Permalink
Browse files

HTML-escape csrf meta contents

  • Loading branch information...
1 parent 2191aa4 commit 3062bc70eff68397a00fc652e8eee4ae8089e0a2 @jeremy jeremy committed Feb 5, 2010
View
2 actionpack/lib/action_view/helpers/csrf_helper.rb
@@ -4,7 +4,7 @@ module CsrfHelper
# Returns a meta tag with the request forgery protection token for forms to use. Put this in your head.
def csrf_meta_tag
if protect_against_forgery?
- %(<meta name="csrf-param" content="#{Rack::Utils.escape(request_forgery_protection_token)}"/>\n<meta name="csrf-token" content="#{Rack::Utils.escape(form_authenticity_token)}"/>).html_safe
+ %(<meta name="csrf-param" content="#{Rack::Utils.escape_html(request_forgery_protection_token)}"/>\n<meta name="csrf-token" content="#{Rack::Utils.escape_html(form_authenticity_token)}"/>).html_safe
end
end
end
View
4 actionpack/test/controller/request_forgery_protection_test.rb
@@ -210,7 +210,7 @@ def setup
@request = ActionController::TestRequest.new
@request.format = :html
@response = ActionController::TestResponse.new
- @token = "cf50faa3fe97702ca1ae"
+ @token = "cf50faa3fe97702ca1a/=?"
ActiveSupport::SecureRandom.stubs(:base64).returns(@token)
ActionController::Base.request_forgery_protection_token = :authenticity_token
@@ -227,7 +227,7 @@ def setup
@controller = FreeCookieController.new
@request = ActionController::TestRequest.new
@response = ActionController::TestResponse.new
- @token = "cf50faa3fe97702ca1ae"
+ @token = "cf50faa3fe97702ca1a/=?"
ActiveSupport::SecureRandom.stubs(:base64).returns(@token)
end

0 comments on commit 3062bc7

Please sign in to comment.