actionpack 4.0.1 → 4.2.11.1

data/lib/action_view/helpers/record_tag_helper.rb

@@ -1,106 +0,0 @@
-module ActionView
-  # = Action View Record Tag Helpers
-  module Helpers
-    module RecordTagHelper
-      include ActionView::RecordIdentifier
-
-      # Produces a wrapper DIV element with id and class parameters that
-      # relate to the specified Active Record object. Usage example:
-      #
-      #    <%= div_for(@person, class: "foo") do %>
-      #       <%= @person.name %>
-      #    <% end %>
-      #
-      # produces:
-      #
-      #    <div id="person_123" class="person foo"> Joe Bloggs </div>
-      #
-      # You can also pass an array of Active Record objects, which will then
-      # get iterated over and yield each record as an argument for the block.
-      # For example:
-      #
-      #    <%= div_for(@people, class: "foo") do |person| %>
-      #      <%= person.name %>
-      #    <% end %>
-      #
-      # produces:
-      #
-      #    <div id="person_123" class="person foo"> Joe Bloggs </div>
-      #    <div id="person_124" class="person foo"> Jane Bloggs </div>
-      #
-      def div_for(record, *args, &block)
-        content_tag_for(:div, record, *args, &block)
-      end
-
-      # content_tag_for creates an HTML element with id and class parameters
-      # that relate to the specified Active Record object. For example:
-      #
-      #    <%= content_tag_for(:tr, @person) do %>
-      #      <td><%= @person.first_name %></td>
-      #      <td><%= @person.last_name %></td>
-      #    <% end %>
-      #
-      # would produce the following HTML (assuming @person is an instance of
-      # a Person object, with an id value of 123):
-      #
-      #    <tr id="person_123" class="person">....</tr>
-      #
-      # If you require the HTML id attribute to have a prefix, you can specify it:
-      #
-      #    <%= content_tag_for(:tr, @person, :foo) do %> ...
-      #
-      # produces:
-      #
-      #    <tr id="foo_person_123" class="person">...
-      #
-      # You can also pass an array of objects which this method will loop through
-      # and yield the current object to the supplied block, reducing the need for
-      # having to iterate through the object (using <tt>each</tt>) beforehand.
-      # For example (assuming @people is an array of Person objects):
-      #
-      #    <%= content_tag_for(:tr, @people) do |person| %>
-      #      <td><%= person.first_name %></td>
-      #      <td><%= person.last_name %></td>
-      #    <% end %>
-      #
-      # produces:
-      #
-      #    <tr id="person_123" class="person">...</tr>
-      #    <tr id="person_124" class="person">...</tr>
-      #
-      # content_tag_for also accepts a hash of options, which will be converted to
-      # additional HTML attributes. If you specify a <tt>:class</tt> value, it will be combined
-      # with the default class name for your object. For example:
-      #
-      #    <%= content_tag_for(:li, @person, class: "bar") %>...
-      #
-      # produces:
-      #
-      #    <li id="person_123" class="person bar">...
-      #
-      def content_tag_for(tag_name, single_or_multiple_records, prefix = nil, options = nil, &block)
-        options, prefix = prefix, nil if prefix.is_a?(Hash)
-
-        Array(single_or_multiple_records).map do |single_record|
-          content_tag_for_single_record(tag_name, single_record, prefix, options, &block)
-        end.join("\n").html_safe
-      end
-
-      private
-
-        # Called by <tt>content_tag_for</tt> internally to render a content tag
-        # for each record.
-        def content_tag_for_single_record(tag_name, record, prefix, options, &block)
-          options = options ? options.dup : {}
-          options[:class] = [ dom_class(record, prefix), options[:class] ].compact
-          options[:id]    = dom_id(record, prefix)
-
-          if block_given?
-            content_tag(tag_name, capture(record, &block), options)
-          else
-            content_tag(tag_name, "", options)
-          end
-        end
-    end
-  end
-end

data/lib/action_view/helpers/rendering_helper.rb

@@ -1,90 +0,0 @@
-module ActionView
-  module Helpers
-    # = Action View Rendering
-    #
-    # Implements methods that allow rendering from a view context.
