[Rails] Re: cross site scripting security

Thu, 26 Mar 2009 13:36:06 -0700 

> If you're concerned about security then commenting that out to resolve
> the errors you were getting in development was probably a mistake.
>

 Right, well I had this funny feeling about it, but at the time I was
trying to get some javascript stuff to work ..

 Anyway, there is a javascript call like this:


function update_server(info)
{

 <%= remote_function(:url => {:action => 'resize_field'},
                     :with => '{col:info.col,width:info.width}')
                               %>
}

So I just set some routing, I'm not a routing expert, but I did this:

map.connect 'shgrid/resize_field/:col/:width',
              :controller => 'shgrid',
              :action => 'resize_field'

But I get the error (below). I'm not sure if there's a proper way to
do it with remote_function() ?
Anyway, first I did the main dev, now I am trying to learn more on
security ..

Processing ShgridController#resize_field (for 155.x.x.x at 2009-03-26
16:28:11) [POST]
  Session ID: 92c3ef636f552fbeff8e574d96bedb9f
  Parameters: {"col"=>"5", "action"=>"resize_field",
"controller"=>"shgrid", "width"=>"66"}
  User Load (0.000269)   SELECT * FROM "users" WHERE (name = 'Zack2')
LIMIT 1
  AdminSetting Load (0.000156)   SELECT * FROM "admin_settings" LIMIT
1


ActionController::InvalidAuthenticityToken
(ActionController::InvalidAuthenticityToken):
    /usr/local/lib/ruby/gems/1.8/gems/actionpack-2.1.2/lib/
action_controller/request_forgery_protection.rb:86:in
`verify_authenticity_token'
    /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.2/lib/
active_support/callbacks.rb:173:in `send'
    /usr/local/lib/ruby/gems/1.8/gems/activesupport-2.1.2/lib/
active_support/callbacks.rb:173:in `evaluate_method'



--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk@googlegroups.com
To unsubscribe from this group, send email to 
rubyonrails-talk+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

Reply via email to