padrino-helpers 0.10.7 → 0.11.0

data/lib/padrino-helpers/form_helpers.rb

@@ -1,3 +1,5 @@
+require 'securerandom'
+
 module Padrino
   module Helpers
     ##
@@ -28,8 +30,8 @@ module Padrino
       #
       # @api public
       def form_for(object, url, settings={}, &block)
-        form_html = capture_html(builder_instance(object, settings), &block)
-        form_tag(url, settings) { form_html }
+        instance = builder_instance(object, settings)
+        form_tag(url, settings) { capture_html(instance, &block) }
       end
 
       ##
@@ -54,7 +56,7 @@ module Padrino
         instance = builder_instance(object, settings)
         fields_html = capture_html(instance, &block)
         fields_html << instance.hidden_field(:id) if instance.send(:nested_object_id)
-        concat_content fields_html
+        concat_safe_content fields_html
       end
 
       ##
@@ -79,8 +81,9 @@ module Padrino
         options.reverse_merge!(:method => 'post', :action => url)
         options[:enctype] = 'multipart/form-data' if options.delete(:multipart)
         options['accept-charset'] ||= 'UTF-8'
-        inner_form_html  = hidden_form_method_field(desired_method)
-        inner_form_html += capture_html(&block)
+        inner_form_html = hidden_form_method_field(desired_method)
+        inner_form_html << csrf_token_field
+        inner_form_html << mark_safe(capture_html(&block))
         concat_content content_tag(:form, inner_form_html, options)
       end
 
@@ -100,7 +103,7 @@ module Padrino
       #
       # @api semipublic
       def hidden_form_method_field(desired_method)
-        return '' if desired_method.blank? || desired_method.to_s =~ /get|post/i
+        return ActiveSupport::SafeBuffer.new if desired_method.blank? || desired_method.to_s =~ /get|post/i
         hidden_field_tag(:_method, :value => desired_method)
       end
 
@@ -125,8 +128,8 @@ module Padrino
       def field_set_tag(*args, &block)
         options = args.extract_options!
         legend_text = args[0].is_a?(String) ? args.first : nil
-        legend_html = legend_text.blank? ? '' : content_tag(:legend, legend_text)
-        field_set_content = legend_html + capture_html(&block)
+        legend_html = legend_text.blank? ? ActiveSupport::SafeBuffer.new : content_tag(:legend, legend_text)
+        field_set_content = legend_html + mark_safe(capture_html(&block))
         concat_content content_tag(:fieldset, field_set_content, options)
       end
 
@@ -199,10 +202,10 @@ module Padrino
               }
             }.join
 
-            contents = ''
+            contents = ActiveSupport::SafeBuffer.new
             contents << content_tag(options[:header_tag] || :h2, header_message) unless header_message.blank?
             contents << content_tag(:p, message) unless message.blank?
-            contents << content_tag(:ul, error_messages)
+            contents << safe_content_tag(:ul, error_messages)
 
             content_tag(:div, contents, html)
           end
@@ -276,10 +279,11 @@ module Padrino
       # @api public
       def label_tag(name, options={}, &block)
         options.reverse_merge!(:caption => "#{name.to_s.humanize}: ", :for => name)
-        caption_text = options.delete(:caption)
-        caption_text << "<span class='required'>*</span> " if options.delete(:required)
+        caption_text = options.delete(:caption).html_safe
+        caption_text.safe_concat "<span class='required'>*</span> " if options.delete(:required)
+
         if block_given? # label with inner content
-          label_content = caption_text + capture_html(&block)
+          label_content = caption_text.concat capture_html(&block)
           concat_content(content_tag(:label, label_content, options))
         else # regular label
           content_tag(:label, caption_text, options)
@@ -409,10 +413,10 @@ module Padrino
       #   # => <input name="age" min="18" max="120" step="1" type="number">
       #
       # @api public
-      def number_field_tag(name, options={})        
+      def number_field_tag(name, options={})
         input_tag(:number, options.reverse_merge(:name => name))
       end
-      
+
       ##
       # Creates a telephone field input with the given name and options
       #
@@ -452,7 +456,7 @@ module Padrino
       def email_field_tag(name, options={})
         input_tag(:email, options.reverse_merge(:name => name))
       end
-      
+
       ##
       # Creates a search field input with the given name and options
       #
@@ -573,6 +577,7 @@ module Padrino
       #
       # @api public
       def file_field_tag(name, options={})
+        name = "#{name}[]" if options[:multiple]
         options.reverse_merge!(:name => name)
         input_tag(:file, options)
       end
@@ -630,7 +635,7 @@ module Padrino
         end
         select_options_html = select_options_html.unshift(blank_option(prompt)) if select_options_html.is_a?(Array)
         options.merge!(:name => "#{options[:name]}[]") if options[:multiple]
-        content_tag(:select, select_options_html, options)
+        safe_content_tag(:select, select_options_html, options)
       end
 
