Permalink
Browse files

Don't append the forgery token to an ajax request if it's serializing…

… a form, prevents duplicate tokens. References #10684 [macournoyer]

git-svn-id: http://svn-commit.rubyonrails.org/rails/branches/2-0-stable@8601 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
  • Loading branch information...
1 parent b2eca73 commit 002e73a1ee9bfc0e1e9a982c69293586b809296e @NZKoz NZKoz committed Jan 8, 2008
@@ -1019,7 +1019,7 @@ def options_for_ajax(options)
js_options['parameters'] = options[:with]
end
- if protect_against_forgery?
+ if protect_against_forgery? && !options[:form]
if js_options['parameters']
js_options['parameters'] << " + '&"
else
@@ -22,6 +22,10 @@ def show_button
render :inline => "<%= button_to('New', '/') {} %>"
end
+ def remote_form
+ render :inline => "<% form_remote_tag(:url => '/') {} %>"
+ end
+
def unsafe
render :text => 'pwn'
end
@@ -75,6 +79,11 @@ def test_should_render_button_to_with_token_tag
assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
end
+ def test_should_render_remote_form_with_only_one_token_parameter
+ get :remote_form
+ assert_equal 1, @response.body.scan(@token).size
+ end
+
def test_should_allow_get
get :index
assert_response :success

0 comments on commit 002e73a

Please sign in to comment.