From a16e99c6863866daab85f86d4fa44fcb30aaf4bb Mon Sep 17 00:00:00 2001
From: joshua stein
Date: Wed, 12 Feb 2014 13:14:25 -0600
Subject: [PATCH] avoid leaking object ids in form_fors
---
 app/views/comments/_commentbox.html.erb | 4 ++--
 app/views/settings/index.html.erb | 6 ++++--
 app/views/stories/edit.html.erb | 2 +-
 3 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/app/views/comments/_commentbox.html.erb b/app/views/comments/_commentbox.html.erb
index 7d9c9ef..f5b87a5 100644
--- a/app/views/comments/_commentbox.html.erb
+++ b/app/views/comments/_commentbox.html.erb
@@ -1,5 +1,6 @@
-<%= form_for comment do |f| %>
+<%= form_for comment,
+:html => { :id => "edit_comment_#{comment.short_id}" } do |f| %>
 <% if comment.errors.any? %>
 <%= errors_for comment %>
 <% end %>
@@ -38,7 +39,6 @@
 :type => "button" %>
 <% end %>
-
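Review bot: The new id `edit_comment_#{comment.short_id}` is only distinct when `comment` is already persisted; if this partial is also rendered for a not-yet-saved reply, `short_id` is presumably still unset and every reply box on the page would share `id="edit_comment_"`, whereas the previous default produced `new_comment` for such records. A guard such as `:html => { :id => comment.new_record? ? "new_comment" : "edit_comment_#{comment.short_id}" }` keeps the DOM ids unique without reintroducing the numeric id. Separately, `form_for comment` still derives its action URL from the record, so unless `Comment#to_param` returns `short_id` the primary key remains visible in the form's action attribute; that is worth confirming, since removing the id from the DOM is presentation-only and the update action must still authorize by ownership of the comment. The form_for block continues past this hunk.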
<%= render :partial => "global/markdownhelp" %>
diff --git a/app/views/settings/index.html.erb b/app/views/settings/index.html.erb
index b21afe7..62fc16d 100644
--- a/app/views/settings/index.html.erb
+++ b/app/views/settings/index.html.erb
@@ -6,7 +6,8 @@ Account Settings
- <%= form_for @edit_user, :url => settings_url, :method => :post do |f| %>
+ <%= form_for @edit_user, :url => settings_url, :method => :post,
+ :html => { :id => "edit_user" } do |f| %>
 <%= error_messages_for f.object %>
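Review bot: The account form's id changes from the Rails-generated `edit_user_<record id>` to the fixed `edit_user`, and the delete form at line 171 of this file and the story form in app/views/stories/edit.html.erb change in the same way; any stylesheet or JavaScript that selected the old generated ids (none is visible in this diff) would silently stop matching, so those selectors should be checked in the same change. Removing the primary key from the DOM is presentation-only: the record is still addressed by the same integer server-side, so the actions behind `settings_url` and `delete_account_url` must keep authorizing on the current session's user rather than on anything submitted with the form. Both form_for blocks continue outside their hunks.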
@@ -170,7 +171,8 @@

- <%= form_for @edit_user, :url => delete_account_url, :method => :post do |f| %>
+ <%= form_for @edit_user, :url => delete_account_url, :method => :post,
+ :html => { :id => "delete_user" } do |f| %>
Delete Account
diff --git a/app/views/stories/edit.html.erb b/app/views/stories/edit.html.erb
index 239c495..7dda813 100644
--- a/app/views/stories/edit.html.erb
+++ b/app/views/stories/edit.html.erb
@@ -4,7 +4,7 @@
<%= form_for @story, :url => story_url(@story.short_id),
- :method => :put do |f| %>
+ :method => :put, :html => { :id => "edit_story" } do |f| %>
 <%= render :partial => "stories/form", :locals => { :story => @story, :f => f } %>