Merge pull request #2376 from dilip-vishwa/patch-2

framework/CHANGELOG.md

@@ -165,6 +165,7 @@ Yii Framework 2 Change Log
 - Chg: Removed implementation of `Arrayable` from `yii\Object` (qiangxue)
 - Chg: Renamed `ActiveRecordInterface::createActiveRelation()` to `createRelation()` (qiangxue)
 - Chg: The scripts in asset bundles are now registered in `View` at the end of `endBody()`. It was done in `endPage()` previously (qiangxue)
+- Chg: Renamed `csrf-var` to `csrf-param` as `csrf-var` is not a valid meta tag name (Dilip)
 - New #66: [Auth client library](https://github.com/yiisoft/yii2-authclient) OpenId, OAuth1, OAuth2 clients (klimov-paul)
 - New #706: Added `yii\widgets\Pjax` and enhanced `GridView` to work with `Pjax` to support AJAX-update (qiangxue)
 - New #1393: [Codeception testing framework integration](https://github.com/yiisoft/yii2-codeception) (Ragazzo)

framework/assets/yii.js

@@ -60,8 +60,8 @@ yii = (function ($) {
 		/**
 		 * @return string|undefined the CSRF variable name. Undefined is returned if CSRF validation is not enabled.
 		 */
-		getCsrfVar: function () {
-			return $('meta[name=csrf-var]').prop('content');
+		getCsrfParam: function () {
+			return $('meta[name=csrf-param]').prop('content');
 		},
 
 		/**
@@ -130,9 +130,9 @@ yii = (function ($) {
 				if (!method.match(/(get|post)/i)) {
 					$form.append('<input name="_method" value="' + method + '" type="hidden">');
 				}
-				var csrfVar = pub.getCsrfVar();
-				if (csrfVar) {
-					$form.append('<input name="' + csrfVar + '" value="' + pub.getCsrfToken() + '" type="hidden">');
+				var csrfParam = pub.getCsrfParam();
+				if (csrfParam) {
+					$form.append('<input name="' + csrfParam + '" value="' + pub.getCsrfToken() + '" type="hidden">');
 				}
 				$form.hide().appendTo('body');
 			}
@@ -199,7 +199,7 @@ yii = (function ($) {
 	function initCsrfHandler() {
 		// automatically send CSRF token for all AJAX requests
 		$.ajaxPrefilter(function (options, originalOptions, xhr) {
-			if (!options.crossDomain && pub.getCsrfVar()) {
+			if (!options.crossDomain && pub.getCsrfParam()) {
 				xhr.setRequestHeader('X-CSRF-Token', pub.getCsrfToken());
 			}
 		});

framework/helpers/BaseHtml.php

@@ -244,7 +244,7 @@ class BaseHtml
 				$method = 'post';
 			}
 			if ($request->enableCsrfValidation && !strcasecmp($method, 'post')) {
-				$hiddenInputs[] = static::hiddenInput($request->csrfVar, $request->getCsrfToken());
+				$hiddenInputs[] = static::hiddenInput($request->csrfParam, $request->getCsrfToken());
 			}
 		}
 

framework/web/Request.php

@@ -95,10 +95,10 @@ class Request extends \yii\base\Request
 	 * from the same application. If not, a 400 HTTP exception will be raised.
 	 *
 	 * Note, this feature requires that the user client accepts cookie. Also, to use this feature,
-	 * forms submitted via POST method must contain a hidden input whose name is specified by [[csrfVar]].
+	 * forms submitted via POST method must contain a hidden input whose name is specified by [[csrfParam]].
 	 * You may use [[\yii\web\Html::beginForm()]] to generate his hidden input.
 	 *
-	 * In JavaScript, you may get the values of [[csrfVar]] and [[csrfToken]] via `yii.getCsrfVar()` and
+	 * In JavaScript, you may get the values of [[csrfParam]] and [[csrfToken]] via `yii.getCsrfParam()` and
 	 * `yii.getCsrfToken()`, respectively. The [[\yii\web\YiiAsset]] asset must be registered.
 	 *
 	 * @see Controller::enableCsrfValidation
@@ -109,7 +109,7 @@ class Request extends \yii\base\Request
 	 * @var string the name of the token used to prevent CSRF. Defaults to '_csrf'.
 	 * This property is used only when [[enableCsrfValidation]] is true.
 	 */
-	public $csrfVar = '_csrf';
+	public $csrfParam = '_csrf';
 	/**
 	 * @var array the configuration of the CSRF cookie. This property is used only when [[enableCsrfValidation]] is true.
 	 * @see Cookie
@@ -1103,7 +1103,7 @@ class Request extends \yii\base\Request
 	public function getRawCsrfToken()
 	{
 		if ($this->_csrfCookie === null) {
-			$this->_csrfCookie = $this->getCookies()->get($this->csrfVar);
+			$this->_csrfCookie = $this->getCookies()->get($this->csrfParam);
 			if ($this->_csrfCookie === null) {
 				$this->_csrfCookie = $this->createCsrfCookie();
 				Yii::$app->getResponse()->getCookies()->add($this->_csrfCookie);
@@ -1175,7 +1175,7 @@ class Request extends \yii\base\Request
 	protected function createCsrfCookie()
 	{
 		$options = $this->csrfCookie;
-		$options['name'] = $this->csrfVar;
+		$options['name'] = $this->csrfParam;
 		$options['value'] = Security::generateRandomKey();
 		return new Cookie($options);
 	}
@@ -1194,8 +1194,8 @@ class Request extends \yii\base\Request
 		if (!$this->enableCsrfValidation || in_array($method, ['GET', 'HEAD', 'OPTIONS'], true)) {
 			return true;
 		}
-		$trueToken = $this->getCookies()->getValue($this->csrfVar);
-		$token = $this->getBodyParam($this->csrfVar);
+		$trueToken = $this->getCookies()->getValue($this->csrfParam);
+		$token = $this->getBodyParam($this->csrfParam);
 		return $this->validateCsrfTokenInternal($token, $trueToken)
 			|| $this->validateCsrfTokenInternal($this->getCsrfTokenFromHeader(), $trueToken);
 	}

framework/web/View.php

@@ -454,7 +454,7 @@ class View extends \yii\base\View
 
 		$request = Yii::$app->getRequest();
 		if ($request instanceof \yii\web\Request && $request->enableCsrfValidation && !$request->getIsAjax()) {
-			$lines[] = Html::tag('meta', '', ['name' => 'csrf-var', 'content' => $request->csrfVar]);
+			$lines[] = Html::tag('meta', '', ['name' => 'csrf-param', 'content' => $request->csrfVar]);
 			$lines[] = Html::tag('meta', '', ['name' => 'csrf-token', 'content' => $request->getCsrfToken()]);
 		}