Merge pull request #4532 from rafaelfranca/av-button_to-refactor
Refactor button_to helper to use token_tag method
This commit is contained in:
commit
5caf1bd214
@ -627,7 +627,7 @@ def extra_tags_for_form(html_options)
|
||||
token_tag(authenticity_token)
|
||||
else
|
||||
html_options["method"] = "post"
|
||||
tag(:input, :type => "hidden", :name => "_method", :value => method) + token_tag(authenticity_token)
|
||||
method_tag(method) + token_tag(authenticity_token)
|
||||
end
|
||||
|
||||
tags = utf8_enforcer_tag << method_tag
|
||||
@ -646,15 +646,6 @@ def form_tag_in_block(html_options, &block)
|
||||
output.safe_concat("</form>")
|
||||
end
|
||||
|
||||
def token_tag(token)
|
||||
if token == false || !protect_against_forgery?
|
||||
''
|
||||
else
|
||||
token ||= form_authenticity_token
|
||||
tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => token)
|
||||
end
|
||||
end
|
||||
|
||||
# see http://www.w3.org/TR/html4/types.html#type-name
|
||||
def sanitize_to_id(name)
|
||||
name.to_s.gsub(']','').gsub(/[^-a-zA-Z0-9:.]/, "_")
|
||||
|
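Review bot: In the hunk at line 627, `extra_tags_for_form` now calls `method_tag(method)`, but `method_tag` is defined only in the hunk at line 670 of another file in this commit (next to `convert_boolean_attributes!`), so this line works only if that helper module is mixed into the form helper module; worth confirming, since the old `token_tag` this file used to own is removed in the hunk at line 646 without a replacement being added here. If the two modules are not already composed, a one-line `# method_tag / token_tag come from the URL helper module` comment above the `else` branch would spare the next reader the search. Both hunks cut through their enclosing methods, so the surrounding definitions are not visible.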
@ -327,7 +327,7 @@ def button_to(name, options = {}, html_options = {})
|
||||
|
||||
method_tag = ''
|
||||
if (method = html_options.delete('method')) && %w{put delete}.include?(method.to_s)
|
||||
method_tag = tag('input', :type => 'hidden', :name => '_method', :value => method.to_s)
|
||||
method_tag = method_tag(method)
|
||||
end
|
||||
|
||||
form_method = method.to_s == 'get' ? 'get' : 'post'
|
||||
@ -336,10 +336,7 @@ def button_to(name, options = {}, html_options = {})
|
||||
|
||||
remote = html_options.delete('remote')
|
||||
|
||||
request_token_tag = ''
|
||||
if form_method == 'post' && protect_against_forgery?
|
||||
request_token_tag = tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => form_authenticity_token)
|
||||
end
|
||||
request_token_tag = form_method == 'post' ? token_tag : ''
|
||||
|
||||
url = options.is_a?(String) ? options : self.url_for(options)
|
||||
name ||= url
|
||||
@ -670,6 +667,19 @@ def convert_boolean_attributes!(html_options, bool_attrs)
|
||||
bool_attrs.each { |x| html_options[x] = x if html_options.delete(x) }
|
||||
html_options
|
||||
end
|
||||
|
||||
def token_tag(token=nil)
|
||||
if token == false || !protect_against_forgery?
|
||||
''
|
||||
else
|
||||
token ||= form_authenticity_token
|
||||
tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => token)
|
||||
end
|
||||
end
|
||||
|
||||
def method_tag(method)
|
||||
tag('input', :type => 'hidden', :name => '_method', :value => method.to_s)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
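Review bot: In the hunk at line 327, `method_tag = method_tag(method)` assigns to a local that carries the same name as the helper it calls; the parenthesised call still resolves to the method, but any later bare `method_tag` in `button_to` now reads the local, which is easy to misread. Renaming the local, e.g. `method_input = ''` for the initialiser above it and `method_input = method_tag(method)` here, keeps the two apart; `button_to` continues outside the hunk, so the later uses of the local would need the same rename. The new `token_tag(token=nil)` and `method_tag` in the hunk at line 670 also have no comment; something like `# Hidden input carrying the CSRF token; '' when +token+ is false or forgery protection is off` above `token_tag` would document the false/nil distinction that both `button_to` and the form helpers now rely on.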
@ -56,7 +56,6 @@ def test_sanitize_script
|
||||
assert_sanitized "a b c<script language=\"Javascript\">blah blah blah</script>d e f", "a b cd e f"
|
||||
end
|
||||
|
||||
# TODO: Clean up
|
||||
def test_sanitize_js_handlers
|
||||
raw = %{onthis="do that" <a href="#" onclick="hello" name="foo" onbogus="remove me">hello</a>}
|
||||
assert_sanitized raw, %{onthis="do that" <a name="foo" href="#">hello</a>}
|
||||
@ -215,7 +214,6 @@ def test_should_not_fall_for_ridiculous_hack
|
||||
assert_sanitized img_hack, "<img>"
|
||||
end
|
||||
|
||||
# TODO: Clean up
|
||||
def test_should_sanitize_attributes
|
||||
assert_sanitized %(<SPAN title="'><script>alert()</script>">blah</SPAN>), %(<span title="'><script>alert()</script>">blah</span>)
|
||||
end
|
||||
|
@ -11,6 +11,9 @@ class UrlHelperTest < ActiveSupport::TestCase
|
||||
# In those cases, we'll set up a simple mock
|
||||
attr_accessor :controller, :request
|
||||
|
||||
cattr_accessor :request_forgery
|
||||
self.request_forgery = false
|
||||
|
||||
routes = ActionDispatch::Routing::RouteSet.new
|
||||
routes.draw do
|
||||
match "/" => "foo#bar"
|
||||
@ -49,11 +52,22 @@ def test_url_for_with_back_and_no_referer
|
||||
assert_equal 'javascript:history.back()', url_for(:back)
|
||||
end
|
||||
|
||||
# todo: missing test cases
|
||||
# TODO: missing test cases
|
||||
def test_button_to_with_straight_url
|
||||
assert_dom_equal "<form method=\"post\" action=\"http://www.example.com\" class=\"button_to\"><div><input type=\"submit\" value=\"Hello\" /></div></form>", button_to("Hello", "http://www.example.com")
|
||||
end
|
||||
|
||||
def test_button_to_with_straight_url_and_request_forgery
|
||||
self.request_forgery = true
|
||||
|
||||
assert_dom_equal(
|
||||
%{<form method="post" action="http://www.example.com" class="button_to"><div><input type="submit" value="Hello" /><input name="form_token" type="hidden" value="secret" /></div></form>},
|
||||
button_to("Hello", "http://www.example.com")
|
||||
)
|
||||
ensure
|
||||
self.request_forgery = false
|
||||
end
|
||||
|
||||
def test_button_to_with_form_class
|
||||
assert_dom_equal "<form method=\"post\" action=\"http://www.example.com\" class=\"custom-class\"><div><input type=\"submit\" value=\"Hello\" /></div></form>", button_to("Hello", "http://www.example.com", :form_class => 'custom-class')
|
||||
end
|
||||
@ -435,9 +449,16 @@ def test_mail_to_returns_html_safe_string
|
||||
assert mail_to("me@domain.com", "My email", :encode => "hex").html_safe?
|
||||
end
|
||||
|
||||
# TODO: button_to looks at this ... why?
|
||||
def protect_against_forgery?
|
||||
false
|
||||
self.request_forgery
|
||||
end
|
||||
|
||||
def form_authenticity_token
|
||||
"secret"
|
||||
end
|
||||
|
||||
def request_forgery_protection_token
|
||||
"form_token"
|
||||
end
|
||||
|
||||
private
|
||||
|
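Review bot: In the hunk at line 11, `cattr_accessor :request_forgery` plus `self.request_forgery = false` introduces class-level state shared by every test in the class, so a forgotten reset would leak the forgery toggle into later tests; `protect_against_forgery?` in the hunk at line 435 is an instance method and each test runs on a fresh instance, so an instance accessor isolates it with no reset needed. The two lines could be replaced by extending the existing accessor, `attr_accessor :controller, :request, :request_forgery`, leaving `self.request_forgery = true` in `test_button_to_with_straight_url_and_request_forgery` unchanged and making its `ensure` clause redundant. This assumes nothing outside the class reads `UrlHelperTest.request_forgery`, which the page does not show.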