actionpack 1.13.6 → 2.0.0

data/lib/action_view/helpers/record_identification_helper.rb

@@ -0,0 +1,20 @@
+module ActionView
+  module Helpers
+    module RecordIdentificationHelper
+      # See ActionController::RecordIdentifier.partial_path -- this is just a delegate to that for convenient access in the view.
+      def partial_path(*args, &block)
+        ActionController::RecordIdentifier.partial_path(*args, &block)
+      end
+
+      # See ActionController::RecordIdentifier.dom_class -- this is just a delegate to that for convenient access in the view.
+      def dom_class(*args, &block)
+        ActionController::RecordIdentifier.dom_class(*args, &block)
+      end
+
+      # See ActionController::RecordIdentifier.dom_id -- this is just a delegate to that for convenient access in the view.
+      def dom_id(*args, &block)
+        ActionController::RecordIdentifier.dom_id(*args, &block)
+      end
+    end
+  end
+end

data/lib/action_view/helpers/record_tag_helper.rb

@@ -0,0 +1,59 @@
+module ActionView
+  module Helpers
+    module RecordTagHelper
+      # Produces a wrapper DIV element with id and class parameters that
+      # relate to the specified ActiveRecord object. Usage example:
+      #
+      #    <% div_for(@person, :class => "foo") do %>
+      #       <%=h @person.name %>
+      #    <% end %>
+      #
+      # produces:
+      #
+      #    <div id="person_123" class="person foo"> Joe Bloggs </div>
+      #
+      def div_for(record, *args, &block)
+        content_tag_for(:div, record, *args, &block)
+      end
+  
+      # content_tag_for creates an HTML element with id and class parameters
+      # that relate to the specified ActiveRecord object. For example:
+      #
+      #    <% content_tag_for(:tr, @person) do %>
+      #      <td><%=h @person.first_name %></td>
+      #      <td><%=h @person.last_name %></td>
+      #    <% end %>
+      #
+      # would produce hthe following HTML (assuming @person is an instance of
+      # a Person object, with an id value of 123):
+      #
+      #    <tr id="person_123" class="person">....</tr>
+      #
+      # If you require the HTML id attribute to have a prefix, you can specify it:
+      #
+      #    <% content_tag_for(:tr, @person, :foo) do %> ...
+      #
+      # produces:
+      #    
+      #    <tr id="foo_person_123" class="person">...
+      #
+      # content_tag_for also accepts a hash of options, which will be converted to
+      # additional HTML attributes. If you specify a <tt>:class</tt> value, it will be combined
+      # with the default class name for your object. For example:
+      #
+      #    <% content_tag_for(:li, @person, :class => "bar") %>...
+      #
+      # produces:
+      #
+      #    <li id="person_123" class="person bar">...
+      #
+      def content_tag_for(tag_name, record, *args, &block)
+        prefix  = args.first.is_a?(Hash) ? nil : args.shift
+        options = args.first.is_a?(Hash) ? args.shift : {}
+        concat content_tag(tag_name, capture(&block), 
+          options.merge({ :class => "#{dom_class(record)} #{options[:class]}".strip, :id => dom_id(record, prefix) })), 
+          block.binding
+      end
+    end
+  end
+end

