hanami-helpers 0.0.0 → 0.3.0

data/hanami-helpers.gemspec

@@ -4,20 +4,24 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'hanami/helpers/version'
 
 Gem::Specification.new do |spec|
-  spec.name          = "hanami-helpers"
+  spec.name          = 'hanami-helpers'
   spec.version       = Hanami::Helpers::VERSION
-  spec.authors       = ["Luca Guidi"]
-  spec.email         = ["me@lucaguidi.com"]
+  spec.authors       = ['Luca Guidi', 'Trung Lê', 'Alfonso Uceda']
+  spec.email         = ['me@lucaguidi.com', 'trung.le@ruby-journal.com', 'uceda73@gmail.com']
+  spec.summary       = %q{Hanami helpers}
+  spec.description   = %q{View helpers for Ruby applications}
+  spec.homepage      = 'http://hanamirb.org'
+  spec.license       = 'MIT'
 
-  spec.summary       = %q{The web, with simplicity}
-  spec.description   = %q{Hanami is a web framework for Ruby}
-  spec.homepage      = "http://hanamirb.org"
+  spec.files         = `git ls-files -- lib/* CHANGELOG.md LICENSE.md README.md hanami-helpers.gemspec`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ['lib']
+  spec.required_ruby_version = '>= 2.0.0'
 
-  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
-  spec.bindir        = "exe"
-  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
-  spec.require_paths = ["lib"]
+  spec.add_dependency 'hanami-utils', '~> 0.7'
 
-  spec.add_development_dependency "bundler", "~> 1.11"
-  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency 'bundler',  '~> 1.6'
+  spec.add_development_dependency 'rake',     '~> 10.0'
+  spec.add_development_dependency 'minitest', '~> 5.5'
 end

data/lib/hanami-helpers.rb

@@ -0,0 +1 @@
+require 'hanami/helpers'

data/lib/hanami/helpers.rb

@@ -1,7 +1,33 @@
-require "hanami/helpers/version"
+require 'hanami/helpers/version'
+require 'hanami/helpers/html_helper'
+require 'hanami/helpers/escape_helper'
+require 'hanami/helpers/routing_helper'
+require 'hanami/helpers/link_to_helper'
+require 'hanami/helpers/form_helper'
+require 'hanami/helpers/number_formatting_helper'
 
 module Hanami
+  # View helpers for Ruby applications
+  #
+  # @since 0.1.0
   module Helpers
-    # Your code goes here...
+    # Override for Module.included
+    #
+    # It injects all the available helpers.
+    #
+    # @since 0.1.0
+    # @api private
+    #
+    # @see http://www.ruby-doc.org/core/Module.html#method-i-included
+    def self.included(base)
+      base.class_eval do
+        include Hanami::Helpers::HtmlHelper
+        include Hanami::Helpers::EscapeHelper
+        include Hanami::Helpers::RoutingHelper
+        include Hanami::Helpers::LinkToHelper
+        include Hanami::Helpers::FormHelper
+        include Hanami::Helpers::NumberFormattingHelper
+      end
+    end
   end
 end

