From 82c1fed89fe6dae8f44b6647dd94fc68f01eaa81 Mon Sep 17 00:00:00 2001
From: David Heinemeier Hansson <david@loudthinking.com>
Date: Tue, 25 Sep 2007 16:50:35 +0000
Subject: Protect button_to behind protect_from_forgery (closes #9675) [lifo]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7636 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
---
 actionpack/lib/action_view/helpers/url_helper.rb | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'actionpack/lib/action_view')

diff --git a/actionpack/lib/action_view/helpers/url_helper.rb b/actionpack/lib/action_view/helpers/url_helper.rb
index 96e4fdda48..490b2c1215 100644
--- a/actionpack/lib/action_view/helpers/url_helper.rb
+++ b/actionpack/lib/action_view/helpers/url_helper.rb
@@ -201,7 +201,12 @@ module ActionView
         end
 
         form_method = method.to_s == 'get' ? 'get' : 'post'
-
+        
+        request_token_tag = ''
+        if form_method == 'post' && request_forgery_protection_token
+          request_token_tag = tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => form_authenticity_token)
+        end
+        
         if confirm = html_options.delete("confirm")
           html_options["onclick"] = "return #{confirm_javascript_function(confirm)};"
         end
@@ -212,7 +217,7 @@ module ActionView
         html_options.merge!("type" => "submit", "value" => name)
 
         "<form method=\"#{form_method}\" action=\"#{escape_once url}\" class=\"button-to\"><div>" +
-          method_tag + tag("input", html_options) + "</div></form>"
+          method_tag + tag("input", html_options) + request_token_tag + "</div></form>"
       end
 
 
-- 
cgit v1.2.3