[Catalyst] Picking template type based on input

Tomas Doran bobtfish at bobtfish.net
Mon Mar 29 01:05:34 GMT 2010

On 29 Mar 2010, at 01:06, Bill Moseley wrote:
> I do this -- every POST must include token, and the token can only  
> be used once.  That means the the form must be fetched before bing  
> posted (to generate the token).

Have anything generic you'd care to share? :)

> However this would obviously not catch forms generated purely from  
> Javascript (and a number of other cases), and so I'm somewhat  
> doubtful of its value in more complex applications. I can certainly  
> remember the stuff which tries to achieve this that is baked into  
> Rails making me scream :)
> I'm not clear how javascript is an issue here, unless the attacker  
> has injected javascript into my site.

The issue is that if you're generating a form in javascript, and  
submitting it in javascript, then something finding forms in the page  
output (and adding a token automatically), which was what I initially  
suggested - would fail to find the form, and ergo you'd have an issue :)

(i.e. it couldn't 'just work automatically' in that case without the  
application collaborating in some manor).


More information about the Catalyst mailing list