diff options
Diffstat (limited to 'actionview/lib/action_view/helpers/url_helper.rb')
| -rw-r--r-- | actionview/lib/action_view/helpers/url_helper.rb | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/actionview/lib/action_view/helpers/url_helper.rb b/actionview/lib/action_view/helpers/url_helper.rb index 2445887c17..d410976bef 100644 --- a/actionview/lib/action_view/helpers/url_helper.rb +++ b/actionview/lib/action_view/helpers/url_helper.rb @@ -331,12 +331,6 @@ module ActionView inner_tags = method_tag.safe_concat(button).safe_concat(request_token_tag) if params - params = if params.respond_to?(:permitted?) - params.to_h - else - params - end - to_form_params(params).each do |param| inner_tags.safe_concat tag(:input, type: "hidden", name: param[:name], value: param[:value]) end @@ -623,6 +617,17 @@ module ActionView # to_form_params({ name: 'Denmark' }, 'country') # # => [{name: 'country[name]', value: 'Denmark'}] def to_form_params(attribute, namespace = nil) # :nodoc: + attribute = if attribute.respond_to?(:permitted?) + unless attribute.permitted? + raise ArgumentError, "Attempting to generate a buttom from non-sanitized request parameters!" \ + " Whitelist and sanitize passed parameters to be secure." + end + + attribute.to_h + else + attribute + end + params = [] case attribute when Hash |