actionpack-rack-upgrade 2.3.14

data/lib/action_view/helpers/raw_output_helper.rb

@@ -0,0 +1,9 @@
+module ActionView #:nodoc:
+  module Helpers #:nodoc:
+    module RawOutputHelper
+      def raw(stringish)
+        stringish.to_s.html_safe
+      end
+    end
+  end
+end

data/lib/action_view/helpers/record_identification_helper.rb

@@ -0,0 +1,20 @@
+module ActionView
+  module Helpers
+    module RecordIdentificationHelper
+      # See ActionController::RecordIdentifier.partial_path -- this is just a delegate to that for convenient access in the view.
+      def partial_path(*args, &block)
+        ActionController::RecordIdentifier.partial_path(*args, &block)
+      end
+
+      # See ActionController::RecordIdentifier.dom_class -- this is just a delegate to that for convenient access in the view.
+      def dom_class(*args, &block)
+        ActionController::RecordIdentifier.dom_class(*args, &block)
+      end
+
+      # See ActionController::RecordIdentifier.dom_id -- this is just a delegate to that for convenient access in the view.
+      def dom_id(*args, &block)
+        ActionController::RecordIdentifier.dom_id(*args, &block)
+      end
+    end
+  end
+end

data/lib/action_view/helpers/record_tag_helper.rb

@@ -0,0 +1,58 @@
+module ActionView
+  module Helpers
+    module RecordTagHelper
+      # Produces a wrapper DIV element with id and class parameters that
+      # relate to the specified Active Record object. Usage example:
+      #
+      #    <% div_for(@person, :class => "foo") do %>
+      #       <%=h @person.name %>
+      #    <% end %>
+      #
+      # produces:
+      #
+      #    <div id="person_123" class="person foo"> Joe Bloggs </div>
+      #
+      def div_for(record, *args, &block)
+        content_tag_for(:div, record, *args, &block)
+      end
+  
+      # content_tag_for creates an HTML element with id and class parameters
+      # that relate to the specified Active Record object. For example:
+      #
+      #    <% content_tag_for(:tr, @person) do %>
+      #      <td><%=h @person.first_name %></td>
+      #      <td><%=h @person.last_name %></td>
+      #    <% end %>
+      #
+      # would produce the following HTML (assuming @person is an instance of
+      # a Person object, with an id value of 123):
+      #
+      #    <tr id="person_123" class="person">....</tr>
+      #
+      # If you require the HTML id attribute to have a prefix, you can specify it:
+      #
+      #    <% content_tag_for(:tr, @person, :foo) do %> ...
+      #
+      # produces:
+      #    
+      #    <tr id="foo_person_123" class="person">...
+      #
+      # content_tag_for also accepts a hash of options, which will be converted to
+      # additional HTML attributes. If you specify a <tt>:class</tt> value, it will be combined
+      # with the default class name for your object. For example:
+      #
+      #    <% content_tag_for(:li, @person, :class => "bar") %>...
+      #
+      # produces:
+      #
+      #    <li id="person_123" class="person bar">...
+      #
+      def content_tag_for(tag_name, record, *args, &block)
+        prefix  = args.first.is_a?(Hash) ? nil : args.shift
+        options = args.extract_options!
+        options.merge!({ :class => "#{dom_class(record)} #{options[:class]}".strip, :id => dom_id(record, prefix) })
+        content_tag(tag_name, options, &block)
+      end
+    end
+  end
+end

data/lib/action_view/helpers/sanitize_helper.rb

@@ -0,0 +1,251 @@
+require 'action_view/helpers/tag_helper'
+
+module ActionView
+  module Helpers #:nodoc:
+    # The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements.
+    # These helper methods extend ActionView making them callable within your template files.
+    module SanitizeHelper
+      # This +sanitize+ helper will html encode all tags and strip all attributes that aren't specifically allowed.
+      # It also strips href/src tags with invalid protocols, like javascript: especially.  It does its best to counter any
+      # tricks that hackers may use, like throwing in unicode/ascii/hex values to get past the javascript: filters.  Check out
+      # the extensive test suite.
