actionview 4.2.11 → 5.0.7

data/lib/action_view/helpers/tags/datetime_field.rb

@@ -14,7 +14,7 @@ module ActionView
         private
 
           def format_date(value)
-            value.try(:strftime, "%Y-%m-%dT%T.%L%z")
+            raise NotImplementedError
           end
 
           def datetime_value(value)

data/lib/action_view/helpers/tags/label.rb

@@ -17,7 +17,7 @@ module ActionView
             method_and_value = @tag_value.present? ? "#{@method_name}.#{@tag_value}" : @method_name
 
             content ||= Translator
-              .new(object, @object_name, method_and_value, "helpers.label")
+              .new(object, @object_name, method_and_value, scope: "helpers.label")
               .translate
             content ||= @method_name.humanize
 

data/lib/action_view/helpers/tags/placeholderable.rb

@@ -10,7 +10,7 @@ module ActionView
             method_and_value = tag_value.is_a?(TrueClass) ? @method_name : "#{@method_name}.#{tag_value}"
 
             placeholder ||= Tags::Translator
-              .new(object, @object_name, method_and_value, "helpers.placeholder")
+              .new(object, @object_name, method_and_value, scope: "helpers.placeholder")
               .translate
             placeholder ||= @method_name.humanize
             @options[:placeholder] = placeholder

data/lib/action_view/helpers/tags/search_field.rb

@@ -3,18 +3,21 @@ module ActionView
     module Tags # :nodoc:
       class SearchField < TextField # :nodoc:
         def render
-          super do |options|
-            if options["autosave"]
-              if options["autosave"] == true
-                options["autosave"] = request.host.split(".").reverse.join(".")
-              end
-              options["results"] ||= 10
-            end
+          options = @options.stringify_keys
 
-            if options["onsearch"]
-              options["incremental"] = true unless options.has_key?("incremental")
+          if options["autosave"]
+            if options["autosave"] == true
+              options["autosave"] = request.host.split(".").reverse.join(".")
             end
+            options["results"] ||= 10
+          end
+
+          if options["onsearch"]
+            options["incremental"] = true unless options.has_key?("incremental")
           end
+
+          @options = options
+          super
         end
       end
     end

data/lib/action_view/helpers/tags/text_field.rb

@@ -11,7 +11,6 @@ module ActionView
           options["size"] = options["maxlength"] unless options.key?("size")
           options["type"] ||= field_type
           options["value"] = options.fetch("value") { value_before_type_cast(object) } unless field_type == "file"
-          yield options if block_given?
           add_default_name_and_id(options)
           tag("input", options)
         end

data/lib/action_view/helpers/tags/translator.rb

@@ -2,7 +2,7 @@ module ActionView
   module Helpers
     module Tags # :nodoc:
       class Translator # :nodoc:
-        def initialize(object, object_name, method_and_value, scope)
+        def initialize(object, object_name, method_and_value, scope:)
           @object_name = object_name.gsub(/\[(.*)_attributes\]\[\d+\]/, '.\1')
           @method_and_value = method_and_value
           @scope = scope

data/lib/action_view/helpers/text_helper.rb

@@ -103,7 +103,9 @@ module ActionView
       # Highlights one or more +phrases+ everywhere in +text+ by inserting it into
       # a <tt>:highlighter</tt> string. The highlighter can be specialized by passing <tt>:highlighter</tt>
       # as a single-quoted string with <tt>\1</tt> where the phrase is to be inserted (defaults to
-      # '<mark>\1</mark>') or passing a block that receives each matched term.
+      # '<mark>\1</mark>') or passing a block that receives each matched term. By default +text+
+      # is sanitized to prevent possible XSS attacks. If the input is trustworthy, passing false
+      # for <tt>:sanitize</tt> will turn sanitizing off.
       #
       #   highlight('You searched for: rails', 'rails')
       #   # => You searched for: <mark>rails</mark>
@@ -122,6 +124,9 @@ module ActionView
       #
       #   highlight('You searched for: rails', 'rails') { |match| link_to(search_path(q: match, match)) }
       #   # => You searched for: <a href="search?q=rails">rails</a>
+      #
+      #   highlight('<a href="javascript:alert(\'no!\')">ruby</a> on rails', 'rails', sanitize: false)
+      #   # => "<a>ruby</a> on <mark>rails</mark>"
       def highlight(text, phrases, options = {})
         text = sanitize(text) if options.fetch(:sanitize, true)
 
