Fix several known web encoding issues:

* Specify accept-charset on all forms. All recent browsers, as well as IE5+, will use the encoding specified for form parameters * Unfortunately, IE5+ will not look at accept-charset unless at least one character in the form's values is not in the page's charset. Since the user can override the default charset (which Rails sets to UTF-8), we provide a hidden input containing a unicode character, forcing IE to look at the accept-charset. * Now that the vast majority of web input is UTF-8, we set the inbound parameters to UTF-8. This will eliminate many cases of incompatible encodings between ASCII-8BIT and UTF-8. * You can safely ignore params[:_snowman_] TODO: * Validate inbound text to confirm it is UTF-8 * Combine the whole_form implementations in form_helper_test and form_tag_helper_test
rails · Jun 28, 2010 · 25215d7 · defmthd · Aug 25, 2010 · Spaceghost
1 parent 06b0d6e
commit 25215d7
Show file tree

Hide file tree

Showing 7 changed files with 318 additions and 198 deletions.
diff --git a/actionpack/lib/action_dispatch/http/parameters.rb b/actionpack/lib/action_dispatch/http/parameters.rb
@@ -6,7 +6,11 @@ module Http
     module Parameters
       # Returns both GET and POST \parameters in a single hash.
       def parameters
-        @env["action_dispatch.request.parameters"] ||= request_parameters.merge(query_parameters).update(path_parameters).with_indifferent_access
+        @env["action_dispatch.request.parameters"] ||= begin
+          params = request_parameters.merge(query_parameters)
+          params.merge!(path_parameters)
+          encode_params(params).with_indifferent_access
+        end
       end
       alias :params :parameters
 
@@ -32,6 +36,31 @@ def path_parameters
       end
 
     private
+
+      # TODO: Validate that the characters are UTF-8. If they aren't,
+      # you'll get a weird error down the road, but our form handling
+      # should really prevent that from happening
+      def encode_params(params)
+        return params unless "ruby".encoding_aware?
+
+        if params.is_a?(String)
+          return params.force_encoding("UTF-8").encode!
+        elsif !params.is_a?(Hash)
+          return params
+        end
+
+        params.each do |k, v|
+          case v
+          when Hash
+            encode_params(v)
+          when Array
+            v.map! {|el| encode_params(el) }
+          else
+            encode_params(v)
+          end
+        end
+      end
+
       # Convert nested Hash to HashWithIndifferentAccess
       def normalize_parameters(value)
         case value

diff --git a/actionpack/lib/action_view/helpers/form_tag_helper.rb b/actionpack/lib/action_view/helpers/form_tag_helper.rb
@@ -530,22 +530,31 @@ def html_options_for_form(url_for_options, options, *parameters_for_url)
           returning options.stringify_keys do |html_options|
             html_options["enctype"] = "multipart/form-data" if html_options.delete("multipart")
             html_options["action"]  = url_for(url_for_options, *parameters_for_url)
+            html_options["accept-encoding"] = "UTF-8"
             html_options["data-remote"] = true if html_options.delete("remote")
           end
         end
 
         def extra_tags_for_form(html_options)
-          case method = html_options.delete("method").to_s
+          snowman_tag = tag(:input, :type => "hidden",
+                            :name => "_snowman_", :value => "&#9731;")
+
+          method = html_options.delete("method").to_s
+
+          method_tag = case method
             when /^get$/i # must be case-insensitive, but can't use downcase as might be nil
               html_options["method"] = "get"
               ''
             when /^post$/i, "", nil
               html_options["method"] = "post"
-              protect_against_forgery? ? content_tag(:div, token_tag, :style => 'margin:0;padding:0;display:inline') : ''
+              token_tag
             else
               html_options["method"] = "post"
-              content_tag(:div, tag(:input, :type => "hidden", :name => "_method", :value => method) + token_tag, :style => 'margin:0;padding:0;display:inline')
+              tag(:input, :type => "hidden", :name => "_method", :value => method) + token_tag
           end
+
+          tags = snowman_tag << method_tag
+          content_tag(:div, tags, :style => 'margin:0;padding:0;display:inline')
         end
 
         def form_tag_html(html_options)

diff --git a/actionpack/test/dispatch/request/url_encoded_params_parsing_test.rb b/actionpack/test/dispatch/request/url_encoded_params_parsing_test.rb
@@ -141,6 +141,29 @@ def assert_parses(expected, actual)
         post "/parse", actual
         assert_response :ok
         assert_equal(expected, TestController.last_request_parameters)
+        assert_utf8(TestController.last_request_parameters)
+      end
+    end
+
+    def assert_utf8(object)
+      return unless "ruby".encoding_aware?
+
+      correct_encoding = Encoding.default_internal
+
+      unless object.is_a?(Hash)
+        assert_equal correct_encoding, object.encoding, "#{object.inspect} should have been UTF-8"
+        return
+      end
+
+      object.each do |k,v|
+        case v
+        when Hash
+          assert_utf8(v)
+        when Array
+          v.each {|el| assert_utf8(el) }
+        else
+          assert_utf8(v)
+        end
       end
     end
 end
diff --git a/actionpack/test/template/erb/form_for_test.rb b/actionpack/test/template/erb/form_for_test.rb
@@ -5,7 +5,7 @@ module ERBTest
   class TagHelperTest < BlockTestCase
     test "form_for works" do
       output = render_content "form_for(:staticpage, :url => {:controller => 'blah', :action => 'update'})", ""
-      assert_equal "<form action=\"/blah/update\" method=\"post\"></form>", output
+      assert_match %r{<form.*action="/blah/update".*method="post">.*</form>}, output
     end
   end
 end
diff --git a/actionpack/test/template/erb/tag_helper_test.rb b/actionpack/test/template/erb/tag_helper_test.rb
@@ -28,8 +28,8 @@ def maybe_deprecated
     end
 
     test "percent equals works with form tags" do
-      expected_output = "<form action=\"foo\" method=\"post\">hello</form>"
-      maybe_deprecated { assert_equal expected_output, render_content("form_tag('foo')", "<%= 'hello' %>") }
+      expected_output = %r{<form.*action="foo".*method="post">.*hello*</form>}
+      maybe_deprecated { assert_match expected_output, render_content("form_tag('foo')", "<%= 'hello' %>") }
     end
 
     test "percent equals works with fieldset tags" do