Diffstat (limited to 'actionpack/lib/action_view')
-rw-r--r-- | actionpack/lib/action_view/base.rb | 2 | ||||
-rw-r--r-- | actionpack/lib/action_view/helpers/form_tag_helper.rb | 12 | ||||
-rw-r--r-- | actionpack/lib/action_view/helpers/prototype_helper.rb | 9 | ||||
-rw-r--r-- | actionpack/lib/action_view/helpers/text_helper.rb | 38 | ||||
-rw-r--r-- | actionpack/lib/action_view/helpers/url_helper.rb | 4 |
5 files changed, 44 insertions, 21 deletions
diff --git a/actionpack/lib/action_view/base.rb b/actionpack/lib/action_view/base.rb
index 8e778f6830..ee908214db 100644
--- a/actionpack/lib/action_view/base.rb
+++ b/actionpack/lib/action_view/base.rb
@@ -328,6 +328,8 @@ module ActionView #:nodoc:
 @@sanitized_allowed_protocols.merge(attributes)
 end
 
+ delegate :request_forgery_protection_token, :to => :controller
+
 @@template_handlers = HashWithIndifferentAccess.new
 
 module CompiledTemplates #:nodoc:
diff --git a/actionpack/lib/action_view/helpers/form_tag_helper.rb b/actionpack/lib/action_view/helpers/form_tag_helper.rb
index d8e8f2005e..cb16131cc4 100644
--- a/actionpack/lib/action_view/helpers/form_tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_tag_helper.rb
@@ -401,10 +401,10 @@ module ActionView
 ''
 when /^post$/i, "", nil
 html_options["method"] = "post"
- ''
+ request_forgery_protection_token ? content_tag(:div, token_tag, :style => 'margin:0;padding:0') : ''
 else
 html_options["method"] = "post"
- content_tag(:div, tag(:input, :type => "hidden", :name => "_method", :value => method), :style => 'margin:0;padding:0')
+ content_tag(:div, tag(:input, :type => "hidden", :name => "_method", :value => method) + token_tag, :style => 'margin:0;padding:0')
 end
 end
 
@@ -419,6 +419,14 @@ module ActionView
 concat(content, block.binding)
 concat("</form>", block.binding)
 end
+
+ def token_tag
+ if request_forgery_protection_token.nil?
+ ''
+ else
+ tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => form_token)
+ end
+ end
 end
 end
 end
diff --git a/actionpack/lib/action_view/helpers/prototype_helper.rb b/actionpack/lib/action_view/helpers/prototype_helper.rb
index cc8c5ad54f..df28a0395b 100644
--- a/actionpack/lib/action_view/helpers/prototype_helper.rb
+++ b/actionpack/lib/action_view/helpers/prototype_helper.rb
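Review bot: Only `request_forgery_protection_token` is delegated to the controller here, yet the helpers changed in this same commit also call `form_token` (the new `token_tag` in form_tag_helper, and the new branches in prototype_helper and url_helper); unless `form_token` is already exposed to views by some other path not shown in this diff, those call sites will raise NameError at render time. Either widen the delegation, `delegate :request_forgery_protection_token, :form_token, :to => :controller`, or record in a comment where form_token comes from. A short why-comment on the delegate line would also help readers of base.rb: `# exposed so the form helpers can emit the hidden anti-forgery token field`.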
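Review bot: `token_tag` decides on `request_forgery_protection_token.nil?`, while the other new call sites in this commit (`extra_tags_for_form` in the hunk just above, prototype_helper, url_helper) decide on plain truthiness; if protection is ever switched off by setting the token name to `false`, token_tag would emit an input named "false" that the other paths correctly skip. A guard clause keeps the two in step and reads better than the if/else: `return '' unless request_forgery_protection_token`. The method also lacks a doc comment; suggest `# Hidden input carrying the request-forgery token, or '' when protection is off.` above `def token_tag`.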
@@ -738,6 +738,15 @@ module ActionView
 elsif options[:with]
 js_options['parameters'] = options[:with]
 end
+
+ if request_forgery_protection_token
+ if js_options['parameters']
+ js_options['parameters'] << " + '&"
+ else
+ js_options['parameters'] = "'"
+ end
+ js_options['parameters'] << "_token=' + encodeURIComponent('#{escape_javascript form_token}')"
+ end
 
 options_for_javascript(js_options)
 end
diff --git a/actionpack/lib/action_view/helpers/text_helper.rb b/actionpack/lib/action_view/helpers/text_helper.rb
index af6f6e4bb8..35896c44fb 100644
--- a/actionpack/lib/action_view/helpers/text_helper.rb
+++ b/actionpack/lib/action_view/helpers/text_helper.rb
@@ -325,15 +325,15 @@ module ActionView
 # strip_links('Blog: <a href="http://www.myblog.com/" class="nav" target=\"_blank\">Visit</a>.')
 # # => Blog: Visit
 def strip_links(html)
- # Stupid firefox treats '<href="http://whatever.com" onClick="alert()">something' as link!
- if html.index("<a") || html.index("<href")
- tokenizer = HTML::Tokenizer.new(html)
- result = ''
- while token = tokenizer.next
- node = HTML::Node.parse(nil, 0, 0, token, false)
- result << node.to_s unless node.is_a?(HTML::Tag) && ["a", "href"].include?(node.name)
- end
- strip_links(result) # Recurse - handle all dirty nested links
+ if !html.blank? && html.index("<a") || html.index("<href")
+ tokenizer = HTML::Tokenizer.new(html)
+ result = returning [] do |result|
+ while token = tokenizer.next
+ node = HTML::Node.parse(nil, 0, 0, token, false)
+ result << node.to_s unless node.is_a?(HTML::Tag) && ["a", "href"].include?(node.name)
+ end
+ end
+ strip_links(result.join) # Recurse - handle all dirty nested links
 else
 html
 end
@@ -441,6 +441,7 @@ module ActionView
 # that of html-scanner.
 #
 # ==== Examples
+ #
 # strip_tags("Strip <i>these</i> tags!")
 # # => Strip these tags!
 #
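Review bot: `js_options['parameters'] << " + '&"` appends in place, and because the context line `js_options['parameters'] = options[:with]` aliases the caller's string, the caller's `options[:with]` is mutated as a side effect (a frozen string there would raise). Build a fresh string instead: `js_options['parameters'] = "#{js_options['parameters']} + '&"` and `js_options['parameters'] = "#{js_options['parameters']}_token=' + encodeURIComponent('#{escape_javascript form_token}')"`. The field name is also hard-coded as `_token` here and in the url_helper hunk below, whereas `token_tag` in form_tag_helper derives it from `request_forgery_protection_token.to_s`; if the token name is configurable, the Ajax and link-to paths would send a field the controller check does not look for, so interpolate `#{request_forgery_protection_token}` in both places. The enclosing method begins outside this hunk.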
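Review bot: The new guard `if !html.blank? && html.index("<a") || html.index("<href")` parses as `(!html.blank? && html.index("<a")) || html.index("<href")`, so a nil `html` still reaches `nil.index` on the right-hand side and raises, which is exactly the case the added `blank?` check was meant to cover; write `if !html.blank? && (html.index("<a") || html.index("<href"))`. The removed comment was the only record of why `<href` is treated as a link, so keep a why-comment on the new condition, e.g. `# Firefox treats '<href="..." onClick="...">text' as a link, so strip <href> like <a>`. Both `index` calls are also case-sensitive, so markup written as `<A HREF=...>` never enters the stripping branch and is returned unchanged; that is pre-existing, but a case-insensitive match would close it. Lastly, `returning [] do |result|` shadows the `result` local being assigned, which reads confusingly for no gain.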
@@ -450,22 +451,21 @@ module ActionView
 # strip_tags("<div id='top-bar'>Welcome to my website!</div>")
 # # => Welcome to my website!
 def strip_tags(html)
- return html if html.blank?
- if html.index("<")
- text = ""
- tokenizer = HTML::Tokenizer.new(html)
+ return html if html.blank? || !html.index("<")
+ tokenizer = HTML::Tokenizer.new(html)
+ text = returning [] do |text|
 
 while token = tokenizer.next
 node = HTML::Node.parse(nil, 0, 0, token, false)
 # result is only the content of any Text nodes
 text << node.to_s if node.class == HTML::Text
 end
- # strip any comments, and if they have a newline at the end (ie. line with
- # only a comment) strip that too
- strip_tags(text.gsub(/<!--(.*?)-->[\n]?/m, "")) # Recurse - handle all dirty nested tags
- else
- html # already plain text
- end
+ end
+
+ # strip any comments, and if they have a newline at the end (ie. line with
+ # only a comment) strip that too
+ # Recurse - handle all dirty nested tags
+ strip_tags(text.join.gsub(/<!--(.*?)-->[\n]?/m, ""))
 end
 
 # Creates a Cycle object whose _to_s_ method cycles through elements of an
diff --git a/actionpack/lib/action_view/helpers/url_helper.rb b/actionpack/lib/action_view/helpers/url_helper.rb
index 010a789b85..02c5c40727 100644
--- a/actionpack/lib/action_view/helpers/url_helper.rb
+++ b/actionpack/lib/action_view/helpers/url_helper.rb
@@ -472,6 +472,10 @@ module ActionView
 submit_function << "m.setAttribute('name', '_method'); m.setAttribute('value', '#{method}'); f.appendChild(m);"
 end
 
+ if request_forgery_protection_token
+ submit_function << "var s = document.createElement('input'); s.setAttribute('type', 'hidden'); "
+ submit_function << "s.setAttribute('name', '_token'); s.setAttribute('value', '#{escape_javascript form_token}'); f.appendChild(s);"
+ end
 submit_function << "f.submit();"
 end
 |
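Review bot: `text = returning [] do |text|` uses a block parameter that shadows the very local it is being assigned to, and the context line `node.class == HTML::Text` is an exact-class comparison where `node.is_a?(HTML::Text)` is the idiomatic test; both are style rather than behaviour. The three comment lines now placed above the final call are detached from the `gsub` and the recursion they describe, so fold them into one line next to the code, e.g. `# drop HTML comments (plus a trailing newline) and recurse for nested tags`, and `[\n]?` in that regex is just `\n?`. The `while` loop's leading context sits between the added `returning` line and its `end`, so the block is complete within the hunk, but the method's surrounding definition is not.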