actionview 4.1.0.beta1

data/lib/action_view/helpers/output_safety_helper.rb

@@ -0,0 +1,38 @@
+require 'active_support/core_ext/string/output_safety'
+
+module ActionView #:nodoc:
+  # = Action View Raw Output Helper
+  module Helpers #:nodoc:
+    module OutputSafetyHelper
+      # This method outputs without escaping a string. Since escaping tags is
+      # now default, this can be used when you don't want Rails to automatically
+      # escape tags. This is not recommended if the data is coming from the user's
+      # input.
+      #
+      # For example:
+      #
+      #  raw @user.name
+      #  # => 'Jimmy <alert>Tables</alert>'
+      def raw(stringish)
+        stringish.to_s.html_safe
+      end
+
+      # This method returns a html safe string similar to what <tt>Array#join</tt>
+      # would return. All items in the array, including the supplied separator, are
+      # html escaped unless they are html safe, and the returned string is marked
+      # as html safe.
+      #
+      #   safe_join(["<p>foo</p>".html_safe, "<p>bar</p>"], "<br />")
+      #   # => "<p>foo</p>&lt;br /&gt;&lt;p&gt;bar&lt;/p&gt;"
+      #
+      #   safe_join(["<p>foo</p>".html_safe, "<p>bar</p>".html_safe], "<br />".html_safe)
+      #   # => "<p>foo</p><br /><p>bar</p>"
+      #
+      def safe_join(array, sep=$,)
+        sep = ERB::Util.html_escape(sep)
+
+        array.map { |i| ERB::Util.html_escape(i) }.join(sep).html_safe
+      end
+    end
+  end
+end

data/lib/action_view/helpers/record_tag_helper.rb

@@ -0,0 +1,108 @@
+require 'action_view/record_identifier'
+
+module ActionView
+  # = Action View Record Tag Helpers
+  module Helpers
+    module RecordTagHelper
+      include ActionView::RecordIdentifier
+
+      # Produces a wrapper DIV element with id and class parameters that
+      # relate to the specified Active Record object. Usage example:
+      #
+      #    <%= div_for(@person, class: "foo") do %>
+      #       <%= @person.name %>
+      #    <% end %>
+      #
+      # produces:
+      #
+      #    <div id="person_123" class="person foo"> Joe Bloggs </div>
+      #
+      # You can also pass an array of Active Record objects, which will then
+      # get iterated over and yield each record as an argument for the block.
+      # For example:
+      #
+      #    <%= div_for(@people, class: "foo") do |person| %>
+      #      <%= person.name %>
+      #    <% end %>
+      #
+      # produces:
+      #
+      #    <div id="person_123" class="person foo"> Joe Bloggs </div>
+      #    <div id="person_124" class="person foo"> Jane Bloggs </div>
+      #
+      def div_for(record, *args, &block)
+        content_tag_for(:div, record, *args, &block)
+      end
+
+      # content_tag_for creates an HTML element with id and class parameters
+      # that relate to the specified Active Record object. For example:
+      #
+      #    <%= content_tag_for(:tr, @person) do %>
+      #      <td><%= @person.first_name %></td>
+      #      <td><%= @person.last_name %></td>
+      #    <% end %>
+      #
+      # would produce the following HTML (assuming @person is an instance of
+      # a Person object, with an id value of 123):
+      #
+      #    <tr id="person_123" class="person">....</tr>
+      #
+      # If you require the HTML id attribute to have a prefix, you can specify it:
+      #
+      #    <%= content_tag_for(:tr, @person, :foo) do %> ...
+      #
+      # produces:
+      #
+      #    <tr id="foo_person_123" class="person">...
+      #
+      # You can also pass an array of objects which this method will loop through
+      # and yield the current object to the supplied block, reducing the need for
+      # having to iterate through the object (using <tt>each</tt>) beforehand.
+      # For example (assuming @people is an array of Person objects):
+      #
+      #    <%= content_tag_for(:tr, @people) do |person| %>
+      #      <td><%= person.first_name %></td>
+      #      <td><%= person.last_name %></td>
+      #    <% end %>
+      #
+      # produces:
+      #
+      #    <tr id="person_123" class="person">...</tr>
+      #    <tr id="person_124" class="person">...</tr>
+      #
+      # content_tag_for also accepts a hash of options, which will be converted to
+      # additional HTML attributes. If you specify a <tt>:class</tt> value, it will be combined
+      # with the default class name for your object. For example:
+      #
+      #    <%= content_tag_for(:li, @person, class: "bar") %>...
+      #
+      # produces:
+      #
+      #    <li id="person_123" class="person bar">...
+      #
+      def content_tag_for(tag_name, single_or_multiple_records, prefix = nil, options = nil, &block)
+        options, prefix = prefix, nil if prefix.is_a?(Hash)
+
+        Array(single_or_multiple_records).map do |single_record|
+          content_tag_for_single_record(tag_name, single_record, prefix, options, &block)
+        end.join("\n").html_safe
+      end
+
+      private
+
+        # Called by <tt>content_tag_for</tt> internally to render a content tag
+        # for each record.
+        def content_tag_for_single_record(tag_name, record, prefix, options, &block)
+          options = options ? options.dup : {}
+          options[:class] = [ dom_class(record, prefix), options[:class] ].compact
+          options[:id]    = dom_id(record, prefix)
+
+          if block_given?
+            content_tag(tag_name, capture(record, &block), options)
+          else
+            content_tag(tag_name, "", options)
+          end
+        end
+    end
+  end
+end

