From 4e3ed5bc44f6cd20c9e353ab63fd24b92a7942be Mon Sep 17 00:00:00 2001 From: Rick Olson Date: Sun, 23 Sep 2007 02:32:55 +0000 Subject: Merge csrf_killer plugin into rails. Adds RequestForgeryProtection model that verifies session-specific _tokens for non-GET requests. [Rick] git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7592 5ecf4fe2-1ee6-0310-87b1-e25e094e27de --- actionpack/lib/action_view/base.rb | 2 ++ .../lib/action_view/helpers/form_tag_helper.rb | 12 +++++-- .../lib/action_view/helpers/prototype_helper.rb | 9 +++++ actionpack/lib/action_view/helpers/text_helper.rb | 38 +++++++++++----------- actionpack/lib/action_view/helpers/url_helper.rb | 4 +++ 5 files changed, 44 insertions(+), 21 deletions(-) (limited to 'actionpack/lib/action_view') diff --git a/actionpack/lib/action_view/base.rb b/actionpack/lib/action_view/base.rb index 8e778f6830..ee908214db 100644 --- a/actionpack/lib/action_view/base.rb +++ b/actionpack/lib/action_view/base.rb @@ -328,6 +328,8 @@ module ActionView #:nodoc: @@sanitized_allowed_protocols.merge(attributes) end + delegate :request_forgery_protection_token, :to => :controller + @@template_handlers = HashWithIndifferentAccess.new module CompiledTemplates #:nodoc: diff --git a/actionpack/lib/action_view/helpers/form_tag_helper.rb b/actionpack/lib/action_view/helpers/form_tag_helper.rb index d8e8f2005e..cb16131cc4 100644 --- a/actionpack/lib/action_view/helpers/form_tag_helper.rb +++ b/actionpack/lib/action_view/helpers/form_tag_helper.rb 
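Review bot: The delegated `request_forgery_protection_token` raises NoMethodError whenever `controller` is nil or does not define the method, and the form, prototype and url helpers changed elsewhere in this commit call it unconditionally, so a view rendered without a full controller would now fail inside form_tag instead of simply omitting the token. If controller-less rendering is a supported path here (not decidable from this hunk), a guarded accessor is safer than `delegate`: `def request_forgery_protection_token; controller.request_forgery_protection_token if controller && controller.respond_to?(:request_forgery_protection_token); end`. The helpers already treat a nil token as "protection off", so returning nil keeps their behaviour consistent.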
@@ -401,10 +401,10 @@ module ActionView '' when /^post$/i, "", nil html_options["method"] = "post" - '' + request_forgery_protection_token ? content_tag(:div, token_tag, :style => 'margin:0;padding:0') : '' else html_options["method"] = "post" - content_tag(:div, tag(:input, :type => "hidden", :name => "_method", :value => method), :style => 'margin:0;padding:0') + content_tag(:div, tag(:input, :type => "hidden", :name => "_method", :value => method) + token_tag, :style => 'margin:0;padding:0') end end @@ -419,6 +419,14 @@ module ActionView concat(content, block.binding) concat("", block.binding) end + + def token_tag + if request_forgery_protection_token.nil? + '' + else + tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => form_token) + end + end end end end diff --git a/actionpack/lib/action_view/helpers/prototype_helper.rb b/actionpack/lib/action_view/helpers/prototype_helper.rb index cc8c5ad54f..df28a0395b 100644 --- a/actionpack/lib/action_view/helpers/prototype_helper.rb +++ b/actionpack/lib/action_view/helpers/prototype_helper.rb @@ -738,6 +738,15 @@ module ActionView elsif options[:with] js_options['parameters'] = options[:with] end + + if request_forgery_protection_token + if js_options['parameters'] + js_options['parameters'] << " + '&" + else + js_options['parameters'] = "'" + end + js_options['parameters'] << "_token=' + encodeURIComponent('#{escape_javascript form_token}')" + end options_for_javascript(js_options) end diff --git a/actionpack/lib/action_view/helpers/text_helper.rb b/actionpack/lib/action_view/helpers/text_helper.rb index af6f6e4bb8..35896c44fb 100644 --- a/actionpack/lib/action_view/helpers/text_helper.rb +++ b/actionpack/lib/action_view/helpers/text_helper.rb @@ -325,15 +325,15 @@ module ActionView # strip_links('Blog: Visit.') # # => Blog: Visit def strip_links(html) - # Stupid firefox treats 'something' as link! - if html.index("these tags!") # # => Strip these tags! # 
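Review bot: In the `@@ -401` hunk the post branch gates on `request_forgery_protection_token` being truthy, while `token_tag` in the `@@ -419` hunk gates on `.nil?`; a `false` token would render nothing for POST forms yet emit a hidden input named `false` for PUT/DELETE through the else branch. Since `token_tag` already returns `''` when protection is off, the post branch can defer to it with one consistent check: `token_tag.blank? ? '' : content_tag(:div, token_tag, :style => 'margin:0;padding:0')`. `token_tag` also calls `form_token`, which the base.rb hunk of this diff does not delegate; presumably the controller-side module (not shown) exposes it as a helper method, which is worth confirming.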
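Review bot: The parameter name is hard-coded as `_token` here, and again in the url_helper hunk (`s.setAttribute('name', '_token')`), while `token_tag` in form_tag_helper names the hidden field after `request_forgery_protection_token.to_s`; a controller configured with any other token name would have its Ajax and remote-link requests fail the server-side check even though plain forms pass. Using the configured name in both places keeps them aligned: `js_options['parameters'] << "#{request_forgery_protection_token}=' + encodeURIComponent('#{escape_javascript form_token}')"`. Separately, `js_options['parameters'] << " + '&"` appends to the very String the caller passed as `options[:with]` (assigned by reference in the context line above), so a reused `:with` string accumulates tokens across calls and a frozen one raises; `js_options['parameters'] = js_options['parameters'] + " + '&"` avoids the in-place mutation. The enclosing method starts outside the hunk.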
@@ -450,22 +451,21 @@ module ActionView # strip_tags("
Welcome to my website!
") # # => Welcome to my website! def strip_tags(html) - return html if html.blank? - if html.index("<") - text = "" - tokenizer = HTML::Tokenizer.new(html) + return html if html.blank? || !html.index("<") + tokenizer = HTML::Tokenizer.new(html) + text = returning [] do |text| while token = tokenizer.next node = HTML::Node.parse(nil, 0, 0, token, false) # result is only the content of any Text nodes text << node.to_s if node.class == HTML::Text end - # strip any comments, and if they have a newline at the end (ie. line with - # only a comment) strip that too - strip_tags(text.gsub(/[\n]?/m, "")) # Recurse - handle all dirty nested tags - else - html # already plain text - end + end + + # strip any comments, and if they have a newline at the end (ie. line with + # only a comment) strip that too + # Recurse - handle all dirty nested tags + strip_tags(text.join.gsub(/[\n]?/m, "")) end # Creates a Cycle object whose _to_s_ method cycles through elements of an diff --git a/actionpack/lib/action_view/helpers/url_helper.rb b/actionpack/lib/action_view/helpers/url_helper.rb index 010a789b85..02c5c40727 100644 --- a/actionpack/lib/action_view/helpers/url_helper.rb +++ b/actionpack/lib/action_view/helpers/url_helper.rb @@ -472,6 +472,10 @@ module ActionView submit_function << "m.setAttribute('name', '_method'); m.setAttribute('value', '#{method}'); f.appendChild(m);" end + if request_forgery_protection_token + submit_function << "var s = document.createElement('input'); s.setAttribute('type', 'hidden'); " + submit_function << "s.setAttribute('name', '_token'); s.setAttribute('value', '#{escape_javascript form_token}'); f.appendChild(s);" + end submit_function << "f.submit();" end -- cgit v1.2.3
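Review bot: `text = returning [] do |text|` gives the block parameter the same name as the local it is assigning, which reads as shadowing and makes it unclear which `text` the `<<` on the inner line targets; since the accumulator is only needed inside the block, a distinct name such as `returning [] do |chunks|` with `chunks << node.to_s if node.class == HTML::Text` removes the ambiguity without changing behaviour. The regex passed to `gsub` appears truncated in this rendering of the patch, so I have not reviewed it. The carried-over `node.class == HTML::Text` test would read more idiomatically as `node.is_a?(HTML::Text)`.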