data/lib/hanami/helpers/escape_helper.rb

@@ -0,0 +1,271 @@
+require 'hanami/utils/escape'
+
+module Hanami
+  module Helpers
+    # Escape helpers
+    #
+    # You can include this module inside your view and 
+    # the view will have access all methods.
+    #
+    # By including <tt>Hanami::Helpers::EscapeHelper</tt> it will inject private
+    # methods as markup escape utilities.
+    #
+    # @since 0.1.0
+    module EscapeHelper
+      private
+      # Escape the given HTML tag content.
+      #
+      # This should be used only for untrusted contents: user input.
+      #
+      # This should be used only for tag contents.
+      # To escape tag attributes please use <tt>Hanami::Helpers::EscapeHelper#escape_html_attribute</tt>.
+      #
+      # @param input [String] the input
+      #
+      # @return [String] the escaped string
+      #
+      # @since 0.1.0
+      #
+      # @see Hanami::Helpers::EscapeHelper#escape_html_attribute
+      #
+      # @example Basic usage
+      #   require 'hanami/helpers/escape_helper'
+      #
+      #   class MyView
+      #     include Hanami::Helpers::EscapeHelper
+      #
+      #     def good_content
+      #       h "hello"
+      #     end
+      #
+      #     def evil_content
+      #       h "<script>alert('xss')</script>"
+      #     end
+      #   end
+      #
+      #   view = MyView.new
+      #
+      #   view.good_content
+      #     # => "hello"
+      #
+      #   view.evil_content
+      #     # => "&lt;script&gt;alert(&apos;xss&apos;)&lt;&#x2F;script&gt;"
+      #
+      # @example With HTML builder
+      #   #
+      #   # CONTENTS ARE AUTOMATICALLY ESCAPED
+      #   #
+      #   require 'hanami/helpers'
+      #
+      #   class MyView
+      #     include Hanami::Helpers
+      #
+      #     def evil_content
+      #       html.div do
+      #         "<script>alert('xss')</script>"
+      #       end
+      #     end
+      #   end
+      #
+      #   view = MyView.new
+      #   view.evil_content
+      #     # => "<div>\n&lt;script&gt;alert(&apos;xss&apos;)&lt;&#x2F;script&gt;</div>"
+      def escape_html(input)
+        Utils::Escape.html(input)
+      end
+
+      # @since 0.1.0
+      alias_method :h, :escape_html
+
+      # Escape the given HTML tag attribute.
+      #
+      # This MUST be used for escaping HTML tag attributes.
+      #
+      # This should be used only for untrusted contents: user input.
+      #
+      # This can also be used to escape tag contents, but it's slower.
+      # For this purpose use <tt>Hanami::Helpers::EscapeHelper#escape_html</tt>.
+      #
+      # @param input [String] the input
+      #
+      # @return [String] the escaped string
+      #
+      # @since 0.1.0
+      #
+      # @see Hanami::Helpers::EscapeHelper#escape_html
+      #
+      # @example Basic usage
+      #   require 'hanami/helpers/escape_helper'
+      #
+      #   class MyView
+      #     include Hanami::Helpers::EscapeHelper
+      #
+      #     def good_attribute
+      #       attribute = "small"
+      #
+      #       %(<span class="#{ ha(attribute) }">hello</span>
+      #     end
+      #
+      #     def evil_attribute
+      #       attribute = %(" onclick="javascript:alert('xss')" id=")
+      #
+      #       %(<span class="#{ ha(attribute) }">hello</span>
+      #     end
+      #   end
+      #
+      #   view = MyView.new
+      #
+      #   view.good_attribute
+      #     # => %(<span class="small">hello</span>)
+      #
+      #   view.evil_attribute
+      #     # => %(<span class="&quot;&#x20;onclick&#x3d;&quot;javascript&#x3a;alert&#x28;&#x27;xss&#x27;&#x29;&quot;&#x20;id&#x3d;&quot;">hello</span>
+      #
+      # @example With HTML builder
+      #   #
+      #   # ATTRIBUTES AREN'T AUTOMATICALLY ESCAPED
+      #   #
+      #   require 'hanami/helpers'
+      #
+      #   class MyView
+      #     include Hanami::Helpers
+      #
+      #     def evil_attribute
