wbsurf...@yahoo.com wrote:
>  protect_from_forgery :secret => 'hgfjh...kjhghglh' (whatever)
> 
>   self.allow_forgery_protection = false
> 
> 
>  I had commented those out during development because certain actions
> would error out because of these.

If you're concerned about security then commenting that out to resolve 
the errors you were getting in development was probably a mistake.

> For instance, I think I called remote_function() from JavaScript and
> just added :width=>something.
> That added width into params, but I guess since it wasn't part of the
> routing the forgery protection
> flagged an error on it, is my guess.
> 
>  Is the best way to go through and try to fix the routing for
> everything? I guess that might be the way I have to do it; I wanted
> to check if I really need to do that for security as it's sort of a
> pain in the neck to have to try to test
> all the methods, fix the routing and such...

Also note that your subject line says Cross Site Scripting (XSS), which 
is not the same as Cross Site Request Forgery (CSRF). The method 
protect_from_forgery does nothing (as far as I understand it) to protect 
against XSS. It only provides protection against CSRF.
-- 
Posted via http://www.ruby-forum.com/.
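To make the CSRF-versus-XSS distinction above concrete, here is an added example (my own illustration, not code from this thread and not the Rails implementation) of the kind of token check that protect_from_forgery performs. The ForgeryGuard class, the csrf_scenarios function and every request parameter in it are hypothetical stand-ins for the Rails internals, chosen only to show what the check does and does not catch:

```ruby
require 'securerandom'

# Deliberately small stand-in for Rails' protect_from_forgery (not the Rails
# code): a random per-session token is embedded in the application's own
# forms and Ajax calls, and every non-GET request must echo it back.
class ForgeryGuard
  attr_accessor :allow_forgery_protection

  def initialize(allow_forgery_protection: true)
    @allow_forgery_protection = allow_forgery_protection
  end

  # Token the app embeds in its own pages. It lives in the session, which a
  # third-party site cannot read, so a cross-site form cannot supply it.
  def form_authenticity_token(session)
    session[:_csrf_token] ||= SecureRandom.hex(32)
  end

  # true when the request may proceed. Read-only verbs are exempt, as in Rails.
  def verified_request?(method, params, session)
    return true unless allow_forgery_protection
    return true if %w[GET HEAD].include?(method.to_s.upcase)

    expected = session[:_csrf_token]
    supplied = params['authenticity_token']
    return false if expected.nil? || supplied.nil?

    secure_compare(expected, supplied)
  end

  private

  # Constant-time comparison so the token cannot be guessed byte by byte
  # through timing differences.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Scenarios built from constructed request data (hypothetical params, not
# taken from the thread). Returns a hash of outcomes so they can be checked.
def csrf_scenarios
  guard = ForgeryGuard.new
  session = {}
  token = guard.form_authenticity_token(session)

  {
    # The app's own form or Ajax call carries the token; extra params such
    # as width do not matter to the check.
    own_request: guard.verified_request?(
      'POST', { 'authenticity_token' => token, 'width' => '300' }, session
    ),
    # A form on an attacker's site posts to the app from the victim's browser.
    # The session cookie rides along, but the attacker cannot read the token.
    forged_post: guard.verified_request?('POST', { 'width' => '300' }, session),
    # Safe verb: never checked.
    plain_get: guard.verified_request?('GET', {}, session),
    # A stored-XSS payload submitted through the legitimate page passes the
    # CSRF check: this is why protect_from_forgery does nothing for XSS.
    xss_payload: guard.verified_request?(
      'POST',
      { 'authenticity_token' => token,
        'comment' => '<script>alert(document.cookie)</script>' },
      session
    ),
    # allow_forgery_protection = false, as in the commented-out config line.
    disabled: ForgeryGuard.new(allow_forgery_protection: false)
                          .verified_request?('POST', { 'width' => '300' }, session)
  }
end

if __FILE__ == $PROGRAM_NAME
  csrf_scenarios.each { |name, ok| puts "#{name}: #{ok ? 'accepted' : 'rejected'}" }
end
```

Run it and the forged cross-site POST is the only request rejected; the request carrying a script tag is accepted because the token is present, which is the point of the reply: output escaping, not protect_from_forgery, is what stands between you and XSS.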

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk@googlegroups.com
To unsubscribe from this group, send email to 
rubyonrails-talk+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---