2010-09-11 05:04:19 -04:00
|
|
|
require 'active_support/core_ext/string/strip'
|
|
|
|
|
2010-02-04 17:15:16 -05:00
|
|
|
module ActionView
|
2010-06-16 14:17:49 -04:00
|
|
|
# = Action View CSRF Helper
|
2010-02-04 17:15:16 -05:00
|
|
|
module Helpers
|
|
|
|
module CsrfHelper
|
2010-09-11 05:04:19 -04:00
|
|
|
# Returns meta tags "csrf-param" and "csrf-token" with the name of the cross-site
|
|
|
|
# request forgery protection parameter and token, respectively.
|
|
|
|
#
|
|
|
|
# <head>
|
|
|
|
# <%= csrf_meta_tags %>
|
|
|
|
# </head>
|
|
|
|
#
|
|
|
|
# These are used to generate the dynamic forms that implement non-remote links with
|
|
|
|
# <tt>:method</tt>.
|
|
|
|
#
|
|
|
|
# Note that regular forms generate hidden fields, and that Ajax calls are whitelisted,
|
|
|
|
# so they do not use these tags.
|
|
|
|
def csrf_meta_tags
|
2010-09-13 19:35:44 -04:00
|
|
|
<<-METAS.strip_heredoc.chomp.html_safe if protect_against_forgery?
|
2010-09-11 05:04:19 -04:00
|
|
|
<meta name="csrf-param" content="#{Rack::Utils.escape_html(request_forgery_protection_token)}"/>
|
|
|
|
<meta name="csrf-token" content="#{Rack::Utils.escape_html(form_authenticity_token)}"/>
|
|
|
|
METAS
|
2010-02-04 17:15:16 -05:00
|
|
|
end
|
2010-09-11 05:04:19 -04:00
|
|
|
|
|
|
|
# For backwards compatibility.
|
|
|
|
alias csrf_meta_tag csrf_meta_tags
|
2010-02-04 17:15:16 -05:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|