authorJosé Valim <jose.valim@gmail.com>2012-01-19 05:54:35 -0800
committerJosé Valim <jose.valim@gmail.com>2012-01-19 05:54:35 -0800
commit5caf1bd2148825404166254f676a7d4e4615cdc7 (patch)
tree2cf761a8776fa1cd726033c6a0f2cac0122e5c87
parentb5134601adebd1dbebc18be35c5e5336011a023f (diff)
parent71597f9d51887885c826a05d14680e26c86e622f (diff)
Merge pull request #4532 from rafaelfranca/av-button_to-refactor
Refactor button_to helper to use token_tag method
-rw-r--r--actionpack/lib/action_view/helpers/form_tag_helper.rb11
-rw-r--r--actionpack/lib/action_view/helpers/url_helper.rb20
-rw-r--r--actionpack/test/template/html-scanner/sanitizer_test.rb2
-rw-r--r--actionpack/test/template/url_helper_test.rb27
4 files changed, 40 insertions, 20 deletions
diff --git a/actionpack/lib/action_view/helpers/form_tag_helper.rb b/actionpack/lib/action_view/helpers/form_tag_helper.rb
index 57b90a9c42..e97f602728 100644
--- a/actionpack/lib/action_view/helpers/form_tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_tag_helper.rb
@@ -627,7 +627,7 @@ module ActionView
token_tag(authenticity_token)
else
html_options["method"] = "post"
- tag(:input, :type => "hidden", :name => "_method", :value => method) + token_tag(authenticity_token)
+ method_tag(method) + token_tag(authenticity_token)
end
tags = utf8_enforcer_tag << method_tag
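Review bot: The new helper name `method_tag` collides with a local of the same name. The context line `tags = utf8_enforcer_tag << method_tag` reads it as a value, so the `case` here presumably assigns to a local `method_tag` (the assignment is outside the hunk), and the first hunk of url_helper.rb has the explicit `method_tag = method_tag(method)`. Ruby resolves the parenthesised call with an argument to the method, so this works, but a later edit that drops the argument or the parentheses would silently read the local instead. Renaming the locals, e.g. `method_field = method_tag(method)`, would remove the ambiguity; the later uses of the local are outside both hunks.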
@@ -646,15 +646,6 @@ module ActionView
output.safe_concat("</form>")
end
- def token_tag(token)
- if token == false || !protect_against_forgery?
- ''
- else
- token ||= form_authenticity_token
- tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => token)
- end
- end
-
# see http://www.w3.org/TR/html4/types.html#type-name
def sanitize_to_id(name)
name.to_s.gsub(']','').gsub(/[^-a-zA-Z0-9:.]/, "_")
diff --git a/actionpack/lib/action_view/helpers/url_helper.rb b/actionpack/lib/action_view/helpers/url_helper.rb
index ebd1f280a8..56f999f2f5 100644
--- a/actionpack/lib/action_view/helpers/url_helper.rb
+++ b/actionpack/lib/action_view/helpers/url_helper.rb
@@ -327,7 +327,7 @@ module ActionView
method_tag = ''
if (method = html_options.delete('method')) && %w{put delete}.include?(method.to_s)
- method_tag = tag('input', :type => 'hidden', :name => '_method', :value => method.to_s)
+ method_tag = method_tag(method)
end
form_method = method.to_s == 'get' ? 'get' : 'post'
@@ -336,10 +336,7 @@ module ActionView
remote = html_options.delete('remote')
- request_token_tag = ''
- if form_method == 'post' && protect_against_forgery?
- request_token_tag = tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => form_authenticity_token)
- end
+ request_token_tag = form_method == 'post' ? token_tag : ''
url = options.is_a?(String) ? options : self.url_for(options)
name ||= url
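Review bot: The ternary `form_method == 'post' ? token_tag : ''` now folds two conditions into one expression, and neither is documented at the call site. The token is skipped for GET forms, and `token_tag` itself returns `''` when `protect_against_forgery?` is false. A comment above the line would keep a later refactor from emitting the token on a GET form, where it would presumably be submitted as part of the URL: `# GET forms get no authenticity token; token_tag is also empty when forgery protection is off`. The enclosing method begins and ends outside the hunk.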
@@ -670,6 +667,19 @@ module ActionView
bool_attrs.each { |x| html_options[x] = x if html_options.delete(x) }
html_options
end
+
+ def token_tag(token=nil)
+ if token == false || !protect_against_forgery?
+ ''
+ else
+ token ||= form_authenticity_token
+ tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => token)
+ end
+ end
+
+ def method_tag(method)
+ tag('input', :type => 'hidden', :name => '_method', :value => method.to_s)
+ end
end
end
end
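Review bot: `token_tag(token=nil)` has a three-way argument contract that is not documented. `false` suppresses the hidden field, `nil` falls back to `form_authenticity_token`, and any other value is emitted as given. Because a literal `false` from a caller turns the CSRF field off for that form, a comment block above `def token_tag` should spell out those three cases and state that the method returns `''` when `protect_against_forgery?` is false. `method_tag` would benefit from a one-liner as well, e.g. `# Hidden _method input carrying the intended HTTP verb; value is method.to_s`.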
diff --git a/actionpack/test/template/html-scanner/sanitizer_test.rb b/actionpack/test/template/html-scanner/sanitizer_test.rb
index b4d751e405..32c655c5fd 100644
--- a/actionpack/test/template/html-scanner/sanitizer_test.rb
+++ b/actionpack/test/template/html-scanner/sanitizer_test.rb
@@ -56,7 +56,6 @@ class SanitizerTest < ActionController::TestCase
assert_sanitized "a b c<script language=\"Javascript\">blah blah blah</script>d e f", "a b cd e f"
end
- # TODO: Clean up
def test_sanitize_js_handlers
raw = %{onthis="do that" <a href="#" onclick="hello" name="foo" onbogus="remove me">hello</a>}
assert_sanitized raw, %{onthis="do that" <a name="foo" href="#">hello</a>}
@@ -215,7 +214,6 @@ class SanitizerTest < ActionController::TestCase
assert_sanitized img_hack, "<img>"
end
- # TODO: Clean up
def test_should_sanitize_attributes
assert_sanitized %(<SPAN title="'><script>alert()</script>">blah</SPAN>), %(<span title="'&gt;&lt;script&gt;alert()&lt;/script&gt;">blah</span>)
end
diff --git a/actionpack/test/template/url_helper_test.rb b/actionpack/test/template/url_helper_test.rb
index d013a44e6c..cf4dafbac4 100644
--- a/actionpack/test/template/url_helper_test.rb
+++ b/actionpack/test/template/url_helper_test.rb
@@ -11,6 +11,9 @@ class UrlHelperTest < ActiveSupport::TestCase
# In those cases, we'll set up a simple mock
attr_accessor :controller, :request
+ cattr_accessor :request_forgery
+ self.request_forgery = false
+
routes = ActionDispatch::Routing::RouteSet.new
routes.draw do
match "/" => "foo#bar"
@@ -49,11 +52,22 @@ class UrlHelperTest < ActiveSupport::TestCase
assert_equal 'javascript:history.back()', url_for(:back)
end
- # todo: missing test cases
+ # TODO: missing test cases
def test_button_to_with_straight_url
assert_dom_equal "<form method=\"post\" action=\"http://www.example.com\" class=\"button_to\"><div><input type=\"submit\" value=\"Hello\" /></div></form>", button_to("Hello", "http://www.example.com")
end
+ def test_button_to_with_straight_url_and_request_forgery
+ self.request_forgery = true
+
+ assert_dom_equal(
+ %{<form method="post" action="http://www.example.com" class="button_to"><div><input type="submit" value="Hello" /><input name="form_token" type="hidden" value="secret" /></div></form>},
+ button_to("Hello", "http://www.example.com")
+ )
+ ensure
+ self.request_forgery = false
+ end
+
def test_button_to_with_form_class
assert_dom_equal "<form method=\"post\" action=\"http://www.example.com\" class=\"custom-class\"><div><input type=\"submit\" value=\"Hello\" /></div></form>", button_to("Hello", "http://www.example.com", :form_class => 'custom-class')
end
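Review bot: The added test pins only the POST path with forgery protection on, so the other branch of `form_method == 'post' ? token_tag : ''` is unchecked. A `:method => :get` button with `request_forgery = true` should be asserted to carry no `form_token` input. It would also help to cover a `:method => :delete` button, asserting that both the `_method` field and the token are present. A sketch of the GET case follows; the expected markup is constructed from the existing straight-URL test and should be confirmed against the helper's output.

```ruby
def test_button_to_with_method_get_and_request_forgery
  self.request_forgery = true

  # GET form: no authenticity token input expected
  assert_dom_equal(
    %{<form method="get" action="http://www.example.com" class="button_to"><div><input type="submit" value="Hello" /></div></form>},
    button_to("Hello", "http://www.example.com", :method => :get)
  )
ensure
  self.request_forgery = false
end
```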
@@ -435,9 +449,16 @@ class UrlHelperTest < ActiveSupport::TestCase
assert mail_to("me@domain.com", "My email", :encode => "hex").html_safe?
end
- # TODO: button_to looks at this ... why?
def protect_against_forgery?
- false
+ self.request_forgery
+ end
+
+ def form_authenticity_token
+ "secret"
+ end
+
+ def request_forgery_protection_token
+ "form_token"
end
private