Displaying 20 results from an estimated 2000 matches similar to: "Auto complete plugin and CSRF protection-- do you care?"
2008 Feb 07
4
text_field_with_auto_complete
I have the following in my view:
<% form_tag :action => 'detail' do %>
Search for Sales Order Number:<br />
<%= text_field_with_auto_complete :sales_order, :id %>
<%= submit_tag " Go "%>
<% end %>
And I have the following in my controller:
auto_complete_for :sales_order, :id
This worked fine in 1.5, but
2013 Jan 22
2
Rails 4: Should a HEAD request not be handled like a GET for CSRF protection?
I am running a Rails 4 app in semi-production and I constantly get
exceptions from crawler bots that use a HEAD HTTP method, which causes the
CSRF protection to kick in.
Shouldn't HEAD requests normally be handled like GET requests?
I am not sure if I'm just being stupid or that hit is a bug somewhere.
Michiel
2010 Jul 08
2
rspec-rails how to selectively turn on csrf protection for controller specs?
I'm setting up a Paypal IPN listener and need the create action to not
use rails' default CSRF protection.
I've got that working fine & test it actually works with cucumber
(where I've turned CSRF back on, since it's full-stack testing) but
would like my controller spec to mention the need for
protect_from_forgery :except => [:create] (and fail
2009 Oct 17
3
Security problems with CookieStore and CSRF protection
Dear Rails community,
As part of a programming languages/security research group at the
University of Maryland, we are building some static analysis tools for
Rails applications. These tools work by taking formally specified
properties of interest, and then analyzing code to verify that those
properties indeed hold. Using these tools, we found some security
vulnerabilities in Rails, and we would
2011 Feb 09
2
CSRF Protection Bypass in Ruby on Rails - I don't get it ...
Hi all,
My team and I are finding ourselves a little in the dark about the
"CSRF Protection Bypass in Ruby on Rails" vulnerability that was
announced yesterday - http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails
1. Where is the complete Advisory? The Impact section is very unclear.
Looking at the comment in the 2.3 patch mentions "Flash animations and
2008 Apr 04
4
Auto Complete Problems
Hello All,
I'm a RoR newbie, trying to experiment with Autocomplete, but I'm
having some difficulties. When I start typing in my input box, instead
of getting a nice drop down, the styling on my page is getting all out
of whack (i.e. my background colours change, link styling changes, etc) and
I'm not seeing any autocompletion data. Here are the steps I've taken
2013 Jan 09
4
CSRF resets my session in Firefox
Hello all,
I've been trying to diagnose an issue with CSRF and Firefox
specifically. I've got an ajax based form, using UJS (yes, I have
csrf_meta_tag in my layout and I've tried adding the X-CSRF-Token header
to the ajax beforeSend events without any luck)... The form just posts
some data to an ajax method that creates, saves, and sets the session
for a shopper as
2011 Aug 28
1
Page Caching, CSRF, and Loading a form via Ajax
Hi all,
I would like to use page caching on my homepage, but also want to
enable people to sign in via a modal dialog sign in form. I could
have a setup in which when a user lands on the cached homepage, an
Ajax GET request pulls in the whole login form so that there is a
fresh authenticity token.
That said, besides the additional hit to the server, the CSRF token in
the head area of the page
2009 Feb 17
8
Converting Acts_As_Tree to Acts_As_Nested_Set
Hello,
I have a tree structure that needs to be converted into a nested set.
A great deal of work has already been done on the tree items, so
maintaining the integrity of the id's is mandatory. However I need
the ability to access entire branches of the tree, which is what
Nested set does. Does anyone have any suggestions on how to
efficiently transfer the tree to the nested set and
2011 Feb 11
11
CSRF protection in rails 2.3.11
Hi all,
I think CSRF protection broke in rails 2.3.11.
As in: it's turned off now.
I tried this in rails 2.3.10 and in 2.3.11 and 2.3.11 seems broken.
