HTML-escape csrf meta contents

3062bc70 · Jeremy Kemper · 2191aa47 · 3062bc70 · 3062bc70
2 changed file
--- a/actionpack/lib/action_view/helpers/csrf_helper.rb
+++ b/actionpack/lib/action_view/helpers/csrf_helper.rb
@@ -4,7 +4,7 @@ module CsrfHelper
      # Returns a meta tag with the request forgery protection token for forms to use. Put this in your head.
      def csrf_meta_tag
        if protect_against_forgery?
-          %(<meta name="csrf-param" content="#{Rack::Utils.escape(request_forgery_protection_token)}"/>\n<meta name="csrf-token" content="#{Rack::Utils.escape(form_authenticity_token)}"/>).html_safe
+          %(<meta name="csrf-param" content="#{Rack::Utils.escape_html(request_forgery_protection_token)}"/>\n<meta name="csrf-token" content="#{Rack::Utils.escape_html(form_authenticity_token)}"/>).html_safe
        end
      end
    end

--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -210,7 +210,7 @@ def setup
    @request    = ActionController::TestRequest.new
    @request.format = :html
    @response   = ActionController::TestResponse.new
-    @token      = "cf50faa3fe97702ca1ae"
+    @token      = "cf50faa3fe97702ca1a/=?"

    ActiveSupport::SecureRandom.stubs(:base64).returns(@token)
    ActionController::Base.request_forgery_protection_token = :authenticity_token
@@ -227,7 +227,7 @@ def setup
    @controller = FreeCookieController.new
    @request    = ActionController::TestRequest.new
    @response   = ActionController::TestResponse.new
-    @token      = "cf50faa3fe97702ca1ae"
+    @token      = "cf50faa3fe97702ca1a/=?"

    ActiveSupport::SecureRandom.stubs(:base64).returns(@token)
  end