Merge pull request #26810 from maclover7/jm-fix-26802

Convert ActionController::Parameters to a hash in button_to

actionview/lib/action_view/helpers/url_helper.rb

@@ -617,6 +617,17 @@ module ActionView
         #   to_form_params({ name: 'Denmark' }, 'country')
         #   # => [{name: 'country[name]', value: 'Denmark'}]
         def to_form_params(attribute, namespace = nil) # :nodoc:
+          attribute = if attribute.respond_to?(:permitted?)
+            unless attribute.permitted?
+              raise ArgumentError, "Attempting to generate a buttom from non-sanitized request parameters!" \
+                " Whitelist and sanitize passed parameters to be secure."
+            end
+
+            attribute.to_h
+          else
+            attribute
+          end
+
           params = []
           case attribute
           when Hash

actionview/test/template/url_helper_test.rb

@@ -221,6 +221,33 @@ class UrlHelperTest < ActiveSupport::TestCase
     )
   end
 
+  class FakeParams
+    def initialize(permitted = true)
+      @permitted = permitted
+    end
+
+    def permitted?
+      @permitted
+    end
+
+    def to_h
+      { foo: :bar, baz: "quux" }
+    end
+  end
+
+  def test_button_to_with_permited_strong_params
+    assert_dom_equal(
+      %{<form action="http://www.example.com" class="button_to" method="post"><input type="submit" value="Hello" /><input type="hidden" name="baz" value="quux" /><input type="hidden" name="foo" value="bar" /></form>},
+      button_to("Hello", "http://www.example.com", params: FakeParams.new)
+    )
+  end
+
+  def test_button_to_with_unpermited_strong_params
+    assert_raises(ArgumentError) do
+      button_to("Hello", "http://www.example.com", params: FakeParams.new(false))
+    end
+  end
+
   def test_button_to_with_nested_hash_params
     assert_dom_equal(
       %{<form action="http://www.example.com" class="button_to" method="post"><input type="submit" value="Hello" /><input type="hidden" name="foo[bar]" value="baz" /></form>},