actionpack 1.13.6 → 2.0.0

data/lib/action_controller/vendor/html-scanner/html/document.rb

@@ -1,9 +1,9 @@
-require File.dirname(__FILE__) + '/tokenizer'
-require File.dirname(__FILE__) + '/node'
-require File.dirname(__FILE__) + '/selector'
+require 'html/tokenizer'
+require 'html/node'
+require 'html/selector'
+require 'html/sanitizer'
 
 module HTML #:nodoc:
-  
   # A top-level HTMl document. You give it a body of text, and it will parse that
   # text into a tree of nodes.
   class Document #:nodoc:
@@ -23,6 +23,9 @@ module HTML #:nodoc:
         if node.tag?
           if node_stack.length > 1 && node.closing == :close
             if node_stack.last.name == node.name
+              if node_stack.last.children.empty?
+                node_stack.last.children << Text.new(node_stack.last, node.line, node.position, "")
+              end
               node_stack.pop
             else
               open_start = node_stack.last.position - 20

data/lib/action_controller/vendor/html-scanner/html/sanitizer.rb

@@ -0,0 +1,173 @@
+module HTML
+  class Sanitizer
+    def sanitize(text, options = {})
+      return text unless sanitizeable?(text)
+      tokenize(text, options).join
+    end
+    
+    def sanitizeable?(text)
+      !(text.nil? || text.empty? || !text.index("<"))
+    end
+    
+  protected
+    def tokenize(text, options)
+      tokenizer = HTML::Tokenizer.new(text)
+      result = []
+      while token = tokenizer.next
+        node = Node.parse(nil, 0, 0, token, false)
+        process_node node, result, options
+      end
+      result
+    end
+    
+    def process_node(node, result, options)
+      result << node.to_s
+    end
+  end
+  
+  class FullSanitizer < Sanitizer
+    def sanitize(text, options = {})
+      result = super
+      # strip any comments, and if they have a newline at the end (ie. line with
+      # only a comment) strip that too
+      result.gsub!(/<!--(.*?)-->[\n]?/m, "") if result
+      # Recurse - handle all dirty nested tags
+      result == text ? result : sanitize(result, options)
+    end
+    
+    def process_node(node, result, options)
+      result << node.to_s if node.class == HTML::Text
+    end
+  end
+  
+  class LinkSanitizer < FullSanitizer
+    cattr_accessor :included_tags, :instance_writer => false
+    self.included_tags = Set.new(%w(a href))
+
+    def sanitizeable?(text)
+      !(text.nil? || text.empty? || !((text.index("<a") || text.index("<href")) && text.index(">")))
+    end
+    
+  protected
+    def process_node(node, result, options)
+      result << node.to_s unless node.is_a?(HTML::Tag) && included_tags.include?(node.name) 
+    end
+  end
+  
+  class WhiteListSanitizer < Sanitizer
+    [:protocol_separator, :uri_attributes, :allowed_attributes, :allowed_tags, :allowed_protocols, :bad_tags,
+     :allowed_css_properties, :allowed_css_keywords, :shorthand_css_properties].each do |attr|
+      class_inheritable_accessor attr, :instance_writer => false
+    end
+
+    # A regular expression of the valid characters used to separate protocols like
+    # the ':' in 'http://foo.com'
+    self.protocol_separator     = /:|(&#0*58)|(&#x70)|(%|&#37;)3A/
+    
+    # Specifies a Set of HTML attributes that can have URIs.
+    self.uri_attributes         = Set.new(%w(href src cite action longdesc xlink:href lowsrc))
+
+    # Specifies a Set of 'bad' tags that the #sanitize helper will remove completely, as opposed
+    # to just escaping harmless tags like &lt;font&gt;
+    self.bad_tags               = Set.new(%w(script))
+    
+    # Specifies the default Set of tags that the #sanitize helper will allow unscathed.
+    self.allowed_tags           = Set.new(%w(strong em b i p code pre tt samp kbd var sub 
+      sup dfn cite big small address hr br div span h1 h2 h3 h4 h5 h6 ul ol li dt dd abbr 
+      acronym a img blockquote del ins))
+
+    # Specifies the default Set of html attributes that the #sanitize helper will leave 
+    # in the allowed tag.
+    self.allowed_attributes     = Set.new(%w(href src width height alt cite datetime title class name xml:lang abbr))
