From 1aa836ffc74ba2788786fb32b2a939a7b54ae1b7 Mon Sep 17 00:00:00 2001
From: Qiang Xue
Date: Tue, 17 Sep 2013 21:00:19 -0400
Subject: [PATCH] use meta tags to pass CSRF token.

---
 framework/yii/assets/yii.js | 19 +++++++++++++------
 framework/yii/base/View.php | 8 ++++++++
 framework/yii/web/YiiAsset.php | 15 ---------------
 3 files changed, 21 insertions(+), 21 deletions(-)

diff --git a/framework/yii/assets/yii.js b/framework/yii/assets/yii.js
index 3859a55..f2ac379 100644
--- a/framework/yii/assets/yii.js
+++ b/framework/yii/assets/yii.js
@@ -43,12 +43,19 @@
  */
 yii = (function ($) {
 var pub = {
- // version of Yii framework
- version: '2.0',
- // CSRF token name and value. If this is set and a form is created and submitted using JavaScript
- // via POST, the CSRF token should be submitted too to pass CSRF validation.
- csrfVar: undefined,
- csrfToken: undefined,
+ /**
+ * @return string|undefined the CSRF variable name. Undefined is returned is CSRF validation is not enabled.
+ */
+ getCsrfVar: function() {
+ return $('meta[name=csrf-var]').attr('content');
+ },
+
+ /**
+ * @return string|undefined the CSRF token. Undefined is returned is CSRF validation is not enabled.
+ */
+ getCsrfToken: function() {
+ return $('meta[name=csrf-token]').attr('content');
+ },
 
 initModule: function (module) {
 if (module.isActive === undefined || module.isActive) {
diff --git a/framework/yii/base/View.php b/framework/yii/base/View.php
index 4d3d996..77d0e5c 100644
--- a/framework/yii/base/View.php
+++ b/framework/yii/base/View.php
@@ -12,6 +12,7 @@ use yii\helpers\FileHelper;
 use yii\helpers\Html;
 use yii\web\JqueryAsset;
 use yii\web\AssetBundle;
+use yii\web\Request;
 use yii\widgets\Block;
 use yii\widgets\ContentDecorator;
 use yii\widgets\FragmentCache;
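Review bot: The docblocks on both new getters read "Undefined is returned is CSRF validation is not enabled" — "is" should be "if", and naming the source of the value would help callers: `@return string|undefined the CSRF token, read from the <meta name="csrf-token"> tag; undefined if CSRF validation is not enabled.` Reading the meta tag on every call rather than caching the value at load time appears deliberate (a replaced head, e.g. after a partial page update, is picked up), and a one-line comment saying so would stop a later "optimisation" from caching it. Dropping the `csrfVar`/`csrfToken` properties is a silent break for any script that still reads `yii.csrfToken` — it now gets undefined and the form simply fails validation server-side; a deprecation alias returning `getCsrfToken()` would make the migration visible. The `pub` object literal continues past the hunk.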
@@ -708,6 +709,13 @@ class View extends Component
 if (!empty($this->metaTags)) {
 $lines[] = implode("\n", $this->metaTags);
 }
+
+ $request = Yii::$app->getRequest();
+ if ($request instanceof Request && $request->enableCsrfValidation) {
+ $lines[] = Html::tag('meta', '', array('name' => 'csrf-var', 'content' => $request->csrfVar));
+ $lines[] = Html::tag('meta', '', array('name' => 'csrf-token', 'content' => $request->getCsrfToken()));
+ }
+
 if (!empty($this->linkTags)) {
 $lines[] = implode("\n", $this->linkTags);
 }
diff --git a/framework/yii/web/YiiAsset.php b/framework/yii/web/YiiAsset.php
index 7d82027..2ad5384 100644
--- a/framework/yii/web/YiiAsset.php
+++ b/framework/yii/web/YiiAsset.php
@@ -23,19 +23,4 @@ class YiiAsset extends AssetBundle
 public $depends = array(
 'yii\web\JqueryAsset',
 );
-
- /**
- * @inheritdoc
- */
- public function registerAssets($view)
- {
- parent::registerAssets($view);
- $js[] = "yii.version='" . Yii::getVersion() . "';";
- $request = Yii::$app->getRequest();
- if ($request instanceof Request && $request->enableCsrfValidation) {
- $js[] = "yii.csrfVar='{$request->csrfVar}';";
- $js[] = "yii.csrfToken='{$request->csrfToken}';";
- }
- $view->registerJs(implode("\n", $js), View::POS_END);
- }
 }
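Review bot: The `csrf-token` meta tag written in the new `if` block carries a per-session value, so this head output must never be served from a page or fragment cache (this file imports FragmentCache); a cached head would hand every visitor the same stale token and JavaScript-submitted forms would then fail CSRF validation. A comment next to the `if` would make that constraint explicit: `// Per-session value: this block must not end up inside a cached fragment or page.` Passing the values to `Html::tag` as attribute values is an improvement over the removed single-quoted JS literals in YiiAsset, which did no escaping at all — provided `Html::tag` attribute-encodes `content`, which this hunk does not show and should be confirmed. Minor style point: `csrfVar` is read as a property while the token goes through `getCsrfToken()`; using one access style for both would read cleaner. The enclosing method starts and ends outside the hunk.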