Generated page_update javascript is incorrectly escaped.

lib/action_view/helpers/prototype_helper.rb

@@ -547,7 +547,7 @@ def render(*options)
 
             def with_formats(*args)
               return yield unless @context
-              
+
               lookup = @context.lookup_context
               begin
                 old_formats, lookup.formats = lookup.formats, args
@@ -587,7 +587,7 @@ def method_missing(method, *arguments)
       #     page.hide 'spinner'
       #   end
       def update_page(&block)
-        JavaScriptGenerator.new(self, &block).to_s.html_safe
+        JavaScriptGenerator.new(self, &block).to_s
       end
 
       # Works like update_page but wraps the generated JavaScript in a

lib/prototype-rails/javascript_helper.rb

@@ -33,7 +33,7 @@ def button_to_function(name, *args, &block)
     function = block_given? ? update_page(&block) : args[0] || ''
     onclick = "#{"#{html_options[:onclick]}; " if html_options[:onclick]}#{function};"
 
-    tag(:input, html_options.merge(:type => 'button', :value => name, :onclick => onclick))
+    tag(:input, html_options.merge(:type => 'button', :value => name, :onclick => escape_once(onclick)), false, false)
   end
 
   #   link_to_function("Show me more", nil, :id => "more_link") do |page|
@@ -60,6 +60,6 @@ def link_to_function(name, *args, &block)
     onclick = "#{"#{html_options[:onclick]}; " if html_options[:onclick]}#{function}; return false;"
     href = html_options[:href] || '#'
 
-    content_tag(:a, name, html_options.merge(:href => href, :onclick => onclick))
+    content_tag(:a, name, html_options.merge(:href => href, :onclick => escape_once(onclick)), false)
   end
 end

test/template/prototype_helper_test.rb

@@ -104,6 +104,18 @@ def test_update_page_tag_with_html_options
     assert_equal javascript_tag(create_generator(&block).to_s, {:defer => 'true'}), update_page_tag({:defer => 'true'}, &block)
   end
 
+  def test_update_page_html_tag
+    block = Proc.new { |page| page.hide('cancel-commit') }
+    input_tag = submit_tag('Save', :onclick => 'Element.hide("cancel-commit");')
+    assert_equal input_tag, submit_tag('Save', :onclick => update_page(&block))
+  end
+
+  def test_update_page_link_to_function
+    block = Proc.new { |page| page.hide('cancel-commit') }
+    link_tag = link_to_function('Save', 'Element.hide("cancel-commit");')
+    assert_equal link_tag, link_to_function('Save', update_page(&block))
+  end
+
   def test_remote_function
     res = remote_function(:url => authors_path, :with => "'author[name]='+$F('author_name')+'&author[dob]='+$F('author_dob')")
     assert_equal "new Ajax.Request('/authors', {asynchronous:true, evalScripts:true, parameters:'author[name]='+$F('author_name')+'&author[dob]='+$F('author_dob')})", res

vendor/assets/javascripts/prototype_ujs.js

@@ -1,4 +1,14 @@
 (function() {
+  Ajax.Responders.register({
+    onCreate: function(request) {
+      var token = $$('meta[name=csrf-token]')[0];
+      if (token) {
+        if (!request.options.requestHeaders) request.options.requestHeaders = {};
+        request.options.requestHeaders['X-CSRF-Token'] = token.readAttribute('content');
+      }
+    }
+  });
+
   // Technique from Juriy Zaytsev
   // http://thinkweb2.com/projects/prototype/detecting-event-support-without-browser-sniffing/
   function isEventSupported(eventName) {
@@ -130,11 +140,24 @@
 
   function disableFormElements(form) {
     form.select('input[type=submit][data-disable-with]').each(function(input) {
+      if (input.name == form.retrieve('rails:submit-button')) {
+        if (window.hiddenCommit) {
+          window.hiddenCommit.setAttribute('name', input.name);
+          window.hiddenCommit.setAttribute('value', input.value);
+        } else {
+          hiddenCommit = document.createElement('input');
+          hiddenCommit.type = 'hidden';
+          hiddenCommit.value = input.value;
+          hiddenCommit.name = input.name;
+          form.appendChild(hiddenCommit);
+        }
+      }
+
       input.store('rails:original-value', input.getValue());
       input.setValue(input.readAttribute('data-disable-with')).disable();
     });
   }
-  
+
   function enableFormElements(form) {
     form.select('input[type=submit][data-disable-with]').each(function(input) {
       input.setValue(input.retrieve('rails:original-value')).enable();
@@ -147,17 +170,19 @@
   }
 
   document.on('click', 'a[data-confirm], a[data-remote], a[data-method]', function(event, link) {
-    if (!allowAction(link)) {
-      event.stop();
-      return false;
-    }
+    if (Event.isLeftClick(event)) {
+      if (!allowAction(link)) {
+        event.stop();
+        return false;
+      }
 
-    if (link.readAttribute('data-remote')) {
-      handleRemote(link);
-      event.stop();
-    } else if (link.readAttribute('data-method')) {
-      handleMethod(link);
-      event.stop();
+      if (link.readAttribute('data-remote')) {
+        handleRemote(link);
+        event.stop();
+      } else if (link.readAttribute('data-method')) {
+        handleMethod(link);
+        event.stop();
+      }
     }
   });
 
@@ -185,7 +210,7 @@
   document.on('ajax:create', 'form', function(event, form) {
     if (form == event.findElement()) disableFormElements(form);
   });
-  
+
   document.on('ajax:complete', 'form', function(event, form) {
     if (form == event.findElement()) enableFormElements(form);
   });