+      #
+      #   <%= sanitize @article.body %>
+      #
+      # You can add or remove tags/attributes if you want to customize it a bit.  See ActionView::Base for full docs on the
+      # available options.  You can add tags/attributes for single uses of +sanitize+ by passing either the <tt>:attributes</tt> or <tt>:tags</tt> options:
+      #
+      # Normal Use
+      #
+      #   <%= sanitize @article.body %>
+      #
+      # Custom Use (only the mentioned tags and attributes are allowed, nothing else)
+      #
+      #   <%= sanitize @article.body, :tags => %w(table tr td), :attributes => %w(id class style)
+      #
+      # Add table tags to the default allowed tags
+      #
+      #   Rails::Initializer.run do |config|
+      #     config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
+      #   end
+      #
+      # Remove tags to the default allowed tags
+      #
+      #   Rails::Initializer.run do |config|
+      #     config.after_initialize do
+      #       ActionView::Base.sanitized_allowed_tags.delete 'div'
+      #     end
+      #   end
+      #
+      # Change allowed default attributes
+      #
+      #   Rails::Initializer.run do |config|
+      #     config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style'
+      #   end
+      #
+      # Please note that sanitizing user-provided text does not guarantee that the
+      # resulting markup is valid (conforming to a document type) or even well-formed.
+      # The output may still contain e.g. unescaped '<', '>', '&' characters and
+      # confuse browsers.
+      #
+      def sanitize(html, options = {})
+        self.class.white_list_sanitizer.sanitize(html, options).try(:html_safe)
+      end
+
+      # Sanitizes a block of CSS code. Used by +sanitize+ when it comes across a style attribute.
+      def sanitize_css(style)
+        self.class.white_list_sanitizer.sanitize_css(style)
+      end
+
+      # Strips all HTML tags from the +html+, including comments.  This uses the
+      # html-scanner tokenizer and so its HTML parsing ability is limited by
+      # that of html-scanner.
+      #
+      # ==== Examples
+      #
+      #   strip_tags("Strip <i>these</i> tags!")
+      #   # => Strip these tags!
+      #
+      #   strip_tags("<b>Bold</b> no more!  <a href='more.html'>See more here</a>...")
+      #   # => Bold no more!  See more here...
+      #
+      #   strip_tags("<div id='top-bar'>Welcome to my website!</div>")
+      #   # => Welcome to my website!
+      def strip_tags(html)
+        self.class.full_sanitizer.sanitize(html).try(:html_safe)
+      end
+
+      # Strips all link tags from +text+ leaving just the link text.
+      #
+      # ==== Examples
+      #   strip_links('<a href="http://www.rubyonrails.org">Ruby on Rails</a>')
+      #   # => Ruby on Rails
+      #
+      #   strip_links('Please e-mail me at <a href="mailto:me@email.com">me@email.com</a>.')
+      #   # => Please e-mail me at me@email.com.
+      #
+      #   strip_links('Blog: <a href="http://www.myblog.com/" class="nav" target=\"_blank\">Visit</a>.')
+      #   # => Blog: Visit
+      def strip_links(html)
+        self.class.link_sanitizer.sanitize(html)
+      end
+
+      module ClassMethods #:nodoc:
+        attr_writer :full_sanitizer, :link_sanitizer, :white_list_sanitizer
+
+        def sanitized_protocol_separator
+          white_list_sanitizer.protocol_separator
+        end
+
+        def sanitized_uri_attributes
+          white_list_sanitizer.uri_attributes
+        end
+
+        def sanitized_bad_tags
+          white_list_sanitizer.bad_tags
+        end
+
+        def sanitized_allowed_tags
+          white_list_sanitizer.allowed_tags
+        end
+
+        def sanitized_allowed_attributes
+          white_list_sanitizer.allowed_attributes
+        end
+
+        def sanitized_allowed_css_properties
+          white_list_sanitizer.allowed_css_properties
+        end
+
+        def sanitized_allowed_css_keywords
+          white_list_sanitizer.allowed_css_keywords
+        end
+
+        def sanitized_shorthand_css_properties
+          white_list_sanitizer.shorthand_css_properties
+        end
+
+        def sanitized_allowed_protocols
+          white_list_sanitizer.allowed_protocols
+        end
+
+        def sanitized_protocol_separator=(value)
+          white_list_sanitizer.protocol_separator = value
+        end
+
+        # Gets the HTML::FullSanitizer instance used by +strip_tags+.  Replace with
+        # any object that responds to +sanitize+.
