
Don't append the forgery token to an ajax request if it's serializing a form, prevents duplicate tokens. Closes #10684 [macournoyer]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8598 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
commit 5ef8a81b846120b51b35503f5c2079036b321630 1 parent 934706a
Michael Koziarski NZKoz authored
4 actionpack/lib/action_view/helpers/prototype_helper.rb
@@ -1019,7 +1019,7 @@ def options_for_ajax(options)
1019 1019 js_options['parameters'] = options[:with]
1020 1020 end
1021 1021
1022   - if protect_against_forgery?
  1022 + if protect_against_forgery? && !options[:form]
1023 1023 if js_options['parameters']
1024 1024 js_options['parameters'] << " + '&"
1025 1025 else
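Review bot: the new guard `if protect_against_forgery? && !options[:form]` relies on the serialized form already carrying its own `authenticity_token` hidden field; when a caller passes `:form` for a form that was not rendered with the token tag (a hand-written form, or one rendered while protection was off), the request will now arrive without any token and be rejected by the forgery check. It is worth stating this precondition in the helper's documentation, and adding a test for the non-form path (a `link_to_remote` or `remote_function` call without `:form`) so the branch that still appends `&authenticity_token` to `js_options['parameters']` stays covered.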
@@ -1204,7 +1204,7 @@ def zip(variable, *arguments, &block)
1204 1204 append_enumerable_function!("zip(#{arguments_for_call arguments}")
1205 1205 if block
1206 1206 function_chain[-1] += ", function(array) {"
1207   - yield ::ActiveSupport::JSON::Variable.new('array')
  1207 + yield ActiveSupport::JSON::Variable.new('array')
1208 1208 add_return_statement!
1209 1209 @generator << '});'
1210 1210 else
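Review bot: the change from `::ActiveSupport::JSON::Variable` to `ActiveSupport::JSON::Variable` in `zip` is unrelated to the forgery-token fix described in the commit message and should be split into its own commit with its own rationale. Dropping the leading `::` switches from a top-level constant reference to lexical lookup, which is only equivalent as long as no enclosing module defines its own `ActiveSupport` constant; if the intent is consistency with the other `yield` calls in this generator, say so in the message.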
9 actionpack/test/controller/request_forgery_protection_test.rb
@@ -22,6 +22,10 @@ def show_button
22 22 render :inline => "<%= button_to('New', '/') {} %>"
23 23 end
24 24
  25 + def remote_form
  26 + render :inline => "<% form_remote_tag(:url => '/') {} %>"
  27 + end
  28 +
25 29 def unsafe
26 30 render :text => 'pwn'
27 31 end
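Review bot: the new `remote_form` action only renders `form_remote_tag(:url => '/')`, so the test that uses it exercises the `:form` path through one helper; a second action rendering `link_to_remote` or `remote_function` with an explicit `:form => true` would cover the same `options[:form]` branch from the other call site and make the regression test less coupled to the `form_remote_tag` implementation.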
@@ -75,6 +79,11 @@ def test_should_render_button_to_with_token_tag
75 79 assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
76 80 end
77 81
  82 + def test_should_render_remote_form_with_only_one_token_parameter
  83 + get :remote_form
  84 + assert_equal 1, @response.body.scan(@token).size
  85 + end
  86 +
78 87 def test_should_allow_get
79 88 get :index
80 89 assert_response :success
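Review bot: `assert_equal 1, @response.body.scan(@token).size` counts every occurrence of the token anywhere in the body, so it would also pass if the token were emitted once in the JavaScript `parameters` string and not at all in the hidden field. Pair it with the same `assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token` used in `test_should_render_button_to_with_token_tag` above, so the test pins down that the single copy is the hidden input and not the Ajax parameter.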
