[Owasp-csrfguard] JavaScriptServlet tag name and value undefined

john.m.allen at thomsonreuters.com
Tue Mar 11 18:40:08 UTC 2014

I finally figured out why I was getting "undefined" values for token-name and token-value.  I like the library a lot but I see a major issue and a very minor one.

Major Issue

JavaScript DOM Manipulation does not work unless Ajax support is enabled in the property file.

The documentation has
Note: Use of JavaScript DOM Manipulation is required for Ajax support.
But I did not see anything that said:
Ajax support is required for JavaScript DOM Manipulation.

And I found no other place the POST for the token exists except in the Ajax "if" statement (line 392) in
csrfguard.js, requestPageTokens().  Is the closing brace misplaced?
              if(%INJECT_XHR% == true) {
I am not sure of the intentions, but it worked putting the closing brace just before
              var xhr = window.XMLHttpRequest . . .

Minor Issue

The latest version (git clone https://github.com/aramrami/OWASP-CSRFGuard)
has names that do not match the code.  I changed



              . . .
