From 47bec4b9b4be864300e67897fa32bdc8340d36be Mon Sep 17 00:00:00 2001
From: ooooooo-q <ooooooo-q@users.noreply.github.com>
Date: Tue, 11 Feb 2020 14:57:04 +0900
Subject: [PATCH] escape href

---
 src/rails.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/rails.js b/src/rails.js
index 93620134..970c81ff 100644
--- a/src/rails.js
+++ b/src/rails.js
@@ -218,9 +218,11 @@
         target = link.attr('target'),
         csrfToken = rails.csrfToken(),
         csrfParam = rails.csrfParam(),
-        form = $('<form method="post" action="' + href + '"></form>'),
+        form = $('<form method="post"></form>'),
         metadataInput = '<input name="_method" value="' + method + '" type="hidden" />';
 
+      form.attr('action', href);
+
       if (csrfParam !== undefined && csrfToken !== undefined && !rails.isCrossDomain(href)) {
         metadataInput += '<input name="' + csrfParam + '" value="' + csrfToken + '" type="hidden" />';
       }