From 2bc44dfddc214efcec9dd2e920fac14a7c2dcec0 Mon Sep 17 00:00:00 2001
From: Tom Hughes <tom@compton.nu>
Date: Fri, 3 Sep 2010 16:53:01 +0100
Subject: [PATCH 1/1] Use form_tag instead of building forms by hand

In order for CSRF protection to work we need to use form_for or form_tag
to build all forms so that the authenticity token is added.
---
 app/views/user/confirm.html.erb       | 4 ++--
 app/views/user/confirm_email.html.erb | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/app/views/user/confirm.html.erb b/app/views/user/confirm.html.erb
index 408ba771f..551719f55 100644
--- a/app/views/user/confirm.html.erb
+++ b/app/views/user/confirm.html.erb
@@ -6,11 +6,11 @@ $("content").style.display = "none";
 
 <p><%= t 'user.confirm.press confirm button' %></p>
 
-<form id="confirm" method="post">
+<%= form_tag({}, { :id => "confirm" }) do %>
   <input type="display_name" name="confirm_string" value="<%= params[:display_name] %>">
   <input type="hidden" name="confirm_string" value="<%= params[:confirm_string] %>">
   <input type="submit" name="confirm_action" value="<%= t 'user.confirm.button' %>">
-</form>
+<% end %>
 
 <script>
 $("confirm").submit();
diff --git a/app/views/user/confirm_email.html.erb b/app/views/user/confirm_email.html.erb
index fd17ef08a..7acb85a98 100644
--- a/app/views/user/confirm_email.html.erb
+++ b/app/views/user/confirm_email.html.erb
@@ -6,10 +6,10 @@ $("content").style.display = "none";
 
 <p><%= t 'user.confirm_email.press confirm button' %></p>
 
-<form id="confirm" method="post">
+<%= form_tag({}, { :id => "confirm" }) do %>
   <input type="hidden" name="confirm_string" value="<%= params[:confirm_string] %>">
   <input type="submit" name="confirm_action" value="<%= t 'user.confirm_email.button' %>">
-</form>
+<% end %>
 
 <script>
 $("confirm").submit();
-- 
2.43.2