@@ -199,7 +204,12 @@ module ActionView
 
       # Attempts to pluralize the +singular+ word unless +count+ is 1. If
       # +plural+ is supplied, it will use that when count is > 1, otherwise
-      # it will use the Inflector to determine the plural form.
+      # it will use the Inflector to determine the plural form for the given locale,
+      # which defaults to I18n.locale
+      #
+      # The word will be pluralized using rules defined for the locale
+      # (you must define your own inflection rules for languages other than English).
+      # See ActiveSupport::Inflector.pluralize
       #
       #   pluralize(1, 'person')
       #   # => 1 person
@@ -207,16 +217,19 @@ module ActionView
       #   pluralize(2, 'person')
       #   # => 2 people
       #
-      #   pluralize(3, 'person', 'users')
+      #   pluralize(3, 'person', plural: 'users')
       #   # => 3 users
       #
       #   pluralize(0, 'person')
       #   # => 0 people
-      def pluralize(count, singular, plural = nil)
+      #
+      #   pluralize(2, 'Person', locale: :de)
+      #   # => 2 Personen
+      def pluralize(count, singular, plural_arg = nil, plural: plural_arg, locale: I18n.locale)
         word = if (count == 1 || count =~ /^1(\.0+)?$/)
           singular
         else
-          plural || singular.pluralize
+          plural || singular.pluralize(locale)
         end
 
         "#{count || 0} #{word}"
@@ -237,12 +250,15 @@ module ActionView
       #
       #   word_wrap('Once upon a time', line_width: 1)
       #   # => Once\nupon\na\ntime
-      def word_wrap(text, options = {})
-        line_width = options.fetch(:line_width, 80)
-
+      #
+      #   You can also specify a custom +break_sequence+ ("\n" by default)
+      #
+      #   word_wrap('Once upon a time', line_width: 1, break_sequence: "\r\n")
+      #   # => Once\r\nupon\r\na\r\ntime
+      def word_wrap(text, line_width: 80, break_sequence: "\n")
         text.split("\n").collect! do |line|
-          line.length > line_width ? line.gsub(/(.{1,#{line_width}})(\s+|$)/, "\\1\n").strip : line
-        end * "\n"
+          line.length > line_width ? line.gsub(/(.{1,#{line_width}})(\s+|$)/, "\\1#{break_sequence}").strip : line
+        end * break_sequence
       end
 
       # Returns +text+ transformed into HTML using simple formatting rules.
@@ -309,7 +325,7 @@ module ActionView
       #   <table>
       #   <% @items.each do |item| %>
       #     <tr class="<%= cycle("odd", "even") -%>">
-      #       <td>item</td>
+      #       <td><%= item %></td>
       #     </tr>
       #   <% end %>
       #   </table>

