From 3062bc70eff68397a00fc652e8eee4ae8089e0a2 Mon Sep 17 00:00:00 2001
From: Jeremy Kemper <jeremy@bitsweat.net>
Date: Thu, 4 Feb 2010 17:45:43 -0800
Subject: HTML-escape csrf meta contents

---
 actionpack/lib/action_view/helpers/csrf_helper.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'actionpack/lib/action_view')

diff --git a/actionpack/lib/action_view/helpers/csrf_helper.rb b/actionpack/lib/action_view/helpers/csrf_helper.rb
index 6f98bd4573..41c6b67f91 100644
--- a/actionpack/lib/action_view/helpers/csrf_helper.rb
+++ b/actionpack/lib/action_view/helpers/csrf_helper.rb
@@ -4,7 +4,7 @@ module ActionView
       # Returns a meta tag with the request forgery protection token for forms to use. Put this in your head.
       def csrf_meta_tag
         if protect_against_forgery?
-          %(<meta name="csrf-param" content="#{Rack::Utils.escape(request_forgery_protection_token)}"/>\n<meta name="csrf-token" content="#{Rack::Utils.escape(form_authenticity_token)}"/>).html_safe
+          %(<meta name="csrf-param" content="#{Rack::Utils.escape_html(request_forgery_protection_token)}"/>\n<meta name="csrf-token" content="#{Rack::Utils.escape_html(form_authenticity_token)}"/>).html_safe
         end
       end
     end
-- 
cgit v1.2.3