actionpack 3.0.20 → 3.1.0.beta1

data/lib/action_view/helpers/form_options_helper.rb

@@ -2,6 +2,7 @@ require 'cgi'
 require 'erb'
 require 'action_view/helpers/form_helper'
 require 'active_support/core_ext/object/blank'
+require 'active_support/core_ext/string/output_safety'
 
 module ActionView
   # = Action View Form Option Helpers
@@ -100,7 +101,6 @@ module ActionView
     #
     module FormOptionsHelper
       # ERB::Util can mask some helpers like textilize. Make sure to include them.
-      include ERB::Util
       include TextHelper
 
       # Create a select tag and a series of contained option tags for the provided object and method.
@@ -247,7 +247,7 @@ module ActionView
       #
       #   time_zone_select( "user", 'time_zone', /Australia/)
       #
-      #   time_zone_select( "user", "time_zone", ActiveSupport::Timezone.all.sort, :model => ActiveSupport::Timezone)
+      #   time_zone_select( "user", "time_zone", ActiveSupport::TimeZone.all.sort, :model => ActiveSupport::TimeZone)
       def time_zone_select(object, method, priority_zones = nil, options = {}, html_options = {})
         InstanceTag.new(object, method, self,  options.delete(:object)).to_time_zone_select_tag(priority_zones, options, html_options)
       end
@@ -297,17 +297,16 @@ module ActionView
       def options_for_select(container, selected = nil)
         return container if String === container
 
-        container = container.to_a if Hash === container
         selected, disabled = extract_selected_and_disabled(selected).map do | r |
-           Array.wrap(r).map { |item| item.to_s }
+           Array.wrap(r).map(&:to_s)
         end
 
         container.map do |element|
           html_attributes = option_html_attributes(element)
-          text, value = option_text_and_value(element).map { |item| item.to_s }
+          text, value = option_text_and_value(element).map(&:to_s)
           selected_attribute = ' selected="selected"' if option_value_selected?(value, selected)
           disabled_attribute = ' disabled="disabled"' if disabled && option_value_selected?(value, disabled)
-          %(<option value="#{html_escape(value)}"#{selected_attribute}#{disabled_attribute}#{html_attributes}>#{html_escape(text)}</option>)
+          %(<option value="#{ERB::Util.html_escape(value)}"#{selected_attribute}#{disabled_attribute}#{html_attributes}>#{ERB::Util.html_escape(text)}</option>)
         end.join("\n").html_safe
 
       end
@@ -397,7 +396,7 @@ module ActionView
       def option_groups_from_collection_for_select(collection, group_method, group_label_method, option_key_method, option_value_method, selected_key = nil)
         collection.map do |group|
           group_label_string = eval("group.#{group_label_method}")
-          "<optgroup label=\"#{html_escape(group_label_string)}\">" +
+          "<optgroup label=\"#{ERB::Util.html_escape(group_label_string)}\">" +
             options_from_collection_for_select(eval("group.#{group_method}"), option_key_method, option_value_method, selected_key) +
             '</optgroup>'
         end.join.html_safe
@@ -502,7 +501,7 @@ module ActionView
           return "" unless Array === element
           html_attributes = []
           element.select { |e| Hash === e }.reduce({}, :merge).each do |k, v|
-            html_attributes << " #{k}=\"#{html_escape(v.to_s)}\""
+            html_attributes << " #{k}=\"#{ERB::Util.html_escape(v.to_s)}\""
           end
           html_attributes.join
         end
@@ -596,13 +595,13 @@ module ActionView
       private
         def add_options(option_tags, options, value = nil)
           if options[:include_blank]
-            option_tags = content_tag('option', options[:include_blank].kind_of?(String) ? options[:include_blank] : nil, :value => '') + "\n" + option_tags
+            option_tags = "<option value=\"\">#{ERB::Util.html_escape(options[:include_blank]) if options[:include_blank].kind_of?(String)}</option>\n" + option_tags
           end
           if value.blank? && options[:prompt]
             prompt = options[:prompt].kind_of?(String) ? options[:prompt] : I18n.translate('helpers.select.prompt', :default => 'Please select')
-            option_tags = content_tag('option', prompt, :value => '') + "\n" + option_tags
+            option_tags = "<option value=\"\">#{ERB::Util.html_escape(prompt)}</option>\n" + option_tags
           end
-          option_tags
+          option_tags.html_safe
         end
     end
 

data/lib/action_view/helpers/form_tag_helper.rb

@@ -1,6 +1,7 @@
 require 'cgi'
 require 'action_view/helpers/tag_helper'
 require 'active_support/core_ext/object/blank'
+require 'active_support/core_ext/string/output_safety'
 
