[Rails-core] Re: observe_form encodeURIComponent(value) with protect_form_forgery

Wed, 29 Oct 2008 15:56:18 -0700 


On 29 Oct 2008, at 22:37, Cyril Mougel wrote:

>
> Hi
>
> Since Rails 2.2RC1, I have a problem with observe_form. When I use a
> simplest :
>
> observe_form "article_form", :frequency => 60, :url => { :action =>
> "autosave" }
>
> The Javascript generate is :
>
> new Form.Observer('article_form', 60, function(element, value) {new
> Ajax.Request('/admin/content/autosave', {asynchronous:true,
> evalScripts:true, parameters:'value=' + encodeURIComponent(value) +
> '&authenticity_token=' +
> encodeURIComponent('1d6397023865060a4a22e482ebc98295304479c3')})})
>
> With Rails 2.1 I generated :
>
> new Form.Observer('article_form', 60, function(element, value) {new
> Ajax.Request('/admin/content/autosave', {asynchronous:true,
> evalScripts:true, parameters:'value='+ value +  
> '&authenticity_token=' +
> encodeURIComponent('b2bb6b2dd85474c3264ddc1cf365c72495651dc4')})})
>
> If I read test unit about this helper. I can see that no test with
> protect_form_forgery. And if I see the result attempt by helper. I can
> see that don't want encodeURIComponent(value) :
>
If you don't use encodeURIComponent on value then if the form element  
you're submitting contains a & then it will screw up your params (if  
you're doing parameters:'value='+value)
Just doing parameters:value just chucks the value in the request body,  
which I suppose is fine but isn't a proper url encoded parameter.
There probably should be a test case asserting that the auth token is  
added properly too

Fred
>
>  def test_observe_form
>    assert_dom_equal %(<script
> type=\"text/javascript\">\n//<![CDATA[\nnew Form.Observer('cart', 2,
> function(element, value) {new
> Ajax.Request('http://www.example.com/cart_changed',  
> {asynchronous:true,
> evalScripts:true, parameters:value})})\n//]]>\n</script>),
>      observe_form("cart", :frequency => 2, :url => { :action =>
> "cart_changed" })
>  end
>

>
> I think it's a bug. isn't it ?
>
> -- 
> Cyril Mougel
> http://blog.shingara.fr/
>
>
> >


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Core" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at 
http://groups.google.com/group/rubyonrails-core?hl=en
-~----------~----~----~----~------~----~------~--~---

Reply via email to