csrf_helper.rb in actionpack-3.1.0.beta1

- old
+ new
@@ -1,14 +1,32 @@
+require 'active_support/core_ext/string/strip'
+
 module ActionView
   # = Action View CSRF Helper
   module Helpers
     module CsrfHelper
-      # Returns a meta tag with the cross-site request forgery protection token
-      # for forms to use. Place this in your head.
-      def csrf_meta_tag
+      # Returns meta tags "csrf-param" and "csrf-token" with the name of the cross-site
+      # request forgery protection parameter and token, respectively.
+      #
+      #   <head>
+      #     <%= csrf_meta_tags %>
+      #   </head>
+      #
+      # These are used to generate the dynamic forms that implement non-remote links with
+      # <tt>:method</tt>.
+      #
+      # Note that regular forms generate hidden fields, and that Ajax calls are whitelisted,
+      # so they do not use these tags.
+      def csrf_meta_tags
         if protect_against_forgery?
-          %(<meta name="csrf-param" content="#{Rack::Utils.escape_html(request_forgery_protection_token)}"/>\n<meta name="csrf-token" content="#{Rack::Utils.escape_html(form_authenticity_token)}"/>).html_safe
+          [
+            tag('meta', :name => 'csrf-param', :content => request_forgery_protection_token),
+            tag('meta', :name => 'csrf-token', :content => form_authenticity_token)
+          ].join("\n").html_safe
         end
       end
+
+      # For backwards compatibility.
+      alias csrf_meta_tag csrf_meta_tags
     end
   end
 end