+    
+    # Specifies the default Set of acceptable css properties that #sanitize and #sanitize_css will accept.
+    self.allowed_protocols      = Set.new(%w(ed2k ftp http https irc mailto news gopher nntp telnet webcal xmpp callto 
+      feed svn urn aim rsync tag ssh sftp rtsp afs))
+    
+    # Specifies the default Set of acceptable css keywords that #sanitize and #sanitize_css will accept.
+    self.allowed_css_properties = Set.new(%w(azimuth background-color border-bottom-color border-collapse 
+      border-color border-left-color border-right-color border-top-color clear color cursor direction display 
+      elevation float font font-family font-size font-style font-variant font-weight height letter-spacing line-height
+      overflow pause pause-after pause-before pitch pitch-range richness speak speak-header speak-numeral speak-punctuation
+      speech-rate stress text-align text-decoration text-indent unicode-bidi vertical-align voice-family volume white-space
+      width))
+  
+    # Specifies the default Set of acceptable css keywords that #sanitize and #sanitize_css will accept.
+    self.allowed_css_keywords   = Set.new(%w(auto aqua black block blue bold both bottom brown center
+      collapse dashed dotted fuchsia gray green !important italic left lime maroon medium none navy normal
+      nowrap olive pointer purple red right solid silver teal top transparent underline white yellow))
+
+    # Specifies the default Set of allowed shorthand css properties for the #sanitize and #sanitize_css helpers.
+    self.shorthand_css_properties = Set.new(%w(background border margin padding))
+
+    # Sanitizes a block of css code.  Used by #sanitize when it comes across a style attribute
+    def sanitize_css(style)
+      # disallow urls
+      style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')
+
+      # gauntlet
+      if style !~ /^([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*$/ ||
+          style !~ /^(\s*[-\w]+\s*:\s*[^:;]*(;|$))*$/
+        return ''
+      end
+
+      clean = []
+      style.scan(/([-\w]+)\s*:\s*([^:;]*)/) do |prop,val|
+        if allowed_css_properties.include?(prop.downcase)
+          clean <<  prop + ': ' + val + ';'
+        elsif shorthand_css_properties.include?(prop.split('-')[0].downcase) 
+          unless val.split().any? do |keyword|
+            !allowed_css_keywords.include?(keyword) && 
+              keyword !~ /^(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)$/
+          end
+            clean << prop + ': ' + val + ';'
+          end
+        end
+      end
+      clean.join(' ')
+    end
+
+  protected
+    def tokenize(text, options)
+      options[:parent] = []
+      options[:attributes] ||= allowed_attributes
+      options[:tags]       ||= allowed_tags
+      super
+    end
+
+    def process_node(node, result, options)
+      result << case node
+        when HTML::Tag
+          if node.closing == :close
+            options[:parent].shift
+          else
+            options[:parent].unshift node.name
+          end
+          
+          process_attributes_for node, options
+
+          options[:tags].include?(node.name) ? node : nil
+        else
+          bad_tags.include?(options[:parent].first) ? nil : node.to_s.gsub(/</, "&lt;")
+      end
+    end
+    
+    def process_attributes_for(node, options)
+      return unless node.attributes
+      node.attributes.keys.each do |attr_name|
+        value = node.attributes[attr_name].to_s
+
+        if !options[:attributes].include?(attr_name) || contains_bad_protocols?(attr_name, value)
+          node.attributes.delete(attr_name)
+        else
+          node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(value)
+        end
+      end
+    end
+
+    def contains_bad_protocols?(attr_name, value)
+      uri_attributes.include?(attr_name) && 
+      (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(%|&#37;)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first))
+    end
+  end
+end

