actionpack 3.0.0.beta4 → 3.0.0.rc

data/lib/action_view/helpers/prototype_helper.rb

@@ -1,9 +1,9 @@
 require 'set'
 require 'active_support/json'
-require 'active_support/core_ext/object/returning'
 require 'active_support/core_ext/object/blank'
 
 module ActionView
+  # = Action View Prototype Helpers
   module Helpers
     # Prototype[http://www.prototypejs.org/] is a JavaScript library that provides
     # DOM[http://en.wikipedia.org/wiki/Document_Object_Model] manipulation,
@@ -94,17 +94,15 @@ module ActionView
     # See JavaScriptGenerator for information on updating multiple elements
     # on the page in an Ajax response.
     module PrototypeHelper
-      unless const_defined? :CALLBACKS
-        CALLBACKS    = Set.new([ :create, :uninitialized, :loading, :loaded,
-                         :interactive, :complete, :failure, :success ] +
-                         (100..599).to_a)
-        AJAX_OPTIONS = Set.new([ :before, :after, :condition, :url,
-                         :asynchronous, :method, :insertion, :position,
-                         :form, :with, :update, :script, :type ]).merge(CALLBACKS)
-      end
+      CALLBACKS    = Set.new([ :create, :uninitialized, :loading, :loaded,
+                       :interactive, :complete, :failure, :success ] +
+                       (100..599).to_a)
+      AJAX_OPTIONS = Set.new([ :before, :after, :condition, :url,
+                       :asynchronous, :method, :insertion, :position,
+                       :form, :with, :update, :script, :type ]).merge(CALLBACKS)
 
       # Returns the JavaScript needed for a remote function.
-      # Takes the same arguments as link_to_remote.
+      # See the link_to_remote documentation at http://github.com/rails/prototype_legacy_helper as it takes the same arguments.
       #
       # Example:
       #   # Generates: <select id="options" onchange="new Ajax.Updater('options',
@@ -133,7 +131,7 @@ module ActionView
 
         url_options = options[:url]
         url_options = url_options.merge(:escape => false) if url_options.is_a?(Hash)
-        function << "'#{escape_javascript(url_for(url_options))}'"
+        function << "'#{html_escape(escape_javascript(url_for(url_options)))}'"
         function << ", #{javascript_options})"
 
         function = "#{options[:before]}; #{function}" if options[:before]
@@ -141,7 +139,7 @@ module ActionView
         function = "if (#{options[:condition]}) { #{function}; }" if options[:condition]
         function = "if (confirm('#{escape_javascript(options[:confirm])}')) { #{function}; }" if options[:confirm]
 
-        return function
+        return function.html_safe
       end
 
       # All the methods were moved to GeneratorMethods so that
@@ -229,7 +227,7 @@ module ActionView
         # <script> tag.
         module GeneratorMethods
           def to_s #:nodoc:
-            returning javascript = @lines * $/ do
+            (@lines * $/).tap do |javascript|
               if ActionView::Base.debug_rjs
                 source = javascript.dup
                 javascript.replace "try {\n#{source}\n} catch (e) "
@@ -531,9 +529,9 @@ module ActionView
             end
 
             def record(line)
-              returning line = "#{line.to_s.chomp.gsub(/\;\z/, '')};" do
-                self << line
-              end
+              line = "#{line.to_s.chomp.gsub(/\;\z/, '')};"
+              self << line
+              line
             end
 
             def render(*options)

data/lib/action_view/helpers/raw_output_helper.rb

@@ -1,6 +1,15 @@
 module ActionView #:nodoc:
+  # = Action View Raw Output Helper
   module Helpers #:nodoc:
     module RawOutputHelper
+      # This method outputs without escaping a string. Since escaping tags is 
+      # now default, this can be used when you don't want Rails to automatically
+      # escape tags. This is not recommended if the data is coming from the user's
+      # input.
+      #
+      # For example:
+      #
+      # <%=raw @user.name %>
       def raw(stringish)
         stringish.to_s.html_safe
       end

data/lib/action_view/helpers/record_tag_helper.rb

@@ -1,6 +1,11 @@
+require 'action_controller/record_identifier'
+
 module ActionView
+  # = Action View Record Tag Helpers
   module Helpers
     module RecordTagHelper
+      include ActionController::RecordIdentifier
+
       # Produces a wrapper DIV element with id and class parameters that
       # relate to the specified Active Record object. Usage example:
       #

data/lib/action_view/helpers/sanitize_helper.rb

@@ -2,19 +2,25 @@ require 'action_controller/vendor/html-scanner'
 require 'action_view/helpers/tag_helper'
 
