Skip to content
Browse files

Make csrf_meta_tags use the tag helper

Improved formatting of csrf_helper and improved test coverage
  • Loading branch information...
1 parent a7c5d40 commit 2cdc1f0cd5b89722e8c22bb4b26b83bd4619b28a @robinjam robinjam committed with fxn
View
10 actionpack/lib/action_view/helpers/csrf_helper.rb
@@ -17,10 +17,12 @@ module CsrfHelper
# Note that regular forms generate hidden fields, and that Ajax calls are whitelisted,
# so they do not use these tags.
def csrf_meta_tags
- <<-METAS.strip_heredoc.chomp.html_safe if protect_against_forgery?
- <meta name="csrf-param" content="#{Rack::Utils.escape_html(request_forgery_protection_token)}"/>
- <meta name="csrf-token" content="#{Rack::Utils.escape_html(form_authenticity_token)}"/>
- METAS
+ if protect_against_forgery?
+ [
+ tag('meta', :name => 'csrf-param', :content => request_forgery_protection_token),
+ tag('meta', :name => 'csrf-token', :content => form_authenticity_token)
+ ].join("\n").html_safe
+ end
end
# For backwards compatibility.
View
8 actionpack/test/controller/request_forgery_protection_test.rb
@@ -172,13 +172,11 @@ def assert_not_blocked
class RequestForgeryProtectionControllerTest < ActionController::TestCase
include RequestForgeryProtectionTests
- test 'should emit a csrf-token meta tag' do
+ test 'should emit a csrf-param meta tag and a csrf-token meta tag' do
ActiveSupport::SecureRandom.stubs(:base64).returns(@token + '<=?')
get :meta
- assert_equal <<-METAS.strip_heredoc.chomp, @response.body
- <meta name="csrf-param" content="authenticity_token"/>
- <meta name="csrf-token" content="cf50faa3fe97702ca1ae&lt;=?"/>
- METAS
+ assert_select 'meta[name=?][content=?]', 'csrf-param', 'authenticity_token'
+ assert_select 'meta[name=?][content=?]', 'csrf-token', 'cf50faa3fe97702ca1ae&lt;=?'
end
end

0 comments on commit 2cdc1f0

Please sign in to comment.
Something went wrong with that request. Please try again.