data/lib/action_controller/vendor/html-scanner/html/selector.rb

@@ -240,19 +240,24 @@ module HTML
       raise ArgumentError, "CSS expression cannot be empty" if selector.empty?
       @source = ""
       values = values[0] if values.size == 1 && values[0].is_a?(Array)
+
       # We need a copy to determine if we failed to parse, and also
       # preserve the original pass by-ref statement.
       statement = selector.strip.dup
+
       # Create a simple selector, along with negation.
       simple_selector(statement, values).each { |name, value| instance_variable_set("@#{name}", value) }
 
+      @alternates = []
+      @depends = nil
+
       # Alternative selector.
       if statement.sub!(/^\s*,\s*/, "")
         second = Selector.new(statement, values)
-        (@alternates ||= []) << second
+        @alternates << second
         # If there are alternate selectors, we group them in the top selector.
         if alternates = second.instance_variable_get(:@alternates)
-          second.instance_variable_set(:@alternates, nil)
+          second.instance_variable_set(:@alternates, [])
           @alternates.concat alternates
         end
         @source << " , " << second.to_s
@@ -412,7 +417,7 @@ module HTML
 
       # If this selector is part of the group, try all the alternative
       # selectors (unless first_only).
-      if @alternates && (!first_only || !matches)
+      if !first_only || !matches
         @alternates.each do |alternate|
           break if matches && first_only
           if subset = alternate.match(element, first_only)
@@ -789,15 +794,15 @@ module HTML
     # eventually, and array of substitution values.
     #
     # This method is called from four places, so it helps to put it here
-    # for resue. The only logic deals with the need to detect comma
+    # for reuse. The only logic deals with the need to detect comma
     # separators (alternate) and apply them to the selector group of the
     # top selector.
     def next_selector(statement, values)
       second = Selector.new(statement, values)
       # If there are alternate selectors, we group them in the top selector.
       if alternates = second.instance_variable_get(:@alternates)
-        second.instance_variable_set(:@alternates, nil)
-        (@alternates ||= []).concat alternates
+        second.instance_variable_set(:@alternates, [])
+        @alternates.concat alternates
       end
       second
     end

data/lib/action_controller/verification.rb

@@ -12,7 +12,8 @@ module ActionController #:nodoc:
     # parameters being set, or without certain session values existing.
     #
     # When a verification is violated, values may be inserted into the flash, and
-    # a specified redirection is triggered.
+    # a specified redirection is triggered. If no specific action is configured,
+    # verification failures will by default result in a 400 Bad Request response.
     #
     # Usage:
     #
@@ -42,37 +43,37 @@ module ActionController #:nodoc:
       # the user is redirected to a different action. The +options+ parameter
       # is a hash consisting of the following key/value pairs:
       #
-      # * <tt>:params</tt>: a single key or an array of keys that must
+      # * <tt>:params</tt> - a single key or an array of keys that must
       #   be in the <tt>params</tt> hash in order for the action(s) to be safely
       #   called.
-      # * <tt>:session</tt>: a single key or an array of keys that must
+      # * <tt>:session</tt> - a single key or an array of keys that must
       #   be in the <tt>session</tt> in order for the action(s) to be safely called.
-      # * <tt>:flash</tt>: a single key or an array of keys that must
+      # * <tt>:flash</tt> - a single key or an array of keys that must
       #   be in the flash in order for the action(s) to be safely called.
-      # * <tt>:method</tt>: a single key or an array of keys--any one of which
+      # * <tt>:method</tt> - a single key or an array of keys--any one of which
       #   must match the current request method in order for the action(s) to
       #   be safely called. (The key should be a symbol: <tt>:get</tt> or
       #   <tt>:post</tt>, for example.)
-      # * <tt>:xhr</tt>: true/false option to ensure that the request is coming
+      # * <tt>:xhr</tt> - true/false option to ensure that the request is coming
       #   from an Ajax call or not. 
-      # * <tt>:add_flash</tt>: a hash of name/value pairs that should be merged
+      # * <tt>:add_flash</tt> - a hash of name/value pairs that should be merged
       #   into the session's flash if the prerequisites cannot be satisfied.
-      # * <tt>:add_headers</tt>: a hash of name/value pairs that should be
+      # * <tt>:add_headers</tt> - a hash of name/value pairs that should be
       #   merged into the response's headers hash if the prerequisites cannot
       #   be satisfied.
-      # * <tt>:redirect_to</tt>: the redirection parameters to be used when
+      # * <tt>:redirect_to</tt> - the redirection parameters to be used when
       #   redirecting if the prerequisites cannot be satisfied. You can 
       #   redirect either to named route or to the action in some controller.
-      # * <tt>:render</tt>: the render parameters to be used when
+      # * <tt>:render</tt> - the render parameters to be used when
       #   the prerequisites cannot be satisfied.
-      # * <tt>:only</tt>: only apply this verification to the actions specified
+      # * <tt>:only</tt> - only apply this verification to the actions specified
       #   in the associated array (may also be a single value).
-      # * <tt>:except</tt>: do not apply this verification to the actions
+      # * <tt>:except</tt> - do not apply this verification to the actions
       #   specified in the associated array (may also be a single value).
       def verify(options={})
         filter_opts = { :only => options[:only], :except => options[:except] }
         before_filter(filter_opts) do |c|
-          c.send :verify_action, options
+          c.send! :verify_action, options
         end
       end
     end
@@ -81,7 +82,7 @@ module ActionController #:nodoc:
       prereqs_invalid =
         [*options[:params] ].find { |v| params[v].nil?  } ||
         [*options[:session]].find { |v| session[v].nil? } ||
-        [*options[:flash]  ].find { |v| flash[v].nil?    }
+        [*options[:flash]  ].find { |v| flash[v].nil?   }
       
