actionpack 2.3.4 → 2.3.5

data/lib/action_controller/test_case.rb

@@ -105,6 +105,11 @@ module ActionController
   class TestCase < ActiveSupport::TestCase
     include TestProcess
 
+    def initialize(*args)
+      super
+      @controller = nil
+    end
+
     module Assertions
       %w(response selector tag dom routing model).each do |kind|
         include ActionController::Assertions.const_get("#{kind.camelize}Assertions")
@@ -195,7 +200,7 @@ module ActionController
         @controller.send(:initialize_current_url)
       end
     end
-    
+
     # Cause the action to be rescued according to the regular rules for rescue_action when the visitor is not local
     def rescue_action_in_public!
       @request.remote_addr = '208.77.188.166' # example.com

data/lib/action_controller/test_process.rb

@@ -91,7 +91,7 @@ module ActionController #:nodoc:
       @path || super()
     end
 
-    def assign_parameters(controller_path, action, parameters)
+    def assign_parameters(controller_path, action, parameters = {})
       parameters = parameters.symbolize_keys.merge(:controller => controller_path, :action => action)
       extra_keys = ActionController::Routing::Routes.extra_keys(parameters)
       non_path_parameters = get? ? query_parameters : request_parameters

data/lib/action_controller/translation.rb

@@ -1,12 +1,12 @@
 module ActionController
   module Translation
     def translate(*args)
-      I18n.translate *args
+      I18n.translate(*args)
     end
     alias :t :translate
 
     def localize(*args)
-      I18n.localize *args
+      I18n.localize(*args)
     end
     alias :l :localize
   end

data/lib/action_controller/uploaded_file.rb

@@ -3,14 +3,14 @@ module ActionController
     def self.included(base)
       base.class_eval do
         attr_accessor :original_path, :content_type
-        alias_method :local_path, :path
+        alias_method :local_path, :path if method_defined?(:path)
       end
     end
 
     def self.extended(object)
       object.class_eval do
         attr_accessor :original_path, :content_type
-        alias_method :local_path, :path
+        alias_method :local_path, :path if method_defined?(:path)
       end
     end
 

data/lib/action_controller/vendor/html-scanner/html/node.rb

@@ -162,7 +162,7 @@ module HTML #:nodoc:
           end
           
           closing = ( scanner.scan(/\//) ? :close : nil )
-          return Text.new(parent, line, pos, content) unless name = scanner.scan(/[\w:-]+/)
+          return Text.new(parent, line, pos, content) unless name = scanner.scan(/[-:\w\x00-\x09\x0b-\x0c\x0e-\x1f]+/)
           name.downcase!
   
           unless closing

data/lib/action_pack/version.rb

@@ -2,7 +2,7 @@ module ActionPack #:nodoc:
   module VERSION #:nodoc:
     MAJOR = 2
     MINOR = 3
-    TINY  = 4
+    TINY  = 5
 
     STRING = [MAJOR, MINOR, TINY].join('.')
   end

data/lib/action_view.rb

@@ -49,10 +49,10 @@ module ActionView
   autoload :TemplateHandler, 'action_view/template_handler'
   autoload :TemplateHandlers, 'action_view/template_handlers'
   autoload :Helpers, 'action_view/helpers'
+  autoload :SafeBuffer, 'action_view/safe_buffer'
 end
 
-class ERB
-  autoload :Util, 'action_view/erb/util'
-end
+require 'action_view/erb/util'
+
 
 I18n.load_path << "#{File.dirname(__FILE__)}/action_view/locale/en.yml"

data/lib/action_view/base.rb

@@ -187,13 +187,18 @@ module ActionView #:nodoc:
     @@cache_template_loading = nil
     cattr_accessor :cache_template_loading
 
+    # :nodoc:
+    def self.xss_safe?
+      false
+    end
+
     def self.cache_template_loading?
       ActionController::Base.allow_concurrency || (cache_template_loading.nil? ? !ActiveSupport::Dependencies.load? : cache_template_loading)
     end
 
     attr_internal :request
 
-    delegate :request_forgery_protection_token, :template, :params, :session, :cookies, :response, :headers,
+    delegate :request_forgery_protection_token, :params, :session, :cookies, :response, :headers,
              :flash, :logger, :action_name, :controller_name, :to => :controller
 
     module CompiledTemplates #:nodoc:

data/lib/action_view/erb/util.rb

@@ -18,6 +18,12 @@ class ERB
       s.to_s.gsub(/[&"><]/) { |special| HTML_ESCAPE[special] }
     end
 
