[Catalyst] Picking template type based on input
Tomas Doran
bobtfish at bobtfish.net
Mon Mar 29 01:05:34 GMT 2010
On 29 Mar 2010, at 01:06, Bill Moseley wrote:
>
> I do this -- every POST must include token, and the token can only
> be used once. That means the form must be fetched before being
> posted (to generate the token).
Have anything generic you'd care to share? :)
>
> However this would obviously not catch forms generated purely from
> Javascript (and a number of other cases), and so I'm somewhat
> doubtful of its value in more complex applications. I can certainly
> remember the stuff which tries to achieve this that is baked into
> Rails making me scream :)
>
> I'm not clear how javascript is an issue here, unless the attacker
> has injected javascript into my site.
The issue is that if you're generating a form in javascript, and
submitting it in javascript, then something finding forms in the page
output (and adding a token automatically), which was what I initially
suggested - would fail to find the form, and ergo you'd have an issue :)
(i.e. it couldn't 'just work automatically' in that case without the
application collaborating in some manner).
Cheers
t0m