diff options
author | Xavier Noria <fxn@hashref.com> | 2010-09-11 11:04:19 +0200 |
---|---|---|
committer | Xavier Noria <fxn@hashref.com> | 2010-09-11 11:05:00 +0200 |
commit | a87b92db7b738cf86deac15d69f4159b2f87d79e (patch) | |
tree | 20cf6f72b45ed922ba0329b74d952b887635897c /actionpack/lib/action_view/helpers/csrf_helper.rb | |
parent | f6153f74da29f56017d5ddb8a2b8869d9b5835d7 (diff) | |
download | rails-a87b92db7b738cf86deac15d69f4159b2f87d79e.tar.gz rails-a87b92db7b738cf86deac15d69f4159b2f87d79e.tar.bz2 rails-a87b92db7b738cf86deac15d69f4159b2f87d79e.zip |
revises implementation and documentation of csrf_meta_tags, and aliases csrf_meta_tag to it for backwards compatibilty
Diffstat (limited to 'actionpack/lib/action_view/helpers/csrf_helper.rb')
-rw-r--r-- | actionpack/lib/action_view/helpers/csrf_helper.rb | 28 |
1 files changed, 22 insertions, 6 deletions
diff --git a/actionpack/lib/action_view/helpers/csrf_helper.rb b/actionpack/lib/action_view/helpers/csrf_helper.rb index 3d03f6aac6..092855b578 100644 --- a/actionpack/lib/action_view/helpers/csrf_helper.rb +++ b/actionpack/lib/action_view/helpers/csrf_helper.rb @@ -1,14 +1,30 @@ +require 'active_support/core_ext/string/strip' + module ActionView # = Action View CSRF Helper module Helpers module CsrfHelper - # Returns a meta tag with the cross-site request forgery protection token - # for forms to use. Place this in your head. - def csrf_meta_tag - if protect_against_forgery? - %(<meta name="csrf-param" content="#{Rack::Utils.escape_html(request_forgery_protection_token)}"/>\n<meta name="csrf-token" content="#{Rack::Utils.escape_html(form_authenticity_token)}"/>).html_safe - end + # Returns meta tags "csrf-param" and "csrf-token" with the name of the cross-site + # request forgery protection parameter and token, respectively. + # + # <head> + # <%= csrf_meta_tags %> + # </head> + # + # These are used to generate the dynamic forms that implement non-remote links with + # <tt>:method</tt>. + # + # Note that regular forms generate hidden fields, and that Ajax calls are whitelisted, + # so they do not use these tags. + def csrf_meta_tags + <<-METAS.strip_heredoc.html_safe if protect_against_forgery? + <meta name="csrf-param" content="#{Rack::Utils.escape_html(request_forgery_protection_token)}"/> + <meta name="csrf-token" content="#{Rack::Utils.escape_html(form_authenticity_token)}"/> + METAS end + + # For backwards compatibility. + alias csrf_meta_tag csrf_meta_tags end end end |