diff options
| author | Jeremy Kemper <jeremy@bitsweat.net> | 2010-02-04 17:45:43 -0800 |
|---|---|---|
| committer | Jeremy Kemper <jeremy@bitsweat.net> | 2010-02-04 17:45:43 -0800 |
| commit | 3062bc70eff68397a00fc652e8eee4ae8089e0a2 (patch) | |
| tree | 89a09a8093668130ff46de1ef024c2e41f8e3861 /actionpack | |
| parent | 2191aa47acc0a560366c8c09fa9635602cff5f07 (diff) | |
| download | rails-3062bc70eff68397a00fc652e8eee4ae8089e0a2.tar.gz rails-3062bc70eff68397a00fc652e8eee4ae8089e0a2.tar.bz2 rails-3062bc70eff68397a00fc652e8eee4ae8089e0a2.zip | |
HTML-escape csrf meta contents
Diffstat (limited to 'actionpack')
| -rw-r--r-- | actionpack/lib/action_view/helpers/csrf_helper.rb | 2 | ||||
| -rw-r--r-- | actionpack/test/controller/request_forgery_protection_test.rb | 4 |
2 files changed, 3 insertions, 3 deletions
diff --git a/actionpack/lib/action_view/helpers/csrf_helper.rb b/actionpack/lib/action_view/helpers/csrf_helper.rb index 6f98bd4573..41c6b67f91 100644 --- a/actionpack/lib/action_view/helpers/csrf_helper.rb +++ b/actionpack/lib/action_view/helpers/csrf_helper.rb @@ -4,7 +4,7 @@ module ActionView # Returns a meta tag with the request forgery protection token for forms to use. Put this in your head. def csrf_meta_tag if protect_against_forgery? - %(<meta name="csrf-param" content="#{Rack::Utils.escape(request_forgery_protection_token)}"/>\n<meta name="csrf-token" content="#{Rack::Utils.escape(form_authenticity_token)}"/>).html_safe + %(<meta name="csrf-param" content="#{Rack::Utils.escape_html(request_forgery_protection_token)}"/>\n<meta name="csrf-token" content="#{Rack::Utils.escape_html(form_authenticity_token)}"/>).html_safe end end end diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb index 77d07d8eeb..c38ffad748 100644 --- a/actionpack/test/controller/request_forgery_protection_test.rb +++ b/actionpack/test/controller/request_forgery_protection_test.rb @@ -210,7 +210,7 @@ class RequestForgeryProtectionControllerTest < ActionController::TestCase @request = ActionController::TestRequest.new @request.format = :html @response = ActionController::TestResponse.new - @token = "cf50faa3fe97702ca1ae" + @token = "cf50faa3fe97702ca1a/=?" ActiveSupport::SecureRandom.stubs(:base64).returns(@token) ActionController::Base.request_forgery_protection_token = :authenticity_token @@ -227,7 +227,7 @@ class FreeCookieControllerTest < ActionController::TestCase @controller = FreeCookieController.new @request = ActionController::TestRequest.new @response = ActionController::TestResponse.new - @token = "cf50faa3fe97702ca1ae" + @token = "cf50faa3fe97702ca1a/=?" ActiveSupport::SecureRandom.stubs(:base64).returns(@token) end |