 module ActionView
   # = Action View Form Tag Helpers
@@ -24,6 +25,9 @@ module ActionView
       # * <tt>:method</tt> - The method to use when submitting the form, usually either "get" or "post".
       #   If "put", "delete", or another verb is used, a hidden input with name <tt>_method</tt>
       #   is added to simulate the verb over post.
+      # * <tt>:authenticity_token</tt> - Authenticity token to use in the form. Use only if you need to
+      #   pass custom authenticity token string, or to not add authenticity_token field at all
+      #   (by passing <tt>false</tt>).
       # * A list of parameters to feed to the URL the form will be posted to.
       # * <tt>:remote</tt> - If set to true, will allow the Unobtrusive JavaScript drivers to control the
       #   submit behaviour. By default this behaviour is an ajax submit.
@@ -46,8 +50,14 @@ module ActionView
       #  <%= form_tag('/posts', :remote => true) %>
       #   # => <form action="/posts" method="post" data-remote="true">
       #
-      def form_tag(url_for_options = {}, options = {}, &block)
-        html_options = html_options_for_form(url_for_options, options)
+      #   form_tag('http://far.away.com/form', :authenticity_token => false)
+      #   # form without authenticity token
+      #
+      #   form_tag('http://far.away.com/form', :authenticity_token => "cf50faa3fe97702ca1ae")
+      #   # form with custom authenticity token
+      #
+      def form_tag(url_for_options = {}, options = {}, *parameters_for_url, &block)
+        html_options = html_options_for_form(url_for_options, options, *parameters_for_url)
         if block_given?
           form_tag_in_block(html_options, &block)
         else
@@ -64,6 +74,8 @@ module ActionView
       # ==== Options
       # * <tt>:multiple</tt> - If set to true the selection will allow multiple choices.
       # * <tt>:disabled</tt> - If set to true, the user will not be able to use this input.
+      # * <tt>:include_blank</tt> - If set to true, an empty option will be create
+      # * <tt>:prompt</tt> - Create a prompt option with blank value and the text asking user to select something
       # * Any other key creates standard HTML attributes for the tag.
       #
       # ==== Examples
@@ -89,22 +101,26 @@ module ActionView
       #   # => <select class="form_input" id="access" multiple="multiple" name="access[]"><option>Read</option>
       #   #    <option>Write</option></select>
       #
+      #   select_tag "people", options_from_collection_for_select(@people, "id", "name"), :include_blank => true
+      #   # => <select id="people" name="people"><option value=""></option><option value="1">David</option></select>
+      #
+      #   select_tag "people", options_from_collection_for_select(@people, "id", "name"), :prompt => "Select something"
+      #   # => <select id="people" name="people"><option value="">Select something</option><option value="1">David</option></select>
+      #
       #   select_tag "destination", "<option>NYC</option><option>Paris</option><option>Rome</option>", :disabled => true
       #   # => <select disabled="disabled" id="destination" name="destination"><option>NYC</option>
       #   #    <option>Paris</option><option>Rome</option></select>
       def select_tag(name, option_tags = nil, options = {})
-        if Array === option_tags
-          ActiveSupport::Deprecation.warn 'Passing an array of option_tags to select_tag implicitly joins them without marking them as HTML-safe. Pass option_tags.join.html_safe instead.', caller
+        html_name = (options[:multiple] == true && !name.to_s.ends_with?("[]")) ? "#{name}[]" : name
+
+        if options.delete(:include_blank)
+          option_tags = "<option value=\"\"></option>".html_safe + option_tags
         end
 
-        html_name = (options[:multiple] == true && !name.to_s.ends_with?("[]")) ? "#{name}[]" : name
-        if blank = options.delete(:include_blank)
-          if blank.kind_of?(String)
-            option_tags = content_tag(:option, blank, :value => '').safe_concat(option_tags)
-          else
-            option_tags = content_tag(:option, '', :value => '').safe_concat(option_tags)
-          end
+        if prompt = options.delete(:prompt)
+          option_tags = "<option value=\"\">#{prompt}</option>".html_safe + option_tags
         end
+
         content_tag :select, option_tags, { "name" => html_name, "id" => sanitize_to_id(name) }.update(options.stringify_keys)
       end
 
