Fix several known web encoding issues:

* Specify accept-charset on all forms. All recent browsers,
  as well as IE5+, will use the encoding specified for form
  parameters
* Unfortunately, IE5+ will not look at accept-charset unless
  at least one character in the form's values is not in the
  page's charset. Since the user can override the default
  charset (which Rails sets to UTF-8), we provide a hidden
  input containing a unicode character, forcing IE to look
  at the accept-charset.
* Now that the vast majority of web input is UTF-8, we set
  the inbound parameters to UTF-8. This will eliminate many
  cases of incompatible encodings between ASCII-8BIT and
  UTF-8.
* You can safely ignore params[:_snowman_]

TODO:

* Validate inbound text to confirm it is UTF-8
* Combine the whole_form implementations in form_helper_test
  and form_tag_helper_test
commit 25215d7285db10e2c04d903f251b791342e4dd6a 1 parent 06b0d6e
Yehuda Katz wycats authored
31 actionpack/lib/action_dispatch/http/parameters.rb
@@ -6,7 +6,11 @@ module Http
module Parameters
# Returns both GET and POST \parameters in a single hash.
def parameters
- @env["action_dispatch.request.parameters"] ||= request_parameters.merge(query_parameters).update(path_parameters).with_indifferent_access
+ @env["action_dispatch.request.parameters"] ||= begin
+ params = request_parameters.merge(query_parameters)
+ params.merge!(path_parameters)
+ encode_params(params).with_indifferent_access
+ end
end
alias :params :parameters
@@ -32,6 +36,31 @@ def path_parameters
end
private
+
+ # TODO: Validate that the characters are UTF-8. If they aren't,
+ # you'll get a weird error down the road, but our form handling
+ # should really prevent that from happening
+ def encode_params(params)
+ return params unless "ruby".encoding_aware?
+
+ if params.is_a?(String)
+ return params.force_encoding("UTF-8").encode!
+ elsif !params.is_a?(Hash)
+ return params
+ end
+
+ params.each do |k, v|
+ case v
+ when Hash
+ encode_params(v)
+ when Array
+ v.map! {|el| encode_params(el) }
+ else
+ encode_params(v)
+ end
+ end
+ end
+
# Convert nested Hash to HashWithIndifferentAccess
def normalize_parameters(value)
case value
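Review bot: In encode_params, `params.force_encoding("UTF-8").encode!` only relabels the bytes and never checks them, so a value that is not valid UTF-8 leaves this method tagged as UTF-8 and fails somewhere later, as the TODO above it concedes. Consider calling `valid_encoding?` right after `force_encoding` and rejecting or replacing the value at this boundary instead. Also, `params.each do |k, v|` never touches `k`, so hash keys keep whatever encoding they arrived with, and the `when Hash` and `else` branches are identical and can be merged.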
15 actionpack/lib/action_view/helpers/form_tag_helper.rb
@@ -530,22 +530,31 @@ def html_options_for_form(url_for_options, options, *parameters_for_url)
returning options.stringify_keys do |html_options|
html_options["enctype"] = "multipart/form-data" if html_options.delete("multipart")
html_options["action"] = url_for(url_for_options, *parameters_for_url)
+ html_options["accept-encoding"] = "UTF-8"
html_options["data-remote"] = true if html_options.delete("remote")
end
end
def extra_tags_for_form(html_options)
- case method = html_options.delete("method").to_s
+ snowman_tag = tag(:input, :type => "hidden",
+ :name => "_snowman_", :value => "☃")
Alexander Lomakin
peanut added a note

Oh my god! He is here!!!

Oh snowman, how I miss you. :metal:

+
+ method = html_options.delete("method").to_s
+
+ method_tag = case method
when /^get$/i # must be case-insensitive, but can't use downcase as might be nil
html_options["method"] = "get"
''
when /^post$/i, "", nil
html_options["method"] = "post"
- protect_against_forgery? ? content_tag(:div, token_tag, :style => 'margin:0;padding:0;display:inline') : ''
+ token_tag
else
html_options["method"] = "post"
- content_tag(:div, tag(:input, :type => "hidden", :name => "_method", :value => method) + token_tag, :style => 'margin:0;padding:0;display:inline')
+ tag(:input, :type => "hidden", :name => "_method", :value => method) + token_tag
end
+
+ tags = snowman_tag << method_tag
+ content_tag(:div, tags, :style => 'margin:0;padding:0;display:inline')
end
def form_tag_html(html_options)
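Review bot: `html_options["accept-encoding"] = "UTF-8"` in html_options_for_form sets the wrong attribute: the commit message and the updated expectation in form_helper_test (`<form accept-charset='UTF-8' ...`) both call for `accept-charset`, so the key should be "accept-charset". Separately, the POST branch of extra_tags_for_form drops the `protect_against_forgery?` guard and returns `token_tag` unconditionally; confirm that `token_tag` yields an empty string when forgery protection is off, or keep the guard. Note too that GET forms, which previously got no extra markup, now receive the wrapping div and the `_snowman_` input, so the parameter will show up in their query strings.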
23 actionpack/test/dispatch/request/url_encoded_params_parsing_test.rb
@@ -141,6 +141,29 @@ def assert_parses(expected, actual)
post "/parse", actual
assert_response :ok
assert_equal(expected, TestController.last_request_parameters)
+ assert_utf8(TestController.last_request_parameters)
+ end
+ end
+
+ def assert_utf8(object)
+ return unless "ruby".encoding_aware?
+
+ correct_encoding = Encoding.default_internal
+
+ unless object.is_a?(Hash)
+ assert_equal correct_encoding, object.encoding, "#{object.inspect} should have been UTF-8"
+ return
+ end
+
+ object.each do |k,v|
+ case v
+ when Hash
+ assert_utf8(v)
+ when Array
+ v.each {|el| assert_utf8(el) }
+ else
+ assert_utf8(v)
+ end
end
end
end
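Review bot: assert_utf8 compares against `Encoding.default_internal`, which is nil unless the process sets it, while the failure message says "should have been UTF-8"; assert against `Encoding::UTF_8` so the test checks what it claims. The leaf case also calls `object.encoding` on anything that is not a Hash, so a nil or other non-String value would raise instead of failing cleanly, and the keys (`k`) are never checked.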
2  actionpack/test/template/erb/form_for_test.rb
@@ -5,7 +5,7 @@ module ERBTest
class TagHelperTest < BlockTestCase
test "form_for works" do
output = render_content "form_for(:staticpage, :url => {:controller => 'blah', :action => 'update'})", ""
- assert_equal "<form action=\"/blah/update\" method=\"post\"></form>", output
+ assert_match %r{<form.*action="/blah/update".*method="post">.*</form>}, output
end
end
end
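Review bot: Replacing assert_equal with `%r{<form.*action="/blah/update".*method="post">.*</form>}` makes this test pass whether or not the new accept-charset attribute and the `_snowman_` input are emitted. Add both to the pattern, or assert on them separately, so the behaviour this commit introduces is actually covered here.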
4 actionpack/test/template/erb/tag_helper_test.rb
@@ -28,8 +28,8 @@ def maybe_deprecated
end
test "percent equals works with form tags" do
- expected_output = "<form action=\"foo\" method=\"post\">hello</form>"
- maybe_deprecated { assert_equal expected_output, render_content("form_tag('foo')", "<%= 'hello' %>") }
+ expected_output = %r{<form.*action="foo".*method="post">.*hello*</form>}
+ maybe_deprecated { assert_match expected_output, render_content("form_tag('foo')", "<%= 'hello' %>") }
end
test "percent equals works with fieldset tags" do
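Review bot: In the new expected_output pattern, `hello*</form>` quantifies only the final `o`, so it matches "hell" followed by any number of `o` characters; `hello</form>` looks like what was meant. As in form_for_test, the loosened pattern also stops checking that the accept-charset attribute and the hidden input are present.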
385 actionpack/test/template/form_helper_test.rb
@@ -583,7 +583,8 @@ def test_form_for
end
expected =
- "<form action='http://www.example.com' id='create-post' method='post'>" +
+ "<form accept-charset='UTF-8' action='http://www.example.com' id='create-post' method='post'>" +
+ snowman +
"<label for='post_title'>The Title</label>" +
"<input name='post[title]' size='30' type='text' id='post_title' value='Hello World' />" +
"<textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" +
@@ -604,15 +605,14 @@ def test_form_for_with_symbol_object_name
concat f.submit('Create post')
end
- expected =
- "<form class='other_name_edit' method='post' action='/posts/123' id='create-post'>" +
- "<div style='margin:0;padding:0;display:inline'><input name='_method' value='put' type='hidden' /></div>" +
+ expected = whole_form("/posts/123", "create-post", "other_name_edit", :method => "put") do
"<label for='other_name_title'>Title</label>" +
"<input name='other_name[title]' size='30' id='other_name_title' value='Hello World' type='text' />" +
"<textarea name='other_name[body]' id='other_name_body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" +
"<input name='other_name[secret]' value='0' type='hidden' />" +
"<input name='other_name[secret]' checked='checked' id='other_name_secret' value='1' type='checkbox' />" +
- "<input name='commit' id='other_name_submit' value='Create post' type='submit' /></form>"
+ "<input name='commit' id='other_name_submit' value='Create post' type='submit' />"
+ end
assert_dom_equal expected, output_buffer
end
@@ -626,14 +626,12 @@ def test_form_for_with_method
end
end
- expected =
- "<form action='http://www.example.com' id='create-post' method='post'>" +
- "<div style='margin:0;padding:0;display:inline'><input name='_method' type='hidden' value='put' /></div>" +
+ expected = whole_form("http://www.example.com", "create-post", nil, "put") do
"<input name='post[title]' size='30' type='text' id='post_title' value='Hello World' />" +
"<textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" +
"<input name='post[secret]' type='hidden' value='0' />" +
- "<input name='post[secret]' checked='checked' type='checkbox' id='post_secret' value='1' />" +
- "</form>"
+ "<input name='post[secret]' checked='checked' type='checkbox' id='post_secret' value='1' />"
+ end
assert_dom_equal expected, output_buffer
end
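Review bot: `whole_form("http://www.example.com", "create-post", nil, "put")` in test_form_for_with_method passes the method as a bare string, while the neighbouring calls pass an options hash (`:method => "put"`). The definition of whole_form is not in the visible lines, so unless it accepts both forms this call should read `:method => "put"`; otherwise the expected markup may silently omit the `_method` input.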
@@ -647,14 +645,12 @@ def test_form_for_with_remote
end
end
- expected =
- "<form action='http://www.example.com' id='create-post' method='post' data-remote='true'>" +
- "<div style='margin:0;padding:0;display:inline'><input name='_method' type='hidden' value='put' /></div>" +
+ expected = whole_form("http://www.example.com", "create-post", nil, :method => "put", :remote => true) do
"<input name='post[title]' size='30' type='text' id='post_title' value='Hello World' />" +
"<textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" +
"<input name='post[secret]' type='hidden' value='0' />" +
- "<input name='post[secret]' checked='checked' type='checkbox' id='post_secret' value='1' />" +
- "</form>"
+ "<input name='post[secret]' checked='checked' type='checkbox' id='post_secret' value='1' />"
+ end
assert_dom_equal expected, output_buffer
end
@@ -668,13 +664,12 @@ def test_form_for_with_remote_without_html
end
end
- expected =
- "<form action='http://www.example.com' method='post' data-remote='true'>" +
+ expected = whole_form("http://www.example.com", nil, nil, :remote => true) do
"<input name='post[title]' size='30' type='text' id='post_title' value='Hello World' />" +
"<textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" +
"<input name='post[secret]' type='hidden' value='0' />" +
- "<input name='post[secret]' checked='checked' type='checkbox' id='post_secret' value='1' />" +
- "</form>"
+ "<input name='post[secret]' checked='checked' type='checkbox' id='post_secret' value='1' />"
+ end
assert_dom_equal expected, output_buffer
end
@@ -686,13 +681,12 @@ def test_form_for_without_object
concat f.check_box(:secret)
end
- expected =
- "<form action='http://www.example.com' id='create-post' method='post'>" +
+ expected = whole_form("http://www.example.com", "create-post") do
"<input name='post[title]' size='30' type='text' id='post_title' value='Hello World' />" +
"<textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" +
"<input name='post[secret]' type='hidden' value='0' />" +
- "<input name='post[secret]' checked='checked' type='checkbox' id='post_secret' value='1' />" +
- "</form>"
+ "<input name='post[secret]' checked='checked' type='checkbox' id='post_secret' value='1' />"
+ end
assert_dom_equal expected, output_buffer
end
@@ -707,14 +701,13 @@ def test_form_for_with_index
end
end
- expected =
- "<form action='http://www.example.com' method='post'>" +
+ expected = whole_form do
"<label for='post_123_title'>Title</label>" +
"<input name='post[123][title]' size='30' type='text' id='post_123_title' value='Hello World' />" +
"<textarea name='post[123][body]' id='post_123_body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" +
"<input name='post[123][secret]' type='hidden' value='0' />" +
- "<input name='post[123][secret]' checked='checked' type='checkbox' id='post_123_secret' value='1' />" +
- "</form>"
+ "<input name='post[123][secret]' checked='checked' type='checkbox' id='post_123_secret' value='1' />"
+ end
assert_dom_equal expected, output_buffer
end
@@ -728,13 +721,12 @@ def test_form_for_with_nil_index_option_override
end
end
- expected =
- "<form action='http://www.example.com' method='post'>" +
+ expected = whole_form do
"<input name='post[][title]' size='30' type='text' id='post__title' value='Hello World' />" +
"<textarea name='post[][body]' id='post__body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" +
"<input name='post[][secret]' type='hidden' value='0' />" +
- "<input name='post[][secret]' checked='checked' type='checkbox' id='post__secret' value='1' />" +
- "</form>"
+ "<input name='post[][secret]' checked='checked' type='checkbox' id='post__secret' value='1' />"
+ end
assert_dom_equal expected, output_buffer
end
@@ -749,9 +741,10 @@ def test_submit_with_object_as_new_record_and_locale_strings
end
end
- expected = "<form action='http://www.example.com' method='post'>" +
- "<input name='commit' id='post_submit' type='submit' value='Create Post' />" +
- "</form>"
+ expected = whole_form do
+ "<input name='commit' id='post_submit' type='submit' value='Create Post' />"
+ end
+
assert_dom_equal expected, output_buffer
ensure
I18n.locale = old_locale
@@ -766,9 +759,10 @@ def test_submit_with_object_as_existing_record_and_locale_strings
end
end
- expected = "<form action='http://www.example.com' method='post'>" +
- "<input name='commit' id='post_submit' type='submit' value='Confirm Post changes' />" +
- "</form>"
+ expected = whole_form do
+ "<input name='commit' id='post_submit' type='submit' value='Confirm Post changes' />"
+ end
+
assert_dom_equal expected, output_buffer
ensure
I18n.locale = old_locale
@@ -781,9 +775,10 @@ def test_submit_without_object_and_locale_strings
concat f.submit :class => "extra"
end
- expected = "<form action='http://www.example.com' method='post'>" +
- "<input name='commit' class='extra' id='post_submit' type='submit' value='Save changes' />" +
- "</form>"
+ expected = whole_form do
+ "<input name='commit' class='extra' id='post_submit' type='submit' value='Save changes' />"
+ end
+
assert_dom_equal expected, output_buffer
ensure
I18n.locale = old_locale
@@ -798,9 +793,10 @@ def test_submit_with_object_and_nested_lookup
end
end
- expected = "<form action='http://www.example.com' method='post'>" +
- "<input name='commit' id='another_post_submit' type='submit' value='Update your Post' />" +
- "</form>"
+ expected = whole_form do
+ "<input name='commit' id='another_post_submit' type='submit' value='Update your Post' />"
+ end
+
assert_dom_equal expected, output_buffer
ensure
I18n.locale = old_locale
@@ -815,9 +811,9 @@ def test_nested_fields_for
end
end
- expected = "<form action='http://www.example.com' method='post'>" +
- "<input name='post[comment][title]' size='30' type='text' id='post_comment_title' value='Hello World' />" +
- "</form>"
+ expected = whole_form do
+ "<input name='post[comment][title]' size='30' type='text' id='post_comment_title' value='Hello World' />"
+ end
assert_dom_equal expected, output_buffer
end
@@ -832,10 +828,10 @@ def test_nested_fields_for_with_nested_collections
end
end
- expected = "<form action='http://www.example.com' method='post'>" +
- "<input name='post[123][title]' size='30' type='text' id='post_123_title' value='Hello World' />" +
- "<input name='post[123][comment][][name]' size='30' type='text' id='post_123_comment__name' value='new comment' />" +
- "</form>"
+ expected = whole_form do
+ "<input name='post[123][title]' size='30' type='text' id='post_123_title' value='Hello World' />" +
+ "<input name='post[123][comment][][name]' size='30' type='text' id='post_123_comment__name' value='new comment' />"
+ end
assert_dom_equal expected, output_buffer
end
@@ -850,10 +846,10 @@ def test_nested_fields_for_with_index_and_parent_fields
end
end
- expected = "<form action='http://www.example.com' method='post'>" +
- "<input name='post[1][title]' size='30' type='text' id='post_1_title' value='Hello World' />" +
- "<input name='post[1][comment][1][name]' size='30' type='text' id='post_1_comment_1_name' value='new comment' />" +
- "</form>"
+ expected = whole_form do
+ "<input name='post[1][title]' size='30' type='text' id='post_1_title' value='Hello World' />" +
+ "<input name='post[1][comment][1][name]' size='30' type='text' id='post_1_comment_1_name' value='new comment' />"
+ end
assert_dom_equal expected, output_buffer
end
@@ -867,9 +863,9 @@ def test_form_for_with_index_and_nested_fields_for
end
end
- expected = "<form action='http://www.example.com' method='post'>" +
- "<input name='post[1][comment][title]' size='30' type='text' id='post_1_comment_title' value='Hello World' />" +
- "</form>"
+ expected = whole_form do
+ "<input name='post[1][comment][title]' size='30' type='text' id='post_1_comment_title' value='Hello World' />"
+ end
assert_dom_equal expected, output_buffer
end
@@ -883,9 +879,9 @@ def test_nested_fields_for_with_index_on_both
end
end
- expected = "<form action='http://www.example.com' method='post'>" +
- "<input name='post[1][comment][5][title]' size='30' type='text' id='post_1_comment_5_title' value='Hello World' />" +
- "</form>"
+ expected = whole_form do
+ "<input name='post[1][comment][5][title]' size='30' type='text' id='post_1_comment_5_title' value='Hello World' />"
+ end
assert_dom_equal expected, output_buffer
end
@@ -899,9 +895,9 @@ def test_nested_fields_for_with_auto_index
end
end
- expected = "<form action='http://www.example.com' method='post'>" +
- "<input name='post[123][comment][title]' size='30' type='text' id='post_123_comment_title' value='Hello World' />" +
- "</form>"
+ expected = whole_form do
+ "<input name='post[123][comment][title]' size='30' type='text' id='post_123_comment_title' value='Hello World' />"
+ end
assert_dom_equal expected, output_buffer
end
@@ -915,9 +911,9 @@ def test_nested_fields_for_with_index_radio_button
end
end
- expected = "<form action='http://www.example.com' method='post'>" +
- "<input name='post[comment][5][title]' type='radio' id='post_comment_5_title_hello' value='hello' />" +
- "</form>"
+ expected = whole_form do
+ "<input name='post[comment][5][title]' type='radio' id='post_comment_5_title_hello' value='hello' />"
+ end
assert_dom_equal expected, output_buffer
end
@@ -931,9 +927,9 @@ def test_nested_fields_for_with_auto_index_on_both
end
end
- expected = "<form action='http://www.example.com' method='post'>" +
- "<input name='post[123][comment][123][title]' size='30' type='text' id='post_123_comment_123_title' value='Hello World' />" +
- "</form>"
+ expected = whole_form do
+ "<input name='post[123][comment][123][title]' size='30' type='text' id='post_123_comment_123_title' value='Hello World' />"
+ end
assert_dom_equal expected, output_buffer
end
@@ -952,12 +948,11 @@ def test_nested_fields_for_with_index_and_auto_index
}
end
- expected = "<form action='http://www.example.com' method='post'>" +
- "<input name='post[123][comment][5][title]' size='30' type='text' id='post_123_comment_5_title' value='Hello World' />" +
- "</form>" +
- "<form action='http://www.example.com' method='post'>" +
- "<input name='post[1][comment][123][title]' size='30' type='text' id='post_1_comment_123_title' value='Hello World' />" +
- "</form>"
+ expected = whole_form do
+ "<input name='post[123][comment][5][title]' size='30' type='text' id='post_123_comment_5_title' value='Hello World' />"
+ end + whole_form do
+ "<input name='post[1][comment][123][title]' size='30' type='text' id='post_1_comment_123_title' value='Hello World' />"
+ end
assert_dom_equal expected, output_buffer
end
@@ -975,10 +970,10 @@ def test_nested_fields_for_with_a_new_record_on_a_nested_attributes_one_to_one_a
end
end
- expected = '<form action="http://www.example.com" method="post">' +
- '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' +
- '<input id="post_author_attributes_name" name="post[author_attributes][name]" size="30" type="text" value="new author" />' +
- '</form>'
+ expected = whole_form do
+ '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' +
+ '<input id="post_author_attributes_name" name="post[author_attributes][name]" size="30" type="text" value="new author" />'
+ end
assert_dom_equal expected, output_buffer
end
@@ -1006,11 +1001,11 @@ def test_nested_fields_for_with_an_existing_record_on_a_nested_attributes_one_to
end
end
- expected = '<form action="http://www.example.com" method="post">' +
- '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' +
- '<input id="post_author_attributes_name" name="post[author_attributes][name]" size="30" type="text" value="author #321" />' +
- '<input id="post_author_attributes_id" name="post[author_attributes][id]" type="hidden" value="321" />' +
- '</form>'
+ expected = whole_form do
+ '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' +
+ '<input id="post_author_attributes_name" name="post[author_attributes][name]" size="30" type="text" value="author #321" />' +
+ '<input id="post_author_attributes_id" name="post[author_attributes][id]" type="hidden" value="321" />'
+ end
assert_dom_equal expected, output_buffer
end
@@ -1028,11 +1023,11 @@ def test_nested_fields_for_with_existing_records_on_a_nested_attributes_one_to_o
end
end
- expected = '<form action="http://www.example.com" method="post">' +
- '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' +
- '<input id="post_author_attributes_id" name="post[author_attributes][id]" type="hidden" value="321" />' +
- '<input id="post_author_attributes_name" name="post[author_attributes][name]" size="30" type="text" value="author #321" />' +
- '</form>'
+ expected = whole_form do
+ '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' +
+ '<input id="post_author_attributes_id" name="post[author_attributes][id]" type="hidden" value="321" />' +
+ '<input id="post_author_attributes_name" name="post[author_attributes][name]" size="30" type="text" value="author #321" />'
+ end
assert_dom_equal expected, output_buffer
end
@@ -1051,13 +1046,13 @@ def test_nested_fields_for_with_existing_records_on_a_nested_attributes_collecti
end
end
- expected = '<form action="http://www.example.com" method="post">' +
- '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' +
- '<input id="post_comments_attributes_0_name" name="post[comments_attributes][0][name]" size="30" type="text" value="comment #1" />' +
- '<input id="post_comments_attributes_0_id" name="post[comments_attributes][0][id]" type="hidden" value="1" />' +
- '<input id="post_comments_attributes_1_name" name="post[comments_attributes][1][name]" size="30" type="text" value="comment #2" />' +
- '<input id="post_comments_attributes_1_id" name="post[comments_attributes][1][id]" type="hidden" value="2" />' +
- '</form>'
+ expected = whole_form do
+ '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' +
+ '<input id="post_comments_attributes_0_name" name="post[comments_attributes][0][name]" size="30" type="text" value="comment #1" />' +
+ '<input id="post_comments_attributes_0_id" name="post[comments_attributes][0][id]" type="hidden" value="1" />' +
+ '<input id="post_comments_attributes_1_name" name="post[comments_attributes][1][name]" size="30" type="text" value="comment #2" />' +
+ '<input id="post_comments_attributes_1_id" name="post[comments_attributes][1][id]" type="hidden" value="2" />'
+ end
assert_dom_equal expected, output_buffer
end
@@ -1077,13 +1072,13 @@ def test_nested_fields_for_with_existing_records_on_a_nested_attributes_collecti
end
end
- expected = '<form action="http://www.example.com" method="post">' +
- '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' +
- '<input id="post_comments_attributes_0_id" name="post[comments_attributes][0][id]" type="hidden" value="1" />' +
- '<input id="post_comments_attributes_0_name" name="post[comments_attributes][0][name]" size="30" type="text" value="comment #1" />' +
- '<input id="post_comments_attributes_1_id" name="post[comments_attributes][1][id]" type="hidden" value="2" />' +
- '<input id="post_comments_attributes_1_name" name="post[comments_attributes][1][name]" size="30" type="text" value="comment #2" />' +
- '</form>'
+ expected = whole_form do
+ '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' +
+ '<input id="post_comments_attributes_0_id" name="post[comments_attributes][0][id]" type="hidden" value="1" />' +
+ '<input id="post_comments_attributes_0_name" name="post[comments_attributes][0][name]" size="30" type="text" value="comment #1" />' +
+ '<input id="post_comments_attributes_1_id" name="post[comments_attributes][1][id]" type="hidden" value="2" />' +
+ '<input id="post_comments_attributes_1_name" name="post[comments_attributes][1][name]" size="30" type="text" value="comment #2" />'
+ end
assert_dom_equal expected, output_buffer
end
@@ -1102,11 +1097,11 @@ def test_nested_fields_for_with_new_records_on_a_nested_attributes_collection_as
end
end
- expected = '<form action="http://www.example.com" method="post">' +
- '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' +
- '<input id="post_comments_attributes_0_name" name="post[comments_attributes][0][name]" size="30" type="text" value="new comment" />' +
- '<input id="post_comments_attributes_1_name" name="post[comments_attributes][1][name]" size="30" type="text" value="new comment" />' +
- '</form>'
+ expected = whole_form do
+ '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' +
+ '<input id="post_comments_attributes_0_name" name="post[comments_attributes][0][name]" size="30" type="text" value="new comment" />' +
+ '<input id="post_comments_attributes_1_name" name="post[comments_attributes][1][name]" size="30" type="text" value="new comment" />'
+ end
assert_dom_equal expected, output_buffer
end
@@ -1125,12 +1120,12 @@ def test_nested_fields_for_with_existing_and_new_records_on_a_nested_attributes_
end
end
- expected = '<form action="http://www.example.com" method="post">' +
- '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' +
- '<input id="post_comments_attributes_0_name" name="post[comments_attributes][0][name]" size="30" type="text" value="comment #321" />' +
- '<input id="post_comments_attributes_0_id" name="post[comments_attributes][0][id]" type="hidden" value="321" />' +
- '<input id="post_comments_attributes_1_name" name="post[comments_attributes][1][name]" size="30" type="text" value="new comment" />' +
- '</form>'
+ expected = whole_form do
+ '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' +
+ '<input id="post_comments_attributes_0_name" name="post[comments_attributes][0][name]" size="30" type="text" value="comment #321" />' +
+ '<input id="post_comments_attributes_0_id" name="post[comments_attributes][0][id]" type="hidden" value="321" />' +
+ '<input id="post_comments_attributes_1_name" name="post[comments_attributes][1][name]" size="30" type="text" value="new comment" />'
+ end
assert_dom_equal expected, output_buffer
end
@@ -1145,9 +1140,9 @@ def test_nested_fields_for_with_an_empty_supplied_attributes_collection
end
end
- expected = '<form action="http://www.example.com" method="post">' +
- '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' +
- '</form>'
+ expected = whole_form do
+ '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />'
+ end
assert_dom_equal expected, output_buffer
end
@@ -1164,13 +1159,13 @@ def test_nested_fields_for_with_existing_records_on_a_supplied_nested_attributes
end
end
- expected = '<form action="http://www.example.com" method="post">' +
- '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' +
- '<input id="post_comments_attributes_0_name" name="post[comments_attributes][0][name]" size="30" type="text" value="comment #1" />' +
- '<input id="post_comments_attributes_0_id" name="post[comments_attributes][0][id]" type="hidden" value="1" />' +
- '<input id="post_comments_attributes_1_name" name="post[comments_attributes][1][name]" size="30" type="text" value="comment #2" />' +
- '<input id="post_comments_attributes_1_id" name="post[comments_attributes][1][id]" type="hidden" value="2" />' +
- '</form>'
+ expected = whole_form do
+ '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' +
+ '<input id="post_comments_attributes_0_name" name="post[comments_attributes][0][name]" size="30" type="text" value="comment #1" />' +
+ '<input id="post_comments_attributes_0_id" name="post[comments_attributes][0][id]" type="hidden" value="1" />' +
+ '<input id="post_comments_attributes_1_name" name="post[comments_attributes][1][name]" size="30" type="text" value="comment #2" />' +
+ '<input id="post_comments_attributes_1_id" name="post[comments_attributes][1][id]" type="hidden" value="2" />'
+ end
assert_dom_equal expected, output_buffer
end
@@ -1188,13 +1183,13 @@ def test_nested_fields_for_with_existing_records_on_a_supplied_nested_attributes
end
end
- expected = '<form action="http://www.example.com" method="post">' +
- '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' +
- '<input id="post_comments_attributes_0_name" name="post[comments_attributes][0][name]" size="30" type="text" value="comment #1" />' +
- '<input id="post_comments_attributes_0_id" name="post[comments_attributes][0][id]" type="hidden" value="1" />' +
- '<input id="post_comments_attributes_1_name" name="post[comments_attributes][1][name]" size="30" type="text" value="comment #2" />' +
- '<input id="post_comments_attributes_1_id" name="post[comments_attributes][1][id]" type="hidden" value="2" />' +
- '</form>'
+ expected = whole_form do
+ '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' +
+ '<input id="post_comments_attributes_0_name" name="post[comments_attributes][0][name]" size="30" type="text" value="comment #1" />' +
+ '<input id="post_comments_attributes_0_id" name="post[comments_attributes][0][id]" type="hidden" value="1" />' +
+ '<input id="post_comments_attributes_1_name" name="post[comments_attributes][1][name]" size="30" type="text" value="comment #2" />' +
+ '<input id="post_comments_attributes_1_id" name="post[comments_attributes][1][id]" type="hidden" value="2" />'
+ end
assert_dom_equal expected, output_buffer
end
@@ -1213,12 +1208,12 @@ def test_nested_fields_for_on_a_nested_attributes_collection_association_yields_
end
end
- expected = '<form action="http://www.example.com" method="post">' +
- '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' +
- '<input id="post_comments_attributes_0_name" name="post[comments_attributes][0][name]" size="30" type="text" value="comment #321" />' +
- '<input id="post_comments_attributes_0_id" name="post[comments_attributes][0][id]" type="hidden" value="321" />' +
- '<input id="post_comments_attributes_1_name" name="post[comments_attributes][1][name]" size="30" type="text" value="new comment" />' +
- '</form>'
+ expected = whole_form do
+ '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' +
+ '<input id="post_comments_attributes_0_name" name="post[comments_attributes][0][name]" size="30" type="text" value="comment #321" />' +
+ '<input id="post_comments_attributes_0_id" name="post[comments_attributes][0][id]" type="hidden" value="321" />' +
+ '<input id="post_comments_attributes_1_name" name="post[comments_attributes][1][name]" size="30" type="text" value="new comment" />'
+ end
assert_dom_equal expected, output_buffer
assert_equal yielded_comments, @post.comments
@@ -1235,10 +1230,10 @@ def test_nested_fields_for_with_child_index_option_override_on_a_nested_attribut
end
end
- expected = '<form action="http://www.example.com" method="post">' +
- '<input id="post_comments_attributes_abc_name" name="post[comments_attributes][abc][name]" size="30" type="text" value="comment #321" />' +
- '<input id="post_comments_attributes_abc_id" name="post[comments_attributes][abc][id]" type="hidden" value="321" />' +
- '</form>'
+ expected = whole_form do
+ '<input id="post_comments_attributes_abc_name" name="post[comments_attributes][abc][name]" size="30" type="text" value="comment #321" />' +
+ '<input id="post_comments_attributes_abc_id" name="post[comments_attributes][abc][id]" type="hidden" value="321" />'
+ end
assert_dom_equal expected, output_buffer
end
@@ -1273,20 +1268,20 @@ def test_nested_fields_uses_unique_indices_for_different_collection_associations
end
end
- expected = '<form action="http://www.example.com" method="post">' +
- '<input id="post_comments_attributes_0_name" name="post[comments_attributes][0][name]" size="30" type="text" value="comment #321" />' +
- '<input id="post_comments_attributes_0_relevances_attributes_0_value" name="post[comments_attributes][0][relevances_attributes][0][value]" size="30" type="text" value="commentrelevance #314" />' +
- '<input id="post_comments_attributes_0_relevances_attributes_0_id" name="post[comments_attributes][0][relevances_attributes][0][id]" type="hidden" value="314" />' +
- '<input id="post_comments_attributes_0_id" name="post[comments_attributes][0][id]" type="hidden" value="321" />' +
- '<input id="post_tags_attributes_0_value" name="post[tags_attributes][0][value]" size="30" type="text" value="tag #123" />' +
- '<input id="post_tags_attributes_0_relevances_attributes_0_value" name="post[tags_attributes][0][relevances_attributes][0][value]" size="30" type="text" value="tagrelevance #3141" />' +
- '<input id="post_tags_attributes_0_relevances_attributes_0_id" name="post[tags_attributes][0][relevances_attributes][0][id]" type="hidden" value="3141" />' +
- '<input id="post_tags_attributes_0_id" name="post[tags_attributes][0][id]" type="hidden" value="123" />' +
- '<input id="post_tags_attributes_1_value" name="post[tags_attributes][1][value]" size="30" type="text" value="tag #456" />' +
- '<input id="post_tags_attributes_1_relevances_attributes_0_value" name="post[tags_attributes][1][relevances_attributes][0][value]" size="30" type="text" value="tagrelevance #31415" />' +
- '<input id="post_tags_attributes_1_relevances_attributes_0_id" name="post[tags_attributes][1][relevances_attributes][0][id]" type="hidden" value="31415" />' +
- '<input id="post_tags_attributes_1_id" name="post[tags_attributes][1][id]" type="hidden" value="456" />' +
- '</form>'
+ expected = whole_form do
+ '<input id="post_comments_attributes_0_name" name="post[comments_attributes][0][name]" size="30" type="text" value="comment #321" />' +
+ '<input id="post_comments_attributes_0_relevances_attributes_0_value" name="post[comments_attributes][0][relevances_attributes][0][value]" size="30" type="text" value="commentrelevance #314" />' +
+ '<input id="post_comments_attributes_0_relevances_attributes_0_id" name="post[comments_attributes][0][relevances_attributes][0][id]" type="hidden" value="314" />' +
+ '<input id="post_comments_attributes_0_id" name="post[comments_attributes][0][id]" type="hidden" value="321" />' +
+ '<input id="post_tags_attributes_0_value" name="post[tags_attributes][0][value]" size="30" type="text" value="tag #123" />' +
+ '<input id="post_tags_attributes_0_relevances_attributes_0_value" name="post[tags_attributes][0][relevances_attributes][0][value]" size="30" type="text" value="tagrelevance #3141" />' +
+ '<input id="post_tags_attributes_0_relevances_attributes_0_id" name="post[tags_attributes][0][relevances_attributes][0][id]" type="hidden" value="3141" />' +
+ '<input id="post_tags_attributes_0_id" name="post[tags_attributes][0][id]" type="hidden" value="123" />' +
+ '<input id="post_tags_attributes_1_value" name="post[tags_attributes][1][value]" size="30" type="text" value="tag #456" />' +
+ '<input id="post_tags_attributes_1_relevances_attributes_0_value" name="post[tags_attributes][1][relevances_attributes][0][value]" size="30" type="text" value="tagrelevance #31415" />' +
+ '<input id="post_tags_attributes_1_relevances_attributes_0_id" name="post[tags_attributes][1][relevances_attributes][0][id]" type="hidden" value="31415" />' +
+ '<input id="post_tags_attributes_1_id" name="post[tags_attributes][1][id]" type="hidden" value="456" />'
+ end
assert_dom_equal expected, output_buffer
end
@@ -1426,7 +1421,8 @@ def test_form_for_and_fields_for
end
expected =
- "<form action='http://www.example.com' id='create-post' method='post'>" +
+ "<form accept-charset='UTF-8' action='http://www.example.com' id='create-post' method='post'>" +
+ snowman +
"<input name='post[title]' size='30' type='text' id='post_title' value='Hello World' />" +
"<textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" +
"<input name='parent_post[secret]' type='hidden' value='0' />" +
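Review bot: the expected string in test_form_for_and_fields_for still hand-writes the `<form accept-charset='UTF-8' ...>` tag and calls snowman directly, while the neighbouring tests in this file build the same markup through whole_form. The next hunk already uses whole_form("http://www.example.com", "create-post") for an identical action and id, so wrapping this expectation the same way would keep the accept-charset and hidden-input markup in one place and avoid a second spelling of it to update when the parameter is renamed.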
@@ -1449,11 +1445,11 @@ def test_form_for_and_fields_for_with_object
end
expected =
- "<form action='http://www.example.com' id='create-post' method='post'>" +
- "<input name='post[title]' size='30' type='text' id='post_title' value='Hello World' />" +
- "<textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" +
- "<input name='post[comment][name]' type='text' id='post_comment_name' value='new comment' size='30' />" +
- "</form>"
+ whole_form("http://www.example.com", "create-post") do
+ "<input name='post[title]' size='30' type='text' id='post_title' value='Hello World' />" +
+ "<textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" +
+ "<input name='post[comment][name]' type='text' id='post_comment_name' value='new comment' size='30' />"
+ end
assert_dom_equal expected, output_buffer
end
@@ -1477,16 +1473,42 @@ def test_form_for_with_labelled_builder
end
end
- expected =
- "<form action='http://www.example.com' method='post'>" +
- "<label for='title'>Title:</label> <input name='post[title]' size='30' type='text' id='post_title' value='Hello World' /><br/>" +
- "<label for='body'>Body:</label> <textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea><br/>" +
- "<label for='secret'>Secret:</label> <input name='post[secret]' type='hidden' value='0' /><input name='post[secret]' checked='checked' type='checkbox' id='post_secret' value='1' /><br/>" +
- "</form>"
+ expected = whole_form do
+ "<label for='title'>Title:</label> <input name='post[title]' size='30' type='text' id='post_title' value='Hello World' /><br/>" +
+ "<label for='body'>Body:</label> <textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea><br/>" +
+ "<label for='secret'>Secret:</label> <input name='post[secret]' type='hidden' value='0' /><input name='post[secret]' checked='checked' type='checkbox' id='post_secret' value='1' /><br/>"
+ end
assert_dom_equal expected, output_buffer
end
+ def snowman(method = nil)
+ txt = %{<div style="margin:0;padding:0;display:inline">}
+ txt << %{<input name="_snowman_" type="hidden" value="&#9731;" />}
+ txt << %{<input name="_method" type="hidden" value="#{method}" />} if method
+ txt << %{</div>}
+ end
+
+ def form_text(action = "http://www.example.com", id = nil, html_class = nil, remote = nil)
+ txt = %{<form accept-charset="UTF-8" action="#{action}"}
+ txt << %{ data-remote="true"} if remote
+ txt << %{ class="#{html_class}"} if html_class
+ txt << %{ id="#{id}"} if id
+ txt << %{ method="post">}
+ end
+
+ def whole_form(action = "http://www.example.com", id = nil, html_class = nil, options = nil)
+ contents = block_given? ? yield : ""
+
+ if options.is_a?(Hash)
+ method, remote = options.values_at(:method, :remote)
+ else
+ method = options
+ end
+
+ form_text(action, id, html_class, remote) + snowman(method) + contents + "</form>"
+ end
+
def test_default_form_builder
old_default_form_builder, ActionView::Base.default_form_builder =
ActionView::Base.default_form_builder, LabelledFormBuilder
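Review bot: the fourth positional argument of whole_form is overloaded: `options` is treated as a Hash carrying :method and :remote, or as the bare method value when it is anything else (`method = options`). Callers elsewhere in this file pass "put" positionally, so the Hash branch is easy to miss, and the signature differs from the whole_form(action, options = {}) added to form_tag_helper_test.rb in the same commit. Taking a single options hash in both files would remove the is_a?(Hash) branch and make the merge that the commit message lists as a TODO straightforward. The three helpers are also defined in the middle of the test methods; moving them to the top of the class or under private would make it clear they are fixtures, not tests.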
@@ -1499,12 +1521,11 @@ def test_default_form_builder
end
end
- expected =
- "<form action='http://www.example.com' method='post'>" +
+ expected = whole_form do
"<label for='title'>Title:</label> <input name='post[title]' size='30' type='text' id='post_title' value='Hello World' /><br/>" +
"<label for='body'>Body:</label> <textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea><br/>" +
- "<label for='secret'>Secret:</label> <input name='post[secret]' type='hidden' value='0' /><input name='post[secret]' checked='checked' type='checkbox' id='post_secret' value='1' /><br/>" +
- "</form>"
+ "<label for='secret'>Secret:</label> <input name='post[secret]' type='hidden' value='0' /><input name='post[secret]' checked='checked' type='checkbox' id='post_secret' value='1' /><br/>"
+ end
assert_dom_equal expected, output_buffer
ensure
@@ -1577,7 +1598,7 @@ def test_form_for_with_html_options_adds_options_to_form_tag
assert_deprecated do
form_for(:post, @post, :html => {:id => 'some_form', :class => 'some_class'}) do |f| end
end
- expected = "<form action=\"http://www.example.com\" class=\"some_class\" id=\"some_form\" method=\"post\"></form>"
+ expected = whole_form("http://www.example.com", "some_form", "some_class")
assert_dom_equal expected, output_buffer
end
@@ -1587,7 +1608,8 @@ def test_form_for_with_string_url_option
form_for(:post, @post, :url => 'http://www.otherdomain.com') do |f| end
end
- assert_equal '<form action="http://www.otherdomain.com" method="post"></form>', output_buffer
+ assert_equal whole_form("http://www.otherdomain.com"), output_buffer
+ # assert_equal '<form action="http://www.otherdomain.com" method="post"></form>', output_buffer
end
def test_form_for_with_hash_url_option
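Review bot: the commented-out old assertion left under the new assert_equal in test_form_for_with_string_url_option (`# assert_equal '<form action="http://www.otherdomain.com" method="post"></form>', output_buffer`) is dead code. The diff itself records the previous expectation, so the comment can be dropped.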
@@ -1604,14 +1626,15 @@ def test_form_for_with_record_url_option
form_for(:post, @post, :url => @post) do |f| end
end
- expected = "<form action=\"/posts/123\" method=\"post\"></form>"
+ expected = whole_form("/posts/123")
+ # expected = "<form action=\"/posts/123\" method=\"post\"></form>"
assert_equal expected, output_buffer
end
def test_form_for_with_existing_object
form_for(@post) do |f| end
- expected = "<form action=\"/posts/123\" class=\"edit_post\" id=\"edit_post_123\" method=\"post\"><div style=\"margin:0;padding:0;display:inline\"><input name=\"_method\" type=\"hidden\" value=\"put\" /></div></form>"
+ expected = whole_form("/posts/123", "edit_post_123", "edit_post", "put")
assert_equal expected, output_buffer
end
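Review bot: both tests in this hunk compare with assert_equal, so they now pass only if form_for emits its attributes in exactly the order form_text writes them (accept-charset, action, class, id, method) and the hidden-input div byte for byte as snowman writes it. Most of the other expectations rewritten in this file use assert_dom_equal; switching these to assert_dom_equal would keep the tests about the presence of accept-charset and the hidden input instead of attribute ordering. The commented-out `# expected = "<form action=\"/posts/123\" method=\"post\"></form>"` line should also be removed.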
@@ -1622,7 +1645,7 @@ def post.id() nil end
form_for(post) do |f| end
- expected = "<form action=\"/posts\" class=\"new_post\" id=\"new_post\" method=\"post\"></form>"
+ expected = whole_form("/posts", "new_post", "new_post")
assert_equal expected, output_buffer
end
@@ -1630,14 +1653,14 @@ def test_form_for_with_existing_object_in_list
@comment.save
form_for([@post, @comment]) {}
- expected = %(<form action="#{comment_path(@post, @comment)}" class="edit_comment" id="edit_comment_1" method="post"><div style="margin:0;padding:0;display:inline"><input name="_method" type="hidden" value="put" /></div></form>)
+ expected = whole_form(comment_path(@post, @comment), "edit_comment_1", "edit_comment", "put")
assert_dom_equal expected, output_buffer
end
def test_form_for_with_new_object_in_list
form_for([@post, @comment]) {}
- expected = %(<form action="#{comments_path(@post)}" class="new_comment" id="new_comment" method="post"></form>)
+ expected = whole_form(comments_path(@post), "new_comment", "new_comment")
assert_dom_equal expected, output_buffer
end
@@ -1645,21 +1668,21 @@ def test_form_for_with_existing_object_and_namespace_in_list
@comment.save
form_for([:admin, @post, @comment]) {}
- expected = %(<form action="#{admin_comment_path(@post, @comment)}" class="edit_comment" id="edit_comment_1" method="post"><div style="margin:0;padding:0;display:inline"><input name="_method" type="hidden" value="put" /></div></form>)
+ expected = whole_form(admin_comment_path(@post, @comment), "edit_comment_1", "edit_comment", "put")
assert_dom_equal expected, output_buffer
end
def test_form_for_with_new_object_and_namespace_in_list
form_for([:admin, @post, @comment]) {}
- expected = %(<form action="#{admin_comments_path(@post)}" class="new_comment" id="new_comment" method="post"></form>)
+ expected = whole_form(admin_comments_path(@post), "new_comment", "new_comment")
assert_dom_equal expected, output_buffer
end
def test_form_for_with_existing_object_and_custom_url
form_for(@post, :url => "/super_posts") do |f| end
- expected = "<form action=\"/super_posts\" class=\"edit_post\" id=\"edit_post_123\" method=\"post\"><div style=\"margin:0;padding:0;display:inline\"><input name=\"_method\" type=\"hidden\" value=\"put\" /></div></form>"
+ expected = whole_form("/super_posts", "edit_post_123", "edit_post", "put")
assert_equal expected, output_buffer
end
56 actionpack/test/template/form_tag_helper_test.rb
@@ -8,6 +8,36 @@ def setup
@controller = BasicController.new
end
+ def snowman(options = {})
+ method = options[:method]
+
+ txt = %{<div style="margin:0;padding:0;display:inline">}
+ txt << %{<input name="_snowman_" type="hidden" value="&#9731;" />}
+ txt << %{<input name="_method" type="hidden" value="#{method}" />} if method
+ txt << %{</div>}
+ end
+
+ def form_text(action = "http://www.example.com", options = {})
+ remote, enctype, html_class, id = options.values_at(:remote, :enctype, :html_class, :id)
+
+ txt = %{<form accept-charset="UTF-8" action="#{action}"}
+ txt << %{ enctype="multipart/form-data"} if enctype
+ txt << %{ data-remote="true"} if remote
+ txt << %{ class="#{html_class}"} if html_class
+ txt << %{ id="#{id}"} if id
+ txt << %{ method="post">}
+ end
+
+ def whole_form(action = "http://www.example.com", options = {})
+ out = form_text(action, options) + snowman(options)
+
+ if block_given?
+ out << yield << "</form>"
+ end
+
+ out
+ end
+
def url_for(options)
if options.is_a?(Hash)
"http://www.example.com"
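Review bot: this whole_form returns an unclosed `<form ...>` plus the hidden div when no block is given and only appends "</form>" inside `if block_given?`, whereas the helper of the same name added to form_helper_test.rb always appends "</form>". That matches what form_tag returns without a block, but nothing in the helper says so, and two same-named helpers with different contracts will be easy to misuse once they are merged as the commit message plans. A short comment on the no-block case, or a separate name for the open-tag-only variant, would help. Separately, `:enctype` is read as a flag that always writes enctype="multipart/form-data", so `:multipart => true` would describe the option more accurately.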
@@ -31,51 +61,57 @@ def test_check_box_tag_id_sanitized
def test_form_tag
actual = form_tag
- expected = %(<form action="http://www.example.com" method="post">)
+ expected = whole_form
assert_dom_equal expected, actual
end
def test_form_tag_multipart
actual = form_tag({}, { 'multipart' => true })
- expected = %(<form action="http://www.example.com" enctype="multipart/form-data" method="post">)
+ expected = whole_form("http://www.example.com", :enctype => true)
assert_dom_equal expected, actual
end
def test_form_tag_with_method_put
actual = form_tag({}, { :method => :put })
- expected = %(<form action="http://www.example.com" method="post"><div style='margin:0;padding:0;display:inline'><input type="hidden" name="_method" value="put" /></div>)
+ expected = whole_form("http://www.example.com", :method => :put)
assert_dom_equal expected, actual
end
def test_form_tag_with_method_delete
actual = form_tag({}, { :method => :delete })
- expected = %(<form action="http://www.example.com" method="post"><div style='margin:0;padding:0;display:inline'><input type="hidden" name="_method" value="delete" /></div>)
+
+ expected = whole_form("http://www.example.com", :method => :delete)
assert_dom_equal expected, actual
end
def test_form_tag_with_remote
actual = form_tag({}, :remote => true)
- expected = %(<form action="http://www.example.com" method="post" data-remote="true">)
+
+ expected = whole_form("http://www.example.com", :remote => true)
assert_dom_equal expected, actual
end
def test_form_tag_with_remote_false
actual = form_tag({}, :remote => false)
- expected = %(<form action="http://www.example.com" method="post">)
+
+ expected = whole_form
assert_dom_equal expected, actual
end
def test_form_tag_with_block_in_erb
- output_buffer = form_tag("http://example.com") { concat "Hello world!" }
+ output_buffer = form_tag("http://www.example.com") { concat "Hello world!" }
- expected = %(<form action="http://example.com" method="post">Hello world!</form>)
+ expected = whole_form { "Hello world!" }
assert_dom_equal expected, output_buffer
end
def test_form_tag_with_block_and_method_in_erb
- output_buffer = form_tag("http://example.com", :method => :put) { concat "Hello world!" }
+ output_buffer = form_tag("http://www.example.com", :method => :put) { concat "Hello world!" }
+
+ expected = whole_form("http://www.example.com", :method => "put") do
+ "Hello world!"
+ end
- expected = %(<form action="http://example.com" method="post"><div style='margin:0;padding:0;display:inline'><input type="hidden" name="_method" value="put" /></div>Hello world!</form>)
assert_dom_equal expected, output_buffer
end
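Review bot: in test_form_tag_with_block_in_erb and test_form_tag_with_block_and_method_in_erb the input passed to form_tag changes from "http://example.com" to "http://www.example.com" so that it matches whole_form's default action. Changing the test input to suit the helper is unnecessary, since whole_form takes the action as its first argument: whole_form("http://example.com") { "Hello world!" } keeps the original input. The method value is also passed inconsistently, as :method => :put in test_form_tag_with_method_put and :method => "put" in the block test; both interpolate to the same string, so pick one form.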

31 comments on commit 25215d7

Jonas Grimfelt

Hmm...what's the motivation behind supporting IE5? Curious as I haven't seen IE5 showing up in any browser stats in years.

José Valim
Owner

IE5+ (emphasis in the +) ;)

Jeremy Walker

Can I suggest documenting the snowman tag? I just saw this in an HTTP trace and panicked somewhat in case my server had been compromised. I just think sending a new variable with every form request is something that people should know about.

Thanks,
iHiD

Jonas Grimfelt

Aha. :)

Alex MacCaw

Woah - was pretty surprised when I saw snowman in my log today.

Pete Nicholls

Paul Campbell

It would actually help to do a (high profile) blog post about this ... I went searching for it when I started seeing snowmen and it was quite hard to track down.

It is the kind of thing that would freak people out, and, dare I say it, make people think of Rails less seriously. I love it, but on the surface, it feels like an immature Easter egg, rather than a cute hack for forcing unicode.

Mark Richman

Why haven't we heard about this hackery before?

Yehuda Katz
Collaborator

This bug exists in IE5, IE6, IE7, and IE8. If the user switches the browser's encoding to Latin-1 (to understand why a user would decide to do something seemingly so crazy, check out this google search: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=diamond+with+a+question+mark+in+it), any form submission will be sent in Latin-1.

This means that if a user searches for "Ché Guevara", it will come through incorrectly on the server-side. In Ruby 1.9, this will result in an encoding error when the text inevitably makes its way into the regular expression engine. In Ruby 1.8, it will result in broken results for the user.

By creating a parameter that can only be understood by IE as a unicode character, we are forcing IE to look at the accept-charset attribute, which then tells it to encode all of the characters as UTF-8, even ones that can be encoded in Latin-1.

Keep in mind that in Ruby 1.8, it is extremely trivial to get Latin-1 data into your UTF-8 database (since NOTHING in the entire stack checks that the bytes that the user sent at any point are valid UTF-8 characters). As a result, it's extremely common for Ruby applications (and PHP applications, etc. etc.) to exhibit this user-facing bug, and therefore extremely common for users to try to change the encoding as a palliative measure.

All that said, when I wrote this patch, I didn't realize that the name of the parameter would ever appear in a user-facing place (it does with forms that use the GET action, such as search forms). Since it does, we will rename this parameter to _e, and use a more innocuous-looking unicode character.
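The failure described in the comment above, together with the commit message's "Validate inbound text to confirm it is UTF-8" TODO, as an added Ruby example that is not part of the commit or of this thread. The method names, the error class and the sample bytes are constructed for illustration and are not Rails APIs.

```ruby
# Constructed sample input: the bytes a browser submits for "Ché Guevara".
LATIN1_BYTES = "Ch\xE9 Guevara".b      # page switched to Latin-1: é is the single byte 0xE9
UTF8_BYTES   = "Ch\xC3\xA9 Guevara".b  # accept-charset honoured: é is the bytes 0xC3 0xA9

# Hypothetical error class for this example.
class InvalidParameterEncoding < StandardError; end

# What the commit does to each String: label the raw bytes as UTF-8
# without checking that they form valid UTF-8.
def label_as_utf8(raw)
  raw.dup.force_encoding(Encoding::UTF_8)
end

# The Ruby 1.9+ failure mode from the thread: a mislabelled string
# reaching the regular expression engine raises ArgumentError.
def regex_search(str)
  str =~ /Guevara/ ? :matched : :no_match
rescue ArgumentError
  :encoding_error
end

# Hypothetical version of the validation the commit leaves as a TODO:
# walk nested params and refuse any key or value that is not valid UTF-8,
# so the error surfaces at the request boundary instead of deep in the app.
def validate_params(params)
  case params
  when String
    str = label_as_utf8(params)
    unless str.valid_encoding?
      raise InvalidParameterEncoding, "invalid UTF-8: #{params.inspect}"
    end
    str
  when Hash
    params.each_with_object({}) do |(key, value), out|
      out[validate_params(key)] = validate_params(value)
    end
  when Array
    params.map { |value| validate_params(value) }
  else
    params
  end
end

# True when validate_params refuses the input.
def rejected?(params)
  validate_params(params)
  false
rescue InvalidParameterEncoding
  true
end

if __FILE__ == $PROGRAM_NAME
  { "UTF-8 submission" => UTF8_BYTES, "Latin-1 submission" => LATIN1_BYTES }.each do |label, raw|
    str = label_as_utf8(raw)
    puts "#{label}: valid_encoding?=#{str.valid_encoding?} regex=#{regex_search(str)}"
  end
  puts "nested Latin-1 value rejected: #{rejected?({ 'post' => { 'title' => LATIN1_BYTES } })}"
end
```

Rejecting at the boundary also keeps mislabelled Latin-1 bytes out of a UTF-8 database, which is the Ruby 1.8 problem the comment describes.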

Mark Richman

Oh come on, why not just name it to _ie ;)

Alex MacCaw

Would IE user agent sniffing be a bad idea?

Nicolás Sanguinetti

I mentioned this in twitter, but why not just set up a middleware that does params.delete(:_snowman_) when it gets to rack? That way end-users will never see this. That, and documenting why you get it on your logs (or maybe removing it even before it hits the logs…) should be enough to keep everyone happy.

Thomas Ingram

Personally I love the silliness of _snowman. _ie is a wonderful choice as well, but _e strikes me as enterprise-y and boring.

Xavier Noria
Owner

@foca renaming is considered because if you send a form with GET, eg a search form, the query string has the snowman. We do not want end-users to have such a prominent strange parameter right there. The fact that it appears in the params hash is not an issue, as "_method" does.

It could be the case that _e is actually called the snowman parameter though :).

aaronchi

I vote for changing snowman to lollipop because it will be more silly and even less corporate-y. That'll teach those suits!

Gotta love open source ;)

Norman Clarke

I think "Frosty" should be the new official Rails mascot.

Pete Nicholls

@paulca Completely agree. Here's one option: I've set up a simple page with information about the Rails snowman people can easily search for. The repo is at http://github.com/Aupajo/rails-snowman-info and the website will be at http://railssnowman.info, once the DNS updates and the CNAME kicks in.

Łukasz Strzałkowski
Collaborator

@Aupajo great idea. But it's no longer snowman but _snowman - check out this commit: http://github.com/rails/rails/commit/caab17611668ff18a3c8642b2d45b353be5d9691 (with no underscore on the end). I've sent you a patch via email for it. If you didn't get it, here it is: http://gist.github.com/493743

Jeremy Walker

Would it not make sense just to add a config option to change the name of the parameter? There is always a small risk that whatever is chosen will conflict with an existing app, may be unacceptable in that particular organisation etc. By keeping a default that is well documented (nice work @Aupajo), new users will understand what is going on, but still have control to change it if necessary.

In terms of logs, I think that it should be filtered by default for new apps (in config.filter_parameters), as per :password.

Pete Nicholls

@strzalek Thanks! I've applied your patch.

@ihid I think a company is much more likely to be tripped up by _method than _snowman. If one is acceptable, so should the other be.

Damien Mathieu
Collaborator

@ihid : you shouldn't be using parameters starting with a _ in your forms anyway.
Moreover one of the principles of rails is : convention over configuration. It's just being applied here.

For the filter_parameters, that's intended for security reasons, to avoid having password in clear in the log file.
It doesn't seem applicable here as it's not a matter of security to have the _snowman parameter in the log. You can, however, always add it in your applications if you wish to.

Jeremy Walker

@Aupajo - I agree that _method is probably more dangerous. However, saying that, "method" is an HTTP word and its value is going to be sensible (get/post/put etc). Seeing a ☃ in your URL could be seen as somewhat unprofessional. I like _snowman as a default, but I think it needs a simple config option just in case. Nice work with the explanation page.

Rob Cameron

I vote to keep _snowman as a neat little Rails easter egg.

Mark Richman

@cannikin I would not refer to this as an Easter Egg, as those are typically deliberately obfuscated artifacts. The _snowman thing is quite obvious. What I'd really like to find out is why this bug in IE has been hanging around for so long. As a recovering Microsoft addict, this topic is especially interesting to me.

Tim Connor

name it _unicode_shim but keep the choice of characters? Then it's somewhat self-explanatory, and which character it is matters less, so it might as well be an amusing one, like the snowman

Nathan Youngman

For method=get, is the _snowman needed for IE at all? If not, then I think snowman is fine. Otherwise, changing to a less conspicuous looking Unicode character and parameter name sounds good.

Tim Connor

Now that I think about it, maybe using slang for a drug-dealer is less than ideal for a covert parameter/character.

Gavin Hughes

-1 on _snowman. I propose _force_ie_unicode_support. That describes exactly what the parameter is for. Self-documenting is definitely better than cute.

Joseph Pearson

Perhaps this should only apply to POST/PUT forms? It makes rather a mess of GET request URLs (eg, search results). Since GETs are theoretically idempotent, involving no important db writes, perhaps the problem here doesn't apply so much to them. Just a thought.
