From a87b92db7b738cf86deac15d69f4159b2f87d79e Mon Sep 17 00:00:00 2001
From: Xavier Noria
Date: Sat, 11 Sep 2010 11:04:19 +0200
Subject: revises implementation and documentation of csrf_meta_tags, and aliases csrf_meta_tag to it for backwards compatibilty
---
 .../metal/request_forgery_protection.rb | 4 ++--
 actionpack/lib/action_view/helpers/csrf_helper.rb | 28 +++++++++++++++++-----
 2 files changed, 24 insertions(+), 8 deletions(-)
(limited to 'actionpack/lib')
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index fc3118671f..02f577647e 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -17,11 +17,11 @@ module ActionController #:nodoc:
 # which will check the token and raise an ActionController::InvalidAuthenticityToken
 # if it doesn't match what was expected. A call to this method is generated for new
 # \Rails applications by default. You can customize the error message by editing
- # public/422.html.
+ # public/422.html.
 #
 # The token parameter is named authenticity_token by default. The name and
 # value of this token must be added to every layout that renders forms by including
- # csrf_meta_tag in the html +head+.
+ # csrf_meta_tags in the html +head+.
 #
 # Learn more about CSRF attacks and securing your application in the
 # {Ruby on Rails Security Guide}[http://guides.rubyonrails.org/security.html].
diff --git a/actionpack/lib/action_view/helpers/csrf_helper.rb b/actionpack/lib/action_view/helpers/csrf_helper.rb
index 3d03f6aac6..092855b578 100644
--- a/actionpack/lib/action_view/helpers/csrf_helper.rb
+++ b/actionpack/lib/action_view/helpers/csrf_helper.rb
@@ -1,14 +1,30 @@
+require 'active_support/core_ext/string/strip'
+
 module ActionView
 # = Action View CSRF Helper
 module Helpers
 module CsrfHelper
- # Returns a meta tag with the cross-site request forgery protection token
- # for forms to use. Place this in your head.
- def csrf_meta_tag
- if protect_against_forgery?
- %(\n).html_safe
- end
+ # Returns meta tags "csrf-param" and "csrf-token" with the name of the cross-site
+ # request forgery protection parameter and token, respectively.
+ #
+ #
+ # <%= csrf_meta_tags %>
+ #
+ #
+ # These are used to generate the dynamic forms that implement non-remote links with
+ # :method.
+ #
+ # Note that regular forms generate hidden fields, and that Ajax calls are whitelisted,
+ # so they do not use these tags.
+ def csrf_meta_tags
+ <<-METAS.strip_heredoc.html_safe if protect_against_forgery?
+
+
+ METAS
 end
+
+ # For backwards compatibility.
+ alias csrf_meta_tag csrf_meta_tags
 end
 end
 end
-- cgit v1.2.3
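Review bot: In `csrf_meta_tags`, `html_safe` is applied to the whole heredoc, so nothing interpolated between `<<-METAS` and `METAS` is escaped by the view layer afterwards; the two heredoc lines are blank in this rendering of the patch, so I cannot confirm that the parameter name and token are escaped where they are interpolated. Please confirm each interpolated value goes through `h(...)` inside the heredoc, and record the reason next to it, e.g. `# escaped individually: the whole string is marked html_safe`. The doc comment should also say that the helper returns nil when `protect_against_forgery?` is false, since the modifier `if` has no else branch. The new sentence "Ajax calls are whitelisted" describes a check that is enforced outside this hunk; naming where that exemption lives would keep the comment from silently going stale if the exemption is ever tightened.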