@@ -295,7 +311,7 @@ module ActionView
         end
 
         escape = options.key?("escape") ? options.delete("escape") : true
-        content = html_escape(content) if escape
+        content = ERB::Util.html_escape(content) if escape
 
         content_tag :textarea, content.to_s.html_safe, { "name" => name, "id" => sanitize_to_id(name) }.update(options)
       end
@@ -398,12 +414,65 @@ module ActionView
         end
 
         if confirm = options.delete("confirm")
-          add_confirm_to_attributes!(options, confirm)
+          options["data-confirm"] = confirm
         end
 
         tag :input, { "type" => "submit", "name" => "commit", "value" => value }.update(options.stringify_keys)
       end
 
+      # Creates a button element that defines a <tt>submit</tt> button,
+      # <tt>reset</tt>button or a generic button which can be used in
+      # JavaScript, for example. You can use the button tag as a regular
+      # submit tag but it isn't supported in legacy browsers. However,
+      # the button tag allows richer labels such as images and emphasis,
+      # so this helper will also accept a block.
+      #
+      # ==== Options
+      # * <tt>:confirm => 'question?'</tt> - If present, the
+      #   unobtrusive JavaScript drivers will provide a prompt with
+      #   the question specified. If the user accepts, the form is
+      #   processed normally, otherwise no action is taken.
+      # * <tt>:disabled</tt> - If true, the user will not be able to
+      #   use this input.
+      # * <tt>:disable_with</tt> - Value of this parameter will be
+      #   used as the value for a disabled version of the submit
+      #   button when the form is submitted. This feature is provided
+      #   by the unobtrusive JavaScript driver.
+      # * Any other key creates standard HTML options for the tag.
+      #
+      # ==== Examples
+      #   button_tag
+      #   # => <button name="button" type="submit">Button</button>
+      #
+      #   button_tag(:type => 'button') do
+      #     content_tag(:strong, 'Ask me!')
+      #   end
+      #   # => <button name="button" type="button">
+      #          <strong>Ask me!</strong>
+      #        </button>
+      #
+      #   button_tag "Checkout", :disable_with => "Please wait..."
+      #   # => <button data-disable-with="Please wait..." name="button"
+      #                type="submit">Checkout</button>
+      #
+      def button_tag(content_or_options = nil, options = nil, &block)
+        options = content_or_options if block_given? && content_or_options.is_a?(Hash)
+        options ||= {}
+        options.stringify_keys!
+
+        if disable_with = options.delete("disable_with")
+          options["data-disable-with"] = disable_with
+        end
+
+        if confirm = options.delete("confirm")
+          options["data-confirm"] = confirm
+        end
+
+        options.reverse_merge! 'name' => 'button', 'type' => 'submit'
+
+        content_tag :button, content_or_options || 'Button', options, &block
+      end
+
       # Displays an image which when clicked will submit the form.
       #
       # <tt>source</tt> is passed to AssetTagHelper#path_to_image
@@ -431,7 +500,7 @@ module ActionView
         options.stringify_keys!
 
         if confirm = options.delete("confirm")
-          add_confirm_to_attributes!(options, confirm)
+          options["data-confirm"] = confirm
         end
 
         tag :input, { "type" => "image", "src" => path_to_image(source) }.update(options.stringify_keys)
@@ -529,14 +598,15 @@ module ActionView
       end
 
       private
-        def html_options_for_form(url_for_options, options)
+        def html_options_for_form(url_for_options, options, *parameters_for_url)
           options.stringify_keys.tap do |html_options|
             html_options["enctype"] = "multipart/form-data" if html_options.delete("multipart")
             # The following URL is unescaped, this is just a hash of options, and it is the
-            # responsability of the caller to escape all the values.
-            html_options["action"]  = url_for(url_for_options)
+            # responsibility of the caller to escape all the values.
+            html_options["action"]  = url_for(url_for_options, *parameters_for_url)
             html_options["accept-charset"] = "UTF-8"
             html_options["data-remote"] = true if html_options.delete("remote")
+            html_options["authenticity_token"] = html_options.delete("authenticity_token") if html_options.has_key?("authenticity_token")
           end
         end
 
@@ -544,6 +614,7 @@ module ActionView
           snowman_tag = tag(:input, :type => "hidden",
                             :name => "utf8", :value => "&#x2713;".html_safe)
 
+          authenticity_token = html_options.delete("authenticity_token")
           method = html_options.delete("method").to_s
 
           method_tag = case method
@@ -552,10 +623,10 @@ module ActionView
               ''
             when /^post$/i, "", nil
               html_options["method"] = "post"
-              token_tag
+              token_tag(authenticity_token)
             else
               html_options["method"] = "post"
-              tag(:input, :type => "hidden", :name => "_method", :value => method) + token_tag
+              tag(:input, :type => "hidden", :name => "_method", :value => method) + token_tag(authenticity_token)
           end
 
           tags = snowman_tag << method_tag
@@ -575,11 +646,12 @@ module ActionView
           output.safe_concat("</form>")
         end
 
