HTML-escape csrf meta contents

rails · Feb 5, 2010 · 3062bc7 · 3062bc7
1 parent 2191aa4
commit 3062bc7
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/actionpack/lib/action_view/helpers/csrf_helper.rb b/actionpack/lib/action_view/helpers/csrf_helper.rb
@@ -4,7 +4,7 @@ module CsrfHelper
       # Returns a meta tag with the request forgery protection token for forms to use. Put this in your head.
       def csrf_meta_tag
         if protect_against_forgery?
-          %(<meta name="csrf-param" content="#{Rack::Utils.escape(request_forgery_protection_token)}"/>\n<meta name="csrf-token" content="#{Rack::Utils.escape(form_authenticity_token)}"/>).html_safe
+          %(<meta name="csrf-param" content="#{Rack::Utils.escape_html(request_forgery_protection_token)}"/>\n<meta name="csrf-token" content="#{Rack::Utils.escape_html(form_authenticity_token)}"/>).html_safe
         end
       end
     end

diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -210,7 +210,7 @@ def setup
     @request    = ActionController::TestRequest.new
     @request.format = :html
     @response   = ActionController::TestResponse.new
-    @token      = "cf50faa3fe97702ca1ae"
+    @token      = "cf50faa3fe97702ca1a/=?"
 
     ActiveSupport::SecureRandom.stubs(:base64).returns(@token)
     ActionController::Base.request_forgery_protection_token = :authenticity_token
@@ -227,7 +227,7 @@ def setup
     @controller = FreeCookieController.new
     @request    = ActionController::TestRequest.new
     @response   = ActionController::TestResponse.new
-    @token      = "cf50faa3fe97702ca1ae"
+    @token      = "cf50faa3fe97702ca1a/=?"
 
     ActiveSupport::SecureRandom.stubs(:base64).returns(@token)
   end