a few more CSRF tests

mojolicious · Dec 4, 2013 · 59ca3a4 · 59ca3a4
1 parent 490e48b
commit 59ca3a4
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 9 deletions.
diff --git a/lib/Mojolicious/Guides/Rendering.pod b/lib/Mojolicious/Guides/Rendering.pod
@@ -745,11 +745,11 @@ L<Mojolicious::Validator::Validation/"error">.
 
 =head2 Cross-site request forgery
 
-Cross-site request forgery is a very common attack on web applications that
-trick your logged in users to submit forms they did not intend to send. All
-you have to do to protect your users from this, is to add an additional hidden
-field to your forms with L<Mojolicious::Plugin::TagHelpers/"csrf_field"> and
-validate it with L<Mojolicious::Validator::Validation/"csrf_protect">.
+CSRF is a very common attack on web applications that trick your logged in
+users to submit forms they did not intend to send. All you have to do to
+protect your users from this, is to add an additional hidden field to your
+forms with L<Mojolicious::Plugin::TagHelpers/"csrf_field"> and validate it
+with L<Mojolicious::Validator::Validation/"csrf_protect">.
 
   use Mojolicious::Lite;
 

diff --git a/lib/Mojolicious/Plugin/TagHelpers.pm b/lib/Mojolicious/Plugin/TagHelpers.pm
@@ -314,7 +314,7 @@ picked up and shown as default.
 
   %= csrf_field
 
-Generate hidden input element with CSRF token from
+Generate hidden input element with
 L<Mojolicious::Plugin::DefaultHelpers/"csrf_token">.
 
   <input name="csrf_token" type="hidden" value="fa6a08..." />

diff --git a/t/mojolicious/validation_lite_app.t b/t/mojolicious/validation_lite_app.t
@@ -175,7 +175,8 @@ $t->post_ok('/' => form => {foo => 'no'})->status_is(200)
 
 # Missing CSRF token
 $t->get_ok('/forgery' => form => {foo => 'bar'})->status_is(200)
-  ->content_like(qr/Wrong or missing CSRF token!/);
+  ->content_like(qr/Wrong or missing CSRF token!/)
+  ->element_exists('[value=bar]');
 
 # Correct CSRF token
 my $token
@@ -191,11 +192,13 @@ $t->post_ok('/forgery' => {'X-CSRF-Token' => $token} => form => {foo => 'bar'})
 
 # Wrong CSRF token (header)
 $t->post_ok('/forgery' => {'X-CSRF-Token' => 'abc'} => form => {foo => 'bar'})
-  ->status_is(200)->content_like(qr/Wrong or missing CSRF token!/);
+  ->status_is(200)->content_like(qr/Wrong or missing CSRF token!/)
+  ->element_exists('[value=bar]');
 
 # Missing CSRF token again
 $t->post_ok('/forgery' => form => {foo => 'bar'})->status_is(200)
-  ->content_like(qr/Wrong or missing CSRF token!/);
+  ->content_like(qr/Wrong or missing CSRF token!/)
+  ->element_exists('[value=bar]');
 
 # Failed validation for all fields (with custom helper)
 $t->app->helper(