data/lib/action_view/helpers/translation_helper.rb

@@ -6,35 +6,56 @@ module ActionView
   # = Action View Translation Helpers
   module Helpers
     module TranslationHelper
+      extend ActiveSupport::Concern
+
       include TagHelper
-      # Delegates to <tt>I18n#translate</tt> but also performs three additional functions.
+
+      included do
+        mattr_accessor :debug_missing_translation
+        self.debug_missing_translation = true
+      end
+
+      # Delegates to <tt>I18n#translate</tt> but also performs three additional
+      # functions.
+      #
+      # First, it will ensure that any thrown +MissingTranslation+ messages will
+      # be rendered as inline spans that:
+      #
+      # * Have a <tt>translation-missing</tt> class applied
+      # * Contain the missing key as the value of the +title+ attribute
+      # * Have a titleized version of the last key segment as text
       #
-      # First, it will ensure that any thrown +MissingTranslation+ messages will be turned
-      # into inline spans that:
+      # For example, the value returned for the missing translation key
+      # <tt>"blog.post.title"</tt> will be:
       #
-      #   * have a "translation-missing" class set,
-      #   * contain the missing key as a title attribute and
-      #   * a titleized version of the last key segment as a text.
+      #    <span
+      #      class="translation_missing"
+      #      title="translation missing: en.blog.post.title">Title</span>
       #
-      # E.g. the value returned for a missing translation key :"blog.post.title" will be
-      # <span class="translation_missing" title="translation missing: en.blog.post.title">Title</span>.
-      # This way your views will display rather reasonable strings but it will still
-      # be easy to spot missing translations.
+      # This allows for views to display rather reasonable strings while still
+      # giving developers a way to find missing translations.
       #
-      # Second, it'll scope the key by the current partial if the key starts
-      # with a period. So if you call <tt>translate(".foo")</tt> from the
-      # <tt>people/index.html.erb</tt> template, you'll actually be calling
-      # <tt>I18n.translate("people.index.foo")</tt>. This makes it less repetitive
-      # to translate many keys within the same partials and gives you a simple framework
-      # for scoping them consistently. If you don't prepend the key with a period,
-      # nothing is converted.
+      # If you would prefer missing translations to raise an error, you can
+      # opt out of span-wrapping behavior globally by setting
+      # <tt>ActionView::Base.raise_on_missing_translations = true</tt> or
+      # individually by passing <tt>raise: true</tt> as an option to
+      # <tt>translate</tt>.
       #
-      # Third, it'll mark the translation as safe HTML if the key has the suffix
-      # "_html" or the last element of the key is the word "html". For example,
-      # calling translate("footer_html") or translate("footer.html") will return
-      # a safe HTML string that won't be escaped by other HTML helper methods. This
-      # naming convention helps to identify translations that include HTML tags so that
-      # you know what kind of output to expect when you call translate in a template.
+      # Second, if the key starts with a period <tt>translate</tt> will scope
+      # the key by the current partial. Calling <tt>translate(".foo")</tt> from
+      # the <tt>people/index.html.erb</tt> template is equivalent to calling
+      # <tt>translate("people.index.foo")</tt>. This makes it less
+      # repetitive to translate many keys within the same partial and provides
+      # a convention to scope keys consistently.
+      #
+      # Third, the translation will be marked as <tt>html_safe</tt> if the key
+      # has the suffix "_html" or the last element of the key is "html". Calling
+      # <tt>translate("footer_html")</tt> or <tt>translate("footer.html")</tt>
+      # will return an HTML safe string that won't be escaped by other HTML
+      # helper methods. This naming convention helps to identify translations
+      # that include HTML tags so that you know what kind of output to expect
+      # when you call translate in a template and translators know which keys
+      # they can provide HTML values for.
       def translate(key, options = {})
         options = options.dup
         has_default = options.has_key?(:default)
@@ -47,11 +68,11 @@ module ActionView
         # If the user has explicitly decided to NOT raise errors, pass that option to I18n.
         # Otherwise, tell I18n to raise an exception, which we rescue further in this method.
         # Note: `raise_error` refers to us re-raising the error in this method. I18n is forced to raise by default.
-        if options[:raise] == false || (options.key?(:rescue_format) && options[:rescue_format].nil?)
+        if options[:raise] == false
           raise_error = false
           i18n_raise = false
         else
-          raise_error = options[:raise] || options[:rescue_format] || ActionView::Base.raise_on_missing_translations
+          raise_error = options[:raise] || ActionView::Base.raise_on_missing_translations
           i18n_raise = true
         end
 
@@ -75,7 +96,16 @@ module ActionView
           raise e if raise_error
 
           keys = I18n.normalize_keys(e.locale, e.key, e.options[:scope])
-          content_tag('span', keys.last.to_s.titleize, :class => 'translation_missing', :title => "translation missing: #{keys.join('.')}")
+          title = "translation missing: #{keys.join('.')}"
+
+          interpolations = options.except(:default, :scope)
+          if interpolations.any?
+            title << ", " << interpolations.map { |k, v| "#{k}: #{ERB::Util.html_escape(v)}" }.join(', ')
+          end
+
+          return title unless ActionView::Base.debug_missing_translation
+
+          content_tag('span', keys.last.to_s.titleize, class: 'translation_missing', title: title)
         end
       end
       alias :t :translate

data/lib/action_view/helpers/url_helper.rb

@@ -41,14 +41,24 @@ module ActionView
       end
 
       def _back_url # :nodoc:
-        referrer = controller.respond_to?(:request) && controller.request.env["HTTP_REFERER"]
-        referrer || 'javascript:history.back()'
+        _filtered_referrer || 'javascript:history.back()'
       end
       protected :_back_url
 