-    # In order to use this module, all you need is to implement
-    # view_renderer that returns an ActionView::Renderer object.
-    module RenderingHelper
-      # Returns the result of a render that's dictated by the options hash. The primary options are:
-      #
-      # * <tt>:partial</tt> - See <tt>ActionView::PartialRenderer</tt>.
-      # * <tt>:file</tt> - Renders an explicit template file (this used to be the old default), add :locals to pass in those.
-      # * <tt>:inline</tt> - Renders an inline template similar to how it's done in the controller.
-      # * <tt>:text</tt> - Renders the text passed in out.
-      #
-      # If no options hash is passed or :update specified, the default is to render a partial and use the second parameter
-      # as the locals hash.
-      def render(options = {}, locals = {}, &block)
-        case options
-        when Hash
-          if block_given?
-            view_renderer.render_partial(self, options.merge(:partial => options[:layout]), &block)
-          else
-            view_renderer.render(self, options)
-          end
-        else
-          view_renderer.render_partial(self, :partial => options, :locals => locals)
-        end
-      end
-
-      # Overwrites _layout_for in the context object so it supports the case a block is
-      # passed to a partial. Returns the contents that are yielded to a layout, given a
-      # name or a block.
-      #
-      # You can think of a layout as a method that is called with a block. If the user calls
-      # <tt>yield :some_name</tt>, the block, by default, returns <tt>content_for(:some_name)</tt>.
-      # If the user calls simply +yield+, the default block returns <tt>content_for(:layout)</tt>.
-      #
-      # The user can override this default by passing a block to the layout:
-      #
-      #   # The template
-      #   <%= render layout: "my_layout" do %>
-      #     Content
-      #   <% end %>
-      #
-      #   # The layout
-      #   <html>
-      #     <%= yield %>
-      #   </html>
-      #
-      # In this case, instead of the default block, which would return <tt>content_for(:layout)</tt>,
-      # this method returns the block that was passed in to <tt>render :layout</tt>, and the response
-      # would be
-      #
-      #   <html>
-      #     Content
-      #   </html>
-      #
-      # Finally, the block can take block arguments, which can be passed in by +yield+:
-      #
-      #   # The template
-      #   <%= render layout: "my_layout" do |customer| %>
-      #     Hello <%= customer.name %>
-      #   <% end %>
-      #
-      #   # The layout
-      #   <html>
-      #     <%= yield Struct.new(:name).new("David") %>
-      #   </html>
-      #
-      # In this case, the layout would receive the block passed into <tt>render :layout</tt>,
-      # and the struct specified would be passed into the block as an argument. The result
-      # would be
-      #
-      #   <html>
-      #     Hello David
-      #   </html>
-      #
-      def _layout_for(*args, &block)
-        name = args.first
-
-        if block && !name.is_a?(Symbol)
-          capture(*args, &block)
-        else
-          super
-        end
-      end
-    end
-  end
-end

data/lib/action_view/helpers/sanitize_helper.rb

@@ -1,256 +0,0 @@
-require 'active_support/core_ext/object/try'
-require 'action_view/vendor/html-scanner'
-
-module ActionView
-  # = Action View Sanitize Helpers
-  module Helpers
-    # The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements.
-    # These helper methods extend Action View making them callable within your template files.
-    module SanitizeHelper
-      extend ActiveSupport::Concern
-      # This +sanitize+ helper will html encode all tags and strip all attributes that
-      # aren't specifically allowed.
-      #
-      # It also strips href/src tags with invalid protocols, like javascript: especially.
-      # It does its best to counter any  tricks that hackers may use, like throwing in
-      # unicode/ascii/hex values to get past the javascript: filters. Check out
-      # the extensive test suite.
-      #
-      #   <%= sanitize @article.body %>
-      #
-      # You can add or remove tags/attributes if you want to customize it a bit.
