From: Tom Hughes <tom@compton.nu>
Date: Fri, 3 Sep 2010 15:53:01 +0000 (+0100)
Subject: Use form_tag instead of building forms by hand
X-Git-Tag: live~6154
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/2bc44dfddc214efcec9dd2e920fac14a7c2dcec0?ds=sidebyside

Use form_tag instead of building forms by hand

In order for CSRF protection to work we need to use form_for or form_tag
to build all forms so that the authenticity token is added.
---

diff --git a/app/views/user/confirm.html.erb b/app/views/user/confirm.html.erb
index 408ba771f..551719f55 100644
--- a/app/views/user/confirm.html.erb
+++ b/app/views/user/confirm.html.erb
@@ -6,11 +6,11 @@ $("content").style.display = "none";
 
 <p><%= t 'user.confirm.press confirm button' %></p>
 
-<form id="confirm" method="post">
+<%= form_tag({}, { :id => "confirm" }) do %>
   <input type="display_name" name="confirm_string" value="<%= params[:display_name] %>">
   <input type="hidden" name="confirm_string" value="<%= params[:confirm_string] %>">
   <input type="submit" name="confirm_action" value="<%= t 'user.confirm.button' %>">
-</form>
+<% end %>
 
 <script>
 $("confirm").submit();
diff --git a/app/views/user/confirm_email.html.erb b/app/views/user/confirm_email.html.erb
index fd17ef08a..7acb85a98 100644
--- a/app/views/user/confirm_email.html.erb
+++ b/app/views/user/confirm_email.html.erb
@@ -6,10 +6,10 @@ $("content").style.display = "none";
 
 <p><%= t 'user.confirm_email.press confirm button' %></p>
 
-<form id="confirm" method="post">
+<%= form_tag({}, { :id => "confirm" }) do %>
   <input type="hidden" name="confirm_string" value="<%= params[:confirm_string] %>">
   <input type="submit" name="confirm_action" value="<%= t 'user.confirm_email.button' %>">
-</form>
+<% end %>
 
 <script>
 $("confirm").submit();