# HG changeset patch
# User Marcin Kuzminski
# Date 2017-09-12 20:49:26
# Node ID 4558ec552d09eed5e8449c171031fc039657c950
# Parent d69882dc478b04d7069e3f73bfd40765774b260c
helpers: make sure request parameter is not rendered inside secure form.
diff --git a/rhodecode/lib/helpers.py b/rhodecode/lib/helpers.py
--- a/rhodecode/lib/helpers.py
+++ b/rhodecode/lib/helpers.py
@@ -1890,7 +1890,7 @@ def form(url, method='post', needs_csrf_
     return wh_form(url, method=method, **attrs)
 
 
-def secure_form(url, method="POST", multipart=False, **attrs):
+def secure_form(form_url, method="POST", multipart=False, **attrs):
     """Start a form tag that points the action to an url. This
     form tag will also include the hidden field containing
     the auth token.
@@ -1910,13 +1910,15 @@ def secure_form(url, method="POST", mult
     """
     from webhelpers.pylonslib.secure_form import insecure_form
-    form = insecure_form(url, method, multipart, **attrs)
     session = None
+    # TODO(marcink): after pyramid migration require request variable ALWAYS
     if 'request' in attrs:
         session = attrs['request'].session
+        del attrs['request']
+    form = insecure_form(form_url, method, multipart, **attrs)
     token = literal(
         ''.format(
             csrf_token_key, csrf_token_key, get_csrf_token(session)))
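Review bot: In the second hunk, `attrs['request'].session` followed by `del attrs['request']` is a two-step pop; the idiomatic form that removes the key in one statement and drops the membership test is `request = attrs.pop('request', None)` then `session = request.session if request is not None else None`, which also makes it obvious at the `insecure_form` call that `request` can no longer reach the rendered tag. When no request is passed `get_csrf_token(None)` is called, so the docstring (which starts in the first hunk and continues outside it) should state that the `request` keyword is consumed here and never rendered as a form attribute, and what session is used when it is absent; e.g. add an Options entry `request: consumed and removed from attrs; only used to locate the session for the CSRF token`. The `literal(...)` wrapper marks the formatted token markup as safe, so this relies on `get_csrf_token` returning a value with no attribute-breaking characters — presumably a generated token, but worth confirming where it is produced. The function's return statement lies outside this hunk.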