diff options
Diffstat (limited to 'actionpack')
| -rw-r--r-- | actionpack/lib/action_view/helpers/csrf_helper.rb | 10 | ||||
| -rw-r--r-- | actionpack/test/controller/request_forgery_protection_test.rb | 8 |
2 files changed, 9 insertions, 9 deletions
diff --git a/actionpack/lib/action_view/helpers/csrf_helper.rb b/actionpack/lib/action_view/helpers/csrf_helper.rb index 65c8debc76..1f2bc28cac 100644 --- a/actionpack/lib/action_view/helpers/csrf_helper.rb +++ b/actionpack/lib/action_view/helpers/csrf_helper.rb @@ -17,10 +17,12 @@ module ActionView # Note that regular forms generate hidden fields, and that Ajax calls are whitelisted, # so they do not use these tags. def csrf_meta_tags - <<-METAS.strip_heredoc.chomp.html_safe if protect_against_forgery? - <meta name="csrf-param" content="#{Rack::Utils.escape_html(request_forgery_protection_token)}"/> - <meta name="csrf-token" content="#{Rack::Utils.escape_html(form_authenticity_token)}"/> - METAS + if protect_against_forgery? + [ + tag('meta', :name => 'csrf-param', :content => request_forgery_protection_token), + tag('meta', :name => 'csrf-token', :content => form_authenticity_token) + ].join("\n").html_safe + end end # For backwards compatibility. diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb index d520b5e512..31f4bf3a76 100644 --- a/actionpack/test/controller/request_forgery_protection_test.rb +++ b/actionpack/test/controller/request_forgery_protection_test.rb @@ -172,13 +172,11 @@ end class RequestForgeryProtectionControllerTest < ActionController::TestCase include RequestForgeryProtectionTests - test 'should emit a csrf-token meta tag' do + test 'should emit a csrf-param meta tag and a csrf-token meta tag' do ActiveSupport::SecureRandom.stubs(:base64).returns(@token + '<=?') get :meta - assert_equal <<-METAS.strip_heredoc.chomp, @response.body - <meta name="csrf-param" content="authenticity_token"/> - <meta name="csrf-token" content="cf50faa3fe97702ca1ae<=?"/> - METAS + assert_select 'meta[name=?][content=?]', 'csrf-param', 'authenticity_token' + assert_select 'meta[name=?][content=?]', 'csrf-token', 'cf50faa3fe97702ca1ae<=?' end end |