+      #       user_input_attribute = %(" onclick="javascript:alert('xss')" id=")
+      #
+      #       html.span id: 'greet', class: ha(user_input_attribute) do
+      #         "hello"
+      #       end
+      #     end
+      #   end
+      #
+      #   view = MyView.new
+      #   view.evil_attribute
+      #     # => %(<span class="&quot;&#x20;onclick&#x3d;&quot;javascript&#x3a;alert&#x28;&#x27;xss&#x27;&#x29;&quot;&#x20;id&#x3d;&quot;">hello</span>
+      def escape_html_attribute(input)
+        Utils::Escape.html_attribute(input)
+      end
+
+      # @since 0.1.0
+      alias_method :ha, :escape_html_attribute
+
+      # Escape an URL to be used in HTML attributes
+      #
+      # This allows only URLs with whitelisted schemes to pass the filter.
+      # Everything else is stripped.
+      #
+      # Default schemes are:
+      #
+      #   * http
+      #   * https
+      #   * mailto
+      #
+      # If you want to allow a different set of schemes, you should pass it as
+      # second argument.
+      #
+      # This should be used only for untrusted contents: user input.
+      #
+      # @param input [String] the input
+      # @param schemes [Array<String>] an optional array of whitelisted schemes
+      #
+      # @return [String] the escaped string
+      #
+      # @since 0.1.0
+      #
+      # @see Hanami::Utils::Escape.url
+      # @see Hanami::Utils::Escape::DEFAULT_URL_SCHEMES
+      #
+      # @example Basic usage
+      #   require 'hanami/helpers/escape_helper'
+      #
+      #   class MyView
+      #     include Hanami::Helpers::EscapeHelper
+      #
+      #     def good_url
+      #       url = "http://hanamirb.org"
+      #
+      #       %(<a href="#{ hu(url) }">Hanami</a>
+      #     end
+      #
+      #     def evil_url
+      #       url = "javascript:alert('xss')"
+      #
+      #       %(<a href="#{ hu(url) }">Evil</a>
+      #     end
+      #   end
+      #
+      #   view = MyView.new
+      #
+      #   view.good_url
+      #     # => %(<a href="http://hanamirb.org">Hanami</a>)
+      #
+      #   view.evil_url
+      #     # => %(<a href="">Evil</a>)
+      #
+      # @example Custom schemes
+      #   require 'hanami/helpers/escape_helper'
+      #
+      #   class MyView
+      #     include Hanami::Helpers::EscapeHelper
+      #
+      #     def ftp_link
+      #       schemes = ['ftp', 'ftps']
+      #       url     = 'ftps://ftp.example.org'
+      #
+      #       %(<a href="#{ hu(url, schemes) }">FTP</a>
+      #     end
+      #   end
+      #
+      #   view = MyView.new
+      #
+      #   view.ftp_link
+      #     # => %(<a href="ftps://ftp.example.org">FTP</a>)
+      def escape_url(input, schemes = Utils::Escape::DEFAULT_URL_SCHEMES)
+        Utils::Escape.url(input, schemes)
+      end
+
+      # @since 0.1.0
+      alias_method :hu, :escape_url
+
+      # Bypass escape.
+      #
+      # Please notice that this can be really dangerous.
+      # Use at your own peril.
+      #
+      # @param input [String] the input
+      #
+      # @return [Hanami::Utils::Escape::SafeString] the string marked as safe string
+      #
+      # @since 0.1.0
+      #
+      # @example
+      #   require 'hanami/helpers/escape_helper'
+      #
+      #   class MyView
+      #     include Hanami::Helpers::EscapeHelper
+      #
+      #     def good_content
+      #       raw "<p>hello</p>"
+      #     end
+      #
+      #     def evil_content
+      #       raw "<script>alert('xss')</script>"
+      #     end
+      #   end
+      #
+      #   view = MyView.new
+      #
+      #   view.good_content
+      #     # => "<p>hello</p>"
+      #
+      #   #
+      #   # !!! WE HAVE OPENED OUR APPLICATION TO AN XSS ATTACK !!!
+      #   #
+      #   view.evil_content
+      #     # => "<script>alert('xss')</script>"
+      def raw(input)
+        Utils::Escape::SafeString.new(input)
+      end
+    end
+  end
+end

