observe_form encodeURIComponent(value) with protect_from_forgery

Hi

Since Rails 2.2RC1, I have a problem with observe_form. When I use the
simplest call:

observe_form "article_form", :frequency => 60, :url => { :action =>
"autosave" }

The JavaScript generated is:

new Form.Observer('article_form', 60, function(element, value) {new
Ajax.Request('/admin/content/autosave', {asynchronous:true,
evalScripts:true, parameters:'value=' + encodeURIComponent(value) +
'&authenticity_token=' +
encodeURIComponent('1d6397023865060a4a22e482ebc98295304479c3')})})

With Rails 2.1, it generated:

new Form.Observer('article_form', 60, function(element, value) {new
Ajax.Request('/admin/content/autosave', {asynchronous:true,
evalScripts:true, parameters:'value='+ value + '&authenticity_token=' +
encodeURIComponent('b2bb6b2dd85474c3264ddc1cf365c72495651dc4')})})

If I read the unit tests for this helper, I can see that there is no test
with protect_from_forgery. And if I look at the result expected by the
test, I can see that it doesn't want encodeURIComponent(value):

  def test_observe_form
    assert_dom_equal %(<script type=\"text/javascript\">\n//<![CDATA[\nnew Form.Observer('cart', 2, function(element, value) {new Ajax.Request('http://www.example.com/cart_changed', {asynchronous:true, evalScripts:true, parameters:value})})\n//]]>\n</script>),
      observe_form("cart", :frequency => 2, :url => { :action => "cart_changed" })
  end

I think it's a bug, isn't it?

> Hi
>
> Since Rails 2.2RC1, I have a problem with observe_form. When I use the
> simplest call:
>
> observe_form "article_form", :frequency => 60, :url => { :action =>
> "autosave" }
>
> The JavaScript generated is:
>
> new Form.Observer('article_form', 60, function(element, value) {new
> Ajax.Request('/admin/content/autosave', {asynchronous:true,
> evalScripts:true, parameters:'value=' + encodeURIComponent(value) +
> '&authenticity_token=' +
> encodeURIComponent('1d6397023865060a4a22e482ebc98295304479c3')})})
>
> With Rails 2.1, it generated:
>
> new Form.Observer('article_form', 60, function(element, value) {new
> Ajax.Request('/admin/content/autosave', {asynchronous:true,
> evalScripts:true, parameters:'value='+ value +
> '&authenticity_token=' +
> encodeURIComponent('b2bb6b2dd85474c3264ddc1cf365c72495651dc4')})})
>
> If I read the unit tests for this helper, I can see that there is no test
> with protect_from_forgery. And if I look at the result expected by the
> test, I can see that it doesn't want encodeURIComponent(value):

If you don't use encodeURIComponent on value, then if the form element
you're submitting contains a &, it will screw up your params (if
you're doing parameters:'value='+value).
Just doing parameters:value just chucks the value in the request body,
which I suppose is fine but isn't a proper URL-encoded parameter.
There probably should be a test case asserting that the auth token is
added properly too.

Fred
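
The three request bodies compared in this thread, as an added example that is not part of the original posts or of Rails' own code: each body is split the way a form-urlencoded parser would split it. The token, the sample values and the function names are constructed for illustration.

```javascript
// TOKEN and both sample values below are constructed for this example.
const TOKEN = 'constructed-token';

// Rails 2.1 output: value concatenated without encoding.
function bodyUnencoded(value) {
  return 'value=' + value + '&authenticity_token=' + encodeURIComponent(TOKEN);
}

// Rails 2.2RC1 output: value passed through encodeURIComponent first.
function bodyEncoded(value) {
  return 'value=' + encodeURIComponent(value) +
         '&authenticity_token=' + encodeURIComponent(TOKEN);
}

// Shape expected by test_observe_form: the value is the whole body,
// so no authenticity_token is sent at all.
function bodyBare(value) {
  return value;
}

// Split an application/x-www-form-urlencoded body into name/value pairs.
function parseBody(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// A single field's text containing "&", the case raised in the reply.
const rawField = 'R&D notes';
// An already-serialized form string, as a form observer would pass it.
const serializedForm = 'article%5Btitle%5D=R%26D&article%5Bbody%5D=draft';

function demo() {
  return {
    // "&" in the text splits the value and creates a stray parameter.
    rawUnencoded: parseBody(bodyUnencoded(rawField)),
    // The text arrives intact as one parameter next to the token.
    rawEncoded: parseBody(bodyEncoded(rawField)),
    // The form's own "&" separators leak into the top-level parameters.
    formUnencoded: parseBody(bodyUnencoded(serializedForm)),
    // The whole serialized form arrives as a single string in "value".
    formEncoded: parseBody(bodyEncoded(serializedForm)),
    // Fields arrive as real parameters, but without the token.
    formBare: parseBody(bodyBare(serializedForm)),
  };
}

console.log(demo());
```

With the encoded form, the server receives the serialized form as one string in `value` and has to parse it a second time to get the individual fields.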