       if !prereqs_invalid && options[:method]
         prereqs_invalid ||= 
@@ -93,16 +94,21 @@ module ActionController #:nodoc:
       if prereqs_invalid
         flash.update(options[:add_flash]) if options[:add_flash]
         response.headers.update(options[:add_headers]) if options[:add_headers]
+
         unless performed?
-          render(options[:render]) if options[:render]
-          options[:redirect_to] = self.send(options[:redirect_to]) if options[:redirect_to].is_a? Symbol
-          redirect_to(options[:redirect_to]) if options[:redirect_to]
+          case
+          when options[:render]
+            render(options[:render])
+          when options[:redirect_to]
+            options[:redirect_to] = self.send!(options[:redirect_to]) if options[:redirect_to].is_a?(Symbol)
+            redirect_to(options[:redirect_to])
+          else
+            head(:bad_request)
+          end
         end
-        return false
       end
-
-      true
     end
+
     private :verify_action
   end
-end
+end

data/lib/action_pack.rb

@@ -1,5 +1,5 @@
 #--
-# Copyright (c) 2004-2006 David Heinemeier Hansson
+# Copyright (c) 2004-2007 David Heinemeier Hansson
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the

data/lib/action_pack/version.rb

@@ -1,9 +1,9 @@
 module ActionPack #:nodoc:
   module VERSION #:nodoc:
-    MAJOR = 1
-    MINOR = 13
-    TINY  = 6
-    
+    MAJOR = 2
+    MINOR = 0
+    TINY  = 0
+
     STRING = [MAJOR, MINOR, TINY].join('.')
   end
 end

data/lib/action_view.rb

@@ -1,5 +1,5 @@
 #--
-# Copyright (c) 2004-2006 David Heinemeier Hansson
+# Copyright (c) 2004-2007 David Heinemeier Hansson
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the
@@ -21,7 +21,6 @@
 # WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #++
 
-$:.unshift(File.dirname(__FILE__) + "/action_view/vendor")
 require 'action_view/base'
 require 'action_view/partials'
 
@@ -29,4 +28,4 @@ ActionView::Base.class_eval do
   include ActionView::Partials
 end
 
-ActionView::Base.load_helpers(File.dirname(__FILE__) + "/action_view/helpers/")
+ActionView::Base.load_helpers

data/lib/action_view/base.rb

@@ -1,11 +1,22 @@
 require 'erb'
+require 'builder'
+
+class ERB
+  module Util
+    HTML_ESCAPE = { '&' => '&amp;', '"' => '&quot;', '>' => '&gt;', '<' => '&lt;' }
+
+    def html_escape(s)
+      s.to_s.gsub(/[&\"><]/) { |special| HTML_ESCAPE[special] }
+    end
+  end
+end
 
 module ActionView #:nodoc:
   class ActionViewError < StandardError #:nodoc:
   end
 
-  # Action View templates can be written in three ways. If the template file has a +.rhtml+ extension then it uses a mixture of ERb 
-  # (included in Ruby) and HTML. If the template file has a +.rxml+ extension then Jim Weirich's Builder::XmlMarkup library is used. 
+  # Action View templates can be written in three ways. If the template file has a +.erb+ (or +.rhtml+) extension then it uses a mixture of ERb 
+  # (included in Ruby) and HTML. If the template file has a +.builder+ (or +.rxml+) extension then Jim Weirich's Builder::XmlMarkup library is used. 
   # If the template file has a +.rjs+ extension then it will use ActionView::Helpers::PrototypeHelper::JavaScriptGenerator.
   # 
   # = ERb
@@ -77,12 +88,12 @@ module ActionView #:nodoc:
   # == Builder
   #
   # Builder templates are a more programmatic alternative to ERb. They are especially useful for generating XML content. An +XmlMarkup+ object 
-  # named +xml+ is automatically made available to templates with a +.rxml+ extension. 
+  # named +xml+ is automatically made available to templates with a +.builder+ extension. 
   #
   # Here are some basic examples:
   #
   #   xml.em("emphasized")                              # => <em>emphasized</em>
-  #   xml.em { xml.b("emp & bold") }                    # => <em><b>emph &amp; bold</b></em>
+  #   xml.em { xml.b("emph & bold") }                    # => <em><b>emph &amp; bold</b></em>
   #   xml.a("A Link", "href"=>"http://onestepback.org") # => <a href="http://onestepback.org">A Link</a>
   #   xml.target("name"=>"compile", "option"=>"fast")   # => <target option="fast" name="compile"\>
   #                                                     # NOTE: order of attributes is not specified.
@@ -154,10 +165,12 @@ module ActionView #:nodoc:
 
     attr_reader   :first_render
     attr_accessor :base_path, :assigns, :template_extension
-    attr_accessor :controller
+    attr_accessor :controller, :view_paths
 
     attr_reader :logger, :response, :headers
-    attr_internal *ActionController::Base::DEPRECATED_INSTANCE_VARIABLES
+    attr_internal :cookies, :flash, :headers, :params, :request, :response, :session
+    
+    attr_writer :template_format
 