data/lib/hanami/helpers/form_helper.rb

@@ -0,0 +1,424 @@
+require 'hanami/helpers/form_helper/form_builder'
+
+module Hanami
+  module Helpers
+    # Form builder
+    #
+    # By including <tt>Hanami::Helpers::FormHelper</tt> it will inject one public method: <tt>form_for</tt>.
+    # This is a HTML5 form builder.
+    #
+    # To understand the general HTML5 builder syntax of this framework, please
+    # consider to have a look at <tt>Hanami::Helpers::HtmlHelper</tt> documentation.
+    #
+    # This builder is independent from any template engine.
+    # This was hard to achieve without a compromise: the form helper should be
+    # used in one output block in a template or as a method in a view (see the examples below).
+    #
+    # Features:
+    #
+    #   * Support for complex markup without the need of concatenation
+    #   * Auto closing HTML5 tags
+    #   * Support for view local variables
+    #   * Method override support (PUT/PATCH/DELETE HTTP verbs aren't understood by browsers)
+    #   * Automatic generation of HTML attributes for inputs: <tt>id</tt>, <tt>name</tt>, <tt>value</tt>
+    #   * Allow to override HTML attributes
+    #   * Extract values from request params and fill <tt>value</tt> attributes
+    #   * Automatic selection of current value for radio button and select inputs
+    #   * Infinite nested fields
+    #
+    # Supported tags and inputs:
+    #
+    #   * <tt>color_field</tt>
+    #   * <tt>date_field</tt>
+    #   * <tt>datetime_field</tt>
+    #   * <tt>datetime_local_field</tt>
+    #   * <tt>email_field</tt>
+    #   * <tt>hidden_field</tt>
+    #   * <tt>file_field</tt>
+    #   * <tt>fields_for</tt>
+    #   * <tt>form_for</tt>
+    #   * <tt>label</tt>
+    #   * <tt>text_area</tt>
+    #   * <tt>text_field</tt>
+    #   * <tt>password_field</tt>
+    #   * <tt>radio_button</tt>
+    #   * <tt>select</tt>
+    #   * <tt>submit</tt>
+    #
+    # @since 0.2.0
+    #
+    # @see Hanami::Helpers::FormHelper#form_for
+    # @see Hanami::Helpers::HtmlHelper
+    #
+    # @example One output block (template)
+    #   <%=
+    #     form_for :book, routes.books_path do
+    #       text_field :title
+    #
+    #       submit 'Create'
+    #     end
+    #   %>
+    #
+    # @example Method (view)
+    #   require 'hanami/helpers'
+    #
+    #   class MyView
+    #     include Hanami::Helpers::FormHelper
+    #
+    #     def my_form
+    #       form_for :book, routes.books_path do
+    #         text_field :title
+    #       end
+    #     end
+    #   end
+    #
+    #   # Corresponding template:
+    #   #
+    #   #  <%= my_form %>
+    module FormHelper
+      # Default HTTP method for form
+      #
+      # @since 0.2.0
+      # @api private
+      DEFAULT_METHOD = 'POST'.freeze
+
+      # Default charset
+      #
+      # @since 0.2.0
+      # @api private
+      DEFAULT_CHARSET = 'utf-8'.freeze
+
+      # CSRF Token session key
+      #
+      # This key is shared with <tt>hanamirb</tt>, <tt>hanami-controller</tt>.
+      #
+      # @since 0.2.0
+      # @api private
+      CSRF_TOKEN = :_csrf_token
+
+      # Form object
+      #
+      # @since 0.2.0
+      class Form
+        # @return [Symbol] the form name
+        #
+        # @since 0.2.0
+        # @api private
+        attr_reader :name
+
+        # @return [String] the form action
+        #
+        # @since 0.2.0
+        # @api private
+        attr_reader :url
+
+        # @return [::Hash] the form values
+        #
+        # @since 0.2.0
+        # @api private
+        attr_reader :values
+
+        # Initialize a form
+        #
+        # It accepts a set of values that are used in combination with request
+        # params to autofill <tt>value</tt> attributes for fields.
+        #
+        # The keys of this Hash, MUST correspond to the structure of the (nested)
+        # fields of the form.
+        #
+        # For a given input where the <tt>name</tt> is `book[title]`, Hanami will
+        # look for `:book` key in values.
+        #
+        # If the current params have the same key, it will be PREFERRED over the
+        # given values.
+        #
+        # For instance, if <tt>params.get('book.title')</tt> equals to
+        # <tt>"TDD"</tt> while <tt>values[:book].title</tt> returns
+        # <tt>"No test"</tt>, the first will win.
+        #
+        # @param name [Symbol] the name of the form
+        # @param url [String] the action of the form
+        # @param values [Hash,NilClass] a Hash of values to be used to autofill
+        #   <tt>value</tt> attributes for fields
+        # @param attributes [Hash,NilClass] a Hash of attributes to pass to the
+        #   <tt>form</tt> tag
+        #
+        # @since 0.2.0