       ##
@@ -689,6 +694,68 @@ module Padrino
         input_tag(:image, options)
       end
 
+      # Constructs a hidden field containing a CSRF token.
+      #
+      # @param [String] token
+      #   The token to use. Will be read from the session by default.
+      #
+      # @return [String] The hidden field with CSRF token as value.
+      #
+      # @example
+      #   csrf_token_field
+      #
+      # @api public
+      def csrf_token_field(token = nil)
+        if defined? session
+          token ||= (session[:csrf] ||= SecureRandom.hex(32))
+        end
+
+        hidden_field_tag :authenticity_token, :value => token
+      end
+
+      ##
+      # Creates a form containing a single button that submits to the url.
+      #
+      # @overload button_to(name, url, options={})
+      #   @param [String]  caption  The text caption.
+      #   @param [String]  url      The url href.
+      #   @param [Hash]    options  The html options.
+      # @overload button_to(name, options={}, &block)
+      #   @param [String]  url      The url href.
+      #   @param [Hash]    options  The html options.
+      #   @param [Proc]    block    The button content.
+      #
+      # @option options [Boolean] :multipart
+      #   If true, this form will support multipart encoding.
+      # @option options [String] :remote
+      #   Instructs ujs handler to handle the submit as ajax.
+      # @option options [Symbol] :method
+      #   Instructs ujs handler to use different http method (i.e :post, :delete).
+      #
+      # @return [String] Form and button html with specified +options+.
+      #
+      # @example
+      #   button_to 'Delete', url(:accounts_destroy, :id => account), :method => :delete, :class => :form
+      #   # Generates:
+      #   # <form class="form" action="/admin/accounts/destroy/2" method="post">
+      #   #   <input type="hidden" value="delete" name="_method" />
+      #   #   <input type="submit" value="Delete" />
+      #   # </form>
+      #
+      # @api public
+      def button_to(*args, &block)
+        name, url = args[0], args[1]
+        options   = args.extract_options!
+        options['data-remote'] = 'true' if options.delete(:remote)
+        if block_given?
+          form_tag(url, options, &block)
+        else
+          form_tag(url, options) do
+            submit_tag(name)
+          end
+        end
+      end
+
       protected
 
         ##

data/lib/padrino-helpers/format_helpers.rb

@@ -1,3 +1,4 @@
+# -*- coding: utf-8 -*-
 module Padrino
   module Helpers
     ###
@@ -373,7 +374,7 @@ module Padrino
       def js_escape_html(html_content)
         return '' unless html_content
         javascript_mapping = { '\\' => '\\\\', '</' => '<\/', "\r\n" => '\n', "\n" => '\n', "\r" => '\n', '"' => '\\"', "'" => "\\'" }
-        html_content.gsub(/(\\|<\/|\r\n|[\n\r"'])/) { javascript_mapping[$1] }
+        html_content.gsub(/(\\|<\/|\r\n|[\n\r"'])/){|m| javascript_mapping[m]}
       end
       alias :escape_javascript :js_escape_html
     end # FormatHelpers

data/lib/padrino-helpers/locale/fr.yml

@@ -27,25 +27,25 @@ fr:
         format: "%n %u"
         units:
           byte:
-            one:   "Byte"
-            other: "Bytes"
-          kb: "KB"
-          mb: "MB"
-          gb: "GB"
-          tb: "TB"
+            one:   "Octet"
+            other: "Octets"
+          kb: "Ko"
+          mb: "Mo"
+          gb: "Go"
+          tb: "To"
 