+    undef :h
+    alias h html_escape
+
+    module_function :html_escape
+    module_function :h
+
     # A utility method for escaping HTML entities in JSON strings.
     # This method is also aliased as <tt>j</tt>.
     #

data/lib/action_view/helpers.rb

@@ -14,6 +14,7 @@ module ActionView #:nodoc:
     autoload :JavaScriptHelper, 'action_view/helpers/javascript_helper'
     autoload :NumberHelper, 'action_view/helpers/number_helper'
     autoload :PrototypeHelper, 'action_view/helpers/prototype_helper'
+    autoload :RawOutputHelper, 'action_view/helpers/raw_output_helper'
     autoload :RecordIdentificationHelper, 'action_view/helpers/record_identification_helper'
     autoload :RecordTagHelper, 'action_view/helpers/record_tag_helper'
     autoload :SanitizeHelper, 'action_view/helpers/sanitize_helper'
@@ -45,6 +46,7 @@ module ActionView #:nodoc:
     include JavaScriptHelper
     include NumberHelper
     include PrototypeHelper
+    include RawOutputHelper
     include RecordIdentificationHelper
     include RecordTagHelper
     include SanitizeHelper

data/lib/action_view/helpers/active_record_helper.rb

@@ -3,7 +3,7 @@ require 'action_view/helpers/form_helper'
 
 module ActionView
   class Base
-    @@field_error_proc = Proc.new{ |html_tag, instance| "<div class=\"fieldWithErrors\">#{html_tag}</div>" }
+    @@field_error_proc = Proc.new{ |html_tag, instance| "<div class=\"fieldWithErrors\">#{html_tag}</div>".html_safe! }
     cattr_accessor :field_error_proc
   end
 
@@ -171,7 +171,7 @@ module ActionView
         options = params.extract_options!.symbolize_keys
 
         if object = options.delete(:object)
-          objects = [object].flatten
+          objects = Array.wrap(object)
         else
           objects = params.collect {|object_name| instance_variable_get("@#{object_name}") }.compact
         end
@@ -290,7 +290,7 @@ module ActionView
       end
 
       def error_wrapping(html_tag, has_error)
-        has_error ? Base.field_error_proc.call(html_tag, self) : html_tag
+        has_error ? Base.field_error_proc.call(html_tag, self).html_safe! : html_tag
       end
 
       def error_message

data/lib/action_view/helpers/asset_tag_helper.rb

@@ -285,7 +285,7 @@ module ActionView
           end
           javascript_src_tag(joined_javascript_name, options)
         else
-          expand_javascript_sources(sources, recursive).collect { |source| javascript_src_tag(source, options) }.join("\n")
+          expand_javascript_sources(sources, recursive).collect { |source| javascript_src_tag(source, options) }.join("\n").html_safe!
         end
       end
 
@@ -434,7 +434,7 @@ module ActionView
           end
           stylesheet_tag(joined_stylesheet_name, options)
         else
-          expand_stylesheet_sources(sources, recursive).collect { |source| stylesheet_tag(source, options) }.join("\n")
+          expand_stylesheet_sources(sources, recursive).collect { |source| stylesheet_tag(source, options) }.join("\n").html_safe!
         end
       end
 

data/lib/action_view/helpers/capture_helper.rb

@@ -118,13 +118,13 @@ module ActionView
       def content_for(name, content = nil, &block)
         ivar = "@content_for_#{name}"
         content = capture(&block) if block_given?
-        instance_variable_set(ivar, "#{instance_variable_get(ivar)}#{content}")
+        instance_variable_set(ivar, "#{instance_variable_get(ivar)}#{content}".html_safe!)
         nil
       end
 