-        def token_tag
-          unless protect_against_forgery?
+        def token_tag(token)
+          if token == false || !protect_against_forgery?
             ''
           else
-            tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => form_authenticity_token)
+            token = form_authenticity_token if token.nil?
+            tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => token)
           end
         end
 

data/lib/action_view/helpers/javascript_helper.rb

@@ -1,42 +1,8 @@
 require 'action_view/helpers/tag_helper'
 
 module ActionView
-  # = Action View JavaScript Helpers
   module Helpers
-    # Provides functionality for working with JavaScript in your views.
-    #
-    # == Ajax, controls and visual effects
-    #
-    # * For information on using Ajax, see
-    #   ActionView::Helpers::PrototypeHelper.
-    # * For information on using controls and visual effects, see
-    #   ActionView::Helpers::ScriptaculousHelper.
-    #
-    # == Including the JavaScript libraries into your pages
-    #
-    # Rails includes the Prototype JavaScript framework and the Scriptaculous
-    # JavaScript controls and visual effects library.  If you wish to use
-    # these libraries and their helpers (ActionView::Helpers::PrototypeHelper
-    # and ActionView::Helpers::ScriptaculousHelper), you must do one of the
-    # following:
-    #
-    # * Use <tt><%= javascript_include_tag :defaults %></tt> in the HEAD
-    #   section of your page (recommended): This function will return
-    #   references to the JavaScript files created by the +rails+ command in
-    #   your <tt>public/javascripts</tt> directory. Using it is recommended as
-    #   the browser can then cache the libraries instead of fetching all the
-    #   functions anew on every request.
-    # * Use <tt><%= javascript_include_tag 'prototype' %></tt>: As above, but
-    #   will only include the Prototype core library, which means you are able
-    #   to use all basic AJAX functionality. For the Scriptaculous-based
-    #   JavaScript helpers, like visual effects, autocompletion, drag and drop
-    #   and so on, you should use the method described above.
-    #
-    # For documentation on +javascript_include_tag+ see
-    # ActionView::Helpers::AssetTagHelper.
     module JavaScriptHelper
-      include PrototypeHelper
-
       JS_ESCAPE_MAP = {
         '\\'    => '\\\\',
         '</'    => '<\/',
@@ -47,15 +13,19 @@ module ActionView
         "'"     => "\\'" }
 
       # Escape carrier returns and single and double quotes for JavaScript segments.
+      # Also available through the alias j(). This is particularly helpful in JavaScript responses, like:
+      #
+      #   $('some_element').replaceWith('<%=j render 'some/element_template' %>');
       def escape_javascript(javascript)
         if javascript
-          result = javascript.gsub(/(\\|<\/|\r\n|[\n\r"'])/) {|match| JS_ESCAPE_MAP[match] }
-          javascript.html_safe? ? result.html_safe : result
+          javascript.gsub(/(\\|<\/|\r\n|[\n\r"'])/) { JS_ESCAPE_MAP[$1] }
         else
           ''
         end
       end
 
+      alias_method :j, :escape_javascript
+
       # Returns a JavaScript tag with the +content+ inside. Example:
       #   javascript_tag "alert('All is good')"
       #
@@ -66,8 +36,8 @@ module ActionView
       #   //]]>
       #   </script>
       #
-      # +html_options+ may be a hash of attributes for the <tt>\<script></tt> tag.
-      # Example:
+      # +html_options+ may be a hash of attributes for the <tt>\<script></tt>
+      # tag. Example:
       #   javascript_tag "alert('All is good')", :defer => 'defer'
       #   # => <script defer="defer" type="text/javascript">alert('All is good')</script>
       #
@@ -92,87 +62,34 @@ module ActionView
         "\n//#{cdata_section("\n#{content}\n//")}\n".html_safe
       end
 
