Diffstat (limited to 'actionview')
-rw-r--r--actionview/lib/action_view/helpers/url_helper.rb17
-rw-r--r--actionview/test/template/url_helper_test.rb13
2 files changed, 23 insertions, 7 deletions
diff --git a/actionview/lib/action_view/helpers/url_helper.rb b/actionview/lib/action_view/helpers/url_helper.rb
index 2445887c17..d410976bef 100644
--- a/actionview/lib/action_view/helpers/url_helper.rb
+++ b/actionview/lib/action_view/helpers/url_helper.rb
@@ -331,12 +331,6 @@ module ActionView
inner_tags = method_tag.safe_concat(button).safe_concat(request_token_tag)
if params
- params = if params.respond_to?(:permitted?)
- params.to_h
- else
- params
- end
-
to_form_params(params).each do |param|
inner_tags.safe_concat tag(:input, type: "hidden", name: param[:name], value: param[:value])
end
@@ -623,6 +617,17 @@ module ActionView
# to_form_params({ name: 'Denmark' }, 'country')
# # => [{name: 'country[name]', value: 'Denmark'}]
def to_form_params(attribute, namespace = nil) # :nodoc:
+ attribute = if attribute.respond_to?(:permitted?)
+ unless attribute.permitted?
+ raise ArgumentError, "Attempting to generate a buttom from non-sanitized request parameters!" \
+ " Whitelist and sanitize passed parameters to be secure."
+ end
+
+ attribute.to_h
+ else
+ attribute
+ end
+
params = []
case attribute
when Hash
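Review bot: The new ArgumentError message on the line after `unless attribute.permitted?` misspells "button" as "buttom", and because this message is the only thing a developer sees when unpermitted request parameters are refused, it should read cleanly: `raise ArgumentError, "Attempting to generate a button from non-sanitized request parameters!" \` followed by `" Whitelist and sanitize passed parameters to be secure."`. The guard itself is the right place for the check, since it now covers every caller of to_form_params rather than only button_to, so the documentation comment above `def to_form_params` (of which only the example lines are in the hunk) should state the new contract, e.g. `# Raises ArgumentError when +attribute+ responds to +permitted?+ and is not permitted, so unpermitted request parameters are never reflected into hidden fields.` The body of to_form_params continues past the end of the hunk, so whether nested values are re-checked is not visible here; if they are not, that is presumably covered by `to_h` on a permitted object, which is worth confirming.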
diff --git a/actionview/test/template/url_helper_test.rb b/actionview/test/template/url_helper_test.rb
index 4f73241f52..5a2319fe96 100644
--- a/actionview/test/template/url_helper_test.rb
+++ b/actionview/test/template/url_helper_test.rb
@@ -222,7 +222,12 @@ class UrlHelperTest < ActiveSupport::TestCase
end
class FakeParams
+ def initialize(permitted = true)
+ @permitted = permitted
+ end
+
def permitted?
+ @permitted
end
def to_h
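Review bot: `FakeParams#initialize` takes a bare boolean positional, so the later call `FakeParams.new(false)` does not say what is being switched off; a keyword argument reads better and matches the helper's own `params:` style: `def initialize(permitted: true)` with `@permitted = permitted`, called as `FakeParams.new(permitted: false)`. The `to_h` method of FakeParams continues outside this hunk.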
@@ -230,13 +235,19 @@ class UrlHelperTest < ActiveSupport::TestCase
end
end
- def test_button_to_with_strong_params
+ def test_button_to_with_permited_strong_params
assert_dom_equal(
%{<form action="http://www.example.com" class="button_to" method="post"><input type="submit" value="Hello" /><input type="hidden" name="baz" value="quux" /><input type="hidden" name="foo" value="bar" /></form>},
button_to("Hello", "http://www.example.com", params: FakeParams.new)
)
end
+ def test_button_to_with_unpermited_strong_params
+ assert_raises(ArgumentError) do
+ button_to("Hello", "http://www.example.com", params: FakeParams.new(false))
+ end
+ end
+
def test_button_to_with_nested_hash_params
assert_dom_equal(
%{<form action="http://www.example.com" class="button_to" method="post"><input type="submit" value="Hello" /><input type="hidden" name="foo[bar]" value="baz" /></form>},
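Review bot: Both renamed and added test names misspell "permitted": `test_button_to_with_permited_strong_params` and `test_button_to_with_unpermited_strong_params` should be `test_button_to_with_permitted_strong_params` and `test_button_to_with_unpermitted_strong_params`. The unpermitted test only checks the exception class; capturing it and asserting on the message would pin the user-facing explanation as well, e.g. `error = assert_raises(ArgumentError) { button_to("Hello", "http://www.example.com", params: FakeParams.new(false)) }` followed by `assert_match(/non-sanitized request parameters/, error.message)`. The assertion in test_button_to_with_nested_hash_params continues past the end of the hunk.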