From 331210df7c8ab3349d2eb1ae604de5fc559e257f Mon Sep 17 00:00:00 2001 From: Aaron Patterson Date: Mon, 1 Feb 2016 17:17:56 -0800 Subject: [PATCH] Generated engines should protect from forgery Generated engines should call `protect_from_forgery`. If this method isn't called, then the Engine could be susceptible to XSS attacks. Thanks @tomekr for reporting this to us! Conflicts: railties/lib/rails/generators/rails/plugin/templates/app/controllers/%namespaced_name%/application_controller.rb.tt railties/test/generators/plugin_generator_test.rb --- .../app/controllers/%name%/application_controller.rb.tt | 1 + 1 file changed, 1 insertion(+) diff --git a/railties/lib/rails/generators/rails/plugin/templates/app/controllers/%name%/application_controller.rb.tt b/railties/lib/rails/generators/rails/plugin/templates/app/controllers/%name%/application_controller.rb.tt index 448ad7f9891..74ce53c7c34 100644 --- a/railties/lib/rails/generators/rails/plugin/templates/app/controllers/%name%/application_controller.rb.tt +++ b/railties/lib/rails/generators/rails/plugin/templates/app/controllers/%name%/application_controller.rb.tt @@ -1,4 +1,5 @@ module <%= camelized %> class ApplicationController < ActionController::Base + protect_from_forgery :with => :exception end end
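Review bot: The commit message describes the risk as XSS, but the line this hunk adds, `protect_from_forgery :with => :exception`, is Rails' CSRF protection (authenticity-token verification), so the message should say CSRF so the stated rationale matches the change. Also, the patch touches only the template (`1 file changed, 1 insertion(+)`) even though `railties/test/generators/plugin_generator_test.rb` is listed under Conflicts; a generator test asserting that the generated `application_controller.rb` contains `protect_from_forgery` belongs with this change, otherwise a later template edit could silently drop the line again.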