diff options
| author | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2016-10-22 01:01:56 -0300 |
|---|---|---|
| committer | Rafael Mendonça França <rafaelmfranca@gmail.com> | 2016-10-22 01:11:58 -0300 |
| commit | 680e56deeb8e1f8d6242e38cc296d1f3e259771b (patch) | |
| tree | b13a4bc4dfb6bdf999cf91ec892055822ca5035a /actionview | |
| parent | 8013ff682ff1c1049a45005e1ec4c865deef3ca4 (diff) | |
| parent | 4aae8bfe4dc6da1722e7f0f1722cf1f7ef472c19 (diff) | |
| download | rails-680e56deeb8e1f8d6242e38cc296d1f3e259771b.tar.gz rails-680e56deeb8e1f8d6242e38cc296d1f3e259771b.tar.bz2 rails-680e56deeb8e1f8d6242e38cc296d1f3e259771b.zip | |
Merge pull request #26810 from maclover7/jm-fix-26802
Convert ActionController::Parameters to a hash in button_to
Diffstat (limited to 'actionview')
| -rw-r--r-- | actionview/lib/action_view/helpers/url_helper.rb | 11 | ||||
| -rw-r--r-- | actionview/test/template/url_helper_test.rb | 27 |
2 files changed, 38 insertions, 0 deletions
diff --git a/actionview/lib/action_view/helpers/url_helper.rb b/actionview/lib/action_view/helpers/url_helper.rb index dad0e9dac3..d410976bef 100644 --- a/actionview/lib/action_view/helpers/url_helper.rb +++ b/actionview/lib/action_view/helpers/url_helper.rb @@ -617,6 +617,17 @@ module ActionView # to_form_params({ name: 'Denmark' }, 'country') # # => [{name: 'country[name]', value: 'Denmark'}] def to_form_params(attribute, namespace = nil) # :nodoc: + attribute = if attribute.respond_to?(:permitted?) + unless attribute.permitted? + raise ArgumentError, "Attempting to generate a buttom from non-sanitized request parameters!" \ + " Whitelist and sanitize passed parameters to be secure." + end + + attribute.to_h + else + attribute + end + params = [] case attribute when Hash diff --git a/actionview/test/template/url_helper_test.rb b/actionview/test/template/url_helper_test.rb index 2ef2be65d2..5a2319fe96 100644 --- a/actionview/test/template/url_helper_test.rb +++ b/actionview/test/template/url_helper_test.rb @@ -221,6 +221,33 @@ class UrlHelperTest < ActiveSupport::TestCase ) end + class FakeParams + def initialize(permitted = true) + @permitted = permitted + end + + def permitted? + @permitted + end + + def to_h + { foo: :bar, baz: "quux" } + end + end + + def test_button_to_with_permited_strong_params + assert_dom_equal( + %{<form action="http://www.example.com" class="button_to" method="post"><input type="submit" value="Hello" /><input type="hidden" name="baz" value="quux" /><input type="hidden" name="foo" value="bar" /></form>}, + button_to("Hello", "http://www.example.com", params: FakeParams.new) + ) + end + + def test_button_to_with_unpermited_strong_params + assert_raises(ArgumentError) do + button_to("Hello", "http://www.example.com", params: FakeParams.new(false)) + end + end + def test_button_to_with_nested_hash_params assert_dom_equal( %{<form action="http://www.example.com" class="button_to" method="post"><input type="submit" value="Hello" /><input type="hidden" name="foo[bar]" value="baz" /></form>}, |