Commits

Luke Plant committed daf0fef

Wrap CSRF hidden input in a div to make it better for inserting into <form>s

Comments (0)

Files changed (2)

src/Ella/Processors/Security.hs

         requestEnvName = "csrftoken"
         makeCsrfToken = randomStr 20
         getTokenFromReq req = fromJust $ Map.lookup requestEnvName $ environment req
-        mkTokenField req = "<input type=\"hidden\" name=\"" ++ tokenName ++ "\" value=\"" ++ getTokenFromReq req ++ "\" >"
+        mkTokenField req = "<div style=\"display:none\"><input type=\"hidden\" name=\"" ++ tokenName ++ "\" value=\"" ++ getTokenFromReq req ++ "\" ></div>"
         addTokenToReq req token = req { environment = Map.insert requestEnvName token $ environment req }
 
         makeCsrfCookie token = do
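Review bot: the new mkTokenField still splices getTokenFromReq req straight into a quoted HTML attribute with no escaping, and getTokenFromReq is fromJust on a Map.lookup, so a view rendered without csrfProtectView having populated the environment crashes with an irrefutable-pattern error rather than a clear message. The wrapper div is fine (an input directly under form is invalid in strict HTML, which is presumably the point), but it is worth either attribute-escaping the value or stating next to makeCsrfToken that randomStr 20 only ever yields attribute-safe characters, and replacing fromJust with an explicit error naming requestEnvName so a misconfigured view fails loudly. Minor: the trailing "\" >" leaves a stray space before the self-closing bracket on both sides of the change; "\"/>" or "\">" reads cleaner.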

testsuite/Tests/Ella/Processors/Security.hs

           -- view that extracts 'csrftoken' from request environment field
           view = \req -> return $ Just $ buildResponse [ addContent $ utf8 $ csrfTokenField csrfProtection $ req ] utf8TextResponse
       Just resp <- (csrfProtectView csrfProtection) view req
-      return (content resp == utf8 ("<input type=\"hidden\" name=\"csrftoken\" value=\"" ++ aCsrfToken ++ "\" >"))
+      return (content resp == utf8 ("<div style=\"display:none\"><input type=\"hidden\" name=\"csrftoken\" value=\"" ++ aCsrfToken ++ "\" ></div>"))
     ) ~? "csrf hidden input field is correct"
 
 
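Review bot: the updated assertion compares the rendered response against a second hand-written copy of the markup, so the test and mkTokenField can drift apart silently and the test says nothing beyond "the string is what I typed". Consider comparing against csrfTokenField csrfProtection applied to a request built with addTokenToReq aCsrfToken, or asserting on the parts that matter (name="csrftoken", the value equals aCsrfToken, the input is inside a hidden div) rather than the exact byte string. The missing-token path from the first hunk (request whose environment has no csrftoken entry, which hits fromJust) is also untested here.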