+        #
+        #   Rails::Initializer.run do |config|
+        #     config.action_view.full_sanitizer = MySpecialSanitizer.new
+        #   end
+        #
+        def full_sanitizer
+          @full_sanitizer ||= HTML::FullSanitizer.new
+        end
+
+        # Gets the HTML::LinkSanitizer instance used by +strip_links+.  Replace with
+        # any object that responds to +sanitize+.
+        #
+        #   Rails::Initializer.run do |config|
+        #     config.action_view.link_sanitizer = MySpecialSanitizer.new
+        #   end
+        #
+        def link_sanitizer
+          @link_sanitizer ||= HTML::LinkSanitizer.new
+        end
+
+        # Gets the HTML::WhiteListSanitizer instance used by sanitize and +sanitize_css+.
+        # Replace with any object that responds to +sanitize+.
+        #
+        #   Rails::Initializer.run do |config|
+        #     config.action_view.white_list_sanitizer = MySpecialSanitizer.new
+        #   end
+        #
+        def white_list_sanitizer
+          @white_list_sanitizer ||= HTML::WhiteListSanitizer.new
+        end
+
+        # Adds valid HTML attributes that the +sanitize+ helper checks for URIs.
+        #
+        #   Rails::Initializer.run do |config|
+        #     config.action_view.sanitized_uri_attributes = 'lowsrc', 'target'
+        #   end
+        #
+        def sanitized_uri_attributes=(attributes)
+          HTML::WhiteListSanitizer.uri_attributes.merge(attributes)
+        end
+
+        # Adds to the Set of 'bad' tags for the +sanitize+ helper.
+        #
+        #   Rails::Initializer.run do |config|
+        #     config.action_view.sanitized_bad_tags = 'embed', 'object'
+        #   end
+        #
+        def sanitized_bad_tags=(attributes)
+          HTML::WhiteListSanitizer.bad_tags.merge(attributes)
+        end
+
+        # Adds to the Set of allowed tags for the +sanitize+ helper.
+        #
+        #   Rails::Initializer.run do |config|
+        #     config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
+        #   end
+        #
+        def sanitized_allowed_tags=(attributes)
+          HTML::WhiteListSanitizer.allowed_tags.merge(attributes)
+        end
+
+        # Adds to the Set of allowed HTML attributes for the +sanitize+ helper.
+        #
+        #   Rails::Initializer.run do |config|
+        #     config.action_view.sanitized_allowed_attributes = 'onclick', 'longdesc'
+        #   end
+        #
+        def sanitized_allowed_attributes=(attributes)
+          HTML::WhiteListSanitizer.allowed_attributes.merge(attributes)
+        end
+
+        # Adds to the Set of allowed CSS properties for the #sanitize and +sanitize_css+ helpers.
+        #
+        #   Rails::Initializer.run do |config|
+        #     config.action_view.sanitized_allowed_css_properties = 'expression'
+        #   end
+        #
+        def sanitized_allowed_css_properties=(attributes)
+          HTML::WhiteListSanitizer.allowed_css_properties.merge(attributes)
+        end
+
+        # Adds to the Set of allowed CSS keywords for the +sanitize+ and +sanitize_css+ helpers.
+        #
+        #   Rails::Initializer.run do |config|
+        #     config.action_view.sanitized_allowed_css_keywords = 'expression'
+        #   end
+        #
+        def sanitized_allowed_css_keywords=(attributes)
+          HTML::WhiteListSanitizer.allowed_css_keywords.merge(attributes)
+        end
+
+        # Adds to the Set of allowed shorthand CSS properties for the +sanitize+ and +sanitize_css+ helpers.