     # Specify trim mode for the ERB compiler. Defaults to '-'.
     # See ERb documentation for suitable values.
@@ -168,7 +181,7 @@ module ActionView #:nodoc:
     @@cache_template_loading = false
     cattr_accessor :cache_template_loading
 
-    # Specify whether file extension lookup should be cached.
+    # Specify whether file extension lookup should be cached, and whether template base path lookup should be cached.
     # Should be +false+ for development environments. Defaults to +true+.
     @@cache_template_extensions = true
     cattr_accessor :cache_template_extensions
@@ -183,6 +196,11 @@ module ActionView #:nodoc:
     # that alert()s the caught exception (and then re-raises it). 
     @@debug_rjs = false
     cattr_accessor :debug_rjs
+    
+    @@erb_variable = '_erbout'
+    cattr_accessor :erb_variable
+    
+    delegate :request_forgery_protection_token, :to => :controller
 
     @@template_handlers = HashWithIndifferentAccess.new
  
@@ -203,16 +221,34 @@ module ActionView #:nodoc:
     # If for a given path, path.ext1 and path.ext2 exist on the file system, the order of extensions
     # used by pick_template_extension determines whether ext1 or ext2 will be stored.
     @@cached_template_extension = {}
+    # Maps template paths / extensions to 
+    @@cached_base_paths = {}
+
+    # Cache public asset paths
+    cattr_reader :computed_public_paths
+    @@computed_public_paths = {}
+
+    @@templates_requiring_setup = Set.new(%w(builder rxml rjs))
+
+    # Order of template handers checked by #file_exists? depending on the current #template_format
+    DEFAULT_TEMPLATE_HANDLER_PREFERENCE = [:erb, :rhtml, :builder, :rxml, :javascript, :delegate]
+    TEMPLATE_HANDLER_PREFERENCES = {
+      :js       => [:javascript, :erb, :rhtml, :builder, :rxml, :delegate],
+      :xml      => [:builder, :rxml, :erb, :rhtml, :javascript, :delegate],
+      :delegate => [:delegate]
+    }
 
     class ObjectWrapper < Struct.new(:value) #:nodoc:
     end
 
-    def self.load_helpers(helper_dir)#:nodoc:
-      Dir.entries(helper_dir).sort.each do |helper_file|
-        next unless helper_file =~ /^([a-z][a-z_]*_helper).rb$/
-        require File.join(helper_dir, $1)
+    def self.load_helpers #:nodoc:
+      Dir.entries("#{File.dirname(__FILE__)}/helpers").sort.each do |file|
+        next unless file =~ /^([a-z][a-z_]*_helper).rb$/
+        require "action_view/helpers/#{$1}"
         helper_module_name = $1.camelize
-        class_eval("include ActionView::Helpers::#{helper_module_name}") if Helpers.const_defined?(helper_module_name)
+        if Helpers.const_defined?(helper_module_name)
+          include Helpers.const_get(helper_module_name)
+        end
       end
     end
 
@@ -224,38 +260,58 @@ module ActionView #:nodoc:
     # local assigns available to the template. The #render method ought to
     # return the rendered template as a string.
     def self.register_template_handler(extension, klass)
+      TEMPLATE_HANDLER_PREFERENCES[extension.to_sym] = TEMPLATE_HANDLER_PREFERENCES[:delegate]
       @@template_handlers[extension] = klass
     end
 
-    def initialize(base_path = nil, assigns_for_first_render = {}, controller = nil)#:nodoc:
-      @base_path, @assigns = base_path, assigns_for_first_render
+    def initialize(view_paths = [], assigns_for_first_render = {}, controller = nil)#:nodoc:
+      @view_paths = view_paths.respond_to?(:find) ? view_paths.dup : [*view_paths].compact
+      @assigns = assigns_for_first_render
       @assigns_added = nil
       @controller = controller
       @logger = controller && controller.logger 
     end
 
     # Renders the template present at <tt>template_path</tt>. If <tt>use_full_path</tt> is set to true, 
-    # it's relative to the template_root, otherwise it's absolute. The hash in <tt>local_assigns</tt> 
+    # it's relative to the view_paths array, otherwise it's absolute. The hash in <tt>local_assigns</tt> 
     # is made available as local variables.
     def render_file(template_path, use_full_path = true, local_assigns = {}) #:nodoc:
-      @first_render ||= template_path
+      if defined?(ActionMailer) && defined?(ActionMailer::Base) && controller.is_a?(ActionMailer::Base) && !template_path.include?("/")
+        raise ActionViewError, <<-END_ERROR
+Due to changes in ActionMailer, you need to provide the mailer_name along with the template name.
 