-      # See ActionView::Base for full docs on the available options. You can add
-      # tags/attributes for single uses of +sanitize+ by passing either the
-      # <tt>:attributes</tt> or <tt>:tags</tt> options:
-      #
-      # Normal Use
-      #
-      #   <%= sanitize @article.body %>
-      #
-      # Custom Use (only the mentioned tags and attributes are allowed, nothing else)
-      #
-      #   <%= sanitize @article.body, tags: %w(table tr td), attributes: %w(id class style) %>
-      #
-      # Add table tags to the default allowed tags
-      #
-      #   class Application < Rails::Application
-      #     config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
-      #   end
-      #
-      # Remove tags to the default allowed tags
-      #
-      #   class Application < Rails::Application
-      #     config.after_initialize do
-      #       ActionView::Base.sanitized_allowed_tags.delete 'div'
-      #     end
-      #   end
-      #
-      # Change allowed default attributes
-      #
-      #   class Application < Rails::Application
-      #     config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style'
-      #   end
-      #
-      # Please note that sanitizing user-provided text does not guarantee that the
-      # resulting markup is valid (conforming to a document type) or even well-formed.
-      # The output may still contain e.g. unescaped '<', '>', '&' characters and
-      # confuse browsers.
-      #
-      def sanitize(html, options = {})
-        self.class.white_list_sanitizer.sanitize(html, options).try(:html_safe)
-      end
-
-      # Sanitizes a block of CSS code. Used by +sanitize+ when it comes across a style attribute.
-      def sanitize_css(style)
-        self.class.white_list_sanitizer.sanitize_css(style)
-      end
-
-      # Strips all HTML tags from the +html+, including comments. This uses the
-      # html-scanner tokenizer and so its HTML parsing ability is limited by
-      # that of html-scanner.
-      #
-      #   strip_tags("Strip <i>these</i> tags!")
-      #   # => Strip these tags!
-      #
-      #   strip_tags("<b>Bold</b> no more!  <a href='more.html'>See more here</a>...")
-      #   # => Bold no more!  See more here...
-      #
-      #   strip_tags("<div id='top-bar'>Welcome to my website!</div>")
-      #   # => Welcome to my website!
-      def strip_tags(html)
-        self.class.full_sanitizer.sanitize(html)
-      end
-
-      # Strips all link tags from +text+ leaving just the link text.
-      #
-      #   strip_links('<a href="http://www.rubyonrails.org">Ruby on Rails</a>')
-      #   # => Ruby on Rails
-      #
-      #   strip_links('Please e-mail me at <a href="mailto:me@email.com">me@email.com</a>.')
-      #   # => Please e-mail me at me@email.com.
-      #
-      #   strip_links('Blog: <a href="http://www.myblog.com/" class="nav" target=\"_blank\">Visit</a>.')
-      #   # => Blog: Visit.
-      def strip_links(html)
-        self.class.link_sanitizer.sanitize(html)
-      end
-
-      module ClassMethods #:nodoc:
-        attr_writer :full_sanitizer, :link_sanitizer, :white_list_sanitizer
-
-        def sanitized_protocol_separator
-          white_list_sanitizer.protocol_separator
-        end
-
-        def sanitized_uri_attributes
-          white_list_sanitizer.uri_attributes
-        end
-
-        def sanitized_bad_tags
-          white_list_sanitizer.bad_tags
-        end
-
-        def sanitized_allowed_tags
-          white_list_sanitizer.allowed_tags
-        end
-
-        def sanitized_allowed_attributes
-          white_list_sanitizer.allowed_attributes
-        end
-
-        def sanitized_allowed_css_properties
-          white_list_sanitizer.allowed_css_properties
-        end
-
-        def sanitized_allowed_css_keywords
-          white_list_sanitizer.allowed_css_keywords
-        end
-
-        def sanitized_shorthand_css_properties
-          white_list_sanitizer.shorthand_css_properties
-        end
-
-        def sanitized_allowed_protocols
-          white_list_sanitizer.allowed_protocols
-        end
-
-        def sanitized_protocol_separator=(value)
-          white_list_sanitizer.protocol_separator = value
-        end
-
-        # Gets the HTML::FullSanitizer instance used by +strip_tags+. Replace with
-        # any object that responds to +sanitize+.
