prevent tampering with host, port, protocol

Prevents :host, :port, :protocol settings get inherited from GET query
parameters.

Fixes #285

lib/will_paginate/view_helpers/action_view.rb

@@ -106,6 +106,7 @@ def default_url_params
       def url(page)
         @base_url_params ||= begin
           url_params = merge_get_params(default_url_params)
+          url_params[:only_path] = true
           merge_optional_params(url_params)
         end
 

spec/view_helpers/action_view_spec.rb

@@ -189,6 +189,15 @@ def renderer.gap() '<span class="my-gap">~~</span>' end
     paginate
     assert_links_match /foo\[bar\]=baz/
   end
+
+  it "doesn't allow tampering with host, port, protocol" do
+    request.params :host => 'disney.com', :port => '99', :protocol => 'ftp'
+    paginate
+    assert_links_match %r{^/foo/bar}
+    assert_no_links_match /disney/
+    assert_no_links_match /99/
+    assert_no_links_match /ftp/
+  end
 
   it "should not preserve parameters on POST" do
     request.post
@@ -328,16 +337,16 @@ class << helper
       include Routes.url_helpers
       include WillPaginate::ActionView
     end
-    helper.default_url_options[:host] = 'example.com'
-    helper.default_url_options[:controller] = 'dummy'
-    # helper.default_url_options[:only_path] = true
+    helper.default_url_options.update \
+      :only_path => true,
+      :controller => 'dummy'
 
     collection = WillPaginate::Collection.new(2, 1, 3)
     @render_output = helper.will_paginate(collection)
 
     assert_select 'a[href]', 4 do |links|
       urls = links.map {|l| l['href'] }.uniq
-      urls.should == ['http://example.com/dummy/page/1', 'http://example.com/dummy/page/3']
+      urls.should == ['/dummy/page/1', '/dummy/page/3']
     end
   end