data/lib/action_view/helpers/sanitize_helper.rb

@@ -0,0 +1,223 @@
+require 'action_view/helpers/tag_helper'
+require 'html/document'
+
+module ActionView
+  module Helpers #:nodoc:
+    # The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements.
+    # These helper methods extend ActionView making them callable within your template files.
+    module SanitizeHelper
+      def self.included(base)
+        base.extend(ClassMethods)
+      end
+      
+      # This #sanitize helper will html encode all tags and strip all attributes that aren't specifically allowed.  
+      # It also strips href/src tags with invalid protocols, like javascript: especially.  It does its best to counter any
+      # tricks that hackers may use, like throwing in unicode/ascii/hex values to get past the javascript: filters.  Check out
+      # the extensive test suite.
+      #
+      #   <%= sanitize @article.body %>
+      # 
+      # You can add or remove tags/attributes if you want to customize it a bit.  See ActionView::Base for full docs on the
+      # available options.  You can add tags/attributes for single uses of #sanitize by passing either the :attributes or :tags options:
+      #
+      # Normal Use
+      #
+      #   <%= sanitize @article.body %>
+      #
+      # Custom Use (only the mentioned tags and attributes are allowed, nothing else)
+      #
+      #   <%= sanitize @article.body, :tags => %w(table tr td), :attributes => %w(id class style)
+      # 
+      # Add table tags to the default allowed tags
+      #   
+      #   Rails::Initializer.run do |config|
+      #     config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
+      #   end
+      # 
+      # Remove tags to the default allowed tags
+      #   
+      #   Rails::Initializer.run do |config|
+      #     config.after_initialize do
+      #       ActionView::Base.sanitized_allowed_tags.delete 'div'
+      #     end
+      #   end
+      # 
+      # Change allowed default attributes
+      # 
+      #   Rails::Initializer.run do |config|
+      #     config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style'
+      #   end
+      # 
+      def sanitize(html, options = {})
+        self.class.white_list_sanitizer.sanitize(html, options)
+      end
+
+      # Sanitizes a block of css code.  Used by #sanitize when it comes across a style attribute
+      def sanitize_css(style)
+        self.class.white_list_sanitizer.sanitize_css(style)
+      end
+
+      # Strips all HTML tags from the +html+, including comments.  This uses the 
+      # html-scanner tokenizer and so its HTML parsing ability is limited by 
+      # that of html-scanner.
+      #
+      # ==== Examples
+      #
+      #   strip_tags("Strip <i>these</i> tags!")
+      #   # => Strip these tags!
+      #
+      #   strip_tags("<b>Bold</b> no more!  <a href='more.html'>See more here</a>...")
+      #   # => Bold no more!  See more here...
+      # 
+      #   strip_tags("<div id='top-bar'>Welcome to my website!</div>")
+      #   # => Welcome to my website!
+      def strip_tags(html)     
+        self.class.full_sanitizer.sanitize(html)
+      end
+
+      # Strips all link tags from +text+ leaving just the link text.
+      #
+      # ==== Examples
+      #   strip_links('<a href="http://www.rubyonrails.org">Ruby on Rails</a>')
+      #   # => Ruby on Rails
+      #
+      #   strip_links('Please e-mail me at <a href="mailto:me@email.com">me@email.com</a>.')
+      #   # => Please e-mail me at me@email.com.
+      #
+      #   strip_links('Blog: <a href="http://www.myblog.com/" class="nav" target=\"_blank\">Visit</a>.')
+      #   # => Blog: Visit
+      def strip_links(html)
+        self.class.link_sanitizer.sanitize(html)
+      end
+
+      module ClassMethods #:nodoc:
+        def self.extended(base)
+          class << base
+            attr_writer :full_sanitizer, :link_sanitizer, :white_list_sanitizer
+
+            # we want these to be class methods on ActionView::Base, they'll get mattr_readers for these below.
+            helper_def = [:sanitized_protocol_separator, :sanitized_uri_attributes, :sanitized_bad_tags, :sanitized_allowed_tags,
+                :sanitized_allowed_attributes, :sanitized_allowed_css_properties, :sanitized_allowed_css_keywords,
+                :sanitized_shorthand_css_properties, :sanitized_allowed_protocols, :sanitized_protocol_separator=].collect! do |prop|
+              prop = prop.to_s
+              "def #{prop}(#{:value if prop =~ /=$/}) white_list_sanitizer.#{prop.sub /sanitized_/, ''} #{:value if prop =~ /=$/} end"
