observe_form encodeURIComponent(value) with protect_from_forgery

Hi

Since Rails 2.2RC1, I have a problem with observe_form. When I use the simplest form:

observe_form "article_form", :frequency => 60, :url => { :action => "autosave" }

The JavaScript generated is:

new Form.Observer('article_form', 60, function(element, value) {new Ajax.Request('/admin/content/autosave', {asynchronous:true, evalScripts:true, parameters:'value=' + encodeURIComponent(value) + '&authenticity_token=' + encodeURIComponent('1d6397023865060a4a22e482ebc98295304479c3')})})

With Rails 2.1 it generated:

new Form.Observer('article_form', 60, function(element, value) {new Ajax.Request('/admin/content/autosave', {asynchronous:true, evalScripts:true, parameters:'value='+ value + '&authenticity_token=' + encodeURIComponent('b2bb6b2dd85474c3264ddc1cf365c72495651dc4')})})

If I read the unit test for this helper, I can see that there is no test with protect_from_forgery. And if I look at the result expected from the helper, I can see that it doesn't want encodeURIComponent(value):

  def test_observe_form
    assert_dom_equal %(<script type=\"text/javascript\">\n//<![CDATA[\nnew Form.Observer('cart', 2, function(element, value) {new Ajax.Request('http://www.example.com/cart_changed', {asynchronous:true, evalScripts:true, parameters:value})})\n//]]>\n</script>),
      observe_form("cart", :frequency => 2, :url => { :action => "cart_changed" })
  end

I think it's a bug, isn't it?

If you don't use encodeURIComponent on value, then if the form element you're submitting contains a & it will screw up your params (if you're doing parameters:'value='+value). Just doing parameters:value just chucks the value in the request body, which I suppose is fine but isn't a proper url encoded parameter.

There probably should be a test case asserting that the auth token is added properly too.

Fred
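To illustrate Fred's point about a & in the observed value, here is an added example (not code from the thread or from Rails itself) that rebuilds the two parameter strings observe_form emitted and parses them back the way a form-encoded body parser would; the token value and the sample text are constructed.

```javascript
// Added example (not from the thread): reproduce the two parameter strings
// that observe_form emits (Rails 2.1 style without encodeURIComponent, Rails
// 2.2 style with it) and parse them back the way a server would, to show why
// a raw '&' or '=' in the observed value corrupts the request.

// Constructed sample token; a real authenticity_token is session-specific.
const TOKEN = 'constructed-token-0123456789abcdef';

// Rails 2.1 form of the generated parameters: the value is concatenated raw.
function paramsRails21(value, token) {
  return 'value=' + value + '&authenticity_token=' + encodeURIComponent(token);
}

// Rails 2.2 form: the value is URL-encoded as well.
function paramsRails22(value, token) {
  return 'value=' + encodeURIComponent(value) +
         '&authenticity_token=' + encodeURIComponent(token);
}

// Minimal application/x-www-form-urlencoded parser: split on '&', then on
// the first '=' of each pair, as a server-side params parser does.
function parseParams(body) {
  const params = {};
  for (const pair of body.split('&')) {
    if (pair === '') continue;
    const idx = pair.indexOf('=');
    const key = decodeURIComponent(idx === -1 ? pair : pair.slice(0, idx));
    const val = idx === -1 ? '' : decodeURIComponent(pair.slice(idx + 1));
    params[key] = val;
  }
  return params;
}

// Round-trip one observed value through both encodings and report whether
// the server recovers it intact and still sees exactly the expected token.
function roundTrip(value, token) {
  const raw = parseParams(paramsRails21(value, token));
  const enc = parseParams(paramsRails22(value, token));
  return {
    rawValueIntact: raw.value === value,
    rawKeys: Object.keys(raw).sort(),
    encValueIntact: enc.value === value,
    encTokenIntact: enc.authenticity_token === token,
  };
}

// Text a user might type into an article body; it contains both '&' and '='.
console.log(roundTrip('Tom & Jerry: cats=dogs?', TOKEN));
```

With the raw concatenation the server sees a truncated value plus an unintended extra parameter; with encodeURIComponent both the value and the authenticity_token arrive intact.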