-      # Returns a button with the given +name+ text that'll trigger a JavaScript +function+ using the
-      # onclick handler.
-      #
-      # The first argument +name+ is used as the button's value or display text.
+      # Returns a button whose +onclick+ handler triggers the passed JavaScript.
       #
-      # The next arguments are optional and may include the javascript function definition and a hash of html_options.
+      # The helper receives a name, JavaScript code, and an optional hash of HTML options. The
+      # name is used as button label and the JavaScript code goes into its +onclick+ attribute.
+      # If +html_options+ has an <tt>:onclick</tt>, that one is put before +function+.
       #
-      # The +function+ argument can be omitted in favor of an +update_page+
-      # block, which evaluates to a string when the template is rendered
-      # (instead of making an Ajax request first).
+      #   button_to_function "Greeting", "alert('Hello world!')", :class => "ok"
+      #   # => <input class="ok" onclick="alert('Hello world!');" type="button" value="Greeting" />
       #
-      # The +html_options+ will accept a hash of html attributes for the link tag. Some examples are :class => "nav_button", :id => "articles_nav_button"
-      #
-      # Note: if you choose to specify the javascript function in a block, but would like to pass html_options, set the +function+ parameter to nil
-      #
-      # Examples:
-      #   button_to_function "Greeting", "alert('Hello world!')"
-      #   button_to_function "Delete", "if (confirm('Really?')) do_delete()"
-      #   button_to_function "Details" do |page|
-      #     page[:details].visual_effect :toggle_slide
-      #   end
-      #   button_to_function "Details", :class => "details_button" do |page|
-      #     page[:details].visual_effect :toggle_slide
-      #   end
-      def button_to_function(name, *args, &block)
-        html_options = args.extract_options!.symbolize_keys
-
-        function = block_given? ? update_page(&block) : args[0] || ''
+      def button_to_function(name, function=nil, html_options={})
         onclick = "#{"#{html_options[:onclick]}; " if html_options[:onclick]}#{function};"
 
         tag(:input, html_options.merge(:type => 'button', :value => name, :onclick => onclick))
       end
 
-      # Returns a link of the given +name+ that will trigger a JavaScript +function+ using the
-      # onclick handler and return false after the fact.
+      # Returns a link whose +onclick+ handler triggers the passed JavaScript.
       #
-      # The first argument +name+ is used as the link text.
+      # The helper receives a name, JavaScript code, and an optional hash of HTML options. The
+      # name is used as the link text and the JavaScript code goes into the +onclick+ attribute.
+      # If +html_options+ has an <tt>:onclick</tt>, that one is put before +function+. Once all
+      # the JavaScript is set, the helper appends "; return false;".
       #
-      # The next arguments are optional and may include the javascript function definition and a hash of html_options.
+      # The +href+ attribute of the tag is set to "#" unles +html_options+ has one.
       #
-      # The +function+ argument can be omitted in favor of an +update_page+
-      # block, which evaluates to a string when the template is rendered
-      # (instead of making an Ajax request first).
+      #   link_to_function "Greeting", "alert('Hello world!')", :class => "nav_link"
+      #   # => <a class="nav_link" href="#" onclick="alert('Hello world!'); return false;">Greeting</a>
       #
-      # The +html_options+ will accept a hash of html attributes for the link tag. Some examples are :class => "nav_button", :id => "articles_nav_button"
-      #
-      # Note: if you choose to specify the javascript function in a block, but would like to pass html_options, set the +function+ parameter to nil
-      #
-      #
-      # Examples:
-      #   link_to_function "Greeting", "alert('Hello world!')"
-      #     Produces:
-      #       <a onclick="alert('Hello world!'); return false;" href="#">Greeting</a>
-      #
-      #   link_to_function(image_tag("delete"), "if (confirm('Really?')) do_delete()")
-      #     Produces:
-      #       <a onclick="if (confirm('Really?')) do_delete(); return false;" href="#">
-      #         <img src="/images/delete.png?" alt="Delete"/>
-      #       </a>
-      #
-      #   link_to_function("Show me more", nil, :id => "more_link") do |page|
-      #     page[:details].visual_effect  :toggle_blind
-      #     page[:more_link].replace_html "Show me less"
-      #   end
-      #     Produces:
-      #       <a href="#" id="more_link" onclick="try {
-      #         $(&quot;details&quot;).visualEffect(&quot;toggle_blind&quot;);
-      #         $(&quot;more_link&quot;).update(&quot;Show me less&quot;);
-      #       }
-      #       catch (e) {
-      #         alert('RJS error:\n\n' + e.toString());
-      #         alert('$(\&quot;details\&quot;).visualEffect(\&quot;toggle_blind\&quot;);
-      #         \n$(\&quot;more_link\&quot;).update(\&quot;Show me less\&quot;);');
-      #         throw e
-      #       };
-      #       return false;">Show me more</a>
-      #
-      def link_to_function(name, *args, &block)
-        html_options = args.extract_options!.symbolize_keys
-
-        function = block_given? ? update_page(&block) : args[0] || ''
+      def link_to_function(name, function, html_options={})
         onclick = "#{"#{html_options[:onclick]}; " if html_options[:onclick]}#{function}; return false;"
         href = html_options[:href] || '#'