 module ActionView
+  # = Action View Sanitize Helpers
   module Helpers #:nodoc:
     # The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements.
-    # These helper methods extend ActionView making them callable within your template files.
+    # These helper methods extend Action View making them callable within your template files.
     module SanitizeHelper
-      # This +sanitize+ helper will html encode all tags and strip all attributes that aren't specifically allowed.
-      # It also strips href/src tags with invalid protocols, like javascript: especially.  It does its best to counter any
-      # tricks that hackers may use, like throwing in unicode/ascii/hex values to get past the javascript: filters.  Check out
+      # This +sanitize+ helper will html encode all tags and strip all attributes that 
+      # aren't specifically allowed.
+      #
+      # It also strips href/src tags with invalid protocols, like javascript: especially.
+      # It does its best to counter any  tricks that hackers may use, like throwing in
+      # unicode/ascii/hex values to get past the javascript: filters.  Check out
       # the extensive test suite.
       #
       #   <%= sanitize @article.body %>
       #
-      # You can add or remove tags/attributes if you want to customize it a bit.  See ActionView::Base for full docs on the
-      # available options.  You can add tags/attributes for single uses of +sanitize+ by passing either the <tt>:attributes</tt> or <tt>:tags</tt> options:
+      # You can add or remove tags/attributes if you want to customize it a bit.
+      # See ActionView::Base for full docs on the available options.  You can add
+      # tags/attributes for single uses of +sanitize+ by passing either the 
+      # <tt>:attributes</tt> or <tt>:tags</tt> options:
       #
       # Normal Use
       #
@@ -26,13 +32,13 @@ module ActionView
       #
       # Add table tags to the default allowed tags
       #
-      #   Rails::Initializer.run do |config|
+      #   class Application < Rails::Application
       #     config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
       #   end
       #
       # Remove tags to the default allowed tags
       #
-      #   Rails::Initializer.run do |config|
+      #   class Application < Rails::Application
       #     config.after_initialize do
       #       ActionView::Base.sanitized_allowed_tags.delete 'div'
       #     end
@@ -40,7 +46,7 @@ module ActionView
       #
       # Change allowed default attributes
       #
-      #   Rails::Initializer.run do |config|
+      #   class Application < Rails::Application
       #     config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style'
       #   end
       #
@@ -137,7 +143,7 @@ module ActionView
         # Gets the HTML::FullSanitizer instance used by +strip_tags+.  Replace with
         # any object that responds to +sanitize+.
         #
-        #   Rails::Initializer.run do |config|
+        #   class Application < Rails::Application
         #     config.action_view.full_sanitizer = MySpecialSanitizer.new
         #   end
         #
@@ -148,7 +154,7 @@ module ActionView
         # Gets the HTML::LinkSanitizer instance used by +strip_links+.  Replace with
         # any object that responds to +sanitize+.
         #
-        #   Rails::Initializer.run do |config|
+        #   class Application < Rails::Application
         #     config.action_view.link_sanitizer = MySpecialSanitizer.new
         #   end
         #
@@ -159,7 +165,7 @@ module ActionView
         # Gets the HTML::WhiteListSanitizer instance used by sanitize and +sanitize_css+.
         # Replace with any object that responds to +sanitize+.
         #
-        #   Rails::Initializer.run do |config|
+        #   class Application < Rails::Application
         #     config.action_view.white_list_sanitizer = MySpecialSanitizer.new
         #   end
         #
@@ -169,7 +175,7 @@ module ActionView
 
         # Adds valid HTML attributes that the +sanitize+ helper checks for URIs.
         #
-        #   Rails::Initializer.run do |config|
+        #   class Application < Rails::Application
         #     config.action_view.sanitized_uri_attributes = 'lowsrc', 'target'
         #   end
         #
@@ -179,7 +185,7 @@ module ActionView
 
         # Adds to the Set of 'bad' tags for the +sanitize+ helper.
         #
-        #   Rails::Initializer.run do |config|
+        #   class Application < Rails::Application
         #     config.action_view.sanitized_bad_tags = 'embed', 'object'
         #   end
         #
@@ -189,7 +195,7 @@ module ActionView
 
         # Adds to the Set of allowed tags for the +sanitize+ helper.
         #
-        #   Rails::Initializer.run do |config|
+        #   class Application < Rails::Application
         #     config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
         #   end
         #
@@ -199,7 +205,7 @@ module ActionView
 