+            end.join("\n")
+            eval helper_def
+          end
+        end
+        
+        # Gets the HTML::FullSanitizer instance used by strip_tags.  Replace with
+        # any object that responds to #sanitize
+        #
+        #   Rails::Initializer.run do |config|
+        #     config.action_view.full_sanitizer = MySpecialSanitizer.new
+        #   end
+        #
+        def full_sanitizer
+          @full_sanitizer ||= HTML::FullSanitizer.new
+        end
+
+        # Gets the HTML::LinkSanitizer instance used by strip_links.  Replace with
+        # any object that responds to #sanitize
+        #
+        #   Rails::Initializer.run do |config|
+        #     config.action_view.link_sanitizer = MySpecialSanitizer.new
+        #   end
+        #
+        def link_sanitizer
+          @link_sanitizer ||= HTML::LinkSanitizer.new
+        end
+
+        # Gets the HTML::WhiteListSanitizer instance used by sanitize and sanitize_css.
+        # Replace with any object that responds to #sanitize
+        #
+        #   Rails::Initializer.run do |config|
+        #     config.action_view.white_list_sanitizer = MySpecialSanitizer.new
+        #   end
+        #
+        def white_list_sanitizer
+          @white_list_sanitizer ||= HTML::WhiteListSanitizer.new
+        end
+
+        # Adds valid HTML attributes that the #sanitize helper checks for URIs.
+        #
+        #   Rails::Initializer.run do |config|
+        #     config.action_view.sanitized_uri_attributes = 'lowsrc', 'target'
+        #   end
+        #
+        def sanitized_uri_attributes=(attributes)
+          HTML::WhiteListSanitizer.uri_attributes.merge(attributes)
+        end
+
+        # Adds to the Set of 'bad' tags for the #sanitize helper.
+        #
+        #   Rails::Initializer.run do |config|
+        #     config.action_view.sanitized_bad_tags = 'embed', 'object'
+        #   end
+        #
+        def sanitized_bad_tags=(attributes)
+          HTML::WhiteListSanitizer.bad_tags.merge(attributes)
+        end
+        # Adds to the Set of allowed tags for the #sanitize helper.
+        #
+        #   Rails::Initializer.run do |config|
+        #     config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
+        #   end
+        #
+        def sanitized_allowed_tags=(attributes)
+          HTML::WhiteListSanitizer.allowed_tags.merge(attributes)
+        end
+
+        # Adds to the Set of allowed html attributes for the #sanitize helper.
+        #
+        #   Rails::Initializer.run do |config|
+        #     config.action_view.sanitized_allowed_attributes = 'onclick', 'longdesc'
+        #   end
+        #
+        def sanitized_allowed_attributes=(attributes)
+          HTML::WhiteListSanitizer.allowed_attributes.merge(attributes)
+        end
+
+        # Adds to the Set of allowed css properties for the #sanitize and #sanitize_css heleprs.
+        #
+        #   Rails::Initializer.run do |config|
+        #     config.action_view.sanitized_allowed_css_properties = 'expression'
+        #   end
+        #
+        def sanitized_allowed_css_properties=(attributes)
+          HTML::WhiteListSanitizer.allowed_css_properties.merge(attributes)
+        end
+
+        # Adds to the Set of allowed css keywords for the #sanitize and #sanitize_css helpers.
+        #
+        #   Rails::Initializer.run do |config|
+        #     config.action_view.sanitized_allowed_css_keywords = 'expression'
+        #   end
+        #
+        def sanitized_allowed_css_keywords=(attributes)
+          HTML::WhiteListSanitizer.allowed_css_keywords.merge(attributes)
+        end
+
+        # Adds to the Set of allowed shorthand css properties for the #sanitize and #sanitize_css helpers.
+        #
+        #   Rails::Initializer.run do |config|
+        #     config.action_view.sanitized_shorthand_css_properties = 'expression'
+        #   end
+        #
+        def sanitized_shorthand_css_properties=(attributes)
+          HTML::WhiteListSanitizer.shorthand_css_properties.merge(attributes)
+        end
+
+        # Adds to the Set of allowed protocols for the #sanitize helper.
+        #
+        #   Rails::Initializer.run do |config|
+        #     config.action_view.sanitized_allowed_protocols = 'ssh', 'feed'
+        #   end
+        #
+        def sanitized_allowed_protocols=(attributes)
+          HTML::WhiteListSanitizer.allowed_protocols.merge(attributes)
+        end
+      end
+    end
+  end
+end