>rails csrftest
>cd csrftest
>script/generate scaffold post title:string
>rake db:migrate
now I visit /posts/new in my browser, use firebug to delete or change
the authenticity token, and submit the form.
rails 2.3.11: all
2010 Sep 04
0
CSRF protection not working with jquery ajax post request
Hallo,
I want to test the csrf protection of my application but forgery
protection is not working with jquery ajax request.
I have used Unobtrusive Javascript with jquery
I have removed the
<%= csrf_meta_tag %>
so that my application does not include authenticity token.
In my view I have the following code
$(function () {
$('#alert').click(function () {
$.ajax({
2013 Mar 24
6
forgery protection for multiple browser tabs
Hi,
http://apidock.com/rails/ActionController/RequestForgeryProtection only
maintains one CSRF token at a time. When a user visits some site, he gets a
new token in the session. He then might open a linked site of the same
rails app in a new browser tab (maybe some info he'd like to read), and
again he will get a new token. Then he changes to the first tab again and
submits a form
2008 Jan 23
2
CSRF / cached authenticity tokens / ajax requests
I'm going to go out on a limb here and say the new CSRF protection in
Rails is flawed. Why? Forget about caching if you care to use it.
Consider the following:
<% cache do %>
<%= link_to_remote "Add To Favorites", :url => {:controller =>
"favorites", :action => "create", "movie_id" => 2} %>
<% end %>
# Output
<a
2014 May 03
0
Putting form_authenticity_token (csrf token) in a cookie instead of in meta tags?
When you generate a default Rails app, it puts this in
application.html.erb:
<%= csrf_meta_tags %>
It does this so the remote forms can be submitted--i.e., so JavaScript can
submit a form. When jquery-rails is about to submit a form, it looks for
the <meta> tags named "csrf-param" and "csrf-token" and from them it
constructs a hidden
2008 Dec 25
5
Plugin auto_complete
Hi all !
I began to develop Rails applications with Aptana Radrails under
Windows. For that I had successfully installed auto_complete plugin and
succeeded to use it.
Now I have an iMac and I'm trying to restart my developments under OS X.
My problem is: when I run the command 'script/plugin install
auto_complete', the result is:
Plugin not found:
2006 May 26
5
scriptaculous - auto complete textbox with a drop down
Hi,
I'm using scriptaculous to provide an auto complete textbox - and it
works perfectly - but I was wondering if there was any way to let users
navigate the choices using the keyboard i.e. the cursor keys as opposed to
having to use the mouse? Apart from that it's perfect! :)
Cheers,
Pete
--
Posted via http://www.ruby-forum.com/.
2006 Feb 27
2
Ajax - from there to here
Trying to use Amy Hoy's ajaxariffic auto_complete methodology and I am
getting really close to the end.
This is fairly complicated but I will simplify as best I can.
My view code is simple...
<%= text_field_with_auto_complete 'client', 'wholename' %>
# wholename is not a column in 'clients' but rather represents an
2012 Dec 03
2
Rails 3.2 session id nil until next request
Posted this on stack overflow earlier today here<http://stackoverflow.com/questions/13673969/rails-3-2-session-id-nil-until-next-request>,
I really either don't know what I'm doing, or I don't understand how
sessions are supposed to work!
I'm connecting to rails from an Air app and communicating with JSON only.
When the client sends a login request,
2010 Sep 21
7
Ajax CSRF in Rails3
I'm using rails3. It does not seem to check the authenticity_token
when doing a POST using Ajax. I traced this to:
module ActionDispatch
  class Request < Rack::Request
    .....
    def forgery_whitelisted?
      get? || xhr? || content_mime_type.nil? || !content_mime_type.verify_request?
    end
  end
so you don't check if it's a get? or a xhr? (ie ajax request). Is this
correct?
2006 Mar 17
1
Autocompleter.Local problem/desperate plea for help...
I have been trying to write a selector function for Autocompleter.Local that
will show a predefined Array and will scroll automatically to the first
match. I have had success with getting my list to populate and show
all of the choices, however I cannot get it to scroll to the first match.
Since I build the JS Array I can know exactly how many items are in the list
going into my selector,