revises implementation and documentation of csrf_meta_tags, and aliases csrf_meta_tag to it for backwards compatibilty

2022-11-09 12:12:34 -05:00 · 2010-09-11 11:04:19 +02:00 · 2010-09-11 11:04:19 +02:00 · a87b92db7b
commit a87b92db7b
parent f6153f74da
7 changed files with 34 additions and 14 deletions
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
@ -1,6 +1,6 @@
 *Rails 3.1.0 (unreleased)*

-* No changes
+* Renames csrf_meta_tag -> csrf_meta_tags, and aliases csrf_meta_tag for backwards compatibility. [fxn]


 *Rails 3.0.0 (August 29, 2010)*
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@ -21,7 +21,7 @@ module ActionController #:nodoc:
  #
  # The token parameter is named <tt>authenticity_token</tt> by default. The name and
  # value of this token must be added to every layout that renders forms by including
-  # <tt>csrf_meta_tag</tt> in the html +head+.
+  # <tt>csrf_meta_tags</tt> in the html +head+.
  #
  # Learn more about CSRF attacks and securing your application in the
  # {Ruby on Rails Security Guide}[http://guides.rubyonrails.org/security.html].
--- a/actionpack/lib/action_view/helpers/csrf_helper.rb
+++ b/actionpack/lib/action_view/helpers/csrf_helper.rb
@ -1,14 +1,30 @@
+require 'active_support/core_ext/string/strip'
+
 module ActionView
  # = Action View CSRF Helper
  module Helpers
    module CsrfHelper
-      # Returns a meta tag with the cross-site request forgery protection token
-      # for forms to use. Place this in your head.
-      def csrf_meta_tag
-        if protect_against_forgery?
-          %(<meta name="csrf-param" content="#{Rack::Utils.escape_html(request_forgery_protection_token)}"/>\n<meta name="csrf-token" content="#{Rack::Utils.escape_html(form_authenticity_token)}"/>).html_safe
-        end
+      # Returns meta tags "csrf-param" and "csrf-token" with the name of the cross-site
+      # request forgery protection parameter and token, respectively.
+      #
+      #   <head>
+      #     <%= csrf_meta_tags %>
+      #   </head>
+      #
+      # These are used to generate the dynamic forms that implement non-remote links with
+      # <tt>:method</tt>.
+      #
+      # Note that regular forms generate hidden fields, and that Ajax calls are whitelisted,
+      # so they do not use these tags.
+      def csrf_meta_tags
+        <<-METAS.strip_heredoc.html_safe if protect_against_forgery?
+          <meta name="csrf-param" content="#{Rack::Utils.escape_html(request_forgery_protection_token)}"/>
+          <meta name="csrf-token" content="#{Rack::Utils.escape_html(form_authenticity_token)}"/>
+        METAS
      end
+
+      # For backwards compatibility.
+      alias csrf_meta_tag csrf_meta_tags
    end
  end
 end
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@ -1,5 +1,6 @@
 require 'abstract_unit'
 require 'digest/sha1'
+require 'active_support/core_ext/string/strip'

 # common controller actions
 module RequestForgeryProtectionActions
@ -16,7 +17,7 @@ module RequestForgeryProtectionActions
  end

  def meta
-    render :inline => "<%= csrf_meta_tag %>"
+    render :inline => "<%= csrf_meta_tags %>"
  end

  def rescue_action(e) raise e end
@ -219,7 +220,10 @@ class RequestForgeryProtectionControllerTest < ActionController::TestCase
  test 'should emit a csrf-token meta tag' do
    ActiveSupport::SecureRandom.stubs(:base64).returns(@token + '<=?')
    get :meta
-    assert_equal %(<meta name="csrf-param" content="authenticity_token"/>\n<meta name="csrf-token" content="cf50faa3fe97702ca1ae&lt;=?"/>), @response.body
+    assert_equal <<-METAS.strip_heredoc, @response.body
+      <meta name="csrf-param" content="authenticity_token"/>
+      <meta name="csrf-token" content="cf50faa3fe97702ca1ae&lt;=?"/>
+    METAS
  end
 end

--- a/railties/guides/source/getting_started.textile
+++ b/railties/guides/source/getting_started.textile
@ -559,7 +559,7 @@ The view is only part of the story of how HTML is displayed in your web browser.
  <title>Blog</title>
  <%= stylesheet_link_tag :all %>
  <%= javascript_include_tag :defaults %>
-  <%= csrf_meta_tag %>
+  <%= csrf_meta_tags %>
 </head>
 <body style="background: #EEEEEE;">

--- a/railties/lib/rails/generators/rails/app/templates/app/views/layouts/application.html.erb.tt
+++ b/railties/lib/rails/generators/rails/app/templates/app/views/layouts/application.html.erb.tt
@ -4,7 +4,7 @@
  <title><%= app_const_base %></title>
  <%%= stylesheet_link_tag :all %>
  <%%= javascript_include_tag :defaults %>
-  <%%= csrf_meta_tag %>
+  <%%= csrf_meta_tags %>
 </head>
 <body>

--- a/railties/test/application/configuration_test.rb
+++ b/railties/test/application/configuration_test.rb
@ -211,7 +211,7 @@ module ApplicationTests
        protect_from_forgery

        def index
-          render :inline => "<%= csrf_meta_tag %>"
+          render :inline => "<%= csrf_meta_tags %>"
        end
      end