From 4e3ed5bc44f6cd20c9e353ab63fd24b92a7942be Mon Sep 17 00:00:00 2001
From: Rick Olson
Date: Sun, 23 Sep 2007 02:32:55 +0000
Subject: Merge csrf_killer plugin into rails. Adds RequestForgeryProtection model that verifies session-specific _tokens for non-GET requests. [Rick]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7592 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
---
 actionpack/lib/action_view/helpers/prototype_helper.rb | 9 +++++++++
 1 file changed, 9 insertions(+)
(limited to 'actionpack/lib/action_view/helpers/prototype_helper.rb')
diff --git a/actionpack/lib/action_view/helpers/prototype_helper.rb b/actionpack/lib/action_view/helpers/prototype_helper.rb
index cc8c5ad54f..df28a0395b 100644
--- a/actionpack/lib/action_view/helpers/prototype_helper.rb
+++ b/actionpack/lib/action_view/helpers/prototype_helper.rb
@@ -738,6 +738,15 @@ module ActionView
 elsif options[:with]
 js_options['parameters'] = options[:with]
 end
+
+ if request_forgery_protection_token
+ if js_options['parameters']
+ js_options['parameters'] << " + '&"
+ else
+ js_options['parameters'] = "'"
+ end
+ js_options['parameters'] << "_token=' + encodeURIComponent('#{escape_javascript form_token}')"
+ end
 options_for_javascript(js_options)
 end
--
cgit v1.2.3
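Review bot: The `<<` in the new `if js_options['parameters']` branch appends in place to the same String object that the context line `js_options['parameters'] = options[:with]` assigned, so the caller's `:with` value is modified: a reused options hash gets the token suffix appended again on every call, and a frozen string raises. Build a new string instead, e.g. `js_options['parameters'] = "#{js_options['parameters']} + '&"`. Separately, the token is appended whenever `request_forgery_protection_token` is set, whatever the request method, while the commit message says tokens are verified only for non-GET requests; on a GET Ajax call the session token would presumably travel in the query string, where it can reach server logs and Referer headers, so it is worth skipping the append for GET. The enclosing method starts above the hunk, so how the request method is exposed there needs checking before adding that guard.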