   datetime:
     distance_in_words:
       half_a_minute: "une demi minute"
       less_than_x_seconds:
-        one:   "infèrieur à une seconde"
-        other: "infèrieur à %{count} secondes"
+        one:   "inférieur à une seconde"
+        other: "inférieur à %{count} secondes"
       x_seconds:
         one:   "1 seconde"
         other: "%{count} secondes"
       less_than_x_minutes:
-        one:   "infèrieur à 1 minute"
-        other: "infèrieur à %{count} minutes"
+        one:   "inférieur à 1 minute"
+        other: "inférieur à %{count} minutes"
       x_minutes:
         one:   "1 minute"
         other: "%{count} minutes"
@@ -68,8 +68,8 @@ fr:
         one:   "plus d'un an"
         other: "plus de %{count} ans"
       almost_x_years:
-        one:   "près d'un ans"
-        other: "près de %{count} years"
+        one:   "près d'un an"
+        other: "près de %{count} ans"
   models:
     errors:
       template:

data/lib/padrino-helpers/locale/pt_br.yml

@@ -17,8 +17,8 @@ pt_br:
         format: "%u%n"
         unit: "R$"
         # These three are to override number.format and are optional
-        separator: "."
-        delimiter: ","
+        separator: ","
+        delimiter: "."
         precision: 2
 
     # Used in number_to_percentage()

data/lib/padrino-helpers/output_helpers.rb

@@ -26,6 +26,8 @@ module Padrino
       ##
       # Captures the html from a block of template code for any available handler.
       #
+      # Be aware that trusting the html is up to the caller.
+      #
       # @param [Object] *args
       #   Objects yield to the captured block
       # @param [Proc] &block
@@ -37,6 +39,12 @@ module Padrino
       #   capture_html(&block) => "...html..."
       #   capture_html(object_for_block, &block) => "...html..."
       #
+      # @example
+      #   ActiveSupport::SafeBuffer.new + capture_html { "<foo>" }
+      #   # => "&lt;foo&gt;"
+      #   ActiveSupport::SafeBuffer.safe_concat + capture_html { "<foo>" }
+      #   # => "<foo>"
+      #
       # @api semipublic
       def capture_html(*args, &block)
         handler = find_proper_handler
@@ -53,7 +61,9 @@ module Padrino
       ##
       # Outputs the given text to the templates buffer directly.
       #
-      # @param [String] text
+      # The output might be subject to escaping, if it is not marked as safe.
+      #
+      # @param [String,SafeBuffer] text
       #   Text to concatenate to the buffer.
       #
       # @example
@@ -70,6 +80,21 @@ module Padrino
       end
       alias :concat :concat_content
 
+      ##
+      # Outputs the given text to the templates buffer directly,
+      # assuming that it is safe.
+      #
+      # @param [String] text
+      #   Text to concatenate to the buffer.
+      #
+      # @example
+      #   concat_safe_content("This will be output to the template buffer")
+      #
+      # @api semipublic
+      def concat_safe_content(text="")
+        concat_content text.html_safe
+      end
+
       ##
       # Returns true if the block is from a supported template type; false otherwise.
       # Used to determine if html should be returned or concatenated to the view.
@@ -146,7 +171,7 @@ module Padrino
       def yield_content(key, *args)
         blocks = content_blocks[key.to_sym]
         return nil if blocks.empty?
-        blocks.map { |content| capture_html(*args, &content) }.join
+        mark_safe(blocks.map { |content| capture_html(*args, &content) }.join)
       end
 
       protected
@@ -170,6 +195,21 @@ module Padrino
         def find_proper_handler
           OutputHelpers.handlers.map { |h| h.new(self) }.find { |h| h.engines.include?(current_engine) && h.is_type? }
         end
+
+        ##
+        # Marks a String or a collection of Strings as safe. `nil` is accepted
+        # but ignored.
+        #
+        # @param [String, Array<String>] the values to be marked safe.
+        #
+        # @return [ActiveSupport::SafeBuffer, Array<ActiveSupport::SafeBuffer>]
+        def mark_safe(value)
+          if value.respond_to? :map!
+            value.map!{|v| v.html_safe if v }
+          else
+            value.html_safe if value
+          end
+        end
     end # OutputHelpers
   end # Helpers
 end # Padrino

data/lib/padrino-helpers/output_helpers/erb_handler.rb

@@ -28,7 +28,7 @@ module Padrino
         #   @handler.capture_from_template(&block) => "...html..."
         #
         def capture_from_template(*args, &block)
-          self.output_buffer, _buf_was = "", self.output_buffer
+          self.output_buffer, _buf_was = ActiveSupport::SafeBuffer.new, self.output_buffer
           block.call(*args)
           ret = eval("@_out_buf", block.binding)
           self.output_buffer = _buf_was