-        #
-        #   class Application < Rails::Application
-        #     config.action_view.full_sanitizer = MySpecialSanitizer.new
-        #   end
-        #
-        def full_sanitizer
-          @full_sanitizer ||= HTML::FullSanitizer.new
-        end
-
-        # Gets the HTML::LinkSanitizer instance used by +strip_links+. Replace with
-        # any object that responds to +sanitize+.
-        #
-        #   class Application < Rails::Application
-        #     config.action_view.link_sanitizer = MySpecialSanitizer.new
-        #   end
-        #
-        def link_sanitizer
-          @link_sanitizer ||= HTML::LinkSanitizer.new
-        end
-
-        # Gets the HTML::WhiteListSanitizer instance used by sanitize and +sanitize_css+.
-        # Replace with any object that responds to +sanitize+.
-        #
-        #   class Application < Rails::Application
-        #     config.action_view.white_list_sanitizer = MySpecialSanitizer.new
-        #   end
-        #
-        def white_list_sanitizer
-          @white_list_sanitizer ||= HTML::WhiteListSanitizer.new
-        end
-
-        # Adds valid HTML attributes that the +sanitize+ helper checks for URIs.
-        #
-        #   class Application < Rails::Application
-        #     config.action_view.sanitized_uri_attributes = 'lowsrc', 'target'
-        #   end
-        #
-        def sanitized_uri_attributes=(attributes)
-          HTML::WhiteListSanitizer.uri_attributes.merge(attributes)
-        end
-
-        # Adds to the Set of 'bad' tags for the +sanitize+ helper.
-        #
-        #   class Application < Rails::Application
-        #     config.action_view.sanitized_bad_tags = 'embed', 'object'
-        #   end
-        #
-        def sanitized_bad_tags=(attributes)
-          HTML::WhiteListSanitizer.bad_tags.merge(attributes)
-        end
-
-        # Adds to the Set of allowed tags for the +sanitize+ helper.
-        #
-        #   class Application < Rails::Application
-        #     config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
-        #   end
-        #
-        def sanitized_allowed_tags=(attributes)
-          HTML::WhiteListSanitizer.allowed_tags.merge(attributes)
-        end
-
-        # Adds to the Set of allowed HTML attributes for the +sanitize+ helper.
-        #
-        #   class Application < Rails::Application
-        #     config.action_view.sanitized_allowed_attributes = 'onclick', 'longdesc'
-        #   end
-        #
-        def sanitized_allowed_attributes=(attributes)
-          HTML::WhiteListSanitizer.allowed_attributes.merge(attributes)
-        end
-
-        # Adds to the Set of allowed CSS properties for the #sanitize and +sanitize_css+ helpers.
-        #
-        #   class Application < Rails::Application
-        #     config.action_view.sanitized_allowed_css_properties = 'expression'
-        #   end
-        #
-        def sanitized_allowed_css_properties=(attributes)
-          HTML::WhiteListSanitizer.allowed_css_properties.merge(attributes)
-        end
-
-        # Adds to the Set of allowed CSS keywords for the +sanitize+ and +sanitize_css+ helpers.
-        #
-        #   class Application < Rails::Application
-        #     config.action_view.sanitized_allowed_css_keywords = 'expression'
-        #   end
-        #
-        def sanitized_allowed_css_keywords=(attributes)
-          HTML::WhiteListSanitizer.allowed_css_keywords.merge(attributes)
-        end
-
-        # Adds to the Set of allowed shorthand CSS properties for the +sanitize+ and +sanitize_css+ helpers.