       # Use an alternate output buffer for the duration of the block.
       # Defaults to a new empty string.
-      def with_output_buffer(buf = '') #:nodoc:
+      def with_output_buffer(buf = "") #:nodoc:
         self.output_buffer, old_buffer = buf, output_buffer
         yield
         output_buffer

data/lib/action_view/helpers/date_helper.rb

@@ -26,8 +26,10 @@ module ActionView
       #   47 hrs, 59 mins, 29 secs <-> 29 days, 23 hrs, 59 mins, 29 secs            # => [2..29] days
       #   29 days, 23 hrs, 59 mins, 30 secs <-> 59 days, 23 hrs, 59 mins, 29 secs   # => about 1 month
       #   59 days, 23 hrs, 59 mins, 30 secs <-> 1 yr minus 1 sec                    # => [2..12] months
-      #   1 yr <-> 2 yrs minus 1 secs                                               # => about 1 year
-      #   2 yrs <-> max time or date                                                # => over [2..X] years
+      #   1 yr <-> 1 yr, 3 months                                                   # => about 1 year
+      #   1 yr, 3 months <-> 1 yr, 9 months                                         # => over 1 year
+      #   1 yr, 9 months <-> 2 yr minus 1 sec                                       # => almost 2 years
+      #   2 yrs <-> max time or date                                                # => (same rules as 1 yr)
       #
       # With <tt>include_seconds</tt> = true and the difference < 1 minute 29 seconds:
       #   0-4   secs      # => less than 5 seconds
@@ -43,17 +45,18 @@ module ActionView
       #   distance_of_time_in_words(from_time, 50.minutes.from_now)           # => about 1 hour
       #   distance_of_time_in_words(from_time, from_time + 15.seconds)        # => less than a minute
       #   distance_of_time_in_words(from_time, from_time + 15.seconds, true)  # => less than 20 seconds
-      #   distance_of_time_in_words(from_time, 3.years.from_now)              # => over 3 years
+      #   distance_of_time_in_words(from_time, 3.years.from_now)              # => about 3 years
       #   distance_of_time_in_words(from_time, from_time + 60.hours)          # => about 3 days
       #   distance_of_time_in_words(from_time, from_time + 45.seconds, true)  # => less than a minute
       #   distance_of_time_in_words(from_time, from_time - 45.seconds, true)  # => less than a minute
       #   distance_of_time_in_words(from_time, 76.seconds.from_now)           # => 1 minute
       #   distance_of_time_in_words(from_time, from_time + 1.year + 3.days)   # => about 1 year
-      #   distance_of_time_in_words(from_time, from_time + 4.years + 9.days + 30.minutes + 5.seconds) # => over 4 years
+      #   distance_of_time_in_words(from_time, from_time + 3.years + 6.months) # => over 3 years
+      #   distance_of_time_in_words(from_time, from_time + 4.years + 9.days + 30.minutes + 5.seconds) # => about 4 years
       #
       #   to_time = Time.now + 6.years + 19.days
-      #   distance_of_time_in_words(from_time, to_time, true)     # => over 6 years
-      #   distance_of_time_in_words(to_time, from_time, true)     # => over 6 years
+      #   distance_of_time_in_words(from_time, to_time, true)     # => about 6 years
+      #   distance_of_time_in_words(to_time, from_time, true)     # => about 6 years
       #   distance_of_time_in_words(Time.now, Time.now)           # => less than a minute
       #
       def distance_of_time_in_words(from_time, to_time = 0, include_seconds = false, options = {})
@@ -81,12 +84,21 @@ module ActionView
             when 2..44           then locale.t :x_minutes,      :count => distance_in_minutes
             when 45..89          then locale.t :about_x_hours,  :count => 1
             when 90..1439        then locale.t :about_x_hours,  :count => (distance_in_minutes.to_f / 60.0).round
-            when 1440..2879      then locale.t :x_days,         :count => 1
-            when 2880..43199     then locale.t :x_days,         :count => (distance_in_minutes / 1440).round
+            when 1440..2529      then locale.t :x_days,         :count => 1
+            when 2530..43199     then locale.t :x_days,         :count => (distance_in_minutes.to_f / 1440.0).round
             when 43200..86399    then locale.t :about_x_months, :count => 1
-            when 86400..525599   then locale.t :x_months,       :count => (distance_in_minutes / 43200).round
-            when 525600..1051199 then locale.t :about_x_years,  :count => 1
-            else                      locale.t :over_x_years,   :count => (distance_in_minutes / 525600).round
+            when 86400..525599   then locale.t :x_months,       :count => (distance_in_minutes.to_f / 43200.0).round
+            else
+              distance_in_years           = distance_in_minutes / 525600
+              minute_offset_for_leap_year = (distance_in_years / 4) * 1440
+              remainder                   = ((distance_in_minutes - minute_offset_for_leap_year) % 525600)
+              if remainder < 131400
+                locale.t(:about_x_years,  :count => distance_in_years)
+              elsif remainder < 394200
+                locale.t(:over_x_years,   :count => distance_in_years)
+              else
+                locale.t(:almost_x_years, :count => distance_in_years + 1)
+              end
           end
         end
       end
@@ -904,15 +916,15 @@ module ActionView
 