-      # Creates a link tag of the given +name+ using a URL created by the set of +options+.
+      def _filtered_referrer # :nodoc:
+        if controller.respond_to?(:request)
+          referrer = controller.request.env["HTTP_REFERER"]
+          if referrer && URI(referrer).scheme != 'javascript'
+            referrer
+          end
+        end
+      rescue URI::InvalidURIError
+      end
+      protected :_filtered_referrer
+
+      # Creates an anchor element of the given +name+ using a URL created by the set of +options+.
       # See the valid options in the documentation for +url_for+. It's also possible to
-      # pass a String instead of an options hash, which generates a link tag that uses the
+      # pass a String instead of an options hash, which generates an anchor element that uses the
       # value of the String as the href for the link. Using a <tt>:back</tt> Symbol instead
       # of an options hash will generate a link to the referrer (a JavaScript back link
       # will be used in place of a referrer if none exists). If +nil+ is passed as the name
@@ -172,6 +182,11 @@ module ActionView
       #
       #   link_to "Visit Other Site", "http://www.rubyonrails.org/", data: { confirm: "Are you sure?" }
       #   # => <a href="http://www.rubyonrails.org/" data-confirm="Are you sure?">Visit Other Site</a>
+      #
+      # Also you can set any link attributes such as <tt>target</tt>, <tt>rel</tt>, <tt>type</tt>:
+      #
+      #   link_to "External link", "http://www.rubyonrails.org/", target: "_blank", rel: "nofollow"
+      #   # => <a href="http://www.rubyonrails.org/" target="_blank" rel="nofollow">External link</a>
       def link_to(name = nil, options = nil, html_options = nil, &block)
         html_options, options, name = options, name, block if block_given?
         options ||= {}
@@ -179,9 +194,9 @@ module ActionView
         html_options = convert_options_to_data_attributes(options, html_options)
 
         url = url_for(options)
-        html_options['href'] ||= url
+        html_options["href".freeze] ||= url
 
-        content_tag(:a, name || url, html_options, &block)
+        content_tag("a".freeze, name || url, html_options, &block)
       end
 
       # Generates a form containing a single button that submits to the URL created
@@ -280,24 +295,28 @@ module ActionView
         html_options, options = options, name if block_given?
         options      ||= {}
         html_options ||= {}
-
         html_options = html_options.stringify_keys
-        convert_boolean_attributes!(html_options, %w(disabled))
 
         url    = options.is_a?(String) ? options : url_for(options)
         remote = html_options.delete('remote')
         params = html_options.delete('params')
 
         method     = html_options.delete('method').to_s
-        method_tag = BUTTON_TAG_METHOD_VERBS.include?(method) ? method_tag(method) : ''.html_safe
+        method_tag = BUTTON_TAG_METHOD_VERBS.include?(method) ? method_tag(method) : ''.freeze.html_safe
 
         form_method  = method == 'get' ? 'get' : 'post'
         form_options = html_options.delete('form') || {}
         form_options[:class] ||= html_options.delete('form_class') || 'button_to'
-        form_options.merge!(method: form_method, action: url)
-        form_options.merge!("data-remote" => "true") if remote
+        form_options[:method] = form_method
+        form_options[:action] = url
+        form_options[:'data-remote'] = true if remote
 
-        request_token_tag = form_method == 'post' ? token_tag : ''
+        request_token_tag = if form_method == 'post'
+          request_method = method.empty? ? 'post' : method
+          token_tag(nil, form_options: { action: url, method: request_method })
+        else
+          ''.freeze
+        end
 
         html_options = convert_options_to_data_attributes(options, html_options)
         html_options['type'] = 'submit'
@@ -311,8 +330,8 @@ module ActionView
 
         inner_tags = method_tag.safe_concat(button).safe_concat(request_token_tag)
         if params
-          params.each do |param_name, value|
-            inner_tags.safe_concat tag(:input, type: "hidden", name: param_name, value: value.to_param)
+          to_form_params(params).each do |param|
+            inner_tags.safe_concat tag(:input, type: "hidden", name: param[:name], value: param[:value])
           end
         end
         content_tag('form', inner_tags, form_options)
@@ -428,6 +447,7 @@ module ActionView
       # * <tt>:body</tt> - Preset the body of the email.
       # * <tt>:cc</tt> - Carbon Copy additional recipients on the email.
       # * <tt>:bcc</tt> - Blind Carbon Copy additional recipients on the email.
+      # * <tt>:reply_to</tt> - Preset the Reply-To field of the email.
       #
       # ==== Obfuscation
       # Prior to Rails 4.0, +mail_to+ provided options for encoding the address
@@ -457,72 +477,60 @@ module ActionView
         html_options, name = name, nil if block_given?
         html_options = (html_options || {}).stringify_keys
 
