aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--actionpack/CHANGELOG2
-rw-r--r--actionpack/lib/action_controller/metal/request_forgery_protection.rb4
-rw-r--r--actionpack/lib/action_view/helpers/csrf_helper.rb28
-rw-r--r--actionpack/test/controller/request_forgery_protection_test.rb8
-rw-r--r--railties/guides/source/getting_started.textile2
-rw-r--r--railties/lib/rails/generators/rails/app/templates/app/views/layouts/application.html.erb.tt2
-rw-r--r--railties/test/application/configuration_test.rb2
7 files changed, 34 insertions, 14 deletions
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG
index 75d0632a6d..2231d6db4b 100644
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
@@ -1,6 +1,6 @@
*Rails 3.1.0 (unreleased)*
-* No changes
+* Renames csrf_meta_tag -> csrf_meta_tags, and aliases csrf_meta_tag for backwards compatibility. [fxn]
*Rails 3.0.0 (August 29, 2010)*
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index fc3118671f..02f577647e 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -17,11 +17,11 @@ module ActionController #:nodoc:
# which will check the token and raise an ActionController::InvalidAuthenticityToken
# if it doesn't match what was expected. A call to this method is generated for new
# \Rails applications by default. You can customize the error message by editing
- # public/422.html.
+ # public/422.html.
#
# The token parameter is named <tt>authenticity_token</tt> by default. The name and
# value of this token must be added to every layout that renders forms by including
- # <tt>csrf_meta_tag</tt> in the html +head+.
+ # <tt>csrf_meta_tags</tt> in the html +head+.
#
# Learn more about CSRF attacks and securing your application in the
# {Ruby on Rails Security Guide}[http://guides.rubyonrails.org/security.html].
diff --git a/actionpack/lib/action_view/helpers/csrf_helper.rb b/actionpack/lib/action_view/helpers/csrf_helper.rb
index 3d03f6aac6..092855b578 100644
--- a/actionpack/lib/action_view/helpers/csrf_helper.rb
+++ b/actionpack/lib/action_view/helpers/csrf_helper.rb
@@ -1,14 +1,30 @@
+require 'active_support/core_ext/string/strip'
+
module ActionView
# = Action View CSRF Helper
module Helpers
module CsrfHelper
- # Returns a meta tag with the cross-site request forgery protection token
- # for forms to use. Place this in your head.
- def csrf_meta_tag
- if protect_against_forgery?
- %(<meta name="csrf-param" content="#{Rack::Utils.escape_html(request_forgery_protection_token)}"/>\n<meta name="csrf-token" content="#{Rack::Utils.escape_html(form_authenticity_token)}"/>).html_safe
- end
+ # Returns meta tags "csrf-param" and "csrf-token" with the name of the cross-site
+ # request forgery protection parameter and token, respectively.
+ #
+ # <head>
+ # <%= csrf_meta_tags %>
+ # </head>
+ #
+ # These are used to generate the dynamic forms that implement non-remote links with
+ # <tt>:method</tt>.
+ #
+ # Note that regular forms generate hidden fields, and that Ajax calls are whitelisted,
+ # so they do not use these tags.
+ def csrf_meta_tags
+ <<-METAS.strip_heredoc.html_safe if protect_against_forgery?
+ <meta name="csrf-param" content="#{Rack::Utils.escape_html(request_forgery_protection_token)}"/>
+ <meta name="csrf-token" content="#{Rack::Utils.escape_html(form_authenticity_token)}"/>
+ METAS
end
+
+ # For backwards compatibility.
+ alias csrf_meta_tag csrf_meta_tags
end
end
end
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index 5ec760d4ea..7e169431f4 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -1,5 +1,6 @@
require 'abstract_unit'
require 'digest/sha1'
+require 'active_support/core_ext/string/strip'
# common controller actions
module RequestForgeryProtectionActions
@@ -16,7 +17,7 @@ module RequestForgeryProtectionActions
end
def meta
- render :inline => "<%= csrf_meta_tag %>"
+ render :inline => "<%= csrf_meta_tags %>"
end
def rescue_action(e) raise e end
@@ -219,7 +220,10 @@ class RequestForgeryProtectionControllerTest < ActionController::TestCase
test 'should emit a csrf-token meta tag' do
ActiveSupport::SecureRandom.stubs(:base64).returns(@token + '<=?')
get :meta
- assert_equal %(<meta name="csrf-param" content="authenticity_token"/>\n<meta name="csrf-token" content="cf50faa3fe97702ca1ae&lt;=?"/>), @response.body
+ assert_equal <<-METAS.strip_heredoc, @response.body
+ <meta name="csrf-param" content="authenticity_token"/>
+ <meta name="csrf-token" content="cf50faa3fe97702ca1ae&lt;=?"/>
+ METAS
end
end
diff --git a/railties/guides/source/getting_started.textile b/railties/guides/source/getting_started.textile
index 92b9131b59..9eae712a93 100644
--- a/railties/guides/source/getting_started.textile
+++ b/railties/guides/source/getting_started.textile
@@ -559,7 +559,7 @@ The view is only part of the story of how HTML is displayed in your web browser.
<title>Blog</title>
<%= stylesheet_link_tag :all %>
<%= javascript_include_tag :defaults %>
- <%= csrf_meta_tag %>
+ <%= csrf_meta_tags %>
</head>
<body style="background: #EEEEEE;">
diff --git a/railties/lib/rails/generators/rails/app/templates/app/views/layouts/application.html.erb.tt b/railties/lib/rails/generators/rails/app/templates/app/views/layouts/application.html.erb.tt
index 1dd112b4a6..1de78eecae 100644
--- a/railties/lib/rails/generators/rails/app/templates/app/views/layouts/application.html.erb.tt
+++ b/railties/lib/rails/generators/rails/app/templates/app/views/layouts/application.html.erb.tt
@@ -4,7 +4,7 @@
<title><%= app_const_base %></title>
<%%= stylesheet_link_tag :all %>
<%%= javascript_include_tag :defaults %>
- <%%= csrf_meta_tag %>
+ <%%= csrf_meta_tags %>
</head>
<body>
diff --git a/railties/test/application/configuration_test.rb b/railties/test/application/configuration_test.rb
index 6bf56f7052..7403d16cf4 100644
--- a/railties/test/application/configuration_test.rb
+++ b/railties/test/application/configuration_test.rb
@@ -211,7 +211,7 @@ module ApplicationTests
protect_from_forgery
def index
- render :inline => "<%= csrf_meta_tag %>"
+ render :inline => "<%= csrf_meta_tags %>"
end
end