-      if use_full_path
-        template_path_without_extension, template_extension = path_and_extension(template_path)
+  render "user_mailer/signup"
+  render :file => "user_mailer/signup"
+
+If you are rendering a subtemplate, you must now use controller-like partial syntax:
 
+  render :partial => 'signup' # no mailer_name necessary
+        END_ERROR
+      end
+      
+      @first_render ||= template_path
+      template_path_without_extension, template_extension = path_and_extension(template_path)
+      if use_full_path
         if template_extension
           template_file_name = full_template_path(template_path_without_extension, template_extension)
         else
           template_extension = pick_template_extension(template_path).to_s
+          unless template_extension
+            raise ActionViewError, "No #{template_handler_preferences.to_sentence} template found for #{template_path} in #{view_paths.inspect}"
+          end
           template_file_name = full_template_path(template_path, template_extension)
+          template_extension = template_extension.gsub(/^.+\./, '') # strip off any formats
         end
       else
         template_file_name = template_path
-        template_extension = template_path.split('.').last
       end
 
       template_source = nil # Don't read the source until we know that it is required
 
+      if template_file_name.blank?
+        raise ActionViewError, "Couldn't find template file for #{template_path} in #{view_paths.inspect}"
+      end
+
       begin
         render_template(template_extension, template_source, template_file_name, local_assigns)
       rescue Exception => e
@@ -263,12 +319,12 @@ module ActionView #:nodoc:
           e.sub_template_of(template_file_name)
           raise e
         else
-          raise TemplateError.new(@base_path, template_file_name, @assigns, template_source, e)
+          raise TemplateError.new(find_base_path_for("#{template_path_without_extension}.#{template_extension}") || view_paths.first, template_file_name, @assigns, template_source, e)
         end
       end
     end
-
-    # Renders the template present at <tt>template_path</tt> (relative to the template_root). 
+    
+    # Renders the template present at <tt>template_path</tt> (relative to the view_paths array). 
     # The hash in <tt>local_assigns</tt> is made available as local variables.
     def render(options = {}, old_local_assigns = {}, &block) #:nodoc:
       if options.is_a?(String)
@@ -276,22 +332,31 @@ module ActionView #:nodoc:
       elsif options == :update
         update_page(&block)
       elsif options.is_a?(Hash)
-        options[:locals] ||= {}
-        options[:use_full_path] = options[:use_full_path].nil? ? true : options[:use_full_path]
+        options = options.reverse_merge(:type => :erb, :locals => {}, :use_full_path => true)
 
-        if options[:file]
+        if options[:layout]
+          path, partial_name = partial_pieces(options.delete(:layout))
+
+          if block_given?
+            @content_for_layout = capture(&block)
+            concat(render(options.merge(:partial => "#{path}/#{partial_name}")), block.binding)
+          else
+            @content_for_layout = render(options)
+            render(options.merge(:partial => "#{path}/#{partial_name}"))
+          end
+        elsif options[:file]
           render_file(options[:file], options[:use_full_path], options[:locals])
         elsif options[:partial] && options[:collection]
           render_partial_collection(options[:partial], options[:collection], options[:spacer_template], options[:locals])
         elsif options[:partial]
           render_partial(options[:partial], ActionView::Base::ObjectWrapper.new(options[:object]), options[:locals])
         elsif options[:inline]
-          render_template(options[:type] || :rhtml, options[:inline], nil, options[:locals] || {})
+          render_template(options[:type], options[:inline], nil, options[:locals])
         end
       end
     end
 
-    # Renders the +template+ which is given as a string as either rhtml or rxml depending on <tt>template_extension</tt>.
+    # Renders the +template+ which is given as a string as either erb or builder depending on <tt>template_extension</tt>.
     # The hash in <tt>local_assigns</tt> is made available as local variables.
     def render_template(template_extension, template, file_path = nil, local_assigns = {}) #:nodoc:
       if handler = @@template_handlers[template_extension]
@@ -327,23 +392,54 @@ module ActionView #:nodoc:
       end
     end
 