         # Adds to the Set of allowed HTML attributes for the +sanitize+ helper.
         #
-        #   Rails::Initializer.run do |config|
+        #   class Application < Rails::Application
         #     config.action_view.sanitized_allowed_attributes = 'onclick', 'longdesc'
         #   end
         #
@@ -209,7 +215,7 @@ module ActionView
 
         # Adds to the Set of allowed CSS properties for the #sanitize and +sanitize_css+ helpers.
         #
-        #   Rails::Initializer.run do |config|
+        #   class Application < Rails::Application
         #     config.action_view.sanitized_allowed_css_properties = 'expression'
         #   end
         #
@@ -219,7 +225,7 @@ module ActionView
 
         # Adds to the Set of allowed CSS keywords for the +sanitize+ and +sanitize_css+ helpers.
         #
-        #   Rails::Initializer.run do |config|
+        #   class Application < Rails::Application
         #     config.action_view.sanitized_allowed_css_keywords = 'expression'
         #   end
         #
@@ -229,7 +235,7 @@ module ActionView
 
         # Adds to the Set of allowed shorthand CSS properties for the +sanitize+ and +sanitize_css+ helpers.
         #
-        #   Rails::Initializer.run do |config|
+        #   class Application < Rails::Application
         #     config.action_view.sanitized_shorthand_css_properties = 'expression'
         #   end
         #
@@ -239,7 +245,7 @@ module ActionView
 
         # Adds to the Set of allowed protocols for the +sanitize+ helper.
         #
-        #   Rails::Initializer.run do |config|
+        #   class Application < Rails::Application
         #     config.action_view.sanitized_allowed_protocols = 'ssh', 'feed'
         #   end
         #

data/lib/action_view/helpers/scriptaculous_helper.rb

@@ -2,9 +2,11 @@ require 'action_view/helpers/javascript_helper'
 require 'active_support/json'
 
 module ActionView
+  # = Action View Scriptaculous Helpers
   module Helpers
-    # Provides a set of helpers for calling Scriptaculous JavaScript
-    # functions, including those which create Ajax controls and visual effects.
+    # Provides a set of helpers for calling Scriptaculous[http://script.aculo.us/]
+    # JavaScript functions, including those which create Ajax controls and visual
+    # effects.
     #
     # To be able to use these helpers, you must include the Prototype
     # JavaScript framework and the Scriptaculous JavaScript library in your
@@ -12,12 +14,11 @@ module ActionView
     # for more information on including the necessary JavaScript.
     #
     # The Scriptaculous helpers' behavior can be tweaked with various options.
+    #
     # See the documentation at http://script.aculo.us for more information on
     # using these helpers in your application.
     module ScriptaculousHelper
-      unless const_defined? :TOGGLE_EFFECTS
-        TOGGLE_EFFECTS = [:toggle_appear, :toggle_slide, :toggle_blind]
-      end
+      TOGGLE_EFFECTS = [:toggle_appear, :toggle_slide, :toggle_blind]
 
       # Returns a JavaScript snippet to be used on the Ajax callbacks for
       # starting visual effects.

data/lib/action_view/helpers/tag_helper.rb

@@ -2,6 +2,7 @@ require 'active_support/core_ext/object/blank'
 require 'set'
 
 module ActionView
+  # = Action View Tag Helpers
   module Helpers #:nodoc:
     # Provides methods to generate HTML tags programmatically when you can't use
     # a Builder. By default, they output XHTML compliant tags.
@@ -121,7 +122,7 @@ module ActionView
                 attrs << %(#{key}="#{key}") if value
               elsif !value.nil?
                 final_value = value.is_a?(Array) ? value.join(" ") : value
-                final_value = escape_once(final_value) if escape
+                final_value = html_escape(final_value) if escape
                 attrs << %(#{key}="#{final_value}")
               end
             end

data/lib/action_view/helpers/text_helper.rb

@@ -3,10 +3,11 @@ require 'active_support/core_ext/string/filters'
 require 'action_view/helpers/tag_helper'
 
