[Owasp-csrfguard] JavaScriptServlet tag name and value undefined

john.m.allen at thomsonreuters.com
Tue Mar 11 18:40:08 UTC 2014


I finally figured out why I was getting "undefined" values for token-name and token-value.  I like the library a lot but I see a major issue and a very minor one.

Major Issue

JavaScript DOM Manipulation does not work unless Ajax support is enabled in the property file.
org.owasp.csrfguard.Ajax=true

The documentation has
Note: Use of JavaScript DOM Manipulation is required for Ajax support.
But I did not see anything that said:
Ajax support is required for JavaScript DOM Manipulation.

And I found no other place the POST for the token exists except in the Ajax "if" statement (line 392) in
csrfguard.js, requestPageTokens().  Is the closing brace misplaced?
              if(%INJECT_XHR% == true) {
I am not sure of the intentions, but it worked putting the closing brace just before
              var xhr = window.XMLHttpRequest . . .


Minor Issue

The latest version (git clone https://github.com/aramrami/OWASP-CSRFGuard)
...\csrfguard\src\main\resources\csrfguard.tld
has names that do not match the code.  I changed

              <name>tokenname</name>
              <tag-class>org.owasp.csrfguard.tag.TokenNameTag</tag-class>
              <body-content>empty</body-content>
       </tag>
       <tag>
              <name>tokenvalue</name>

to

              <name>token-name</name>
              . . .
              <name>token-value</name>

John
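Added illustration (not part of John's message and not csrfguard.js itself): a small, self-contained reconstruction of the coupling he describes, in which the page-token request lives only inside the Ajax branch, so that with org.owasp.csrfguard.Ajax=false the DOM-injection path runs with undefined tokens and writes the literal string "undefined" into forms. The function names, the config object and the fake document are assumptions made for this demonstration; the token pair is a constructed value so the code runs offline.

```javascript
// Added example, NOT OWASP CSRFGuard's own code. Function names, the config
// object and the fake document are assumptions for this demonstration.

// Stand-in for document.forms: each "form" just records appended children.
// Constructed for this example so it runs outside a browser (e.g. under Node).
function makeFakeDocument(actions) {
  return { forms: actions.map(action => ({ action, children: [] })) };
}

// Stand-in for the library's page-token request. In csrfguard.js this is an
// XMLHttpRequest POST to the CSRFGuard servlet; here the token pair is a
// constructed value so the example runs offline.
function requestPageTokens() {
  return { tokenName: 'OWASP_CSRFTOKEN', tokenValue: 'ABCD-1234-EXAMPLE' };
}

// "JavaScript DOM manipulation": add a hidden field to every form.
// String() is used deliberately: an unset name/value becomes the literal
// string "undefined", which is the symptom reported in the post.
function injectIntoForms(doc, tokenName, tokenValue) {
  for (const form of doc.forms) {
    form.children.push({
      tag: 'input',
      type: 'hidden',
      name: String(tokenName),
      value: String(tokenValue),
    });
  }
}

// "Ajax support": produce the extra request header an XHR wrapper would add
// to every outgoing request.
function makeHeaderInjector(tokenName, tokenValue) {
  return headers => Object.assign({}, headers, { [tokenName]: tokenValue });
}

// Control flow as reported: the token request sits inside the Ajax branch,
// so with Ajax disabled the DOM path runs with undefined tokens.
function initAsReported(doc, config) {
  let tokenName;
  let tokenValue;
  let addTokenHeader = null;
  if (config.injectXhr) {
    ({ tokenName, tokenValue } = requestPageTokens());
    addTokenHeader = makeHeaderInjector(tokenName, tokenValue);
  }
  if (config.injectForms) {
    injectIntoForms(doc, tokenName, tokenValue); // undefined when injectXhr is false
  }
  return { tokenName, tokenValue, addTokenHeader };
}

// Corrected control flow: fetch the tokens once, unconditionally, then let
// each feature flag gate only its own behaviour.
function initFixed(doc, config) {
  const { tokenName, tokenValue } = requestPageTokens();
  const addTokenHeader = config.injectXhr
    ? makeHeaderInjector(tokenName, tokenValue)
    : null;
  if (config.injectForms) {
    injectIntoForms(doc, tokenName, tokenValue);
  }
  return { tokenName, tokenValue, addTokenHeader };
}
```

Running initAsReported with { injectXhr: false, injectForms: true } leaves every form with a hidden input named "undefined", whereas initFixed injects the real token name and value regardless of the Ajax flag and only installs the XHR header injector when injectXhr is set.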