+    # Gets the full template path with base path for the given template_path and extension.
+    #
+    #   full_template_path('users/show', 'html.erb')
+    #   # => '~/rails/app/views/users/show.html.erb
+    #
+    def full_template_path(template_path, extension)
+      if @@cache_template_extensions
+        (@@cached_base_paths[template_path] ||= {})[extension.to_s] ||= find_full_template_path(template_path, extension)
+      else
+        find_full_template_path(template_path, extension)
+      end
+    end
+
+    # Gets the extension for an existing template with the given template_path.
+    # Returns the format with the extension if that template exists.
+    #
+    #   pick_template_extension('users/show')
+    #   # => 'html.erb'
+    #
+    #   pick_template_extension('users/legacy')
+    #   # => "rhtml"
+    #
     def pick_template_extension(template_path)#:nodoc:
       if @@cache_template_extensions
-        @@cached_template_extension[template_path] ||= find_template_extension_for(template_path)
+        (@@cached_template_extension[template_path] ||= {})[template_format] ||= find_template_extension_for(template_path)
       else
         find_template_extension_for(template_path)
       end
     end
 
     def delegate_template_exists?(template_path)#:nodoc:
-      @@template_handlers.find { |k,| template_exists?(template_path, k) }
+      delegate = @@template_handlers.find { |k,| template_exists?(template_path, k) }
+      delegate && delegate.first.to_sym
     end
 
     def erb_template_exists?(template_path)#:nodoc:
-      template_exists?(template_path, :rhtml)
+      template_exists?(template_path, :erb)
     end
 
     def builder_template_exists?(template_path)#:nodoc:
+      template_exists?(template_path, :builder)
+    end
+
+    def rhtml_template_exists?(template_path)#:nodoc:
+      template_exists?(template_path, :rhtml)
+    end
+
+    def rxml_template_exists?(template_path)#:nodoc:
       template_exists?(template_path, :rxml)
     end
 
@@ -353,14 +449,10 @@ module ActionView #:nodoc:
 
     def file_exists?(template_path)#:nodoc:
       template_file_name, template_file_extension = path_and_extension(template_path)
-
       if template_file_extension
         template_exists?(template_file_name, template_file_extension)
       else
-        cached_template_extension(template_path) ||
-           %w(erb builder javascript delegate).any? do |template_type| 
-             send("#{template_type}_template_exists?", template_path)
-           end
+        pick_template_extension(template_path)
       end
     end
 
@@ -369,37 +461,95 @@ module ActionView #:nodoc:
       template_path.split('/').last[0,1] != '_'
     end
 
+    # symbolized version of the :format parameter of the request, or :html by default.
+    def template_format
+      return @template_format if @template_format
+      format = controller && controller.respond_to?(:request) && controller.request.parameters[:format]
+      @template_format = format.blank? ? :html : format.to_sym
+    end
+
+    def template_handler_preferences
+      TEMPLATE_HANDLER_PREFERENCES[template_format] || DEFAULT_TEMPLATE_HANDLER_PREFERENCE
+    end
+
+    # Adds a view_path to the front of the view_paths array.
+    # This change affects the current request only.
+    #
+    #   @template.prepend_view_path("views/default")
+    #   @template.prepend_view_path(["views/default", "views/custom"])
+    #
+    def prepend_view_path(path)
+      @view_paths.unshift(*path)
+    end
+    
+    # Adds a view_path to the end of the view_paths array.
+    # This change affects the current request only.
+    #
+    #   @template.append_view_path("views/default")
+    #   @template.append_view_path(["views/default", "views/custom"])
+    #
+    def append_view_path(path)
+      @view_paths.push(*path)
+    end
+
     private
-      # Builds a string holding the full path of the template including extension
-      def full_template_path(template_path, extension)
-        "#{@base_path}/#{template_path}.#{extension}"
+      def find_full_template_path(template_path, extension)
+        file_name = "#{template_path}.#{extension}"
+        base_path = find_base_path_for(file_name)
+        base_path.blank? ? "" : "#{base_path}/#{file_name}"
       end
 
       # Asserts the existence of a template.
       def template_exists?(template_path, extension)
         file_path = full_template_path(template_path, extension)
-        @@method_names.has_key?(file_path) || FileTest.exists?(file_path)
+        !file_path.blank? && @@method_names.has_key?(file_path) || FileTest.exists?(file_path)
       end
 
+      # Splits the path and extension from the given template_path and returns as an array.
       def path_and_extension(template_path)
         template_path_without_extension = template_path.sub(/\.(\w+)$/, '')
         [ template_path_without_extension, $1 ]
       end
+      
+      # Returns the view path that contains the given relative template path.
+      def find_base_path_for(template_file_name)
+        view_paths.find { |p| File.file?(File.join(p, template_file_name)) }
+      end
 
-      def cached_template_extension(template_path)
-        @@cache_template_extensions && @@cached_template_extension[template_path]
+      # Returns the view path that the full path resides in.
+      def extract_base_path_from(full_path)
+        view_paths.find { |p| full_path[0..p.size - 1] == p }
       end
 