+        #
+        #   Rails::Initializer.run do |config|
+        #     config.action_view.sanitized_shorthand_css_properties = 'expression'
+        #   end
+        #
+        def sanitized_shorthand_css_properties=(attributes)
+          HTML::WhiteListSanitizer.shorthand_css_properties.merge(attributes)
+        end
+
+        # Adds to the Set of allowed protocols for the +sanitize+ helper.
+        #
+        #   Rails::Initializer.run do |config|
+        #     config.action_view.sanitized_allowed_protocols = 'ssh', 'feed'
+        #   end
+        #
+        def sanitized_allowed_protocols=(attributes)
+          HTML::WhiteListSanitizer.allowed_protocols.merge(attributes)
+        end
+      end
+    end
+  end
+end

data/lib/action_view/helpers/scriptaculous_helper.rb

@@ -0,0 +1,226 @@
+require 'action_view/helpers/javascript_helper'
+require 'active_support/json'
+
+module ActionView
+  module Helpers
+    # Provides a set of helpers for calling Scriptaculous JavaScript 
+    # functions, including those which create Ajax controls and visual effects.
+    #
+    # To be able to use these helpers, you must include the Prototype 
+    # JavaScript framework and the Scriptaculous JavaScript library in your 
+    # pages. See the documentation for ActionView::Helpers::JavaScriptHelper
+    # for more information on including the necessary JavaScript.
+    #
+    # The Scriptaculous helpers' behavior can be tweaked with various options.
+    # See the documentation at http://script.aculo.us for more information on
+    # using these helpers in your application.
+    module ScriptaculousHelper
+      unless const_defined? :TOGGLE_EFFECTS
+        TOGGLE_EFFECTS = [:toggle_appear, :toggle_slide, :toggle_blind]
+      end
+      
+      # Returns a JavaScript snippet to be used on the Ajax callbacks for
+      # starting visual effects.
+      #
+      # Example:
+      #   <%= link_to_remote "Reload", :update => "posts", 
+      #         :url => { :action => "reload" }, 
+      #         :complete => visual_effect(:highlight, "posts", :duration => 0.5)
+      #
+      # If no +element_id+ is given, it assumes "element" which should be a local
+      # variable in the generated JavaScript execution context. This can be 
+      # used for example with +drop_receiving_element+:
+      #
+      #   <%= drop_receiving_element (...), :loading => visual_effect(:fade) %>
+      #
+      # This would fade the element that was dropped on the drop receiving 
+      # element.
+      #
+      # For toggling visual effects, you can use <tt>:toggle_appear</tt>, <tt>:toggle_slide</tt>, and
+      # <tt>:toggle_blind</tt> which will alternate between appear/fade, slidedown/slideup, and
+      # blinddown/blindup respectively.
+      #
+      # You can change the behaviour with various options, see
+      # http://script.aculo.us for more documentation.
+      def visual_effect(name, element_id = false, js_options = {})
+        element = element_id ? ActiveSupport::JSON.encode(element_id) : "element"
+        
+        js_options[:queue] = if js_options[:queue].is_a?(Hash)
+          '{' + js_options[:queue].map {|k, v| k == :limit ? "#{k}:#{v}" : "#{k}:'#{v}'" }.join(',') + '}'
+        elsif js_options[:queue]
+          "'#{js_options[:queue]}'"
+        end if js_options[:queue]
+        
+        [:endcolor, :direction, :startcolor, :scaleMode, :restorecolor].each do |option|
+          js_options[option] = "'#{js_options[option]}'" if js_options[option]
+        end
+
+        if TOGGLE_EFFECTS.include? name.to_sym
+          "Effect.toggle(#{element},'#{name.to_s.gsub(/^toggle_/,'')}',#{options_for_javascript(js_options)});"
+        else
+          "new Effect.#{name.to_s.camelize}(#{element},#{options_for_javascript(js_options)});"
+        end
+      end
+      
+      # Makes the element with the DOM ID specified by +element_id+ sortable
+      # by drag-and-drop and make an Ajax call whenever the sort order has
+      # changed. By default, the action called gets the serialized sortable
+      # element as parameters.