-        extras = %w{ cc bcc body subject }.map! { |item|
-          option = html_options.delete(item) || next
-          "#{item}=#{Rack::Utils.escape_path(option)}"
+        extras = %w{ cc bcc body subject reply_to }.map! { |item|
+          option = html_options.delete(item).presence || next
+          "#{item.dasherize}=#{ERB::Util.url_encode(option)}"
         }.compact
-        extras = extras.empty? ? '' : '?' + extras.join('&')
+        extras = extras.empty? ? ''.freeze : '?' + extras.join('&')
 
-        encoded_email_address = ERB::Util.url_encode(email_address ? email_address.to_str : '').gsub("%40", "@")
+        encoded_email_address = ERB::Util.url_encode(email_address).gsub("%40", "@")
         html_options["href"] = "mailto:#{encoded_email_address}#{extras}"
 
-        content_tag(:a, name || email_address, html_options, &block)
+        content_tag("a".freeze, name || email_address, html_options, &block)
       end
 
       # True if the current request URI was generated by the given +options+.
       #
       # ==== Examples
-      # Let's say we're in the <tt>http://www.example.com/shop/checkout?order=desc</tt> action.
+      # Let's say we're in the <tt>http://www.example.com/shop/checkout?order=desc&page=1</tt> action.
       #
       #   current_page?(action: 'process')
       #   # => false
       #
-      #   current_page?(controller: 'shop', action: 'checkout')
-      #   # => true
-      #
-      #   current_page?(controller: 'shop', action: 'checkout', order: 'asc')
-      #   # => false
-      #
       #   current_page?(action: 'checkout')
       #   # => true
       #
       #   current_page?(controller: 'library', action: 'checkout')
       #   # => false
       #
-      #   current_page?('http://www.example.com/shop/checkout')
-      #   # => true
-      #
-      #   current_page?('/shop/checkout')
+      #   current_page?(controller: 'shop', action: 'checkout')
       #   # => true
       #
-      # Let's say we're in the <tt>http://www.example.com/shop/checkout?order=desc&page=1</tt> action.
-      #
-      #   current_page?(action: 'process')
+      #   current_page?(controller: 'shop', action: 'checkout', order: 'asc')
       #   # => false
       #
-      #   current_page?(controller: 'shop', action: 'checkout')
-      #   # => true
-      #
       #   current_page?(controller: 'shop', action: 'checkout', order: 'desc', page: '1')
       #   # => true
       #
       #   current_page?(controller: 'shop', action: 'checkout', order: 'desc', page: '2')
       #   # => false
       #
-      #   current_page?(controller: 'shop', action: 'checkout', order: 'desc')
-      #   # => false
+      #   current_page?('http://www.example.com/shop/checkout')
+      #   # => true
       #
-      #   current_page?(action: 'checkout')
+      #   current_page?('/shop/checkout')
       #   # => true
       #
-      #   current_page?(controller: 'library', action: 'checkout')
-      #   # => false
+      #   current_page?('http://www.example.com/shop/checkout?order=desc&page=1')
+      #   # => true
       #
       # Let's say we're in the <tt>http://www.example.com/products</tt> action with method POST in case of invalid product.
       #
       #   current_page?(controller: 'product', action: 'index')
       #   # => false
       #
+      # We can also pass in the symbol arguments instead of strings.
+      #
       def current_page?(options)
         unless request
           raise "You cannot use helpers that need to determine the current " \
@@ -540,6 +548,8 @@ module ActionView
         request_uri = url_string.index("?") ? request.fullpath : request.path
         request_uri = URI.parser.unescape(request_uri).force_encoding(Encoding::BINARY)
 
+        url_string.chomp!("/") if url_string.start_with?("/") && url_string != "/"
+
         if url_string =~ /^\w+:\/\//
           url_string == "#{request.protocol}#{request.host_with_port}#{request_uri}"
         else
@@ -551,70 +561,89 @@ module ActionView
         def convert_options_to_data_attributes(options, html_options)
           if html_options
             html_options = html_options.stringify_keys
-            html_options['data-remote'] = 'true' if link_to_remote_options?(options) || link_to_remote_options?(html_options)
+            html_options['data-remote'] = 'true'.freeze if link_to_remote_options?(options) || link_to_remote_options?(html_options)
 
