Cyril Mougel
2008-Oct-29  22:37 UTC
observe_form encodeURIComponent(value) with protect_from_forgery
Hi
Since Rails 2.2RC1, I have a problem with observe_form. When I use the
simplest form:
  observe_form "article_form", :frequency => 60, :url => { :action => "autosave" }
The JavaScript generated is:
  new Form.Observer('article_form', 60, function(element, value) {
    new Ajax.Request('/admin/content/autosave', {asynchronous:true,
      evalScripts:true, parameters:'value=' + encodeURIComponent(value) +
      '&authenticity_token=' +
      encodeURIComponent('1d6397023865060a4a22e482ebc98295304479c3')})})
With Rails 2.1 it generated:
  new Form.Observer('article_form', 60, function(element, value) {
    new Ajax.Request('/admin/content/autosave', {asynchronous:true,
      evalScripts:true, parameters:'value=' + value +
      '&authenticity_token=' +
      encodeURIComponent('b2bb6b2dd85474c3264ddc1cf365c72495651dc4')})})
If I read the unit tests for this helper, I can see that there is no test
with protect_from_forgery. And if I look at the result expected from the
helper, I can see that it doesn't want encodeURIComponent(value):
  def test_observe_form
    assert_dom_equal %(<script type=\"text/javascript\">\n//<![CDATA[\nnew Form.Observer('cart', 2, function(element, value) {new Ajax.Request('http://www.example.com/cart_changed', {asynchronous:true, evalScripts:true, parameters:value})})\n//]]>\n</script>),
      observe_form("cart", :frequency => 2, :url => { :action => "cart_changed" })
  end
I think it's a bug, isn't it?
-- 
Cyril Mougel
http://blog.shingara.fr/
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To post to this group, send email to rubyonrails-core@googlegroups.com
To unsubscribe from this group, send email to
rubyonrails-core+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/rubyonrails-core?hl=en
-~----------~----~----~----~------~----~------~--~---
Frederick Cheung
2008-Oct-29  22:55 UTC
Re: observe_form encodeURIComponent(value) with protect_from_forgery
On 29 Oct 2008, at 22:37, Cyril Mougel wrote:

> Hi
>
> Since Rails 2.2RC1, I have a problem with observe_form. When I use the
> simplest form:
>   observe_form "article_form", :frequency => 60, :url => { :action => "autosave" }
> The JavaScript generated is:
>   new Form.Observer('article_form', 60, function(element, value) {
>     new Ajax.Request('/admin/content/autosave', {asynchronous:true,
>       evalScripts:true, parameters:'value=' + encodeURIComponent(value) +
>       '&authenticity_token=' +
>       encodeURIComponent('1d6397023865060a4a22e482ebc98295304479c3')})})
>
> With Rails 2.1 it generated:
>   new Form.Observer('article_form', 60, function(element, value) {
>     new Ajax.Request('/admin/content/autosave', {asynchronous:true,
>       evalScripts:true, parameters:'value=' + value +
>       '&authenticity_token=' +
>       encodeURIComponent('b2bb6b2dd85474c3264ddc1cf365c72495651dc4')})})
>
> If I read the unit tests for this helper, I can see that there is no test
> with protect_from_forgery. And if I look at the result expected from the
> helper, I can see that it doesn't want encodeURIComponent(value):

If you don't use encodeURIComponent on value then if the form element
you're submitting contains a & then it will screw up your params (if
you're doing parameters:'value='+value). Just doing parameters:value
just chucks the value in the request body, which I suppose is fine but
isn't a proper url encoded parameter.

There probably should be a test case asserting that the auth token is
added properly too.

Fred

>   def test_observe_form
>     assert_dom_equal %(<script type=\"text/javascript\">\n//<![CDATA[\nnew Form.Observer('cart', 2, function(element, value) {new Ajax.Request('http://www.example.com/cart_changed', {asynchronous:true, evalScripts:true, parameters:value})})\n//]]>\n</script>),
>       observe_form("cart", :frequency => 2, :url => { :action => "cart_changed" })
>   end
>
> I think it's a bug, isn't it?
>
> --
> Cyril Mougel
> http://blog.shingara.fr/
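Fred's point above, as an added example that is not part of the thread and is not Rails or Prototype code: a small Node.js script that builds the parameters string both ways (the Rails 2.1 raw concatenation and the Rails 2.2 encodeURIComponent form), parses it back with a minimal form-body parser standing in for the server, and shows what an unencoded value containing '&' or '=' does to the request. It goes one step beyond the thread by also showing that an unencoded value can add a second authenticity_token field. The function names, the sample token and the sample values are mine.

```javascript
// Added example (not code from the thread, Rails, or Prototype): why the
// Rails 2.2 observe_form output wraps `value` in encodeURIComponent before
// appending the authenticity_token. Plain Node.js, no Prototype required.

// Parameter string as the Rails 2.1 helper built it: raw concatenation.
function buildParamsUnencoded(value, token) {
  return 'value=' + value + '&authenticity_token=' + encodeURIComponent(token);
}

// Parameter string as the Rails 2.2 helper builds it: value is percent-encoded.
function buildParamsEncoded(value, token) {
  return 'value=' + encodeURIComponent(value) +
         '&authenticity_token=' + encodeURIComponent(token);
}

// Minimal application/x-www-form-urlencoded parser, standing in for the
// server side. Splits on '&', then on the first '=', and percent-decodes both
// halves ('+' is treated as a space, as form decoders do). Repeated keys are
// collected into an array so an injected duplicate stays visible instead of
// silently overwriting the first value.
function parseFormBody(body) {
  const params = {};
  for (const pair of body.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? '' : pair.slice(eq + 1);
    const key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
    const val = decodeURIComponent(rawVal.replace(/\+/g, ' '));
    params[key] = key in params ? [].concat(params[key], val) : val;
  }
  return params;
}

// Constructed sample input (assumption, not from the thread): a hex token in
// the same shape as the ones in the thread, and a form value containing both
// '&' and '='.
const SAMPLE_TOKEN = '0123456789abcdef0123456789abcdef01234567';
const SAMPLE_VALUE = 'Tom & Jerry=friends';

// Parsed params for both encodings, side by side.
function compareEncodings(value, token) {
  return {
    unencoded: parseFormBody(buildParamsUnencoded(value, token)),
    encoded: parseFormBody(buildParamsEncoded(value, token)),
  };
}

// Number of authenticity_token values the server would see. Without encoding,
// a value of the form "x&authenticity_token=..." adds a second one.
function tokenCount(value, token, encode) {
  const body = encode ? buildParamsEncoded(value, token)
                      : buildParamsUnencoded(value, token);
  const seen = parseFormBody(body).authenticity_token;
  return seen === undefined ? 0 : [].concat(seen).length;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(compareEncodings(SAMPLE_VALUE, SAMPLE_TOKEN), null, 2));
  console.log('token fields, unencoded:',
              tokenCount('x&authenticity_token=bogus', SAMPLE_TOKEN, false));
  console.log('token fields, encoded:  ',
              tokenCount('x&authenticity_token=bogus', SAMPLE_TOKEN, true));
}
```

Run it with `node` and compare the two parsed objects: the unencoded build truncates `value` at the first '&' and turns the remainder into a stray key, while the encoded build round-trips the value and leaves exactly one authenticity_token. This is also why a test that only checks `parameters:value` (as in the quoted test_observe_form) says nothing about the forgery-protection path; a separate case with protect_from_forgery enabled would have pinned down the encoded form.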