data/lib/padrino-helpers/output_helpers/slim_handler.rb

@@ -1,5 +1,4 @@
 # Make slim works with sinatra/padrino
-Slim::Engine.set_default_options(:buffer => '@_out_buf', :generator => Temple::Generators::StringBuffer) if defined?(Slim)
 
 module Padrino
   module Helpers
@@ -31,9 +30,9 @@ module Padrino
         #   @handler.capture_from_template(&block) => "...html..."
         #
         def capture_from_template(*args, &block)
-          self.output_buffer, _buf_was = '', self.output_buffer
+          self.output_buffer, _buf_was = ActiveSupport::SafeBuffer.new, self.output_buffer
           block.call(*args)
-          ret = eval('@_out_buf', block.binding)
+          ret = eval("@_out_buf", block.binding)
           self.output_buffer = _buf_was
           ret
         end
@@ -73,9 +72,9 @@ module Padrino
           def output_buffer=(val)
             template.instance_variable_set(:@_out_buf, val)
           end
-        end # SlimHandler
+      end # SlimHandler
 
-        OutputHelpers.register(SlimHandler)
+      OutputHelpers.register(SlimHandler)
     end # OutputHelpers
   end # Helpers
 end # Padrino

data/lib/padrino-helpers/render_helpers.rb

@@ -46,12 +46,12 @@ module Padrino
             counter += 1
             options[:locals].merge!(object_name => member, "#{object_name}_counter".to_sym => counter)
             render(explicit_engine, template_path, options.dup)
-          }.join("\n")
+          }.join("\n").html_safe
         else
           if member = options.delete(:object)
             options[:locals].merge!(object_name => member)
           end
-          render(explicit_engine, template_path, options.dup)
+          render(explicit_engine, template_path, options.dup).html_safe
         end
       end
       alias :render_partial :partial

data/lib/padrino-helpers/tag_helpers.rb

@@ -13,6 +13,12 @@ module Padrino
         '"' => """
       }
 
+      ##
+      # Cached Regexp for escaping values to avoid rebuilding one
+      # on every escape operation.
+      #
+      ESCAPE_REGEXP = Regexp.union(*ESCAPE_VALUES.keys)
+
       BOOLEAN_ATTRIBUTES = [
         :autoplay,
         :autofocus,
@@ -42,6 +48,12 @@ module Padrino
         :confirm
       ]
 
+      ##
+      # A html_safe newline string to avoid allocating a new on each
+      # concatenation.
+      #
+      NEWLINE = "\n".html_safe.freeze
+
       ##
       # Creates an HTML tag with given name, content, and options
       #
@@ -104,14 +116,30 @@ module Padrino
           content = capture_html(&block)
         end
 
-        content = content.join("\n") if content.respond_to?(:join)
-
         options    = parse_data_options(name, options)
         attributes = tag_attributes(options)
-        output = "<#{name}#{attributes}>#{content}</#{name}>"
+        output = ActiveSupport::SafeBuffer.new
+        output.safe_concat "<#{name}#{attributes}>"
+        if content.respond_to?(:each) && !content.is_a?(String)
+          content.each { |c| output.concat c; output.safe_concat NEWLINE }
+        else
+          output.concat content
+        end
+        output.safe_concat "</#{name}>"
+
         block_is_template?(block) ? concat_content(output) : output
       end
 
+      ##
+      # Like #content_tag, but assumes its input to be safe and doesn't
+      # escape. It also returns safe html.
+      #
+      # @see #content_tag
+      #
+      def safe_content_tag(name, content = nil, options = nil, &block)
+        mark_safe(content_tag(name, mark_safe(content), options, &block))
+      end
+
       ##
       # Creates an HTML input field with the given type and options
       #
@@ -200,7 +228,7 @@ module Padrino
       def tag(name, options = nil, open = false)
         options    = parse_data_options(name, options)
         attributes = tag_attributes(options)
-        "<#{name}#{attributes}#{open ? '>' : ' />'}"
+        "<#{name}#{attributes}#{open ? '>' : ' />'}".html_safe
       end
 
       private
@@ -226,7 +254,7 @@ module Padrino
       # Escape tag values to their HTML/XML entities.
       ##
       def escape_value(string)
-        string.to_s.gsub(Regexp.union(*ESCAPE_VALUES.keys)) { |c| ESCAPE_VALUES[c] }
+        string.to_s.gsub(ESCAPE_REGEXP) { |c| ESCAPE_VALUES[c] }
       end
 
       ##