-        #
-        #   class Application < Rails::Application
-        #     config.action_view.sanitized_shorthand_css_properties = 'expression'
-        #   end
-        #
-        def sanitized_shorthand_css_properties=(attributes)
-          HTML::WhiteListSanitizer.shorthand_css_properties.merge(attributes)
-        end
-
-        # Adds to the Set of allowed protocols for the +sanitize+ helper.
-        #
-        #   class Application < Rails::Application
-        #     config.action_view.sanitized_allowed_protocols = 'ssh', 'feed'
-        #   end
-        #
-        def sanitized_allowed_protocols=(attributes)
-          HTML::WhiteListSanitizer.allowed_protocols.merge(attributes)
-        end
-      end
-    end
-  end
-end

data/lib/action_view/helpers/tag_helper.rb

@@ -1,173 +0,0 @@
-require 'active_support/core_ext/string/output_safety'
-require 'set'
-
-module ActionView
-  # = Action View Tag Helpers
-  module Helpers #:nodoc:
-    # Provides methods to generate HTML tags programmatically when you can't use
-    # a Builder. By default, they output XHTML compliant tags.
-    module TagHelper
-      extend ActiveSupport::Concern
-      include CaptureHelper
-
-      BOOLEAN_ATTRIBUTES = %w(disabled readonly multiple checked autobuffer
-                           autoplay controls loop selected hidden scoped async
-                           defer reversed ismap seemless muted required
-                           autofocus novalidate formnovalidate open pubdate itemscope).to_set
-      BOOLEAN_ATTRIBUTES.merge(BOOLEAN_ATTRIBUTES.map {|attribute| attribute.to_sym })
-
-      PRE_CONTENT_STRINGS = {
-        :textarea => "\n"
-      }
-
-      # Returns an empty HTML tag of type +name+ which by default is XHTML
-      # compliant. Set +open+ to true to create an open tag compatible
-      # with HTML 4.0 and below. Add HTML attributes by passing an attributes
-      # hash to +options+. Set +escape+ to false to disable attribute value
-      # escaping.
-      #
-      # ==== Options
-      # You can use symbols or strings for the attribute names.
-      #
-      # Use +true+ with boolean attributes that can render with no value, like
-      # +disabled+ and +readonly+.
-      #
-      # HTML5 <tt>data-*</tt> attributes can be set with a single +data+ key
-      # pointing to a hash of sub-attributes.
-      #
-      # To play nicely with JavaScript conventions sub-attributes are dasherized.
-      # For example, a key +user_id+ would render as <tt>data-user-id</tt> and
-      # thus accessed as <tt>dataset.userId</tt>.
-      #
-      # Values are encoded to JSON, with the exception of strings and symbols.
-      # This may come in handy when using jQuery's HTML5-aware <tt>.data()</tt>
-      # from 1.4.3.
-      #
-      # ==== Examples
-      #   tag("br")
-      #   # => <br />
-      #
-      #   tag("br", nil, true)
-      #   # => <br>
-      #
-      #   tag("input", type: 'text', disabled: true)
-      #   # => <input type="text" disabled="disabled" />
-      #
-      #   tag("img", src: "open & shut.png")
-      #   # => <img src="open &amp; shut.png" />
-      #
-      #   tag("img", {src: "open &amp; shut.png"}, false, false)
-      #   # => <img src="open &amp; shut.png" />
-      #
-      #   tag("div", data: {name: 'Stephen', city_state: %w(Chicago IL)})
-      #   # => <div data-name="Stephen" data-city-state="[&quot;Chicago&quot;,&quot;IL&quot;]" />
-      def tag(name, options = nil, open = false, escape = true)
-        "<#{name}#{tag_options(options, escape) if options}#{open ? ">" : " />"}".html_safe
-      end
-
-      # Returns an HTML block tag of type +name+ surrounding the +content+. Add
-      # HTML attributes by passing an attributes hash to +options+.
-      # Instead of passing the content as an argument, you can also use a block
-      # in which case, you pass your +options+ as the second parameter.
-      # Set escape to false to disable attribute value escaping.