data/lib/action_view/helpers/scriptaculous_helper.rb

@@ -1,4 +1,4 @@
-require File.dirname(__FILE__) + '/javascript_helper'
+require 'action_view/helpers/javascript_helper'
 
 module ActionView
   module Helpers
@@ -30,7 +30,7 @@ module ActionView
       # variable in the generated JavaScript execution context. This can be 
       # used for example with drop_receiving_element:
       #
-      #   <%= drop_receving_element (...), :loading => visual_effect(:fade) %>
+      #   <%= drop_receiving_element (...), :loading => visual_effect(:fade) %>
       #
       # This would fade the element that was dropped on the drop receiving 
       # element.
@@ -50,6 +50,10 @@ module ActionView
           "'#{js_options[:queue]}'"
         end if js_options[:queue]
         
+        [:endcolor, :direction, :startcolor, :scaleMode, :restorecolor].each do |option|
+          js_options[option] = "'#{js_options[option]}'" if js_options[option]
+        end
+
         if TOGGLE_EFFECTS.include? name.to_sym
           "Effect.toggle(#{element},'#{name.to_s.gsub(/^toggle_/,'')}',#{options_for_javascript(js_options)});"
         else
@@ -72,10 +76,65 @@ module ActionView
       # Important: For this to work, the sortable elements must have id
       # attributes in the form "string_identifier". For example, "item_1". Only
       # the identifier part of the id attribute will be serialized.
+      # 
+      # Additional +options+ are:
       #
+      # <tt>:format</tt>::               A regular expression to determine what to send
+      #                                  as the serialized id to the server (the default
+      #                                  is <tt>/^[^_]*_(.*)$/</tt>).
+      #                                  
+      # <tt>:constraint</tt>::           Whether to constrain the dragging to either <tt>:horizontal</tt>
+      #                                  or <tt>:vertical</tt> (or false to make it unconstrained).
+      #                                   
+      # <tt>:overlap</tt>::              Calculate the item overlap in the <tt>:horizontal</tt> or 
+      #                                  <tt>:vertical</tt> direction.
+      #                                   
+      # <tt>:tag</tt>::                  Which children of the container element to treat as
+      #                                  sortable (default is <tt>li</tt>).
+      #                                  
+      # <tt>:containment</tt>::          Takes an element or array of elements to treat as
+      #                                  potential drop targets (defaults to the original
+      #                                  target element).
+      #                                  
+      # <tt>:only</tt>::                 A CSS class name or arry of class names used to filter
+      #                                  out child elements as candidates.
+      #                                  
+      # <tt>:scroll</tt>::               Determines whether to scroll the list during drag
+      #                                  operationsif the list runs past the visual border.
+      #                                  
+      # <tt>:tree</tt>::                 Determines whether to treat nested lists as part of the
+      #                                  main sortable list. This means that you can create multi-
+      #                                  layer lists, and not only sort items at the same level,
+      #                                  but drag and sort items between levels.
+      #                                  
+      # <tt>:hoverclass</tt>::           If set, the Droppable will have this additional CSS class
+      #                                  when an accepted Draggable is hovered over it.                         
+      #                                 
+      # <tt>:handle</tt>::               Sets whether the element should only be draggable by an
+      #                                  embedded handle. The value may be a string referencing a
+      #                                  CSS class value (as of script.aculo.us V1.5). The first
+      #                                  child/grandchild/etc. element found within the element
+      #                                  that has this CSS class value will be used as the handle.
       #
-      # You can change the behaviour with various options, see
-      # http://script.aculo.us for more documentation.
+      # <tt>:ghosting</tt>::             Clones the element and drags the clone, leaving the original
+      #                                  in place until the clone is dropped (defaut is <tt>false</tt>).
+      #       
+      # <tt>:dropOnEmpty</tt>::          If set to true, the Sortable container will be made into
+      #                                  a Droppable, that can receive a Draggable (as according to
+      #                                  the containment rules) as a child element when there are no
+      #                                  more elements inside (defaut is <tt>false</tt>).
+      #       
+      # <tt>:onChange</tt>::             Called whenever the sort order changes while dragging. When
+      #                                  dragging from one Sortable to another, the callback is
+      #                                  called once on each Sortable. Gets the affected element as
+      #                                  its parameter.
+      #                                 
+      # <tt>:onUpdate</tt>::             Called when the drag ends and the Sortable's order is
+      #                                  changed in any way. When dragging from one Sortable to
+      #                                  another, the callback is called once on each Sortable. Gets
+      #                                  the container as its parameter.
+      #                                                                                         
+      # See http://script.aculo.us for more documentation.
       def sortable_element(element_id, options = {})
         javascript_tag(sortable_element_js(element_id, options).chop!)
       end