data/lib/action_view/helpers/rendering_helper.rb

@@ -0,0 +1,90 @@
+module ActionView
+  module Helpers
+    # = Action View Rendering
+    #
+    # Implements methods that allow rendering from a view context.
+    # In order to use this module, all you need is to implement
+    # view_renderer that returns an ActionView::Renderer object.
+    module RenderingHelper
+      # Returns the result of a render that's dictated by the options hash. The primary options are:
+      #
+      # * <tt>:partial</tt> - See <tt>ActionView::PartialRenderer</tt>.
+      # * <tt>:file</tt> - Renders an explicit template file (this used to be the old default), add :locals to pass in those.
+      # * <tt>:inline</tt> - Renders an inline template similar to how it's done in the controller.
+      # * <tt>:text</tt> - Renders the text passed in out.
+      #
+      # If no options hash is passed or :update specified, the default is to render a partial and use the second parameter
+      # as the locals hash.
+      def render(options = {}, locals = {}, &block)
+        case options
+        when Hash
+          if block_given?
+            view_renderer.render_partial(self, options.merge(:partial => options[:layout]), &block)
+          else
+            view_renderer.render(self, options)
+          end
+        else
+          view_renderer.render_partial(self, :partial => options, :locals => locals)
+        end
+      end
+
+      # Overwrites _layout_for in the context object so it supports the case a block is
+      # passed to a partial. Returns the contents that are yielded to a layout, given a
+      # name or a block.
+      #
+      # You can think of a layout as a method that is called with a block. If the user calls
+      # <tt>yield :some_name</tt>, the block, by default, returns <tt>content_for(:some_name)</tt>.
+      # If the user calls simply +yield+, the default block returns <tt>content_for(:layout)</tt>.
+      #
+      # The user can override this default by passing a block to the layout:
+      #
+      #   # The template
+      #   <%= render layout: "my_layout" do %>
+      #     Content
+      #   <% end %>
+      #
+      #   # The layout
+      #   <html>
+      #     <%= yield %>
+      #   </html>
+      #
+      # In this case, instead of the default block, which would return <tt>content_for(:layout)</tt>,
+      # this method returns the block that was passed in to <tt>render :layout</tt>, and the response
+      # would be
+      #
+      #   <html>
+      #     Content
+      #   </html>
+      #
+      # Finally, the block can take block arguments, which can be passed in by +yield+:
+      #
+      #   # The template
+      #   <%= render layout: "my_layout" do |customer| %>
+      #     Hello <%= customer.name %>
+      #   <% end %>
+      #
+      #   # The layout
+      #   <html>
+      #     <%= yield Struct.new(:name).new("David") %>
+      #   </html>
+      #
+      # In this case, the layout would receive the block passed into <tt>render :layout</tt>,
+      # and the struct specified would be passed into the block as an argument. The result
+      # would be
+      #
+      #   <html>
+      #     Hello David
+      #   </html>
+      #
+      def _layout_for(*args, &block)
+        name = args.first
+
+        if block && !name.is_a?(Symbol)
+          capture(*args, &block)
+        else
+          super
+        end
+      end
+    end
+  end
+end