     class InstanceTag #:nodoc:
       def to_date_select_tag(options = {}, html_options = {})
-        datetime_selector(options, html_options).select_date
+        datetime_selector(options, html_options).select_date.html_safe!
       end
 
       def to_time_select_tag(options = {}, html_options = {})
-        datetime_selector(options, html_options).select_time
+        datetime_selector(options, html_options).select_time.html_safe!
       end
 
       def to_datetime_select_tag(options = {}, html_options = {})
-        datetime_selector(options, html_options).select_datetime
+        datetime_selector(options, html_options).select_datetime.html_safe!
       end
 
       private
@@ -923,7 +935,7 @@ module ActionView
           options[:field_name]           = @method_name
           options[:include_position]     = true
           options[:prefix]             ||= @object_name
-          options[:index]                = @auto_index if @auto_index && !options.has_key?(:index)
+          options[:index]                = @auto_index if defined?(@auto_index) && @auto_index && !options.has_key?(:index)
           options[:datetime_separator] ||= ' &mdash; '
           options[:time_separator]     ||= ' : '
 

data/lib/action_view/helpers/form_helper.rb

@@ -280,7 +280,7 @@ module ActionView
 
         concat(form_tag(options.delete(:url) || {}, options.delete(:html) || {}))
         fields_for(object_name, *(args << options), &proc)
-        concat('</form>')
+        concat('</form>'.html_safe!)
       end
 
       def apply_form_for_options!(object_or_array, options) #:nodoc:
@@ -445,6 +445,15 @@ module ActionView
       #     <% end %>
       #   <% end %>
       #
+      # Or a collection to be used:
+      #
+      #   <% form_for @person, :url => { :action => "update" } do |person_form| %>
+      #     ...
+      #     <% person_form.fields_for :projects, @active_projects do |project_fields| %>
+      #       Name: <%= project_fields.text_field :name %>
+      #     <% end %>
+      #   <% end %>
+      #
       # When projects is already an association on Person you can use
       # +accepts_nested_attributes_for+ to define the writer method for you:
       #
@@ -788,7 +797,7 @@ module ActionView
         add_default_name_and_id(options)
         hidden = tag("input", "name" => options["name"], "type" => "hidden", "value" => options['disabled'] && checked ? checked_value : unchecked_value)
         checkbox = tag("input", options)
-        hidden + checkbox
+        (hidden + checkbox).html_safe!
       end
 
       def to_boolean_select_tag(options = {})
@@ -930,7 +939,7 @@ module ActionView
         end
       end
 
-      (field_helpers - %w(label check_box radio_button fields_for)).each do |selector|
+      (field_helpers - %w(label check_box radio_button fields_for hidden_field)).each do |selector|
         src = <<-end_src
           def #{selector}(method, options = {})  # def text_field(method, options = {})
             @template.send(                      #   @template.send(
@@ -989,6 +998,11 @@ module ActionView
       def radio_button(method, tag_value, options = {})
         @template.radio_button(@object_name, method, tag_value, objectify_options(options))
       end
+      
+      def hidden_field(method, options = {})
+        @emitted_hidden_id = true if method == :id
+        @template.hidden_field(@object_name, method, objectify_options(options))
+      end
 
       def error_message_on(method, *args)
         @template.error_message_on(@object, method, *args)
@@ -1002,6 +1016,10 @@ module ActionView
         @template.submit_tag(value, options.reverse_merge(:id => "#{object_name}_submit"))
       end
 
