75 : If ajax is disabled, the javascript token injection don't work

aramrami · Jul 27, 2017 · a7c199a · a7c199a
1 parent 9e26fc1
commit a7c199a
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/csrfguard/src/main/resources/csrfguard.js b/csrfguard/src/main/resources/csrfguard.js
@@ -412,6 +412,8 @@
 	 * the token hijacking problem.
 	 */
 	if(isValidDomain(document.domain, "%DOMAIN_ORIGIN%")) {
+		var token_name = '%TOKEN_NAME%';
+		var token_value = '%TOKEN_VALUE%';
 		/** optionally include Ajax support **/
 		if(%INJECT_XHR% == true) {
 			if(navigator.appName == "Microsoft Internet Explorer") {
@@ -428,8 +430,8 @@
 
 		var token_pair = xhr.responseText;
 		token_pair = token_pair.split(":");
-		var token_name = token_pair[0];
-		var token_value = token_pair[1];
+		token_name = token_pair[0];
+		token_value = token_pair[1];
 
 			XMLHttpRequest.prototype.onsend = function(data) {
 				if(isValidUrl(this.url)) {