data/lib/action_view/helpers/sanitize_helper.rb

@@ -0,0 +1,256 @@
+require 'active_support/core_ext/object/try'
+require 'action_view/vendor/html-scanner'
+
+module ActionView
+  # = Action View Sanitize Helpers
+  module Helpers
+    # The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements.
+    # These helper methods extend Action View making them callable within your template files.
+    module SanitizeHelper
+      extend ActiveSupport::Concern
+      # This +sanitize+ helper will html encode all tags and strip all attributes that
+      # aren't specifically allowed.
+      #
+      # It also strips href/src tags with invalid protocols, like javascript: especially.
+      # It does its best to counter any  tricks that hackers may use, like throwing in
+      # unicode/ascii/hex values to get past the javascript: filters. Check out
+      # the extensive test suite.
+      #
+      #   <%= sanitize @article.body %>
+      #
+      # You can add or remove tags/attributes if you want to customize it a bit.
+      # See ActionView::Base for full docs on the available options. You can add
+      # tags/attributes for single uses of +sanitize+ by passing either the
+      # <tt>:attributes</tt> or <tt>:tags</tt> options:
+      #
+      # Normal Use
+      #
+      #   <%= sanitize @article.body %>
+      #
+      # Custom Use (only the mentioned tags and attributes are allowed, nothing else)
+      #
+      #   <%= sanitize @article.body, tags: %w(table tr td), attributes: %w(id class style) %>
+      #
+      # Add table tags to the default allowed tags
+      #
+      #   class Application < Rails::Application
+      #     config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
+      #   end
+      #
+      # Remove tags to the default allowed tags
+      #
+      #   class Application < Rails::Application
+      #     config.after_initialize do
+      #       ActionView::Base.sanitized_allowed_tags.delete 'div'
+      #     end
+      #   end
+      #
+      # Change allowed default attributes
+      #
+      #   class Application < Rails::Application
+      #     config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style'
+      #   end
+      #
+      # Please note that sanitizing user-provided text does not guarantee that the
+      # resulting markup is valid (conforming to a document type) or even well-formed.
+      # The output may still contain e.g. unescaped '<', '>', '&' characters and
+      # confuse browsers.
+      #
+      def sanitize(html, options = {})
+        self.class.white_list_sanitizer.sanitize(html, options).try(:html_safe)
+      end
+
+      # Sanitizes a block of CSS code. Used by +sanitize+ when it comes across a style attribute.
+      def sanitize_css(style)
+        self.class.white_list_sanitizer.sanitize_css(style)
+      end
+
+      # Strips all HTML tags from the +html+, including comments. This uses the
+      # html-scanner tokenizer and so its HTML parsing ability is limited by
+      # that of html-scanner.
+      #
+      #   strip_tags("Strip <i>these</i> tags!")
+      #   # => Strip these tags!
+      #
+      #   strip_tags("<b>Bold</b> no more!  <a href='more.html'>See more here</a>...")
+      #   # => Bold no more!  See more here...
+      #
+      #   strip_tags("<div id='top-bar'>Welcome to my website!</div>")
+      #   # => Welcome to my website!
+      def strip_tags(html)
+        self.class.full_sanitizer.sanitize(html)
+      end
+
+      # Strips all link tags from +text+ leaving just the link text.
+      #
+      #   strip_links('<a href="http://www.rubyonrails.org">Ruby on Rails</a>')
+      #   # => Ruby on Rails
+      #
+      #   strip_links('Please e-mail me at <a href="mailto:me@email.com">me@email.com</a>.')
+      #   # => Please e-mail me at me@email.com.
+      #
+      #   strip_links('Blog: <a href="http://www.myblog.com/" class="nav" target=\"_blank\">Visit</a>.')
+      #   # => Blog: Visit.
+      def strip_links(html)
+        self.class.link_sanitizer.sanitize(html)
+      end
+
+      module ClassMethods #:nodoc:
+        attr_writer :full_sanitizer, :link_sanitizer, :white_list_sanitizer
+
+        def sanitized_protocol_separator
+          white_list_sanitizer.protocol_separator
+        end
+
+        def sanitized_uri_attributes
+          white_list_sanitizer.uri_attributes
+        end
+
+        def sanitized_bad_tags
+          white_list_sanitizer.bad_tags
+        end
+
+        def sanitized_allowed_tags
+          white_list_sanitizer.allowed_tags
+        end
+
+        def sanitized_allowed_attributes
+          white_list_sanitizer.allowed_attributes
+        end
+
+        def sanitized_allowed_css_properties
+          white_list_sanitizer.allowed_css_properties
+        end
+
+        def sanitized_allowed_css_keywords