+      def emitted_hidden_id?
+        @emitted_hidden_id
+      end
+
       private
         def objectify_options(options)
           @default_options.merge(options.merge(:object => @object))
@@ -1013,18 +1031,21 @@ module ActionView
 
         def fields_for_with_nested_attributes(association_name, args, block)
           name = "#{object_name}[#{association_name}_attributes]"
-          association = @object.send(association_name)
-          explicit_object = args.first if args.first.respond_to?(:new_record?)
+          association = args.first
+
+          if association.respond_to?(:new_record?)
+            association = [association] if @object.send(association_name).is_a?(Array)
+          elsif !association.is_a?(Array)
+            association = @object.send(association_name)
+          end
 
           if association.is_a?(Array)
-            children = explicit_object ? [explicit_object] : association
             explicit_child_index = args.last[:child_index] if args.last.is_a?(Hash)
-
-            children.map do |child|
+            association.map do |child|
               fields_for_nested_model("#{name}[#{explicit_child_index || nested_child_index(name)}]", child, args, block)
             end.join
-          else
-            fields_for_nested_model(name, explicit_object || association, args, block)
+          elsif association
+            fields_for_nested_model(name, association, args, block)
           end
         end
 
@@ -1033,8 +1054,8 @@ module ActionView
             @template.fields_for(name, object, *args, &block)
           else
             @template.fields_for(name, object, *args) do |builder|
-              @template.concat builder.hidden_field(:id)
               block.call(builder)
+              @template.concat builder.hidden_field(:id) unless builder.emitted_hidden_id?
             end
           end
         end

data/lib/action_view/helpers/form_options_helper.rb

@@ -296,7 +296,7 @@ module ActionView
           options << %(<option value="#{html_escape(value.to_s)}"#{selected_attribute}#{disabled_attribute}>#{html_escape(text.to_s)}</option>)
         end
 
-        options_for_select.join("\n")
+        options_for_select.join("\n").html_safe!
       end
 
       # Returns a string of option tags that have been compiled by iterating over the +collection+ and assigning the

data/lib/action_view/helpers/form_tag_helper.rb

@@ -432,7 +432,7 @@ module ActionView
         concat(tag(:fieldset, options, true))
         concat(content_tag(:legend, legend)) unless legend.blank?
         concat(content)
-        concat("</fieldset>")
+        concat("</fieldset>".html_safe!)
       end
 
       private
@@ -459,14 +459,14 @@ module ActionView
 
         def form_tag_html(html_options)
           extra_tags = extra_tags_for_form(html_options)
-          tag(:form, html_options, true) + extra_tags
+          (tag(:form, html_options, true) + extra_tags).html_safe!
         end
 
         def form_tag_in_block(html_options, &block)
           content = capture(&block)
           concat(form_tag_html(html_options))
           concat(content)
-          concat("</form>")
+          concat("</form>".html_safe!)
         end
 
         def token_tag

data/lib/action_view/helpers/number_helper.rb

@@ -246,6 +246,11 @@ module ActionView
       #  number_to_human_size(483989, :precision => 0)                      # => 473 KB
       #  number_to_human_size(1234567, :precision => 2, :separator => ',')  # => 1,18 MB
       #
+      # Zeros after the decimal point are always stripped out, regardless of the
+      # specified precision:
+      #  helper.number_to_human_size(1234567890123, :precision => 5)        # => "1.12283 TB"
+      #  helper.number_to_human_size(524288000, :precision=>5)              # => "500 MB"
+      #
       # You can still use <tt>number_to_human_size</tt> with the old API that accepts the
       # +precision+ as its optional second parameter:
       #  number_to_human_size(1234567, 2)    # => 1.18 MB
@@ -291,7 +296,7 @@ module ActionView
               :precision => precision,
               :separator => separator,
               :delimiter => delimiter
-            ).sub(/(\d)(#{escaped_separator}[1-9]*)?0+\z/, '\1\2').sub(/#{escaped_separator}\z/, '')
+            ).sub(/(#{escaped_separator})(\d*[1-9])?0+\z/, '\1\2').sub(/#{escaped_separator}\z/, '')
             storage_units_format.gsub(/%n/, formatted_number).gsub(/%u/, unit)
           rescue
             number