In order for CSRF protection to work we need to use form_for or form_tag
to build all forms so that the authenticity token is added.
<p><%= t 'user.confirm.press confirm button' %></p>
-<form id="confirm" method="post">
+<%= form_tag({}, { :id => "confirm" }) do %>
<input type="display_name" name="confirm_string" value="<%= params[:display_name] %>">
<input type="hidden" name="confirm_string" value="<%= params[:confirm_string] %>">
<input type="submit" name="confirm_action" value="<%= t 'user.confirm.button' %>">
-</form>
+<% end %>
<script>
$("confirm").submit();
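Review bot: The first input in this form, `<input type="display_name" name="confirm_string" value="<%= params[:display_name] %>">`, has an invalid `type`, so browsers fall back to a visible text field, and it reuses the name `confirm_string`, so the POST carries two values under one key alongside the hidden field on the next line. The line is context that the commit leaves unchanged, but it matters more now: `form_tag({}, ...)` generates an explicit action, so, depending on routing, values that used to ride along in the query string may no longer reach the POST. If the intent was to pass the display name, `<input type="hidden" name="display_name" value="<%= params[:display_name] %>">` would say so. Confirm this against the controller, which is not shown here.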
<p><%= t 'user.confirm_email.press confirm button' %></p>
-<form id="confirm" method="post">
+<%= form_tag({}, { :id => "confirm" }) do %>
<input type="hidden" name="confirm_string" value="<%= params[:confirm_string] %>">
<input type="submit" name="confirm_action" value="<%= t 'user.confirm_email.button' %>">
-</form>
+<% end %>
<script>
$("confirm").submit();
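Review bot: The authenticity token added by `form_tag` only protects the confirmation if the controller performs it on POST alone. This template renders and then auto-submits to the same URL via `$("confirm").submit();`, so one action appears to serve both GET and POST. The controller is outside this diff, so it is worth checking that the GET branch only renders the form and that the state change sits behind the verified POST. The same applies to the `user.confirm` template in the hunk above. A short template comment such as `<%# form_tag supplies the authenticity token; do not replace with a raw <form> %>` would keep a later edit from undoing this.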