halorgium-actionpack 3.0.pre
- data/CHANGELOG +5179 -0
- data/MIT-LICENSE +21 -0
- data/README +409 -0
- data/lib/abstract_controller.rb +16 -0
- data/lib/abstract_controller/base.rb +158 -0
- data/lib/abstract_controller/callbacks.rb +113 -0
- data/lib/abstract_controller/exceptions.rb +12 -0
- data/lib/abstract_controller/helpers.rb +151 -0
- data/lib/abstract_controller/layouts.rb +250 -0
- data/lib/abstract_controller/localized_cache.rb +49 -0
- data/lib/abstract_controller/logger.rb +61 -0
- data/lib/abstract_controller/rendering_controller.rb +188 -0
- data/lib/action_controller.rb +72 -0
- data/lib/action_controller/base.rb +168 -0
- data/lib/action_controller/caching.rb +80 -0
- data/lib/action_controller/caching/actions.rb +163 -0
- data/lib/action_controller/caching/fragments.rb +116 -0
- data/lib/action_controller/caching/pages.rb +154 -0
- data/lib/action_controller/caching/sweeping.rb +97 -0
- data/lib/action_controller/deprecated.rb +4 -0
- data/lib/action_controller/deprecated/integration_test.rb +2 -0
- data/lib/action_controller/deprecated/performance_test.rb +1 -0
- data/lib/action_controller/dispatch/dispatcher.rb +57 -0
- data/lib/action_controller/metal.rb +129 -0
- data/lib/action_controller/metal/benchmarking.rb +73 -0
- data/lib/action_controller/metal/compatibility.rb +145 -0
- data/lib/action_controller/metal/conditional_get.rb +86 -0
- data/lib/action_controller/metal/configuration.rb +28 -0
- data/lib/action_controller/metal/cookies.rb +105 -0
- data/lib/action_controller/metal/exceptions.rb +55 -0
- data/lib/action_controller/metal/filter_parameter_logging.rb +77 -0
- data/lib/action_controller/metal/flash.rb +162 -0
- data/lib/action_controller/metal/head.rb +27 -0
- data/lib/action_controller/metal/helpers.rb +115 -0
- data/lib/action_controller/metal/hide_actions.rb +47 -0
- data/lib/action_controller/metal/http_authentication.rb +312 -0
- data/lib/action_controller/metal/layouts.rb +171 -0
- data/lib/action_controller/metal/mime_responds.rb +317 -0
- data/lib/action_controller/metal/rack_convenience.rb +27 -0
- data/lib/action_controller/metal/redirector.rb +22 -0
- data/lib/action_controller/metal/render_options.rb +103 -0
- data/lib/action_controller/metal/rendering_controller.rb +57 -0
- data/lib/action_controller/metal/request_forgery_protection.rb +108 -0
- data/lib/action_controller/metal/rescuable.rb +13 -0
- data/lib/action_controller/metal/responder.rb +200 -0
- data/lib/action_controller/metal/session.rb +15 -0
- data/lib/action_controller/metal/session_management.rb +45 -0
- data/lib/action_controller/metal/streaming.rb +188 -0
- data/lib/action_controller/metal/testing.rb +39 -0
- data/lib/action_controller/metal/url_for.rb +41 -0
- data/lib/action_controller/metal/verification.rb +130 -0
- data/lib/action_controller/middleware.rb +38 -0
- data/lib/action_controller/notifications.rb +10 -0
- data/lib/action_controller/polymorphic_routes.rb +183 -0
- data/lib/action_controller/record_identifier.rb +91 -0
- data/lib/action_controller/testing/process.rb +111 -0
- data/lib/action_controller/testing/test_case.rb +345 -0
- data/lib/action_controller/translation.rb +13 -0
- data/lib/action_controller/url_rewriter.rb +204 -0
- data/lib/action_controller/vendor/html-scanner.rb +16 -0
- data/lib/action_controller/vendor/html-scanner/html/document.rb +68 -0
- data/lib/action_controller/vendor/html-scanner/html/node.rb +537 -0
- data/lib/action_controller/vendor/html-scanner/html/sanitizer.rb +176 -0
- data/lib/action_controller/vendor/html-scanner/html/selector.rb +828 -0
- data/lib/action_controller/vendor/html-scanner/html/tokenizer.rb +105 -0
- data/lib/action_controller/vendor/html-scanner/html/version.rb +11 -0
- data/lib/action_dispatch.rb +70 -0
- data/lib/action_dispatch/http/headers.rb +33 -0
- data/lib/action_dispatch/http/mime_type.rb +231 -0
- data/lib/action_dispatch/http/mime_types.rb +23 -0
- data/lib/action_dispatch/http/request.rb +539 -0
- data/lib/action_dispatch/http/response.rb +290 -0
- data/lib/action_dispatch/http/status_codes.rb +42 -0
- data/lib/action_dispatch/http/utils.rb +20 -0
- data/lib/action_dispatch/middleware/callbacks.rb +50 -0
- data/lib/action_dispatch/middleware/params_parser.rb +79 -0
- data/lib/action_dispatch/middleware/rescue.rb +26 -0
- data/lib/action_dispatch/middleware/session/abstract_store.rb +208 -0
- data/lib/action_dispatch/middleware/session/cookie_store.rb +235 -0
- data/lib/action_dispatch/middleware/session/mem_cache_store.rb +47 -0
- data/lib/action_dispatch/middleware/show_exceptions.rb +143 -0
- data/lib/action_dispatch/middleware/stack.rb +116 -0
- data/lib/action_dispatch/middleware/static.rb +44 -0
- data/lib/action_dispatch/middleware/string_coercion.rb +29 -0
- data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.erb +24 -0
- data/lib/action_dispatch/middleware/templates/rescues/_trace.erb +26 -0
- data/lib/action_dispatch/middleware/templates/rescues/diagnostics.erb +10 -0
- data/lib/action_dispatch/middleware/templates/rescues/layout.erb +29 -0
- data/lib/action_dispatch/middleware/templates/rescues/missing_template.erb +2 -0
- data/lib/action_dispatch/middleware/templates/rescues/routing_error.erb +10 -0
- data/lib/action_dispatch/middleware/templates/rescues/template_error.erb +21 -0
- data/lib/action_dispatch/middleware/templates/rescues/unknown_action.erb +2 -0
- data/lib/action_dispatch/routing.rb +381 -0
- data/lib/action_dispatch/routing/deprecated_mapper.rb +878 -0
- data/lib/action_dispatch/routing/mapper.rb +327 -0
- data/lib/action_dispatch/routing/route.rb +49 -0
- data/lib/action_dispatch/routing/route_set.rb +497 -0
- data/lib/action_dispatch/testing/assertions.rb +8 -0
- data/lib/action_dispatch/testing/assertions/dom.rb +35 -0
- data/lib/action_dispatch/testing/assertions/model.rb +19 -0
- data/lib/action_dispatch/testing/assertions/response.rb +145 -0
- data/lib/action_dispatch/testing/assertions/routing.rb +144 -0
- data/lib/action_dispatch/testing/assertions/selector.rb +639 -0
- data/lib/action_dispatch/testing/assertions/tag.rb +123 -0
- data/lib/action_dispatch/testing/integration.rb +504 -0
- data/lib/action_dispatch/testing/performance_test.rb +15 -0
- data/lib/action_dispatch/testing/test_request.rb +83 -0
- data/lib/action_dispatch/testing/test_response.rb +131 -0
- data/lib/action_pack.rb +24 -0
- data/lib/action_pack/version.rb +9 -0
- data/lib/action_view.rb +58 -0
- data/lib/action_view/base.rb +308 -0
- data/lib/action_view/context.rb +44 -0
- data/lib/action_view/erb/util.rb +48 -0
- data/lib/action_view/helpers.rb +62 -0
- data/lib/action_view/helpers/active_model_helper.rb +306 -0
- data/lib/action_view/helpers/ajax_helper.rb +68 -0
- data/lib/action_view/helpers/asset_tag_helper.rb +830 -0
- data/lib/action_view/helpers/atom_feed_helper.rb +198 -0
- data/lib/action_view/helpers/cache_helper.rb +39 -0
- data/lib/action_view/helpers/capture_helper.rb +168 -0
- data/lib/action_view/helpers/date_helper.rb +988 -0
- data/lib/action_view/helpers/debug_helper.rb +38 -0
- data/lib/action_view/helpers/form_helper.rb +1102 -0
- data/lib/action_view/helpers/form_options_helper.rb +600 -0
- data/lib/action_view/helpers/form_tag_helper.rb +495 -0
- data/lib/action_view/helpers/javascript_helper.rb +208 -0
- data/lib/action_view/helpers/number_helper.rb +311 -0
- data/lib/action_view/helpers/prototype_helper.rb +1309 -0
- data/lib/action_view/helpers/raw_output_helper.rb +9 -0
- data/lib/action_view/helpers/record_identification_helper.rb +20 -0
- data/lib/action_view/helpers/record_tag_helper.rb +58 -0
- data/lib/action_view/helpers/sanitize_helper.rb +259 -0
- data/lib/action_view/helpers/scriptaculous_helper.rb +226 -0
- data/lib/action_view/helpers/tag_helper.rb +151 -0
- data/lib/action_view/helpers/text_helper.rb +594 -0
- data/lib/action_view/helpers/translation_helper.rb +39 -0
- data/lib/action_view/helpers/url_helper.rb +639 -0
- data/lib/action_view/locale/en.yml +117 -0
- data/lib/action_view/paths.rb +80 -0
- data/lib/action_view/render/partials.rb +342 -0
- data/lib/action_view/render/rendering.rb +134 -0
- data/lib/action_view/safe_buffer.rb +28 -0
- data/lib/action_view/template/error.rb +101 -0
- data/lib/action_view/template/handler.rb +36 -0
- data/lib/action_view/template/handlers.rb +52 -0
- data/lib/action_view/template/handlers/builder.rb +17 -0
- data/lib/action_view/template/handlers/erb.rb +53 -0
- data/lib/action_view/template/handlers/rjs.rb +18 -0
- data/lib/action_view/template/resolver.rb +165 -0
- data/lib/action_view/template/template.rb +131 -0
- data/lib/action_view/template/text.rb +38 -0
- data/lib/action_view/test_case.rb +163 -0
- metadata +236 -0
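--- a/data/lib/action_view/helpers/record_identification_helper.rb
+++ b/data/lib/action_view/helpers/record_identification_helper.rb
@@ -0,0 +1,20 @@
+module ActionView
+module Helpers
+module RecordIdentificationHelper
+# See ActionController::RecordIdentifier.partial_path -- this is just a delegate to that for convenient access in the view.
+def partial_path(*args, &block)
+ActionController::RecordIdentifier.partial_path(*args, &block)
+end
+
+# See ActionController::RecordIdentifier.dom_class -- this is just a delegate to that for convenient access in the view.
+def dom_class(*args, &block)
+ActionController::RecordIdentifier.dom_class(*args, &block)
+end
+
+# See ActionController::RecordIdentifier.dom_id -- this is just a delegate to that for convenient access in the view.
+def dom_id(*args, &block)
+ActionController::RecordIdentifier.dom_id(*args, &block)
+end
+end
+end
+end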
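--- a/data/lib/action_view/helpers/record_tag_helper.rb
+++ b/data/lib/action_view/helpers/record_tag_helper.rb
@@ -0,0 +1,58 @@
+module ActionView
+module Helpers
+module RecordTagHelper
+# Produces a wrapper DIV element with id and class parameters that
+# relate to the specified Active Record object. Usage example:
+#
+# <% div_for(@person, :class => "foo") do %>
+# <%=h @person.name %>
+# <% end %>
+#
+# produces:
+#
+# <div id="person_123" class="person foo"> Joe Bloggs </div>
+#
+def div_for(record, *args, &block)
+content_tag_for(:div, record, *args, &block)
+end
+
+# content_tag_for creates an HTML element with id and class parameters
+# that relate to the specified Active Record object. For example:
+#
+# <% content_tag_for(:tr, @person) do %>
+# <td><%=h @person.first_name %></td>
+# <td><%=h @person.last_name %></td>
+# <% end %>
+#
+# would produce the following HTML (assuming @person is an instance of
+# a Person object, with an id value of 123):
+#
+# <tr id="person_123" class="person">....</tr>
+#
+# If you require the HTML id attribute to have a prefix, you can specify it:
+#
+# <% content_tag_for(:tr, @person, :foo) do %> ...
+#
+# produces:
+#
+# <tr id="foo_person_123" class="person">...
+#
+# content_tag_for also accepts a hash of options, which will be converted to
+# additional HTML attributes. If you specify a <tt>:class</tt> value, it will be combined
+# with the default class name for your object. For example:
+#
+# <% content_tag_for(:li, @person, :class => "bar") %>...
+#
+# produces:
+#
+# <li id="person_123" class="person bar">...
+#
+def content_tag_for(tag_name, record, *args, &block)
+prefix = args.first.is_a?(Hash) ? nil : args.shift
+options = args.extract_options!
+options.merge!({ :class => "#{dom_class(record, prefix)} #{options[:class]}".strip, :id => dom_id(record, prefix) })
+content_tag(tag_name, options, &block)
+end
+end
+end
+end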
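Review bot: `content_tag_for` writes back into the caller's hash: `args.extract_options!` returns the caller's own Hash object rather than a copy, and the `merge!` on the following line then overwrites its `:class` and `:id` keys, so a hash a template reuses across several calls carries the previous call's values into the next one (the class string grows to `"person person foo"` and the id is the earlier record's). Building a fresh hash avoids that: `options = args.extract_options!` followed by `options = options.merge(:class => "#{dom_class(record, prefix)} #{options[:class]}".strip, :id => dom_id(record, prefix))`. Whether `content_tag` escapes the attribute values it receives is not visible in this hunk; the `:class` text is passed through as given, so that escaping is what keeps a caller-supplied class name from breaking out of the attribute.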
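--- a/data/lib/action_view/helpers/sanitize_helper.rb
+++ b/data/lib/action_view/helpers/sanitize_helper.rb
@@ -0,0 +1,259 @@
+require 'action_view/helpers/tag_helper'
+
+module ActionView
+module Helpers #:nodoc:
+# The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements.
+# These helper methods extend ActionView making them callable within your template files.
+module SanitizeHelper
+# This +sanitize+ helper will html encode all tags and strip all attributes that aren't specifically allowed.
+# It also strips href/src tags with invalid protocols, like javascript: especially. It does its best to counter any
+# tricks that hackers may use, like throwing in unicode/ascii/hex values to get past the javascript: filters. Check out
+# the extensive test suite.
+#
+# <%= sanitize @article.body %>
+#
+# You can add or remove tags/attributes if you want to customize it a bit. See ActionView::Base for full docs on the
+# available options. You can add tags/attributes for single uses of +sanitize+ by passing either the <tt>:attributes</tt> or <tt>:tags</tt> options:
+#
+# Normal Use
+#
+# <%= sanitize @article.body %>
+#
+# Custom Use (only the mentioned tags and attributes are allowed, nothing else)
+#
+# <%= sanitize @article.body, :tags => %w(table tr td), :attributes => %w(id class style)
+#
+# Add table tags to the default allowed tags
+#
+# Rails::Initializer.run do |config|
+# config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
+# end
+#
+# Remove tags to the default allowed tags
+#
+# Rails::Initializer.run do |config|
+# config.after_initialize do
+# ActionView::Base.sanitized_allowed_tags.delete 'div'
+# end
+# end
+#
+# Change allowed default attributes
+#
+# Rails::Initializer.run do |config|
+# config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style'
+# end
+#
+# Please note that sanitizing user-provided text does not guarantee that the
+# resulting markup is valid (conforming to a document type) or even well-formed.
+# The output may still contain e.g. unescaped '<', '>', '&' characters and
+# confuse browsers.
+#
+def sanitize(html, options = {})
+returning self.class.white_list_sanitizer.sanitize(html, options) do |sanitized|
+if sanitized
+sanitized.html_safe!
+end
+end
+end
+
+# Sanitizes a block of CSS code. Used by +sanitize+ when it comes across a style attribute.
+def sanitize_css(style)
+self.class.white_list_sanitizer.sanitize_css(style)
+end
+
+# Strips all HTML tags from the +html+, including comments. This uses the
+# html-scanner tokenizer and so its HTML parsing ability is limited by
+# that of html-scanner.
+#
+# ==== Examples
+#
+# strip_tags("Strip <i>these</i> tags!")
+# # => Strip these tags!
+#
+# strip_tags("<b>Bold</b> no more! <a href='more.html'>See more here</a>...")
+# # => Bold no more! See more here...
+#
+# strip_tags("<div id='top-bar'>Welcome to my website!</div>")
+# # => Welcome to my website!
+def strip_tags(html)
+returning self.class.full_sanitizer.sanitize(html) do |sanitized|
+if sanitized
+sanitized.html_safe!
+end
+end
+end
+
+# Strips all link tags from +text+ leaving just the link text.
+#
+# ==== Examples
+# strip_links('<a href="http://www.rubyonrails.org">Ruby on Rails</a>')
+# # => Ruby on Rails
+#
+# strip_links('Please e-mail me at <a href="mailto:me@email.com">me@email.com</a>.')
+# # => Please e-mail me at me@email.com.
+#
+# strip_links('Blog: <a href="http://www.myblog.com/" class="nav" target=\"_blank\">Visit</a>.')
+# # => Blog: Visit
+def strip_links(html)
+self.class.link_sanitizer.sanitize(html)
+end
+
+module ClassMethods #:nodoc:
+attr_writer :full_sanitizer, :link_sanitizer, :white_list_sanitizer
+
+def sanitized_protocol_separator
+white_list_sanitizer.protocol_separator
+end
+
+def sanitized_uri_attributes
+white_list_sanitizer.uri_attributes
+end
+
+def sanitized_bad_tags
+white_list_sanitizer.bad_tags
+end
+
+def sanitized_allowed_tags
+white_list_sanitizer.allowed_tags
+end
+
+def sanitized_allowed_attributes
+white_list_sanitizer.allowed_attributes
+end
+
+def sanitized_allowed_css_properties
+white_list_sanitizer.allowed_css_properties
+end
+
+def sanitized_allowed_css_keywords
+white_list_sanitizer.allowed_css_keywords
+end
+
+def sanitized_shorthand_css_properties
+white_list_sanitizer.shorthand_css_properties
+end
+
+def sanitized_allowed_protocols
+white_list_sanitizer.allowed_protocols
+end
+
+def sanitized_protocol_separator=(value)
+white_list_sanitizer.protocol_separator = value
+end
+
+# Gets the HTML::FullSanitizer instance used by +strip_tags+. Replace with
+# any object that responds to +sanitize+.
+#
+# Rails::Initializer.run do |config|
+# config.action_view.full_sanitizer = MySpecialSanitizer.new
+# end
+#
+def full_sanitizer
+@full_sanitizer ||= HTML::FullSanitizer.new
+end
+
+# Gets the HTML::LinkSanitizer instance used by +strip_links+. Replace with
+# any object that responds to +sanitize+.
+#
+# Rails::Initializer.run do |config|
+# config.action_view.link_sanitizer = MySpecialSanitizer.new
+# end
+#
+def link_sanitizer
+@link_sanitizer ||= HTML::LinkSanitizer.new
+end
+
+# Gets the HTML::WhiteListSanitizer instance used by sanitize and +sanitize_css+.
+# Replace with any object that responds to +sanitize+.
+#
+# Rails::Initializer.run do |config|
+# config.action_view.white_list_sanitizer = MySpecialSanitizer.new
+# end
+#
+def white_list_sanitizer
+@white_list_sanitizer ||= HTML::WhiteListSanitizer.new
+end
+
+# Adds valid HTML attributes that the +sanitize+ helper checks for URIs.
+#
+# Rails::Initializer.run do |config|
+# config.action_view.sanitized_uri_attributes = 'lowsrc', 'target'
+# end
+#
+def sanitized_uri_attributes=(attributes)
+HTML::WhiteListSanitizer.uri_attributes.merge(attributes)
+end
+
+# Adds to the Set of 'bad' tags for the +sanitize+ helper.
+#
+# Rails::Initializer.run do |config|
+# config.action_view.sanitized_bad_tags = 'embed', 'object'
+# end
+#
+def sanitized_bad_tags=(attributes)
+HTML::WhiteListSanitizer.bad_tags.merge(attributes)
+end
+
+# Adds to the Set of allowed tags for the +sanitize+ helper.
+#
+# Rails::Initializer.run do |config|
+# config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
+# end
+#
+def sanitized_allowed_tags=(attributes)
+HTML::WhiteListSanitizer.allowed_tags.merge(attributes)
+end
+
+# Adds to the Set of allowed HTML attributes for the +sanitize+ helper.
+#
+# Rails::Initializer.run do |config|
+# config.action_view.sanitized_allowed_attributes = 'onclick', 'longdesc'
+# end
+#
+def sanitized_allowed_attributes=(attributes)
+HTML::WhiteListSanitizer.allowed_attributes.merge(attributes)
+end
+
+# Adds to the Set of allowed CSS properties for the #sanitize and +sanitize_css+ helpers.
+#
+# Rails::Initializer.run do |config|
+# config.action_view.sanitized_allowed_css_properties = 'expression'
+# end
+#
+def sanitized_allowed_css_properties=(attributes)
+HTML::WhiteListSanitizer.allowed_css_properties.merge(attributes)
+end
+
+# Adds to the Set of allowed CSS keywords for the +sanitize+ and +sanitize_css+ helpers.
+#
+# Rails::Initializer.run do |config|
+# config.action_view.sanitized_allowed_css_keywords = 'expression'
+# end
+#
+def sanitized_allowed_css_keywords=(attributes)
+HTML::WhiteListSanitizer.allowed_css_keywords.merge(attributes)
+end
+
+# Adds to the Set of allowed shorthand CSS properties for the +sanitize+ and +sanitize_css+ helpers.
+#
+# Rails::Initializer.run do |config|
+# config.action_view.sanitized_shorthand_css_properties = 'expression'
+# end
+#
+def sanitized_shorthand_css_properties=(attributes)
+HTML::WhiteListSanitizer.shorthand_css_properties.merge(attributes)
+end
+
+# Adds to the Set of allowed protocols for the +sanitize+ helper.
+#
+# Rails::Initializer.run do |config|
+# config.action_view.sanitized_allowed_protocols = 'ssh', 'feed'
+# end
+#
+def sanitized_allowed_protocols=(attributes)
+HTML::WhiteListSanitizer.allowed_protocols.merge(attributes)
+end
+end
+end
+end
+end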
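Review bot: The allow-list setters from `sanitized_uri_attributes=` down to `sanitized_allowed_protocols=` merge straight into the class-level sets on `HTML::WhiteListSanitizer`, while every reader above them and `sanitized_protocol_separator=` go through `white_list_sanitizer`, the instance that the `attr_writer` lets an application replace. Once a custom sanitizer has been installed, `config.action_view.sanitized_allowed_tags = ...` therefore widens the allow-list of an object that is no longer doing the sanitizing, and `sanitized_allowed_tags` will not reflect the change, so anyone auditing the configuration can be misled about what `sanitize` actually lets through. Routing the setters through the same accessor, e.g. `white_list_sanitizer.allowed_tags.merge(attributes)`, keeps reader and writer on one object; whether the stock `HTML::WhiteListSanitizer` instance aliases the class-level sets is not visible in this hunk. Separately, the comment on `white_list_sanitizer` says a replacement only needs to respond to `+sanitize+`, but the readers call `protocol_separator`, `uri_attributes`, `bad_tags`, `allowed_tags`, `allowed_attributes`, `allowed_css_properties`, `allowed_css_keywords`, `shorthand_css_properties` and `allowed_protocols` on it and `sanitize_css` calls `sanitize_css`, so the comment should state that wider contract.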
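--- a/data/lib/action_view/helpers/scriptaculous_helper.rb
+++ b/data/lib/action_view/helpers/scriptaculous_helper.rb
@@ -0,0 +1,226 @@
+require 'action_view/helpers/javascript_helper'
+require 'active_support/json'
+
+module ActionView
+module Helpers
+# Provides a set of helpers for calling Scriptaculous JavaScript
+# functions, including those which create Ajax controls and visual effects.
+#
+# To be able to use these helpers, you must include the Prototype
+# JavaScript framework and the Scriptaculous JavaScript library in your
+# pages. See the documentation for ActionView::Helpers::JavaScriptHelper
+# for more information on including the necessary JavaScript.
+#
+# The Scriptaculous helpers' behavior can be tweaked with various options.
+# See the documentation at http://script.aculo.us for more information on
+# using these helpers in your application.
+module ScriptaculousHelper
+unless const_defined? :TOGGLE_EFFECTS
+TOGGLE_EFFECTS = [:toggle_appear, :toggle_slide, :toggle_blind]
+end
+
+# Returns a JavaScript snippet to be used on the Ajax callbacks for
+# starting visual effects.
+#
+# Example:
+# <%= link_to_remote "Reload", :update => "posts",
+# :url => { :action => "reload" },
+# :complete => visual_effect(:highlight, "posts", :duration => 0.5)
+#
+# If no +element_id+ is given, it assumes "element" which should be a local
+# variable in the generated JavaScript execution context. This can be
+# used for example with +drop_receiving_element+:
+#
+# <%= drop_receiving_element (...), :loading => visual_effect(:fade) %>
+#
+# This would fade the element that was dropped on the drop receiving
+# element.
+#
+# For toggling visual effects, you can use <tt>:toggle_appear</tt>, <tt>:toggle_slide</tt>, and
+# <tt>:toggle_blind</tt> which will alternate between appear/fade, slidedown/slideup, and
+# blinddown/blindup respectively.
+#
+# You can change the behaviour with various options, see
+# http://script.aculo.us for more documentation.
+def visual_effect(name, element_id = false, js_options = {})
+element = element_id ? ActiveSupport::JSON.encode(element_id) : "element"
+
+js_options[:queue] = if js_options[:queue].is_a?(Hash)
+'{' + js_options[:queue].map {|k, v| k == :limit ? "#{k}:#{v}" : "#{k}:'#{v}'" }.join(',') + '}'
+elsif js_options[:queue]
+"'#{js_options[:queue]}'"
+end if js_options[:queue]
+
+[:endcolor, :direction, :startcolor, :scaleMode, :restorecolor].each do |option|
+js_options[option] = "'#{js_options[option]}'" if js_options[option]
+end
+
+if TOGGLE_EFFECTS.include? name.to_sym
+"Effect.toggle(#{element},'#{name.to_s.gsub(/^toggle_/,'')}',#{options_for_javascript(js_options)});"
+else
+"new Effect.#{name.to_s.camelize}(#{element},#{options_for_javascript(js_options)});"
+end
+end
+
+# Makes the element with the DOM ID specified by +element_id+ sortable
+# by drag-and-drop and make an Ajax call whenever the sort order has
+# changed. By default, the action called gets the serialized sortable
+# element as parameters.
+#
+# Example:
+#
+# <%= sortable_element("my_list", :url => { :action => "order" }) %>
+#
+# In the example, the action gets a "my_list" array parameter
+# containing the values of the ids of elements the sortable consists
+# of, in the current order.
+#
+# Important: For this to work, the sortable elements must have id
+# attributes in the form "string_identifier". For example, "item_1". Only
+# the identifier part of the id attribute will be serialized.
+#
+# Additional +options+ are:
+#
+# * <tt>:format</tt> - A regular expression to determine what to send as the
+# serialized id to the server (the default is <tt>/^[^_]*_(.*)$/</tt>).
+#
+# * <tt>:constraint</tt> - Whether to constrain the dragging to either
+# <tt>:horizontal</tt> or <tt>:vertical</tt> (or false to make it unconstrained).
+#
+# * <tt>:overlap</tt> - Calculate the item overlap in the <tt>:horizontal</tt>
+# or <tt>:vertical</tt> direction.
+#
+# * <tt>:tag</tt> - Which children of the container element to treat as
+# sortable (default is <tt>li</tt>).
+#
+# * <tt>:containment</tt> - Takes an element or array of elements to treat as
+# potential drop targets (defaults to the original target element).
+#
+# * <tt>:only</tt> - A CSS class name or array of class names used to filter
+# out child elements as candidates.
+#
+# * <tt>:scroll</tt> - Determines whether to scroll the list during drag
+# operations if the list runs past the visual border.
+#
+# * <tt>:tree</tt> - Determines whether to treat nested lists as part of the
+# main sortable list. This means that you can create multi-layer lists,
+# and not only sort items at the same level, but drag and sort items
+# between levels.
+#
+# * <tt>:hoverclass</tt> - If set, the Droppable will have this additional CSS class
+# when an accepted Draggable is hovered over it.
+#
+# * <tt>:handle</tt> - Sets whether the element should only be draggable by an
+# embedded handle. The value may be a string referencing a CSS class value
+# (as of script.aculo.us V1.5). The first child/grandchild/etc. element
+# found within the element that has this CSS class value will be used as
+# the handle.
+#
+# * <tt>:ghosting</tt> - Clones the element and drags the clone, leaving
+# the original in place until the clone is dropped (default is <tt>false</tt>).
+#
+# * <tt>:dropOnEmpty</tt> - If true the Sortable container will be made into
+# a Droppable, that can receive a Draggable (as according to the containment
+# rules) as a child element when there are no more elements inside (default
+# is <tt>false</tt>).
+#
+# * <tt>:onChange</tt> - Called whenever the sort order changes while dragging. When
+# dragging from one Sortable to another, the callback is called once on each
+# Sortable. Gets the affected element as its parameter.
+#
+# * <tt>:onUpdate</tt> - Called when the drag ends and the Sortable's order is
+# changed in any way. When dragging from one Sortable to another, the callback
+# is called once on each Sortable. Gets the container as its parameter.
+#
+# See http://script.aculo.us for more documentation.
+def sortable_element(element_id, options = {})
+javascript_tag(sortable_element_js(element_id, options).chop!)
+end
+
+def sortable_element_js(element_id, options = {}) #:nodoc:
+options[:with] ||= "Sortable.serialize(#{ActiveSupport::JSON.encode(element_id)})"
+options[:onUpdate] ||= "function(){" + remote_function(options) + "}"
+options.delete_if { |key, value| PrototypeHelper::AJAX_OPTIONS.include?(key) }
+
+[:tag, :overlap, :constraint, :handle].each do |option|
+options[option] = "'#{options[option]}'" if options[option]
+end
+
+options[:containment] = array_or_string_for_javascript(options[:containment]) if options[:containment]
+options[:only] = array_or_string_for_javascript(options[:only]) if options[:only]
+
+%(Sortable.create(#{ActiveSupport::JSON.encode(element_id)}, #{options_for_javascript(options)});)
+end
+
+# Makes the element with the DOM ID specified by +element_id+ draggable.
+#
+# Example:
+# <%= draggable_element("my_image", :revert => true)
+#
+# You can change the behaviour with various options, see
+# http://script.aculo.us for more documentation.
+def draggable_element(element_id, options = {})
+javascript_tag(draggable_element_js(element_id, options).chop!)
+end
+
+def draggable_element_js(element_id, options = {}) #:nodoc:
+%(new Draggable(#{ActiveSupport::JSON.encode(element_id)}, #{options_for_javascript(options)});)
+end
+
+# Makes the element with the DOM ID specified by +element_id+ receive
+# dropped draggable elements (created by +draggable_element+).
+# and make an AJAX call. By default, the action called gets the DOM ID
+# of the element as parameter.
+#
+# Example:
+# <%= drop_receiving_element("my_cart", :url =>
+# { :controller => "cart", :action => "add" }) %>
+#
+# You can change the behaviour with various options, see
+# http://script.aculo.us for more documentation.
+#
+# Some of these +options+ include:
+# * <tt>:accept</tt> - Set this to a string or an array of strings describing the
+# allowable CSS classes that the +draggable_element+ must have in order
+# to be accepted by this +drop_receiving_element+.
+#
+# * <tt>:confirm</tt> - Adds a confirmation dialog. Example:
+#
+# :confirm => "Are you sure you want to do this?"
+#
+# * <tt>:hoverclass</tt> - If set, the +drop_receiving_element+ will have
+# this additional CSS class when an accepted +draggable_element+ is
+# hovered over it.
+#
+# * <tt>:onDrop</tt> - Called when a +draggable_element+ is dropped onto
+# this element. Override this callback with a JavaScript expression to
+# change the default drop behaviour. Example:
+#
+# :onDrop => "function(draggable_element, droppable_element, event) { alert('I like bananas') }"
+#
+# This callback gets three parameters: The Draggable element, the Droppable
+# element and the Event object. You can extract additional information about
+# the drop - like if the Ctrl or Shift keys were pressed - from the Event object.
+#
+# * <tt>:with</tt> - A JavaScript expression specifying the parameters for
+# the XMLHttpRequest. Any expressions should return a valid URL query string.
+def drop_receiving_element(element_id, options = {})
+javascript_tag(drop_receiving_element_js(element_id, options).chop!)
+end
+
+def drop_receiving_element_js(element_id, options = {}) #:nodoc:
+options[:with] ||= "'id=' + encodeURIComponent(element.id)"
+options[:onDrop] ||= "function(element){" + remote_function(options) + "}"
+options.delete_if { |key, value| PrototypeHelper::AJAX_OPTIONS.include?(key) }
+
+options[:accept] = array_or_string_for_javascript(options[:accept]) if options[:accept]
+options[:hoverclass] = "'#{options[:hoverclass]}'" if options[:hoverclass]
+
+# Confirmation happens during the onDrop callback, so it can be removed from the options
+options.delete(:confirm) if options[:confirm]
+
+%(Droppables.add(#{ActiveSupport::JSON.encode(element_id)}, #{options_for_javascript(options)});)
+end
+end
+end
+end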
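Review bot: The option values interpolated into the generated JavaScript at `js_options[option] = "'#{js_options[option]}'"` in `visual_effect`, the `:queue` hash entries a few lines above it, `options[option] = "'#{options[option]}'"` in `sortable_element_js` and `options[:hoverclass] = "'#{options[:hoverclass]}'"` in `drop_receiving_element_js` are wrapped in hand-written single quotes with no escaping, whereas `element_id` on the same lines goes through `ActiveSupport::JSON.encode`. A value containing `'` ends the string literal early, so if any of these options is ever populated from request data the emitted `<script>` carries that data as code; escaping the interpolated value keeps the quoting intact, e.g. `js_options[option] = "'#{escape_javascript(js_options[option].to_s)}'" if js_options[option]`, with the same one-line change at the other three sites. `escape_javascript` comes from the `action_view/helpers/javascript_helper` this file already requires; `name.to_s.camelize` in the `new Effect.` line is spliced in unquoted and deserves the same scrutiny if the effect name is not a literal.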