Don't append the forgery token to an ajax request if it's serializing a form, prevents duplicate tokens. Closes #10684 [macournoyer]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8598 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
commit 5ef8a81b846120b51b35503f5c2079036b321630 (parent 934706a)
Authored by Michael Koziarski (NZKoz)
actionpack/lib/action_view/helpers/prototype_helper.rb (4 changed lines)
@@ -1019,7 +1019,7 @@ def options_for_ajax(options)
js_options['parameters'] = options[:with]
end
- if protect_against_forgery?
+ if protect_against_forgery? && !options[:form]
if js_options['parameters']
js_options['parameters'] << " + '&"
else
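Review bot: the new `&& !options[:form]` guard silently shifts responsibility for the token onto the form being serialized, and nothing in the hunk records that assumption. It is correct for `form_remote_tag`, which emits its own hidden `authenticity_token` field, but any caller that passes `:form => true` for a hand-written `<form>` (or one built without the token-emitting helpers) now sends a request with no token at all and gets rejected by `verify_authenticity_token`, where before this change it would have been accepted. Please add a comment next to the condition stating that `:form => true` is expected to serialize a form that already carries the token, e.g. `# the serialized form already contains the authenticity_token field`, and consider a test for the `:form => true` path on a form that is not produced by `form_remote_tag`, since the test added in this commit only exercises `form_remote_tag`.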
@@ -1204,7 +1204,7 @@ def zip(variable, *arguments, &block)
append_enumerable_function!("zip(#{arguments_for_call arguments}")
if block
function_chain[-1] += ", function(array) {"
- yield ::ActiveSupport::JSON::Variable.new('array')
+ yield ActiveSupport::JSON::Variable.new('array')
add_return_statement!
@generator << '});'
else
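Review bot: this hunk is an unrelated constant-lookup cleanup bundled into a forgery-protection fix, and the commit message does not mention it. Dropping the leading `::` changes `::ActiveSupport::JSON::Variable` from an absolute reference to a lexically scoped one, so it would resolve differently if an `ActiveSupport` constant were ever defined inside the enclosing module; that is harmless today but is a behaviour change rather than a pure style edit. Suggest moving it to its own commit, or at least noting it in the message so a future bisect of the token change does not trip over it.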
actionpack/test/controller/request_forgery_protection_test.rb (9 changed lines)
@@ -22,6 +22,10 @@ def show_button
render :inline => "<%= button_to('New', '/') {} %>"
end
+ def remote_form
+ render :inline => "<% form_remote_tag(:url => '/') {} %>"
+ end
+
def unsafe
render :text => 'pwn'
end
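Review bot: the new `remote_form` action only covers the case the fix was written for, a form produced by `form_remote_tag` with an empty block, so it can never catch the regression where `:form => true` is used on a form that does not emit its own token. A second fixture that builds a plain form and attaches a remote request with `:form => true` would pin down that the token is still sent exactly once in that path as well; as it stands the test suite passes whichever way that case behaves.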
@@ -75,6 +79,11 @@ def test_should_render_button_to_with_token_tag
assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token
end
+ def test_should_render_remote_form_with_only_one_token_parameter
+ get :remote_form
+ assert_equal 1, @response.body.scan(@token).size
+ end
+
def test_should_allow_get
get :index
assert_response :success
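Review bot: `assert_equal 1, @response.body.scan(@token).size` checks only how many times the raw token string appears, not where it ends up, so it would still pass if the hidden field were dropped and the token survived only inside the generated `onsubmit` JavaScript, which is the opposite of what the fix intends. Tighten it to assert the location as well, for example `assert_select 'form>div>input[name=?][value=?]', 'authenticity_token', @token` in the style of `test_should_render_button_to_with_token_tag` above, plus a negative check that the `onsubmit` handler's parameters string does not contain `authenticity_token`. Keeping the count assertion alongside is fine, but on its own it is too loose to protect this change.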