Replacing csrfguard-3.1.0.jar with csrfguard-3-latest.jar from the download area needs additional src/main/config/csrfguard.properties edits, because csrfguard-3-latest.jar is version 3.0 and does not have expressions such as "%servletContext%"; they were committed in CSRFGuard 3.1. Please add this note to the documentation.
And maybe comment out line 77 of src/main/java/net/jforum/csrf/CsrfFilter.java by default, because CSRFGuard does not have a proper way to disable logs; it floods the log on every request:
csrfGuard.getLogger().log(String.format("CsrfGuard analyzing request %s", httpRequest.getRequestURI()));
Those are both good points - thanks for reporting them!
I have replaced csrfguard-3-latest.jar by csrfguard-3.1-latest.jar, which is based on CSRFGuard 3.1 rather than 3.0, so the issue should no longer occur.
As to logging, CSRFGuard now routes its logging through JForum, so the log4j.xml file can be used to control this. If you want to see those messages, you can add a setting for the net.jforum.csrf category to log at "debug". Otherwise, the net.jforum category applies, and its "info" level will suppress them. Until the next release of JForum you'll have to get the latest source code and build it from scratch to get this change.
Last edit: Ulf Dittmer 2017-03-30
Thanks for the net.jforum.csrf.CsrfLogger logger implementation.
But in the new version csrfguard-3.1-latest.jar, anchors did not work. Anchors do not appear at all.
I tried rebuilding with this patch https://github.com/aramrami/OWASP-CSRFGuard/pull/60 but the anchors are duplicated. Moving location.split before sanitizedLocation works well.
You're right, the patch I added was incomplete. I've just updated the jar file with the full patch; please give it a try.
I tested it, it works well, thanks.
In the previous version of csrfguard-3.1-latest.jar there was no sb.append(hashPart), therefore the anchor did not work.
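
The anchor behaviour discussed in this thread, as an added example that is not CSRFGuard's or JForum's own code: a token appended to a link has to go into the query string, with the "#anchor" part split off first and re-appended once at the very end. The class and method names, the sample URLs and the token value are constructed for illustration; only hashPart echoes a name used above.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class TokenUrlExample {

    /** Adds name=value to the query of location and keeps any #fragment last. */
    static String addToken(String location, String tokenName, String tokenValue) {
        // Split the fragment off BEFORE touching the URL. Limit 2 keeps any
        // further '#' characters inside the fragment instead of dropping them.
        String[] parts = location.split("#", 2);
        String base = parts[0];
        String hashPart = parts.length > 1 ? "#" + parts[1] : "";

        StringBuilder sb = new StringBuilder(base);
        if (base.indexOf('?') < 0) {
            sb.append('?');                      // no query string yet
        } else if (!base.endsWith("?") && !base.endsWith("&")) {
            sb.append('&');                      // extend an existing query
        }
        // Encode the value so it cannot introduce '&' or '#' (Java 10+ overload).
        sb.append(tokenName).append('=')
          .append(URLEncoder.encode(tokenValue, StandardCharsets.UTF_8));

        // Re-append the fragment exactly once. Leaving this out loses the
        // anchor; doing it twice duplicates it.
        sb.append(hashPart);
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample links and token, not taken from a real forum.
        String[] samples = {
            "posts/list/12.page",
            "posts/list/12.page#p34",
            "jforum.page?module=posts&action=list#p34",
            "#top"
        };
        for (String s : samples) {
            System.out.println(s + "  ->  "
                    + addToken(s, "OWASP_CSRFTOKEN", "SAMPLE-TOKEN-1234"));
        }
    }
}
```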