+        #
+        # @example Pass A Value
+        #   # Given the following view
+        #
+        #   module Web::Views::Deliveries
+        #     class Edit
+        #       include Web::View
+        #
+        #       def form
+        #         Form.new(:delivery, routes.delivery_path(id: delivery.id),
+        #         {delivery: delivery, customer: customer},
+        #         {method: :patch})
+        #       end
+        #     end
+        #   end
+        #
+        #   # And the corresponding template:
+        #
+        #   <%=
+        #     form_for form do
+        #       date_field :delivered_on
+        #
+        #       fields_for :customer do
+        #         text_field :name
+        #
+        #         fields_for :address do
+        #           # ...
+        #           text_field :city
+        #         end
+        #       end
+        #
+        #       submit 'Update'
+        #     end
+        #   %>
+        #
+        #   # It will render:
+        #   #
+        #   #  <form action="/deliveries/1" method="POST" accept-charset="utf-8">
+        #   #    <input type="hidden" name="_method" value="PATCH">
+        #   #
+        #   #    # Value taken from delivery.delivered_on
+        #   #    <input type="date" name="delivery[delivered_on]" id="delivery-delivered-on" value="2015-05-27">
+        #   #
+        #   #    # Value taken from customer.name
+        #   #    <input type="text" name="delivery[customer][name]" id="delivery-customer-name" value="Luca">
+        #   #
+        #   #    # Value taken from customer.address.city
+        #   #    <input type="text" name="delivery[customer][address][city]" id="delivery-customer-address-city" value="Rome">
+        #   #
+        #   #    <button type="submit">Update</button>
+        #   #  </form>
+        def initialize(name, url, values = {}, attributes = {})
+          @name       = name
+          @url        = url
+          @values     = values
+          @attributes = attributes || {}
+        end
+
+        # Return the method specified by the given attributes or fall back to
+        # the default value
+        #
+        # @return [String] the method for the action
+        #
+        # @since 0.2.0
+        # @api private
+        #
+        # @see Hanami::Helpers::FormHelper::DEFAULT_METHOD
+        def verb
+          @attributes.fetch(:method, DEFAULT_METHOD)
+        end
+      end
+
+      # Instantiate a HTML5 form builder
+      #
+      # @overload form_for(name, url, options, &blk)
+      #   Use inline values
+      #   @param name [Symbol] the toplevel name of the form, it's used to generate
+      #     input names, ids, and to lookup params to fill values.
+      #   @param url [String] the form action URL
+      #   @param options [Hash] HTML attributes to pass to the form tag and form values
+      #   @option options [Hash] :values An optional payload of objects to pass
+      #   @param blk [Proc] A block that describes the contents of the form
+      #
+      # @overload form_for(form, attributes, &blk)
+      #   Use Form
+      #   @param form [Hanami::Helpers::FormHelper::Form] a form object
+      #   @param attributes [Hash] HTML attributes to pass to the form tag and form values
+      #   @param blk [Proc] A block that describes the contents of the form
+      #
+      # @return [Hanami::Helpers::FormHelper::FormBuilder] the form builder
+      #
+      # @since 0.2.0
+      #
+      # @see Hanami::Helpers::FormHelper
+      # @see Hanami::Helpers::FormHelper::Form
+      # @see Hanami::Helpers::FormHelper::FormBuilder
+      #
+      # @example Inline Values In Template
+      #   <%=
+      #     form_for :book, routes.books_path, class: 'form-horizontal' do
+      #       div do
+      #         label      :title
+      #         text_field :title, class: 'form-control'
+      #       end
+      #
+      #       submit 'Create'
+      #     end
+      #   %>
+      #
+      #   Output:
+      #     # <form action="/books" method="POST" accept-charset="utf-8" id="book-form" class="form-horizontal">
+      #     #   <div>
+      #     #     <label for="book-title">Title</label>
+      #     #     <input type="text" name="book[title]" id="book-title" value="Test Driven Development">
+      #     #   </div>
+      #     #
+      #     #   <button type="submit">Create</button>
+      #     # </form>
+      #
+      #
+      #
+      # @example Use In A View
+      #
+      #   module Web::Views::Books
+      #     class New
+      #
+      #     def form
+      #       form_for :book, routes.books_path, class: 'form-horizontal' do
+      #         div do
+      #           label      :title
+      #           text_field :title, class: 'form-control'