+          white_list_sanitizer.allowed_css_keywords
+        end
+
+        def sanitized_shorthand_css_properties
+          white_list_sanitizer.shorthand_css_properties
+        end
+
+        def sanitized_allowed_protocols
+          white_list_sanitizer.allowed_protocols
+        end
+
+        def sanitized_protocol_separator=(value)
+          white_list_sanitizer.protocol_separator = value
+        end
+
+        # Gets the HTML::FullSanitizer instance used by +strip_tags+. Replace with
+        # any object that responds to +sanitize+.
+        #
+        #   class Application < Rails::Application
+        #     config.action_view.full_sanitizer = MySpecialSanitizer.new
+        #   end
+        #
+        def full_sanitizer
+          @full_sanitizer ||= HTML::FullSanitizer.new
+        end
+
+        # Gets the HTML::LinkSanitizer instance used by +strip_links+. Replace with
+        # any object that responds to +sanitize+.
+        #
+        #   class Application < Rails::Application
+        #     config.action_view.link_sanitizer = MySpecialSanitizer.new
+        #   end
+        #
+        def link_sanitizer
+          @link_sanitizer ||= HTML::LinkSanitizer.new
+        end
+
+        # Gets the HTML::WhiteListSanitizer instance used by sanitize and +sanitize_css+.
+        # Replace with any object that responds to +sanitize+.
+        #
+        #   class Application < Rails::Application
+        #     config.action_view.white_list_sanitizer = MySpecialSanitizer.new
+        #   end
+        #
+        def white_list_sanitizer
+          @white_list_sanitizer ||= HTML::WhiteListSanitizer.new
+        end
+
+        # Adds valid HTML attributes that the +sanitize+ helper checks for URIs.
+        #
+        #   class Application < Rails::Application
+        #     config.action_view.sanitized_uri_attributes = 'lowsrc', 'target'
+        #   end
+        #
+        def sanitized_uri_attributes=(attributes)
+          HTML::WhiteListSanitizer.uri_attributes.merge(attributes)
+        end
+
+        # Adds to the Set of 'bad' tags for the +sanitize+ helper.
+        #
+        #   class Application < Rails::Application
+        #     config.action_view.sanitized_bad_tags = 'embed', 'object'
+        #   end
+        #
+        def sanitized_bad_tags=(attributes)
+          HTML::WhiteListSanitizer.bad_tags.merge(attributes)
+        end
+
+        # Adds to the Set of allowed tags for the +sanitize+ helper.
+        #
+        #   class Application < Rails::Application
+        #     config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
+        #   end
+        #
+        def sanitized_allowed_tags=(attributes)
+          HTML::WhiteListSanitizer.allowed_tags.merge(attributes)
+        end
+
+        # Adds to the Set of allowed HTML attributes for the +sanitize+ helper.
+        #
+        #   class Application < Rails::Application
+        #     config.action_view.sanitized_allowed_attributes = 'onclick', 'longdesc'
+        #   end
+        #
+        def sanitized_allowed_attributes=(attributes)
+          HTML::WhiteListSanitizer.allowed_attributes.merge(attributes)
+        end
+
+        # Adds to the Set of allowed CSS properties for the #sanitize and +sanitize_css+ helpers.
+        #
+        #   class Application < Rails::Application
+        #     config.action_view.sanitized_allowed_css_properties = 'expression'
+        #   end
+        #
+        def sanitized_allowed_css_properties=(attributes)
+          HTML::WhiteListSanitizer.allowed_css_properties.merge(attributes)
+        end
+
+        # Adds to the Set of allowed CSS keywords for the +sanitize+ and +sanitize_css+ helpers.
+        #
+        #   class Application < Rails::Application
+        #     config.action_view.sanitized_allowed_css_keywords = 'expression'
+        #   end
+        #
+        def sanitized_allowed_css_keywords=(attributes)
+          HTML::WhiteListSanitizer.allowed_css_keywords.merge(attributes)
+        end
+
+        # Adds to the Set of allowed shorthand CSS properties for the +sanitize+ and +sanitize_css+ helpers.
+        #
+        #   class Application < Rails::Application
+        #     config.action_view.sanitized_shorthand_css_properties = 'expression'
+        #   end
+        #
+        def sanitized_shorthand_css_properties=(attributes)
+          HTML::WhiteListSanitizer.shorthand_css_properties.merge(attributes)
+        end
+
+        # Adds to the Set of allowed protocols for the +sanitize+ helper.
+        #
+        #   class Application < Rails::Application
+        #     config.action_view.sanitized_allowed_protocols = 'ssh', 'feed'
+        #   end
+        #
+        def sanitized_allowed_protocols=(attributes)
+          HTML::WhiteListSanitizer.allowed_protocols.merge(attributes)
+        end
+      end
+    end
+  end
+end