Ignore script_name query parameter in generated URLs

Author: mislav

lib/will_paginate/view_helpers/action_view.rb

@@ -99,6 +99,8 @@ def infer_collection_from_controller
     class LinkRenderer < ViewHelpers::LinkRenderer
       protected
 
+      GET_PARAMS_BLACKLIST = [:script_name]
+
       def default_url_params
         {}
       end
@@ -118,7 +120,7 @@ def url(page)
 
       def merge_get_params(url_params)
         if @template.respond_to? :request and @template.request and @template.request.get?
-          symbolized_update(url_params, @template.params)
+          symbolized_update(url_params, @template.params, GET_PARAMS_BLACKLIST)
         end
         url_params
       end

lib/will_paginate/view_helpers/link_renderer.rb

@@ -114,11 +114,12 @@ def rel_value(page)
         end
       end
 
-      def symbolized_update(target, other)
+      def symbolized_update(target, other, blacklist = nil)
         other.each do |key, value|
           key = key.to_sym
           existing = target[key]
-          
+          next if blacklist && blacklist.include?(key)
+
           if value.is_a?(Hash) and (existing.is_a?(Hash) or existing.nil?)
             symbolized_update(existing || (target[key] = {}), value)
           else

spec/view_helpers/action_view_spec.rb

@@ -201,6 +201,13 @@ def renderer.gap() '<span class="my-gap">~~</span>' end
     assert_no_links_match /99/
     assert_no_links_match /ftp/
   end
+
+  it "doesn't allow tampering with script_name" do
+    request.params :script_name => 'p0wned'
+    paginate
+    assert_links_match %r{^/foo/bar}
+    assert_no_links_match /p0wned/
+  end
 
   it "should not preserve parameters on POST" do
     request.post