+      #         end
+      #
+      #         submit 'Create'
+      #       end
+      #     end
+      #   end
+      #
+      #   <%= form %>
+      #
+      #   Output:
+      #     # <form action="/books" method="POST" accept-charset="utf-8" id="book-form" class="form-horizontal">
+      #     #   <div>
+      #     #     <label for="book-title">Title</label>
+      #     #     <input type="text" name="book[title]" id="book-title" value="Test Driven Development">
+      #     #   </div>
+      #     #
+      #     #   <button type="submit">Create</button>
+      #     # </form>
+      #
+      # @example Share Code Between Views
+      #
+      #   # Given the following views to create and update a resource
+      #   module Web::Views::Books
+      #     class New
+      #       include Web::View
+      #
+      #       def form
+      #         Form.new(:book, routes.books_path)
+      #       end
+      #
+      #       def submit_label
+      #         'Create'
+      #       end
+      #     end
+      #
+      #     class Edit
+      #       include Web::View
+      #
+      #       def form
+      #         Form.new(:book, routes.book_path(id: book.id),
+      #           {book: book}, {method: :patch})
+      #       end
+      #
+      #       def submit_label
+      #         'Update'
+      #       end
+      #     end
+      #   end
+      #
+      #   # The respective templates can be identical:
+      #
+      #   ## books/new.html.erb
+      #   <%= render partial: 'books/form' %>
+      #
+      #   ## books/edit.html.erb
+      #   <%= render partial: 'books/form' %>
+      #
+      #   # While the partial can have the following markup:
+      #
+      #   ## books/_form.html.erb
+      #   <%=
+      #     form_for form, class: 'form-horizontal' do
+      #       div do
+      #         label      :title
+      #         text_field :title, class: 'form-control'
+      #       end
+      #
+      #       submit submit_label
+      #     end
+      #   %>
+      #
+      #   Output:
+      #     # <form action="/books" method="POST" accept-charset="utf-8" id="book-form" class="form-horizontal">
+      #     #   <div>
+      #     #     <label for="book-title">Title</label>
+      #     #     <input type="text" name="book[title]" id="book-title" value="Test Driven Development">
+      #     #   </div>
+      #     #
+      #     #   <button type="submit">Create</button>
+      #     # </form>
+      #
+      # @example Method override
+      #   <%=
+      #     form_for :book, routes.book_path(id: book.id), method: :put do
+      #       text_field :title
+      #
+      #       submit 'Update'
+      #     end
+      #   %>
+      #
+      #   Output:
+      #     # <form action="/books/23" accept-charset="utf-8" id="book-form" method="POST">
+      #     #   <input type="hidden" name="_method" value="PUT">
+      #     #   <input type="text" name="book[title]" id="book-title" value="Test Driven Development">
+      #     #
+      #     #   <button type="submit">Update</button>
+      #     # </form>
+      #
+      # @example Nested fields
+      #   <%=
+      #     form_for :delivery, routes.deliveries_path do
+      #       text_field :customer_name
+      #
+      #       fields_for :address do
+      #         text_field :city
+      #       end
+      #
+      #       submit 'Create'
+      #     end
+      #   %>
+      #
+      #   Output:
+      #     # <form action="/deliveries" accept-charset="utf-8" id="delivery-form" method="POST">
+      #     #   <input type="text" name="delivery[customer_name]" id="delivery-customer-name" value="">
+      #     #   <input type="text" name="delivery[address][city]" id="delivery-address-city" value="">
+      #     #
+      #     #   <button type="submit">Create</button>
+      #     # </form>
+      def form_for(name, url, options = {}, &blk)
+        form = if name.is_a?(Form)
+          options = url
+          name
+        else
+          Form.new(name, url, options.delete(:values))
+        end
+
+        attributes = { action: form.url, method: form.verb, :'accept-charset' => DEFAULT_CHARSET, id: "#{ form.name }-form" }.merge(options)
+        FormBuilder.new(form, attributes, self, &blk)
+      end
+
+      # Returns CSRF Protection Token stored in session.
+      #
+      # It returns <tt>nil</tt> if sessions aren't enabled or the value is missing.
+      #
+      # @return [String,NilClass] token, if present
+      #
+      # @since 0.2.0
+      def csrf_token
+        if defined?(session)
+          session[CSRF_TOKEN]
+        elsif defined?(locals) && locals[:session]
+          locals[:session][CSRF_TOKEN]
+        end
+      end
+    end
+  end
+end