-            method  = html_options.delete('method')
+            method  = html_options.delete('method'.freeze)
 
             add_method_to_attributes!(html_options, method) if method
 
             html_options
           else
-            link_to_remote_options?(options) ? {'data-remote' => 'true'} : {}
+            link_to_remote_options?(options) ? {'data-remote' => 'true'.freeze} : {}
           end
         end
 
         def link_to_remote_options?(options)
           if options.is_a?(Hash)
-            options.delete('remote') || options.delete(:remote)
+            options.delete('remote'.freeze) || options.delete(:remote)
           end
         end
 
         def add_method_to_attributes!(html_options, method)
-          if method && method.to_s.downcase != "get" && html_options["rel"] !~ /nofollow/
-            html_options["rel"] = "#{html_options["rel"]} nofollow".lstrip
+          if method && method.to_s.downcase != "get".freeze && html_options["rel".freeze] !~ /nofollow/
+            html_options["rel".freeze] = "#{html_options["rel".freeze]} nofollow".lstrip
           end
-          html_options["data-method"] = method
+          html_options["data-method".freeze] = method
         end
 
-        # Processes the +html_options+ hash, converting the boolean
-        # attributes from true/false form into the form required by
-        # HTML/XHTML. (An attribute is considered to be boolean if
-        # its name is listed in the given +bool_attrs+ array.)
-        #
-        # More specifically, for each boolean attribute in +html_options+
-        # given as:
+        def token_tag(token=nil, form_options: {})
+          if token != false && protect_against_forgery?
+            token ||= form_authenticity_token(form_options: form_options)
+            tag(:input, type: "hidden", name: request_forgery_protection_token.to_s, value: token)
+          else
+            ''.freeze
+          end
+        end
+
+        def method_tag(method)
+          tag('input', type: 'hidden', name: '_method', value: method.to_s)
+        end
+
+        # Returns an array of hashes each containing :name and :value keys
+        # suitable for use as the names and values of form input fields:
         #
-        #   "attr" => bool_value
+        #   to_form_params(name: 'David', nationality: 'Danish')
+        #   # => [{name: :name, value: 'David'}, {name: 'nationality', value: 'Danish'}]
         #
-        # if the associated +bool_value+ evaluates to true, it is
-        # replaced with the attribute's name; otherwise the attribute is
-        # removed from the +html_options+ hash. (See the XHTML 1.0 spec,
-        # section 4.5 "Attribute Minimization" for more:
-        # http://www.w3.org/TR/xhtml1/#h-4.5)
+        #   to_form_params(country: {name: 'Denmark'})
+        #   # => [{name: 'country[name]', value: 'Denmark'}]
         #
-        # Returns the updated +html_options+ hash, which is also modified
-        # in place.
+        #   to_form_params(countries: ['Denmark', 'Sweden']})
+        #   # => [{name: 'countries[]', value: 'Denmark'}, {name: 'countries[]', value: 'Sweden'}]
         #
-        # Example:
+        # An optional namespace can be passed to enclose key names:
         #
-        #   convert_boolean_attributes!( html_options,
-        #                                %w( checked disabled readonly ) )
-        def convert_boolean_attributes!(html_options, bool_attrs)
-          bool_attrs.each { |x| html_options[x] = x if html_options.delete(x) }
-          html_options
-        end
+        #   to_form_params({ name: 'Denmark' }, 'country')
+        #   # => [{name: 'country[name]', value: 'Denmark'}]
+        def to_form_params(attribute, namespace = nil) # :nodoc:
+          attribute = if attribute.respond_to?(:permitted?)
+            unless attribute.permitted?
+              raise ArgumentError, "Attempting to generate a buttom from non-sanitized request parameters!" \
+                " Whitelist and sanitize passed parameters to be secure."
+            end
+
+            attribute.to_h
+          else
+            attribute
+          end
 
-        def token_tag(token=nil)
-          if token != false && protect_against_forgery?
-            token ||= form_authenticity_token
-            tag(:input, type: "hidden", name: request_forgery_protection_token.to_s, value: token)
+          params = []
+          case attribute
+          when Hash
+            attribute.each do |key, value|
+              prefix = namespace ? "#{namespace}[#{key}]" : key
+              params.push(*to_form_params(value, prefix))
+            end
+          when Array
+            array_prefix = "#{namespace}[]"
+            attribute.each do |value|
+              params.push(*to_form_params(value, array_prefix))
+            end
           else
-            ''
+            params << { name: namespace, value: attribute.to_param }
           end
-        end
 
-        def method_tag(method)
-          tag('input', type: 'hidden', name: '_method', value: method.to_s)
+          params.sort_by { |pair| pair[:name] }
         end
     end
   end