mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
30 lines
1 KiB
Ruby
30 lines
1 KiB
Ruby
require 'active_support/core_ext/string/strip'
|
|
|
|
module ActionView
|
|
# = Action View CSRF Helper
|
|
module Helpers
|
|
module CsrfHelper
|
|
# Returns meta tags "csrf-param" and "csrf-token" with the name of the cross-site
|
|
# request forgery protection parameter and token, respectively.
|
|
#
|
|
# <head>
|
|
# <%= csrf_meta_tags %>
|
|
# </head>
|
|
#
|
|
# These are used to generate the dynamic forms that implement non-remote links with
|
|
# <tt>:method</tt>.
|
|
#
|
|
# Note that regular forms generate hidden fields, and that Ajax calls are whitelisted,
|
|
# so they do not use these tags.
|
|
def csrf_meta_tags
|
|
<<-METAS.strip_heredoc.chomp.html_safe if protect_against_forgery?
|
|
<meta name="csrf-param" content="#{Rack::Utils.escape_html(request_forgery_protection_token)}"/>
|
|
<meta name="csrf-token" content="#{Rack::Utils.escape_html(form_authenticity_token)}"/>
|
|
METAS
|
|
end
|
|
|
|
# For backwards compatibility.
|
|
alias csrf_meta_tag csrf_meta_tags
|
|
end
|
|
end
|
|
end
|