data/lib/action_view/helpers/tag_helper.rb

@@ -3,33 +3,55 @@ require 'erb'
 
 module ActionView
   module Helpers #:nodoc:
-    # Use these methods to generate HTML tags programmatically when you can't use
+    # Provides methods to generate HTML tags programmatically when you can't use
     # a Builder. By default, they output XHTML compliant tags.
     module TagHelper
       include ERB::Util
 
+      BOOLEAN_ATTRIBUTES = Set.new(%w(disabled readonly multiple))
+
       # Returns an empty HTML tag of type +name+ which by default is XHTML 
-      # compliant. Setting +open+ to true will create an open tag compatible 
+      # compliant. Set +open+ to true to create an open tag compatible 
       # with HTML 4.0 and below. Add HTML attributes by passing an attributes 
-      # hash to +options+. For attributes with no value like (disabled and 
-      # readonly), give it a value of true in the +options+ hash. You can use
+      # hash to +options+. Set +escape+ to false to disable attribute value
+      # escaping.
+      #
+      # ==== Options
+      # The +options+ hash is used with attributes with no value like (<tt>disabled</tt> and 
+      # <tt>readonly</tt>), which you can give a value of true in the +options+ hash. You can use
       # symbols or strings for the attribute names.
       #
+      # ==== Examples
       #   tag("br")
-      #    # => <br />
+      #   # => <br />
+      #
       #   tag("br", nil, true)
-      #    # => <br>
+      #   # => <br>
+      #
       #   tag("input", { :type => 'text', :disabled => true }) 
-      #    # => <input type="text" disabled="disabled" />
-      def tag(name, options = nil, open = false)
-        "<#{name}#{tag_options(options) if options}" + (open ? ">" : " />")
+      #   # => <input type="text" disabled="disabled" />
+      #
+      #   tag("img", { :src => "open & shut.png" })
+      #   # => <img src="open &amp; shut.png" />
+      #
+      #   tag("img", { :src => "open &amp; shut.png" }, false, false)
+      #   # => <img src="open &amp; shut.png" />
+      def tag(name, options = nil, open = false, escape = true)
+        "<#{name}#{tag_options(options, escape) if options}" + (open ? ">" : " />")
       end
 
       # Returns an HTML block tag of type +name+ surrounding the +content+. Add
-      # HTML attributes by passing an attributes hash to +options+. For attributes 
-      # with no value like (disabled and readonly), give it a value of true in 
-      # the +options+ hash. You can use symbols or strings for the attribute names.
+      # HTML attributes by passing an attributes hash to +options+. 
+      # Instead of passing the content as an argument, you can also use a block
+      # in which case, you pass your +options+ as the second parameter.
+      # Set escape to false to disable attribute value escaping.
       #
+      # ==== Options
+      # The +options+ hash is used with attributes with no value like (<tt>disabled</tt> and 
+      # <tt>readonly</tt>), which you can give a value of true in the +options+ hash. You can use
+      # symbols or strings for the attribute names.
+      #
+      # ==== Examples
       #   content_tag(:p, "Hello world!")
       #    # => <p>Hello world!</p>
       #   content_tag(:div, content_tag(:p, "Hello world!"), :class => "strong")
@@ -37,21 +59,19 @@ module ActionView
       #   content_tag("select", options, :multiple => true)
       #    # => <select multiple="multiple">...options...</select>
       #
-      # Instead of passing the content as an argument, you can also use a block
-      # in which case, you pass your +options+ as the second parameter.
-      #
       #   <% content_tag :div, :class => "strong" do -%>
       #     Hello world!
       #   <% end -%>
       #    # => <div class="strong"><p>Hello world!</p></div>
-      def content_tag(name, content_or_options_with_block = nil, options = nil, &block)
+      def content_tag(name, content_or_options_with_block = nil, options = nil, escape = true, &block)
         if block_given?
           options = content_or_options_with_block if content_or_options_with_block.is_a?(Hash)
           content = capture(&block)
-          concat(content_tag_string(name, content, options), block.binding)
+          content_tag = content_tag_string(name, content, options, escape)
+          block_is_within_action_view?(block) ? concat(content_tag, block.binding) : content_tag
         else
           content = content_or_options_with_block
-          content_tag_string(name, content, options)
+          content_tag_string(name, content, options, escape)
         end
       end
 
