On 30 Apr 2011, at 12:48, Ernesto Rocha <ernestorro...@gmail.com> wrote:

> I did some brute force only to test, like this:
> 
> <meta name="csrf-param" content="authenticity_token"/>
> <meta name="csrf-token" content="<%= CGI.escape form_authenticity_token %>"/>
> 
> some characters are escaped, but now the link_to ... :method => delete is not 
> working anymore (the user session is killed).
> 
> If I use URI.escape, the plus sign is not escaped.
> 

How are you adding the authenticity token to the URL? (PS: Rails has a 
csrf_meta_tag helper)

Fred
> So, I'm still at point zero.
> 
> Thanks,
> Ernesto
> 
> 
> On Fri, Apr 29, 2011 at 6:10 AM, Frederick Cheung 
> <frederick.che...@gmail.com> wrote:
> 
> 
> On Apr 29, 3:06 am, Ernesto Rocha <ernestorro...@gmail.com> wrote:
> > How do I escape it before the Rails server processes it?
> >
> You'll need to do that at the point that you add the token to the link
> 
> Fred
> > Thanks,
> > Ernesto
> >
> > On Thu, Apr 28, 2011 at 4:58 AM, Frederick Cheung <frederick.che...@gmail.com> wrote:
> >
> > > On 28 Apr 2011, at 03:22, Ernesto Rocha <ernestorro...@gmail.com> wrote:
> >
> > > Guys,
> >
> > > I'm using some AJAX on my application, but when protect_from_forgery is on
> > > sometimes it works and sometimes the user session is killed. Today I found
> > > out why.
> >
> > > It happens the following:
> >
> > > The authenticity_token is sent correctly as you can see below,
> >
> > > Started DELETE "/clients/118/files/20?authenticity_token=hoMH9/heaFWXWWy+aE1xKQcpf4xrLoVWGqkq0pzzwuo=" for 127.0.0.1 at Wed Apr 27 23:06:50 -0300 2011
> >
> > > but, next line on server is,
> >
> > > Processing by ClippingsController#destroy as JS
> > >   Parameters: {"authenticity_token"=>"hoMH9/heaFWXWWy aE1xKQcpf4xrLoVWGqkq0pzzwuo=", "id"=>"20,", "client_id"=>"118"}
> >
> > > As you can see, the plus sign ('+') turned into a white space. Once the
> > > token doesn't match, the user session is killed.
> >
> > > Is anyone experiencing this? Any help on how to fix it?
> >
> > > + in URLs means space; if the token genuinely contains + then you need to
> > > escape it before putting it in the URL.
> >
> > > Fred
> >
> > > Thanks,
> > > Ernesto
> >
> > > --
> > > You received this message because you are subscribed to the Google Groups
> > > "Ruby on Rails: Talk" group.
> > > To post to this group, send email to rubyonrails-talk@googlegroups.com.
> > > To unsubscribe from this group, send email to
> > > rubyonrails-talk+unsubscr...@googlegroups.com.
> > > For more options, visit this group at
> > >http://groups.google.com/group/rubyonrails-talk?hl=en.
> >
> 


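The escaping behaviour the thread turns on, as an added example (not code from the thread or from Rails): the token from the log above is placed in a query string raw, with CGI.escape, and with the RFC 2396 escaping the old URI.escape applied, then form-decoded the way a server does, so you can see which variant still matches the session token and why a value escaped twice fails as well. The helper names (`raw_query`, `cgi_query`, `uri_escape_query`, `token_as_server_sees`, `token_survives?`) are this example's own.

```ruby
require 'cgi'
require 'uri'

# Token taken from the Rails log in the thread; it contains '/', '+' and '='.
TOKEN = "hoMH9/heaFWXWWy+aE1xKQcpf4xrLoVWGqkq0pzzwuo=".freeze

# No escaping at all: this is what produced the failing request.
def raw_query(token)
  "authenticity_token=#{token}"
end

# Form-style (application/x-www-form-urlencoded) escaping: '+' -> %2B, '/' -> %2F, '=' -> %3D.
def cgi_query(token)
  "authenticity_token=#{CGI.escape(token)}"
end

# URI::RFC2396_Parser#escape is the escaping the old URI.escape performed. It treats
# '+', '/' and '=' as URI-safe and leaves them alone, which is why it did not help here.
def uri_escape_query(token)
  "authenticity_token=#{URI::RFC2396_Parser.new.escape(token)}"
end

# What the server extracts after form-decoding the query string: '+' becomes a space
# and %XX sequences are decoded. URI.decode_www_form applies the same rules a Rack
# parameter parser does for this input.
def token_as_server_sees(query)
  URI.decode_www_form(query).to_h.fetch("authenticity_token")
end

# Does the token that reaches the server still equal the one stored in the session?
def token_survives?(query, expected = TOKEN)
  token_as_server_sees(query) == expected
end

if __FILE__ == $0
  cases = {
    "raw"              => raw_query(TOKEN),
    "CGI.escape"       => cgi_query(TOKEN),
    "URI.escape-style" => uri_escape_query(TOKEN),
    "escaped twice"    => cgi_query(CGI.escape(TOKEN)),  # e.g. pre-escaped value encoded again
  }
  cases.each do |label, query|
    puts format("%-17s -> %-48s match=%s", label, token_as_server_sees(query), token_survives?(query))
  end
end
```

Only the single CGI.escape variant round-trips; the raw and URI.escape-style queries lose the '+', and escaping an already escaped token breaks the match in the other direction.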