developer.jelix.org is not used any more and exists only for history. Post new tickets on the Github account.

Opened 9 years ago

Closed 9 years ago

#1272 closed bug (invalid)

Potential CSRF vulnerability when using ajax request + jforms

Reported by: laurentj
Owned by:
Priority: high
Milestone: Jelix 1.1.9
Component: jelix:forms
Version: 1.2.1
Severity: critical
Keywords:
Cc:
Blocked By:
Blocking:
Documentation needed: no
Hosting Provider:
Php version:

Description

We should study this issue, which appeared in Django: http://www.djangoproject.com/weblog/2011/feb/08/security/. Probably we should make more checks and support an X-CSRFTOKEN custom header.

Change History (1)

comment:1 Changed 9 years ago by laurentj

  • Resolution set to invalid
  • Status changed from new to closed

Since we always check the token, even in the ajax case, Jelix doesn't have this kind of vulnerability.
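As an added illustration of the point discussed in this ticket (example code, not Jelix's own): a CSRF check that treats an ajax request like any other state-changing request and accepts the token from either the form field or an X-CSRFTOKEN header, beside the ajax-exemption pattern that the linked Django advisory removed. The form field name `_csrf_token` and the function names are assumptions.

```python
import hmac
import secrets

FORM_FIELD = "_csrf_token"   # assumed field name, not Jelix's actual one
HEADER = "X-CSRFTOKEN"       # custom header proposed in the ticket


def new_token() -> str:
    """Per-session token stored server side; hex keeps it ASCII-safe."""
    return secrets.token_hex(32)


def _header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def _same(a: str, b: str) -> bool:
    """Constant-time compare; encode so non-ASCII input cannot raise."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def csrf_check_exempting_ajax(session_token: str, form: dict, headers: dict) -> bool:
    """The weak pattern: X-Requested-With is taken as proof of same-origin
    and the token is not checked at all for ajax requests."""
    if _header(headers, "X-Requested-With").lower() == "xmlhttprequest":
        return True
    return bool(session_token) and _same(session_token, form.get(FORM_FIELD, ""))


def csrf_check_always(session_token: str, form: dict, headers: dict) -> bool:
    """The hardened pattern: the token is required on every request,
    ajax included, and may arrive in the form body or the X-CSRFTOKEN header."""
    if not session_token:
        return False  # no token issued yet: nothing can legitimately match
    submitted = form.get(FORM_FIELD) or _header(headers, HEADER)
    return _same(session_token, submitted)
```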
