Use form_tag instead of building forms by hand

In order for CSRF protection to work we need to use form_for or form_tag
to build all forms so that the authenticity token is added.
Tom Hughes 2010-09-03 16:53:01 +01:00
parent 09e5528ecd
commit 2bc44dfddc
2 changed files with 4 additions and 4 deletions


@ -6,11 +6,11 @@ $("content").style.display = "none";
<p><%= t 'user.confirm.press confirm button' %></p>
<form id="confirm" method="post">
<%= form_tag({}, { :id => "confirm" }) do %>
<input type="display_name" name="confirm_string" value="<%= params[:display_name] %>">
<input type="hidden" name="confirm_string" value="<%= params[:confirm_string] %>">
<input type="submit" name="confirm_action" value="<%= t 'user.confirm.button' %>">
</form>
<% end %>
<script>
$("confirm").submit();
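Review bot: The first input inside the new `form_tag` block has `type="display_name"` and `name="confirm_string"`, which is not a valid input type and shares its name with the hidden field on the next line, so the display name is rendered as a visible text box and posted under the wrong key. The intent was presumably `<input type="hidden" name="display_name" value="<%= params[:display_name] %>">`; this should be confirmed against the controller action, which is not visible here. Separately, this template and the confirm_email template in the second file section still interpolate `params[...]` into hand-built `value` attributes, which is only safe if the app's ERB output is HTML-escaped by default. Using `<%= hidden_field_tag "confirm_string", params[:confirm_string] %>` would escape the request-supplied value in the helper itself and keep the fields consistent with the move to `form_tag`. The template continues outside the hunk on both sides.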


@ -6,10 +6,10 @@ $("content").style.display = "none";
<p><%= t 'user.confirm_email.press confirm button' %></p>
<form id="confirm" method="post">
<%= form_tag({}, { :id => "confirm" }) do %>
<input type="hidden" name="confirm_string" value="<%= params[:confirm_string] %>">
<input type="submit" name="confirm_action" value="<%= t 'user.confirm_email.button' %>">
</form>
<% end %>
<script>
$("confirm").submit();