 module ActionView
+  # = Action View Text Helpers
   module Helpers #:nodoc:
     # The TextHelper module provides a set of methods for filtering, formatting
     # and transforming strings, which can reduce the amount of inline Ruby code in
-    # your views. These helper methods extend ActionView making them callable
+    # your views. These helper methods extend Action View making them callable
     # within your template files.
     module TextHelper
       # The preferred method of outputting text in your views is to use the
@@ -40,6 +41,10 @@ module ActionView
       #
       # Pass a <tt>:separator</tt> to truncate +text+ at a natural break.
       #
+      # The result is not marked as HTML-safe, so will be subject to the default escaping when
+      # used in views, unless wrapped by <tt>raw()</tt>. Care should be taken if +text+ contains HTML tags
+      # or entities, because truncation may produce invalid HTML (such as unbalanced or incomplete tags).
+      #
       # ==== Examples
       #
       #   truncate("Once upon a time in a world far far away")
@@ -48,33 +53,16 @@ module ActionView
       #   truncate("Once upon a time in a world far far away", :length => 17)
       #   # => "Once upon a ti..."
       #
-      #   truncate("Once upon a time in a world far far away", :lenght => 17, :separator => ' ')
+      #   truncate("Once upon a time in a world far far away", :length => 17, :separator => ' ')
       #   # => "Once upon a..."
       #
       #   truncate("And they found that many people were sleeping better.", :length => 25, :omission => '... (continued)')
       #   # => "And they f... (continued)"
       #
-      # You can still use <tt>truncate</tt> with the old API that accepts the
-      # +length+ as its optional second and the +ellipsis+ as its
-      # optional third parameter:
-      #   truncate("Once upon a time in a world far far away", 14)
-      #   # => "Once upon a..."
-      #
-      #   truncate("And they found that many people were sleeping better.", 25, "... (continued)")
-      #   # => "And they f... (continued)"
-      def truncate(text, *args)
-        options = args.extract_options!
-        unless args.empty?
-          ActiveSupport::Deprecation.warn('truncate takes an option hash instead of separate ' +
-            'length and omission arguments', caller)
-
-          options[:length] = args[0] || 30
-          options[:omission] = args[1] || "..."
-        end
-
+      #   truncate("<p>Once upon a time in a world far far away</p>")
+      #   # => "<p>Once upon a time in a wo..."
+      def truncate(text, options = {})
         options.reverse_merge!(:length => 30)
-
-        text = sanitize(text) unless text.html_safe? || options[:safe]
         text.truncate(options.delete(:length), options) if text
       end
 
@@ -106,13 +94,13 @@ module ActionView
         end
         options.reverse_merge!(:highlighter => '<strong class="highlight">\1</strong>')
 
-        text = sanitize(text) unless text.html_safe? || options[:safe]
+        text = sanitize(text) unless options[:sanitize] == false
         if text.blank? || phrases.blank?
           text
         else
           match = Array(phrases).map { |p| Regexp.escape(p) }.join('|')
           text.gsub(/(#{match})(?!(?:[^<]*?)(?:["'])[^<>]*>)/i, options[:highlighter])
-        end
+        end.html_safe
       end
 
       # Extracts an excerpt from +text+ that matches the first instance of +phrase+.
@@ -220,89 +208,6 @@ module ActionView
         end * "\n"
       end
 