-      #
-      # ==== Options
-      # The +options+ hash is used with attributes with no value like (<tt>disabled</tt> and
-      # <tt>readonly</tt>), which you can give a value of true in the +options+ hash. You can use
-      # symbols or strings for the attribute names.
-      #
-      # ==== Examples
-      #   content_tag(:p, "Hello world!")
-      #    # => <p>Hello world!</p>
-      #   content_tag(:div, content_tag(:p, "Hello world!"), class: "strong")
-      #    # => <div class="strong"><p>Hello world!</p></div>
-      #   content_tag("select", options, multiple: true)
-      #    # => <select multiple="multiple">...options...</select>
-      #
-      #   <%= content_tag :div, class: "strong" do -%>
-      #     Hello world!
-      #   <% end -%>
-      #    # => <div class="strong">Hello world!</div>
-      def content_tag(name, content_or_options_with_block = nil, options = nil, escape = true, &block)
-        if block_given?
-          options = content_or_options_with_block if content_or_options_with_block.is_a?(Hash)
-          content_tag_string(name, capture(&block), options, escape)
-        else
-          content_tag_string(name, content_or_options_with_block, options, escape)
-        end
-      end
-
-      # Returns a CDATA section with the given +content+. CDATA sections
-      # are used to escape blocks of text containing characters which would
-      # otherwise be recognized as markup. CDATA sections begin with the string
-      # <tt><![CDATA[</tt> and end with (and may not contain) the string <tt>]]></tt>.
-      #
-      #   cdata_section("<hello world>")
-      #   # => <![CDATA[<hello world>]]>
-      #
-      #   cdata_section(File.read("hello_world.txt"))
-      #   # => <![CDATA[<hello from a text file]]>
-      #
-      #   cdata_section("hello]]>world")
-      #   # => <![CDATA[hello]]]]><![CDATA[>world]]>
-      def cdata_section(content)
-        splitted = content.gsub(']]>', ']]]]><![CDATA[>')
-        "<![CDATA[#{splitted}]]>".html_safe
-      end
-
-      # Returns an escaped version of +html+ without affecting existing escaped entities.
-      #
-      #   escape_once("1 < 2 &amp; 3")
-      #   # => "1 &lt; 2 &amp; 3"
-      #
-      #   escape_once("&lt;&lt; Accept & Checkout")
-      #   # => "&lt;&lt; Accept &amp; Checkout"
-      def escape_once(html)
-        ERB::Util.html_escape_once(html)
-      end
-
-      private
-
-        def content_tag_string(name, content, options, escape = true)
-          tag_options = tag_options(options, escape) if options
-          content     = ERB::Util.h(content) if escape
-          "<#{name}#{tag_options}>#{PRE_CONTENT_STRINGS[name.to_sym]}#{content}</#{name}>".html_safe
-        end
-
-        def tag_options(options, escape = true)
-          return if options.blank?
-          attrs = []
-          options.each_pair do |key, value|
-            if key.to_s == 'data' && value.is_a?(Hash)
-              value.each_pair do |k, v|
-                attrs << data_tag_option(k, v, escape)
-              end
-            elsif BOOLEAN_ATTRIBUTES.include?(key)
-              attrs << boolean_tag_option(key) if value
-            elsif !value.nil?
-              attrs << tag_option(key, value, escape)
-            end
-          end
-          " #{attrs.sort * ' '}".html_safe unless attrs.empty?
-        end
-
-        def data_tag_option(key, value, escape)
-          key   = "data-#{key.to_s.dasherize}"
-          unless value.is_a?(String) || value.is_a?(Symbol) || value.is_a?(BigDecimal)
-            value = value.to_json
-          end
-          tag_option(key, value, escape)
-        end
-
-        def boolean_tag_option(key)
-          %(#{key}="#{key}")
-        end
-
-        def tag_option(key, value, escape)
-          value = value.join(" ") if value.is_a?(Array)
-          value = ERB::Util.h(value) if escape
-          %(#{key}="#{value}")
-        end
-    end
-  end
-end