Test that csrf meta content is html-escaped, too

31f8a59c · Jeremy Kemper · 7b1d3a0c · 31f8a59c
隐藏空白更改
内联并排

Showing with 2 addition and 1 deletion

actionpack/test/controller/request_forgery_protection_test.rb ...onpack/test/controller/request_forgery_protection_test.rb +2 -1

未找到文件。
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -217,8 +217,9 @@ def setup
  end

  test 'should emit a csrf-token meta tag' do
+    ActiveSupport::SecureRandom.stubs(:base64).returns(@token + '<=?')
    get :meta
-    assert_equal %(<meta name="csrf-param" content="authenticity_token"/>\n<meta name="csrf-token" content="#{@token}"/>), @response.body
+    assert_equal %(<meta name="csrf-param" content="authenticity_token"/>\n<meta name="csrf-token" content="cf50faa3fe97702ca1ae&lt;=?"/>), @response.body
  end
 end