       # Determines the template's file extension, such as rhtml, rxml, or rjs.
       def find_template_extension_for(template_path)
-        if match = delegate_template_exists?(template_path)
-          match.first.to_sym
-        elsif erb_template_exists?(template_path):        :rhtml
-        elsif builder_template_exists?(template_path):    :rxml
-        elsif javascript_template_exists?(template_path): :rjs
-        else
-          raise ActionViewError, "No rhtml, rxml, rjs or delegate template found for #{template_path} in #{@base_path}"
+        find_template_extension_from_handler(template_path, true) ||
+        find_template_extension_from_handler(template_path) ||
+        find_template_extension_from_first_render()
+      end
+
+      def find_template_extension_from_handler(template_path, formatted = nil)
+        checked_template_path = formatted ? "#{template_path}.#{template_format}" : template_path
+        template_handler_preferences.each do |template_type|
+          extension =
+            case template_type
+              when :javascript
+                template_exists?(checked_template_path, :rjs) && :rjs
+              when :delegate
+                delegate_template_exists?(checked_template_path)
+              else
+                template_exists?(checked_template_path, template_type) && template_type
+            end
+          if extension
+            return formatted ? "#{template_format}.#{extension}" : extension.to_s
+          end
         end
+        nil
+      end
+      
+      # Determine the template extension from the <tt>@first_render</tt> filename
+      def find_template_extension_from_first_render
+        File.basename(@first_render.to_s)[/^[^.]+\.(.+)$/, 1]
       end
 
       # This method reads a template file.
@@ -439,27 +589,36 @@ module ActionView #:nodoc:
         method_key    = file_name || template
         render_symbol = @@method_names[method_key]
 
-        if @@compile_time[render_symbol] && supports_local_assigns?(render_symbol, local_assigns)
-          if file_name && !@@cache_template_loading 
-            @@compile_time[render_symbol] < File.mtime(file_name) ||
-              (File.symlink?(file_name) && (@@compile_time[render_symbol] < File.lstat(file_name).mtime))
+        compile_time = @@compile_time[render_symbol]
+        if compile_time && supports_local_assigns?(render_symbol, local_assigns)
+          if file_name && !@@cache_template_loading
+            template_changed_since?(file_name, compile_time)
           end
         else
           true
         end
       end
 
+      # Method to handle checking a whether a template has changed since last compile; isolated so that templates
+      # not stored on the file system can hook and extend appropriately.
+      def template_changed_since?(file_name, compile_time)
+        lstat = File.lstat(file_name)
+        compile_time < lstat.mtime || 
+          (lstat.symlink? && compile_time < File.stat(file_name).mtime)
+      end
+
       # Method to create the source code for a given template.
       def create_template_source(extension, template, render_symbol, locals)
         if template_requires_setup?(extension)
           body = case extension.to_sym
-            when :rxml
-              "controller.response.content_type ||= 'application/xml'\n" +
-              "xml ||= Builder::XmlMarkup.new(:indent => 2)\n" +
+            when :rxml, :builder
+              content_type_handler = (controller.respond_to?(:response) ? "controller.response" : "controller")
+              "#{content_type_handler}.content_type ||= Mime::XML\n" +
+              "xml = Builder::XmlMarkup.new(:indent => 2)\n" +
               template +
               "\nxml.target!\n"
             when :rjs
-              "controller.response.content_type ||= 'text/javascript'\n" +
+              "controller.response.content_type ||= Mime::JS\n" +
               "update_page do |page|\n#{template}\nend"
           end
         else
@@ -479,11 +638,7 @@ module ActionView #:nodoc:
       end
 
       def template_requires_setup?(extension) #:nodoc:
-        templates_requiring_setup.include? extension.to_s
-      end
-
-      def templates_requiring_setup #:nodoc:
-        %w(rxml rjs)
+        @@templates_requiring_setup.include? extension.to_s
       end
 
       def assign_method_name(extension, template, file_name)
@@ -514,7 +669,7 @@ module ActionView #:nodoc:
         line_offset = @@template_args[render_symbol].size
         if extension
           case extension.to_sym
-          when :rxml, :rjs
+          when :builder, :rxml, :rjs
             line_offset += 2
           end
         end
@@ -532,7 +687,7 @@ module ActionView #:nodoc:
             logger.debug "Backtrace: #{e.backtrace.join("\n")}"
           end
 
-          raise TemplateError.new(@base_path, file_name || template, @assigns, template, e)
+          raise TemplateError.new(extract_base_path_from(file_name) || view_paths.first, file_name || template, @assigns, template, e)
         end
 
         @@compile_time[render_symbol] = Time.now