current_app_id = 0;
var current_app_slug = '';
@@ -4,6 +4,7 @@
{% block js %}{{ block.super }}
{% if history %}
<script type="text/javascript" src="{{ MEDIA_URL }}formunculous/js/jquery-1.3.2.min.js"></script>
+<script type="text/javascript" src="{{ MEDIA_URL }}formunculous/js/csrf.js"></script>
<script type="text/javascript" src="{{ MEDIA_URL }}formunculous/js/history.js"></script>
<script type="text/javascript">
var historyURL = '{% url formunculous-apply-history %}'
@@ -9,6 +9,8 @@
{% block js %}{{ block.super }}
<script type="text/javascript" src="{{ MEDIA_URL }}formunculous/js/jquery-1.3.2.min.js"></script>
<script type="text/javascript" src="{{ MEDIA_URL }}formunculous/js/jquery-ui-1.7.2.custom.min.js"></script>
+<script type="text/javascript" src="{{ MEDIA_URL }}formunculous/js/csrf.js"></script>
+
<script type="text/javascript">
var delete_url = "{% url reviewer-delete ad.slug %}";
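Review bot: Style: the blank `+` line added after the csrf.js include is inconsistent with the other templates in this commit, which insert the include directly before the inline `<script>` block; drop the extra blank line so the six template hunks match.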
@@ -8,6 +8,7 @@
{% block js %}{{ block.super }}
<script type="text/javascript" src="{{ MEDIA_URL }}formunculous/js/jquery-1.3.2.min.js"></script>
<script type="text/javascript" src="{{ MEDIA_URL }}formunculous/js/jquery-ui-1.7.2.custom.min.js"></script>
+<script type="text/javascript" src="{{ MEDIA_URL }}formunculous/js/csrf.js"></script>
<script type="text/javascript">
var delete_url = "{% url reviewer-delete ad.slug %}";
var app_id = 0