@@ -60,43 +80,53 @@ module ActionView
       # otherwise be recognized as markup. CDATA sections begin with the string
       # <tt><![CDATA[</tt> and end with (and may not contain) the string <tt>]]></tt>.
       #
+      # ==== Examples
       #   cdata_section("<hello world>")
-      #    # => <![CDATA[<hello world>]]>
+      #   # => <![CDATA[<hello world>]]>
+      #
+      #   cdata_section(File.read("hello_world.txt"))
+      #   # => <![CDATA[<hello from a text file]]>
       def cdata_section(content)
         "<![CDATA[#{content}]]>"
       end
 
-      # Returns the escaped +html+ without affecting existing escaped entities.
+      # Returns an escaped version of +html+ without affecting existing escaped entities.
       #
+      # ==== Examples
       #   escape_once("1 > 2 &amp; 3")
-      #    # => "1 &lt; 2 &amp; 3"
+      #   # => "1 &lt; 2 &amp; 3"
+      #
+      #   escape_once("&lt;&lt; Accept & Checkout")
+      #   # => "&lt;&lt; Accept &amp; Checkout"
       def escape_once(html)
-        fix_double_escape(html_escape(html.to_s))
+        html.to_s.gsub(/[\"><]|&(?!([a-zA-Z]+|(#\d+));)/) { |special| ERB::Util::HTML_ESCAPE[special] }
       end
 
       private
-        def content_tag_string(name, content, options)
-          tag_options = options ? tag_options(options) : ""
+        def content_tag_string(name, content, options, escape = true)
+          tag_options = tag_options(options, escape) if options
           "<#{name}#{tag_options}>#{content}</#{name}>"
         end
-      
-        def tag_options(options)
-          cleaned_options = convert_booleans(options.stringify_keys.reject {|key, value| value.nil?})
-          ' ' + cleaned_options.map {|key, value| %(#{key}="#{escape_once(value)}")}.sort * ' ' unless cleaned_options.empty?
-        end
 
-        def convert_booleans(options)
-          %w( disabled readonly multiple ).each { |a| boolean_attribute(options, a) }
-          options
+        def tag_options(options, escape = true)
+          unless options.blank?
+            attrs = []
+            if escape
+              options.each do |key, value|
+                next unless value
+                key = key.to_s
+                value = BOOLEAN_ATTRIBUTES.include?(key) ? key : escape_once(value)
+                attrs << %(#{key}="#{value}")
+              end
+            else
+              attrs = options.map { |key, value| %(#{key}="#{value}") }
+            end
+            " #{attrs.sort * ' '}" unless attrs.empty?
+          end
         end
 
-        def boolean_attribute(options, attribute)
-          options[attribute] ? options[attribute] = attribute : options.delete(attribute)
-        end
-        
-        # Fix double-escaped entities, such as &amp;amp;, &amp;#123;, etc.
-        def fix_double_escape(escaped)
-          escaped.gsub(/&amp;([a-z]+|(#\d+));/i) { "&#{$1};" }
+        def block_is_within_action_view?(block)
+          eval("defined? _erbout", block.binding)
         end
     end
   end