-      # Returns the text with all the Textile[http://www.textism.com/tools/textile] codes turned into HTML tags.
-      #
-      # You can learn more about Textile's syntax at its website[http://www.textism.com/tools/textile].
-      # <i>This method is only available if RedCloth[http://redcloth.org/] is available</i>.
-      #
-      # ==== Examples
-      #   textilize("*This is Textile!*  Rejoice!")
-      #   # => "<p><strong>This is Textile!</strong>  Rejoice!</p>"
-      #
-      #   textilize("I _love_ ROR(Ruby on Rails)!")
-      #   # => "<p>I <em>love</em> <acronym title="Ruby on Rails">ROR</acronym>!</p>"
-      #
-      #   textilize("h2. Textile makes markup -easy- simple!")
-      #   # => "<h2>Textile makes markup <del>easy</del> simple!</h2>"
-      #
-      #   textilize("Visit the Rails website "here":http://www.rubyonrails.org/.)
-      #   # => "<p>Visit the Rails website <a href="http://www.rubyonrails.org/">here</a>.</p>"
-      #
-      #   textilize("This is worded <strong>strongly</strong>")
-      #   # => "<p>This is worded <strong>strongly</strong></p>"
-      #
-      #   textilize("This is worded <strong>strongly</strong>", :filter_html)
-      #   # => "<p>This is worded &lt;strong&gt;strongly&lt;/strong&gt;</p>"
-      #
-      def textilize(text, *options)
-        options ||= [:hard_breaks]
-        text = sanitize(text) unless text.html_safe? || options.delete(:safe)
-
-        if text.blank?
-          ""
-        else
-          textilized = RedCloth.new(text, options)
-          textilized.to_html
-        end.html_safe
-      end
-
-      # Returns the text with all the Textile codes turned into HTML tags,
-      # but without the bounding <p> tag that RedCloth adds.
-      #
-      # You can learn more about Textile's syntax at its website[http://www.textism.com/tools/textile].
-      # <i>This method is only available if RedCloth[http://redcloth.org/] is available</i>.
-      #
-      # ==== Examples
-      #   textilize_without_paragraph("*This is Textile!*  Rejoice!")
-      #   # => "<strong>This is Textile!</strong>  Rejoice!"
-      #
-      #   textilize_without_paragraph("I _love_ ROR(Ruby on Rails)!")
-      #   # => "I <em>love</em> <acronym title="Ruby on Rails">ROR</acronym>!"
-      #
-      #   textilize_without_paragraph("h2. Textile makes markup -easy- simple!")
-      #   # => "<h2>Textile makes markup <del>easy</del> simple!</h2>"
-      #
-      #   textilize_without_paragraph("Visit the Rails website "here":http://www.rubyonrails.org/.)
-      #   # => "Visit the Rails website <a href="http://www.rubyonrails.org/">here</a>."
-      def textilize_without_paragraph(text, *options)
-        textiled = textilize(text, *options)
-        if textiled[0..2] == "<p>" then textiled = textiled[3..-1] end
-        if textiled[-4..-1] == "</p>" then textiled = textiled[0..-5] end
-        return textiled
-      end
-
-      # Returns the text with all the Markdown codes turned into HTML tags.
-      # <i>This method requires BlueCloth[http://www.deveiate.org/projects/BlueCloth]
-      # to be available</i>.
-      #
-      # ==== Examples
-      #   markdown("We are using __Markdown__ now!")
-      #   # => "<p>We are using <strong>Markdown</strong> now!</p>"
-      #
-      #   markdown("We like to _write_ `code`, not just _read_ it!")
-      #   # => "<p>We like to <em>write</em> <code>code</code>, not just <em>read</em> it!</p>"
-      #
-      #   markdown("The [Markdown website](http://daringfireball.net/projects/markdown/) has more information.")
-      #   # => "<p>The <a href="http://daringfireball.net/projects/markdown/">Markdown website</a>
-      #   #     has more information.</p>"
-      #
-      #   markdown('![The ROR logo](http://rubyonrails.com/images/rails.png "Ruby on Rails")')
-      #   # => '<p><img src="http://rubyonrails.com/images/rails.png" alt="The ROR logo" title="Ruby on Rails" /></p>'
-      def markdown(text, *options)
-        text = sanitize(text) unless text.html_safe? || options.delete(:safe)
-        (text.blank? ? "" : BlueCloth.new(text).to_html).html_safe
-      end
-
       # Returns +text+ transformed into HTML using simple formatting rules.
       # Two or more consecutive newlines(<tt>\n\n</tt>) are considered as a
       # paragraph and wrapped in <tt><p></tt> tags. One newline (<tt>\n</tt>) is
@@ -325,9 +230,9 @@ module ActionView
       #   simple_format("Look ma! A class!", :class => 'description')
       #   # => "<p class='description'>Look ma! A class!</p>"
       def simple_format(text, html_options={}, options={})
-        text = '' if text.nil?
+        text = ''.html_safe if text.nil?
         start_tag = tag('p', html_options, true)
-        text = sanitize(text) unless text.html_safe? || options[:safe]
+        text = sanitize(text) unless options[:sanitize] == false
         text.gsub!(/\r\n?/, "\n")                    # \r\n and \r -> \n
         text.gsub!(/\n\n+/, "</p>\n\n#{start_tag}")  # 2+ newline  -> paragraph
         text.gsub!(/([^\n]\n)(?=[^\n])/, '\1<br />') # 1 newline   -> br
@@ -571,7 +476,11 @@ module ActionView
               link_text = block_given?? yield(href) : href
               href = 'http://' + href unless scheme
 
-              content_tag(:a, link_text, link_attributes.merge('href' => href), !(options[:safe] || text.html_safe?)) + punctuation.reverse.join('')
+              unless options[:sanitize] == false
+                link_text = sanitize(link_text)
+                href      = sanitize(href)
+              end
+              content_tag(:a, link_text, link_attributes.merge('href' => href), !!options[:sanitize]) + punctuation.reverse.join('')
             end
           end.html_safe
         end
@@ -586,7 +495,11 @@ module ActionView
               text.html_safe
             else
               display_text = (block_given?) ? yield(text) : text
-              display_text = sanitize(display_text) unless options[:safe]
+
+              unless options[:sanitize] == false
+                text         = sanitize(text)
+                display_text = sanitize(display_text) unless text == display_text
+              end
               mail_to text, display_text, html_options
             end
           end