aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--actionpack/lib/action_view/helpers.rb2
-rw-r--r--actionpack/lib/action_view/helpers/csrf_helper.rb12
-rw-r--r--actionpack/test/controller/request_forgery_protection_test.rb16
-rw-r--r--railties/lib/generators/erb/scaffold/templates/layout.html.erb1
4 files changed, 30 insertions, 1 deletions
diff --git a/actionpack/lib/action_view/helpers.rb b/actionpack/lib/action_view/helpers.rb
index ceb0e18d80..b4f649385a 100644
--- a/actionpack/lib/action_view/helpers.rb
+++ b/actionpack/lib/action_view/helpers.rb
@@ -7,6 +7,7 @@ module ActionView #:nodoc:
autoload :AtomFeedHelper, 'action_view/helpers/atom_feed_helper'
autoload :CacheHelper, 'action_view/helpers/cache_helper'
autoload :CaptureHelper, 'action_view/helpers/capture_helper'
+ autoload :CsrfHelper, 'action_view/helpers/csrf_helper'
autoload :DateHelper, 'action_view/helpers/date_helper'
autoload :DebugHelper, 'action_view/helpers/debug_helper'
autoload :FormHelper, 'action_view/helpers/form_helper'
@@ -40,6 +41,7 @@ module ActionView #:nodoc:
include AtomFeedHelper
include CacheHelper
include CaptureHelper
+ include CsrfHelper
include DateHelper
include DebugHelper
include FormHelper
diff --git a/actionpack/lib/action_view/helpers/csrf_helper.rb b/actionpack/lib/action_view/helpers/csrf_helper.rb
new file mode 100644
index 0000000000..2d6af52180
--- /dev/null
+++ b/actionpack/lib/action_view/helpers/csrf_helper.rb
@@ -0,0 +1,12 @@
+module ActionView
+ module Helpers
+ module CsrfHelper
+ # Returns a meta tag with the request forgery protection token for forms to use. Put this in your head.
+ def csrf_meta_tag
+ if protect_against_forgery?
+ %(<meta name="csrf-token" content="#{Rack::Utils.escape(form_authenticity_token)}"/>).html_safe
+ end
+ end
+ end
+ end
+end
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index b2a0e2e2a3..55c21bc84a 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -15,13 +15,17 @@ module RequestForgeryProtectionActions
render :text => 'pwn'
end
+ def meta
+ render :inline => "<%= csrf_meta_tag %>"
+ end
+
def rescue_action(e) raise e end
end
# sample controllers
class RequestForgeryProtectionController < ActionController::Base
include RequestForgeryProtectionActions
- protect_from_forgery :only => :index
+ protect_from_forgery :only => %w(index meta)
end
class FreeCookieController < RequestForgeryProtectionController
@@ -211,6 +215,11 @@ class RequestForgeryProtectionControllerTest < ActionController::TestCase
ActiveSupport::SecureRandom.stubs(:base64).returns(@token)
ActionController::Base.request_forgery_protection_token = :authenticity_token
end
+
+ test 'should emit a csrf-token meta tag' do
+ get :meta
+ assert_equal %(<meta name="csrf-token" content="#{@token}"/>), @response.body
+ end
end
class FreeCookieControllerTest < ActionController::TestCase
@@ -238,6 +247,11 @@ class FreeCookieControllerTest < ActionController::TestCase
assert_nothing_raised { send(method, :index)}
end
end
+
+ test 'should not emit a csrf-token meta tag' do
+ get :meta
+ assert @response.body.blank?
+ end
end
class CustomAuthenticityParamControllerTest < ActionController::TestCase
diff --git a/railties/lib/generators/erb/scaffold/templates/layout.html.erb b/railties/lib/generators/erb/scaffold/templates/layout.html.erb
index 496de90ebb..420d17f33c 100644
--- a/railties/lib/generators/erb/scaffold/templates/layout.html.erb
+++ b/railties/lib/generators/erb/scaffold/templates/layout.html.erb
@@ -4,6 +4,7 @@
<title><%= controller_class_name %>: <%%= controller.action_name %></title>
<%%= stylesheet_link_tag 'scaffold' %>
<%%= javascript_include_tag :defaults %>
+ <%%= csrf_meta_tag %>
</head>
<body>
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-29 11:03:17 +0000