Merge pull request #26810 from maclover7/jm-fix-26802
Convert ActionController::Parameters to a hash in button_to
commit
680e56deeb
|
@ -617,6 +617,17 @@ module ActionView
|
|||
# to_form_params({ name: 'Denmark' }, 'country')
|
||||
# # => [{name: 'country[name]', value: 'Denmark'}]
|
||||
def to_form_params(attribute, namespace = nil) # :nodoc:
|
||||
attribute = if attribute.respond_to?(:permitted?)
|
||||
unless attribute.permitted?
|
||||
raise ArgumentError, "Attempting to generate a buttom from non-sanitized request parameters!" \
|
||||
" Whitelist and sanitize passed parameters to be secure."
|
||||
end
|
||||
|
||||
attribute.to_h
|
||||
else
|
||||
attribute
|
||||
end
|
||||
|
||||
params = []
|
||||
case attribute
|
||||
when Hash
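Review bot: The message on the added `raise ArgumentError` line misspells "button" as "buttom", and this string is what a developer sees when the guard trips; it should read `"Attempting to generate a button from non-sanitized request parameters!" \`. The guard itself fails closed, which is the right default, since unpermitted request parameters would otherwise be copied into the hidden inputs of a form that posts. The check keys on `respond_to?(:permitted?)` rather than on a class, so any object exposing that predicate has `to_h` called on it; a comment above the assignment such as `# Strong-parameters objects must be permitted before they are rendered as hidden fields.` would make that intent explicit. The body of to_form_params continues past the end of the hunk.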
|
||||
|
|
|
@ -221,6 +221,33 @@ class UrlHelperTest < ActiveSupport::TestCase
|
|||
)
|
||||
end
|
||||
|
||||
class FakeParams
|
||||
def initialize(permitted = true)
|
||||
@permitted = permitted
|
||||
end
|
||||
|
||||
def permitted?
|
||||
@permitted
|
||||
end
|
||||
|
||||
def to_h
|
||||
{ foo: :bar, baz: "quux" }
|
||||
end
|
||||
end
|
||||
|
||||
def test_button_to_with_permited_strong_params
|
||||
assert_dom_equal(
|
||||
%{<form action="http://www.example.com" class="button_to" method="post"><input type="submit" value="Hello" /><input type="hidden" name="baz" value="quux" /><input type="hidden" name="foo" value="bar" /></form>},
|
||||
button_to("Hello", "http://www.example.com", params: FakeParams.new)
|
||||
)
|
||||
end
|
||||
|
||||
def test_button_to_with_unpermited_strong_params
|
||||
assert_raises(ArgumentError) do
|
||||
button_to("Hello", "http://www.example.com", params: FakeParams.new(false))
|
||||
end
|
||||
end
|
||||
|
||||
def test_button_to_with_nested_hash_params
|
||||
assert_dom_equal(
|
||||
%{<form action="http://www.example.com" class="button_to" method="post"><input type="submit" value="Hello" /><input type="hidden" name="foo[bar]" value="baz" /></form>},
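Review bot: The unpermitted case is tested only with the params object at the top level (`params: FakeParams.new(false)`), so nothing pins whether the guard in to_form_params also applies when such an object is a value inside a plain Hash. That depends on how the method recurses, which is outside the visible hunks; a test like the one below would settle it either way. FakeParams is a duck-typed stub, so these tests also never exercise a real ActionController::Parameters. The new test names spell "permitted" as "permited" and "unpermited". The hunk ends inside test_button_to_with_nested_hash_params.

```ruby
def test_button_to_with_unpermitted_nested_strong_params
  assert_raises(ArgumentError) do
    button_to("Hello", "http://www.example.com", params: { user: FakeParams.new(false) })
  end
end
```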
|
||||
|
|