diff options
| -rw-r--r-- | actionpack/lib/action_view/helpers/date_helper.rb | 5 | ||||
| -rw-r--r-- | actionpack/test/template/form_helper_test.rb | 8 | ||||
| -rw-r--r-- | railties/guides/source/security.textile | 2 |
3 files changed, 13 insertions, 2 deletions
diff --git a/actionpack/lib/action_view/helpers/date_helper.rb b/actionpack/lib/action_view/helpers/date_helper.rb index 2b128e8445..c26f0d4911 100644 --- a/actionpack/lib/action_view/helpers/date_helper.rb +++ b/actionpack/lib/action_view/helpers/date_helper.rb @@ -940,7 +940,10 @@ module ActionView # Returns the id attribute for the input tag. # => "post_written_on_1i" def input_id_from_type(type) - input_name_from_type(type).gsub(/([\[\(])|(\]\[)/, '_').gsub(/[\]\)]/, '') + id = input_name_from_type(type).gsub(/([\[\(])|(\]\[)/, '_').gsub(/[\]\)]/, '') + id = @options[:namespace] + '_' + id if @options[:namespace] + + id end # Given an ordering of datetime components, create the selection HTML diff --git a/actionpack/test/template/form_helper_test.rb b/actionpack/test/template/form_helper_test.rb index 4dae5479d6..f9940ead58 100644 --- a/actionpack/test/template/form_helper_test.rb +++ b/actionpack/test/template/form_helper_test.rb @@ -960,6 +960,14 @@ class FormHelperTest < ActionView::TestCase assert_dom_equal expected, output_buffer end + def test_form_for_with_namespace_with_date_select + form_for(@post, :namespace => 'namespace') do |f| + concat f.date_select(:written_on) + end + + assert_select 'select#namespace_post_written_on_1i' + end + def test_form_for_with_namespace_with_label form_for(@post, :namespace => 'namespace') do |f| concat f.label(:title) diff --git a/railties/guides/source/security.textile b/railties/guides/source/security.textile index c2ef7bf9b5..3f2d307792 100644 --- a/railties/guides/source/security.textile +++ b/railties/guides/source/security.textile @@ -374,7 +374,7 @@ end Mass-assignment saves you much work, because you don't have to set each value individually. Simply pass a hash to the +new+ method, or +assign_attributes=+ a hash value, to set the model's attributes to the values in the hash. The problem is that it is often used in conjunction with the parameters (params) hash available in the controller, which may be manipulated by an attacker. He may do so by changing the URL like this: <pre> -"name":http://www.example.com/user/signup?user[name]=ow3ned&user[admin]=1 +http://www.example.com/user/signup?user[name]=ow3ned&user[admin]=1 </pre> This will set the following parameters in the controller: |