+      #
+      # Example:
+      #
+      #   <%= sortable_element("my_list", :url => { :action => "order" }) %>
+      #
+      # In the example, the action gets a "my_list" array parameter 
+      # containing the values of the ids of elements the sortable consists 
+      # of, in the current order.
+      #
+      # Important: For this to work, the sortable elements must have id
+      # attributes in the form "string_identifier". For example, "item_1". Only
+      # the identifier part of the id attribute will be serialized.
+      # 
+      # Additional +options+ are:
+      #
+      # * <tt>:format</tt> - A regular expression to determine what to send as the
+      #   serialized id to the server (the default is <tt>/^[^_]*_(.*)$/</tt>).
+      #                           
+      # * <tt>:constraint</tt> - Whether to constrain the dragging to either
+      #   <tt>:horizontal</tt> or <tt>:vertical</tt> (or false to make it unconstrained).
+      #                            
+      # * <tt>:overlap</tt> - Calculate the item overlap in the <tt>:horizontal</tt>
+      #   or <tt>:vertical</tt> direction.
+      #                            
+      # * <tt>:tag</tt> - Which children of the container element to treat as
+      #   sortable (default is <tt>li</tt>).
+      #                          
+      # * <tt>:containment</tt> - Takes an element or array of elements to treat as
+      #   potential drop targets (defaults to the original target element).
+      #                          
+      # * <tt>:only</tt> - A CSS class name or array of class names used to filter
+      #   out child elements as candidates.
+      #                          
+      # * <tt>:scroll</tt> - Determines whether to scroll the list during drag
+      #   operations if the list runs past the visual border.
+      #                          
+      # * <tt>:tree</tt> - Determines whether to treat nested lists as part of the
+      #   main sortable list. This means that you can create multi-layer lists,
+      #   and not only sort items at the same level, but drag and sort items
+      #   between levels.
+      #                          
+      # * <tt>:hoverclass</tt> - If set, the Droppable will have this additional CSS class
+      #   when an accepted Draggable is hovered over it.                         
+      #                          
+      # * <tt>:handle</tt> - Sets whether the element should only be draggable by an
+      #   embedded handle. The value may be a string referencing a CSS class value
+      #   (as of script.aculo.us V1.5). The first child/grandchild/etc. element
+      #   found within the element that has this CSS class value will be used as
+      #   the handle.
+      #                          
+      # * <tt>:ghosting</tt> - Clones the element and drags the clone, leaving
+      #   the original in place until the clone is dropped (default is <tt>false</tt>).
+      #                          
+      # * <tt>:dropOnEmpty</tt> - If true the Sortable container will be made into
+      #   a Droppable, that can receive a Draggable (as according to the containment
+      #   rules) as a child element when there are no more elements inside (default
+      #   is <tt>false</tt>).
+      #                          
+      # * <tt>:onChange</tt> - Called whenever the sort order changes while dragging. When
+      #   dragging from one Sortable to another, the callback is called once on each
+      #   Sortable. Gets the affected element as its parameter.
+      #                          
+      # * <tt>:onUpdate</tt> - Called when the drag ends and the Sortable's order is
+      #   changed in any way. When dragging from one Sortable to another, the callback
+      #   is called once on each Sortable. Gets the container as its parameter.
+      #                                                                                         
+      # See http://script.aculo.us for more documentation.
+      def sortable_element(element_id, options = {})
+        javascript_tag(sortable_element_js(element_id, options).chop!)
