diff --git a/src/Orchard.Web/Packages/Orchard.Blogs/Views/Blog/Create.aspx b/src/Orchard.Web/Packages/Orchard.Blogs/Views/Blog/Create.aspx
index a56cc2ab8..5fe49baf6 100644
--- a/src/Orchard.Web/Packages/Orchard.Blogs/Views/Blog/Create.aspx
+++ b/src/Orchard.Web/Packages/Orchard.Blogs/Views/Blog/Create.aspx
@@ -3,12 +3,9 @@
<%@ Import Namespace="Orchard.Blogs.ViewModels"%>
<% Html.Include("AdminHead"); %>
Add Blog
- <% using (Html.BeginForm()) { %>
+ <% using (Html.BeginFormAntiForgeryPost()) { %>
<%=Html.ValidationSummary() %>
<%=Html.EditorForItem(vm => vm.Blog) %>
- <%
+ <%
} %>
<% Html.Include("AdminFoot"); %>
\ No newline at end of file
diff --git a/src/Orchard.Web/Packages/Orchard.Blogs/Views/Blog/Edit.aspx b/src/Orchard.Web/Packages/Orchard.Blogs/Views/Blog/Edit.aspx
index cf41724df..e3d4a6ee1 100644
--- a/src/Orchard.Web/Packages/Orchard.Blogs/Views/Blog/Edit.aspx
+++ b/src/Orchard.Web/Packages/Orchard.Blogs/Views/Blog/Edit.aspx
@@ -3,12 +3,9 @@
<%@ Import Namespace="Orchard.Blogs.ViewModels"%>
<% Html.Include("AdminHead"); %>
Edit Blog
- <% using (Html.BeginForm()) { %>
+ <% using (Html.BeginFormAntiForgeryPost()) { %>
<%=Html.ValidationSummary() %>
<%=Html.EditorForItem(m => m.Blog) %>
- <%
+ <%
} %>
<% Html.Include("AdminFoot"); %>
\ No newline at end of file
diff --git a/src/Orchard.Web/Packages/Orchard.Blogs/Views/BlogPost/Create.aspx b/src/Orchard.Web/Packages/Orchard.Blogs/Views/BlogPost/Create.aspx
index b987670aa..2521dc878 100644
--- a/src/Orchard.Web/Packages/Orchard.Blogs/Views/BlogPost/Create.aspx
+++ b/src/Orchard.Web/Packages/Orchard.Blogs/Views/BlogPost/Create.aspx
@@ -3,9 +3,8 @@
<%@ Import Namespace="Orchard.Blogs.ViewModels"%>
<% Html.Include("AdminHead"); %>
Add Post
- <% using (Html.BeginForm()) { %>
+ <% using (Html.BeginFormAntiForgeryPost()) { %>
<%=Html.ValidationSummary() %>
- <%=Html.EditorForItem(m => m.BlogPost) %>
- <%=Html.OrchardAntiForgeryToken() %><%
+ <%=Html.EditorForItem(m => m.BlogPost) %><%
} %>
<% Html.Include("AdminFoot"); %>
\ No newline at end of file
diff --git a/src/Orchard.Web/Packages/Orchard.Blogs/Views/BlogPost/Edit.aspx b/src/Orchard.Web/Packages/Orchard.Blogs/Views/BlogPost/Edit.aspx
index 9493faa72..d68f1b35f 100644
--- a/src/Orchard.Web/Packages/Orchard.Blogs/Views/BlogPost/Edit.aspx
+++ b/src/Orchard.Web/Packages/Orchard.Blogs/Views/BlogPost/Edit.aspx
@@ -3,9 +3,8 @@
<%@ Import Namespace="Orchard.Blogs.ViewModels"%>
<% Html.Include("AdminHead"); %>
Edit Post
- <% using (Html.BeginForm()) { %>
+ <% using (Html.BeginFormAntiForgeryPost()) { %>
<%=Html.ValidationSummary() %>
- <%=Html.EditorForItem(m => m.BlogPost) %>
- <%=Html.OrchardAntiForgeryToken() %><%
+ <%=Html.EditorForItem(m => m.BlogPost) %><%
} %>
<% Html.Include("AdminFoot"); %>
\ No newline at end of file
diff --git a/src/Orchard/Mvc/Filters/AntiForgeryAuthorizationFilter.cs b/src/Orchard/Mvc/Filters/AntiForgeryAuthorizationFilter.cs
index 78d04a23c..551796b3d 100644
--- a/src/Orchard/Mvc/Filters/AntiForgeryAuthorizationFilter.cs
+++ b/src/Orchard/Mvc/Filters/AntiForgeryAuthorizationFilter.cs
@@ -11,6 +11,7 @@ namespace Orchard.Mvc.Filters {
if (!(filterContext.HttpContext.Request.HttpMethod == "POST" && filterContext.RequestContext.HttpContext.Request.IsAuthenticated))
return;
+ //TODO: (erikpo) Change the salt to be something unique per application like a site setting with a Guid.NewGuid().ToString("N") value
ValidateAntiForgeryTokenAttribute validator = new ValidateAntiForgeryTokenAttribute { Salt = "Orchard" };
validator.OnAuthorization(filterContext);
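Review bot: The salt `"Orchard"` at L77 is duplicated as a second string literal in HtmlHelperExtensions.AntiForgeryTokenOrchard, so changing either side (as the TODO plans) silently breaks every authenticated POST with a token-validation failure rather than a compile error. Hoist it into one shared constant, e.g. `public const string AntiForgerySalt = "Orchard";` on a single type, and reference it from both the validator here and the token helper; that also turns the later move to a per-site setting into a one-place change. The guard on L74 also exempts anonymous POSTs and non-POST verbs, which is consistent with the token being bound to the authenticated user but deserves a comment, e.g. `// Anonymous requests carry no user-bound token; only authenticated POSTs are validated.` The enclosing OnAuthorization method starts outside the hunk.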
diff --git a/src/Orchard/Mvc/Html/HtmlHelperExtensions.cs b/src/Orchard/Mvc/Html/HtmlHelperExtensions.cs
index b411f3b71..97c3be3f0 100644
--- a/src/Orchard/Mvc/Html/HtmlHelperExtensions.cs
+++ b/src/Orchard/Mvc/Html/HtmlHelperExtensions.cs
@@ -4,6 +4,7 @@ using System.Linq;
using System.Linq.Expressions;
using System.Text;
using System.Web.Mvc;
+using System.Web.Mvc.Html;
using System.Web.Routing;
using Orchard.Utility;
@@ -176,12 +177,39 @@ namespace Orchard.Mvc.Html {
#endregion
- #region OrchardAntiForgeryToken
+ #region BeginFormAntiForgeryPost
- public static MvcHtmlString OrchardAntiForgeryToken(this HtmlHelper htmlHelper)
- {
+ public static MvcForm BeginFormAntiForgeryPost(this HtmlHelper htmlHelper) {
+ return htmlHelper.BeginFormAntiForgeryPost(htmlHelper.ViewContext.HttpContext.Request.RawUrl, FormMethod.Post, new RouteValueDictionary());
+ }
+ //TODO: (erikpo) Uncomment when needed (not currently needed)
+ //public static MvcForm BeginFormAntiForgeryPost(this HtmlHelper htmlHelper, string formAction) {
+ // return htmlHelper.BeginFormAntiForgeryPost(formAction, FormMethod.Post, new RouteValueDictionary());
+ //}
+ //public static MvcForm BeginFormAntiForgeryPost(this HtmlHelper htmlHelper, string formAction, FormMethod formMethod) {
+ // return htmlHelper.BeginFormAntiForgeryPost(formAction, formMethod, new RouteValueDictionary());
+ //}
+ //public static MvcForm BeginFormAntiForgeryPost(this HtmlHelper htmlHelper, string formAction, FormMethod formMethod, object htmlAttributes) {
+ // return htmlHelper.BeginFormAntiForgeryPost(formAction, formMethod, new RouteValueDictionary(htmlAttributes));
+ //}
+ public static MvcForm BeginFormAntiForgeryPost(this HtmlHelper htmlHelper, string formAction, FormMethod formMethod, IDictionary htmlAttributes) {
+ TagBuilder tagBuilder = new TagBuilder("form");
+
+ tagBuilder.MergeAttributes(htmlAttributes);
+ tagBuilder.MergeAttribute("action", formAction);
+ tagBuilder.MergeAttribute("method", HtmlHelper.GetFormMethodString(formMethod), true);
+
+ htmlHelper.ViewContext.HttpContext.Response.Write(tagBuilder.ToString(TagRenderMode.StartTag));
+
+ return new MvcFormAntiForgeryPost(htmlHelper);
+ }
+
+ #endregion
+
+ #region AntiForgeryTokenOrchard
+
+ public static MvcHtmlString AntiForgeryTokenOrchard(this HtmlHelper htmlHelper) {
//TODO: (erikpo) Change the salt to be something unique per application like a site setting with a Guid.NewGuid().ToString("N") value
-
return htmlHelper.AntiForgeryToken("Orchard");
}
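Review bot: The four-argument BeginFormAntiForgeryPost at L109 accepts any FormMethod, but the token appended on form close is a hidden field, so a caller passing FormMethod.Get would submit the anti-forgery token in the query string (Referer headers, proxy and server logs) on a request AntiForgeryAuthorizationFilter never validates, since that filter only checks POST. Given the helper's name, either drop the parameter or reject non-POST up front: `if (formMethod != FormMethod.Post) throw new ArgumentException("Anti-forgery forms must use POST.", "formMethod");`. The commented-out overloads under the "Uncomment when needed" TODO are dead code and would be better deleted than carried in source. Separately, if the `IDictionary htmlAttributes` parameter at L109 really is the non-generic interface, TagBuilder.MergeAttributes will not accept it — presumably this was `IDictionary<string, object>` and lost its type arguments in rendering, so confirm against the actual file.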
diff --git a/src/Orchard/Mvc/Html/MvcFormAntiForgeryPost.cs b/src/Orchard/Mvc/Html/MvcFormAntiForgeryPost.cs
new file mode 100644
index 000000000..8b9fb18d7
--- /dev/null
+++ b/src/Orchard/Mvc/Html/MvcFormAntiForgeryPost.cs
@@ -0,0 +1,18 @@
+using System.Web.Mvc;
+using System.Web.Mvc.Html;
+
+namespace Orchard.Mvc.Html {
+ public class MvcFormAntiForgeryPost : MvcForm {
+ private readonly HtmlHelper _htmlHelper;
+
+ public MvcFormAntiForgeryPost(HtmlHelper htmlHelper) : base(htmlHelper.ViewContext) {
+ _htmlHelper = htmlHelper;
+ }
+
+ protected override void Dispose(bool disposing) {
+ _htmlHelper.ViewContext.RequestContext.HttpContext.Response.Write(_htmlHelper.AntiForgeryTokenOrchard());
+
+ base.Dispose(disposing);
+ }
+ }
+}
\ No newline at end of file
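Review bot: Dispose(bool) at L147 writes the hidden token field unconditionally and before base.Dispose runs, so a second Dispose call (or one with disposing == false) emits a second token into the page even though the base class typically guards its own closing-tag write. Guard it with a flag: add `private bool _tokenWritten;` and wrap the write in `if (disposing && !_tokenWritten) { _tokenWritten = true; … }`. The write also goes to HttpContext.Response directly rather than the view's writer; whether that is correct depends on the MVC version in use — if output is being captured through ViewContext.Writer (for example a partial rendered to a string) the token would land outside the form, so confirm which the rest of Orchard's helpers use. A one-line class comment would help too: `// MvcForm that appends the Orchard anti-forgery token when the form is closed.`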
diff --git a/src/Orchard/Orchard.csproj b/src/Orchard/Orchard.csproj
index 222d8ce99..361cfd95c 100644
--- a/src/Orchard/Orchard.csproj
+++ b/src/Orchard/Orchard.csproj
@@ -200,6 +200,7 @@
+