+      end
+      
+      def sortable_element_js(element_id, options = {}) #:nodoc:
+        options[:with]     ||= "Sortable.serialize(#{ActiveSupport::JSON.encode(element_id)})"
+        options[:onUpdate] ||= "function(){" + remote_function(options) + "}"
+        options.delete_if { |key, value| PrototypeHelper::AJAX_OPTIONS.include?(key) }
+  
+        [:tag, :overlap, :constraint, :handle].each do |option|
+          options[option] = "'#{options[option]}'" if options[option]
+        end
+  
+        options[:containment] = array_or_string_for_javascript(options[:containment]) if options[:containment]
+        options[:only] = array_or_string_for_javascript(options[:only]) if options[:only]
+  
+        %(Sortable.create(#{ActiveSupport::JSON.encode(element_id)}, #{options_for_javascript(options)});)
+      end
+
+      # Makes the element with the DOM ID specified by +element_id+ draggable.
+      #
+      # Example:
+      #   <%= draggable_element("my_image", :revert => true)
+      # 
+      # You can change the behaviour with various options, see
+      # http://script.aculo.us for more documentation.
+      def draggable_element(element_id, options = {})
+        javascript_tag(draggable_element_js(element_id, options).chop!)
+      end
+      
+      def draggable_element_js(element_id, options = {}) #:nodoc:
+        %(new Draggable(#{ActiveSupport::JSON.encode(element_id)}, #{options_for_javascript(options)});)
+      end
+
+      # Makes the element with the DOM ID specified by +element_id+ receive
+      # dropped draggable elements (created by +draggable_element+).
+      # and make an AJAX call. By default, the action called gets the DOM ID 
+      # of the element as parameter.
+      #
+      # Example:
+      #   <%= drop_receiving_element("my_cart", :url => 
+      #     { :controller => "cart", :action => "add" }) %>
+      #
+      # You can change the behaviour with various options, see
+      # http://script.aculo.us for more documentation.
+      #
+      # Some of these +options+ include:
+      # * <tt>:accept</tt> - Set this to a string or an array of strings describing the
+      #   allowable CSS classes that the +draggable_element+ must have in order 
+      #   to be accepted by this +drop_receiving_element+.
+      #                          
+      # * <tt>:confirm</tt> - Adds a confirmation dialog. Example:
+      #                     
+      #     :confirm => "Are you sure you want to do this?"
+      #                          
+      # * <tt>:hoverclass</tt> - If set, the +drop_receiving_element+ will have
+      #   this additional CSS class when an accepted +draggable_element+ is
+      #   hovered over it.                         
+      #                          
+      # * <tt>:onDrop</tt> - Called when a +draggable_element+ is dropped onto
+      #   this element. Override this callback with a JavaScript expression to 
+      #   change the default drop behaviour. Example:
+      #                          
+      #     :onDrop => "function(draggable_element, droppable_element, event) { alert('I like bananas') }"
+      #                          
+      #   This callback gets three parameters: The Draggable element, the Droppable
+      #   element and the Event object. You can extract additional information about
+      #   the drop - like if the Ctrl or Shift keys were pressed - from the Event object.
+      #                          
+      # * <tt>:with</tt> - A JavaScript expression specifying the parameters for
+      #   the XMLHttpRequest. Any expressions should return a valid URL query string.
+      def drop_receiving_element(element_id, options = {})
+        javascript_tag(drop_receiving_element_js(element_id, options).chop!)
+      end
+      
+      def drop_receiving_element_js(element_id, options = {}) #:nodoc:
+        options[:with]     ||= "'id=' + encodeURIComponent(element.id)"
+        options[:onDrop]   ||= "function(element){" + remote_function(options) + "}"
+        options.delete_if { |key, value| PrototypeHelper::AJAX_OPTIONS.include?(key) }
+
+        options[:accept] = array_or_string_for_javascript(options[:accept]) if options[:accept]    
+        options[:hoverclass] = "'#{options[:hoverclass]}'" if options[:hoverclass]
+        
+        # Confirmation happens during the onDrop callback, so it can be removed from the options
+        options.delete(:confirm) if options[:confirm]
+
+        %(Droppables.add(#{ActiveSupport::JSON.encode(element_id)}, #{options_for_javascript(options)});)
+      end
+    end
+  end
+end