railties 3.1.0.rc4 → 3.1.0.rc5

data/guides/source/rails_application_templates.textile

@@ -1,6 +1,6 @@
 h2. Rails Application Templates
 
-Application templates are simple ruby files containing DSL for adding plugins/gems/initializers etc. to your freshly created Rails project or an existing Rails project.
+Application templates are simple Ruby files containing DSL for adding plugins/gems/initializers etc. to your freshly created Rails project or an existing Rails project.
 
 By referring to this guide, you will be able to:
 
@@ -11,22 +11,18 @@ endprologue.
 
 h3. Usage
 
-To apply a template, you need to provide the Rails generator with the location of the template you wish to apply, using -m option:
+To apply a template, you need to provide the Rails generator with the location of the template you wish to apply, using -m option. This can either be path to a file or a URL.
 
 <shell>
 $ rails new blog -m ~/template.rb
+$ rails new blog -m http://example.com/template.rb
 </shell>
 
-It's also possible to apply a template using a URL:
-
-<shell>
-$ rails new blog -m https://gist.github.com/755496.txt
-</shell>
-
-Alternatively, you can use the rake task +rails:template+ to apply a template to an existing Rails application:
+You can use the rake task +rails:template+ to apply templates to an existing Rails application. The location of the template needs to be passed in to an environment variable named LOCATION. Again, this can either be path to a file or a URL.
 
 <shell>
 $ rake rails:template LOCATION=~/template.rb
+$ rake rails:template LOCATION=http://example.com/template.rb
 </shell>
 
 h3. Template API
@@ -58,14 +54,12 @@ gem "bj"
 gem "nokogiri"
 </ruby>
 
-Please note that this will NOT install the gems for you. So you may want to run the +rake gems:install+ task too:
+Please note that this will NOT install the gems for you and you will have to run +bundle install+ to do that.
 
 <ruby>
-rake "gems:install"
+bundle install
 </ruby>
 
-And let Rails take care of installing the required gems if they’re not already installed.
-
 h4. add_source(source, options = {})
 
 Adds the given source to the generated application's +Gemfile+.
@@ -229,7 +223,7 @@ rake("rails:freeze:gems") if yes?("Freeze rails gems ?")
 no?(question) acts just the opposite.
 </ruby>
 
-h4. git(:must => "-a love")
+h4. git(:command)
 
 Rails templates let you run any git command:
 

data/guides/source/routing.textile

@@ -68,7 +68,7 @@ Rails would dispatch that request to the +destroy+ method on the +photos+ contro
 
 h4. CRUD, Verbs, and Actions
 
-In Rails, a resourceful route provides a mapping between HTTP verbs and URLs and controller actions. By convention, each action also maps to particular CRUD operations in a database. A single entry in the routing file, such as
+In Rails, a resourceful route provides a mapping between HTTP verbs and URLs to controller actions. By convention, each action also maps to particular CRUD operations in a database. A single entry in the routing file, such as
 
 <ruby>
 resources :photos
@@ -94,8 +94,8 @@ Creating a resourceful route will also expose a number of helpers to the control
 
 * +photos_path+ returns +/photos+
 * +new_photo_path+ returns +/photos/new+
-* +edit_photo_path(id)+ returns +/photos/:id/edit+ (for instance, +edit_photo_path(10)+ returns +/photos/10/edit+)
-* +photo_path(id)+ returns +/photos/:id+ (for instance, +photo_path(10)+ returns +/photos/10+)
+* +edit_photo_path(:id)+ returns +/photos/:id/edit+ (for instance, +edit_photo_path(10)+ returns +/photos/10/edit+)
+* +photo_path(:id)+ returns +/photos/:id+ (for instance, +photo_path(10)+ returns +/photos/10+)
 
 Each of these helpers has a corresponding +_url+ helper (such as +photos_url+) which returns the same path prefixed with the current host, port and path prefix.
 
@@ -163,14 +163,14 @@ end
 
 This will create a number of routes for each of the +posts+ and +comments+ controller. For +Admin::PostsController+, Rails will create:
 
-|_.HTTP Verb |_.Path              |_.action |_.named helper            |
-|GET         |/admin/posts        |index    | admin_posts_path         |
-|GET         |/admin/posts/new    |new      | new_admin_posts_path     |
-|POST        |/admin/posts        |create   | admin_posts_path         |
-|GET         |/admin/posts/1      |show     | admin_post_path(id)      |
-|GET         |/admin/posts/1/edit |edit     | edit_admin_post_path(id) |
-|PUT         |/admin/posts/1      |update   | admin_post_path(id)      |
-|DELETE      |/admin/posts/1      |destroy  | admin_post_path(id)      |
+|_.HTTP Verb |_.Path                |_.action |_.named helper             |
+|GET         |/admin/posts          |index    | admin_posts_path          |
+|GET         |/admin/posts/new      |new      | new_admin_post_path       |
+|POST        |/admin/posts          |create   | admin_posts_path          |
+|GET         |/admin/posts/:id      |show     | admin_post_path(:id)      |
+|GET         |/admin/posts/:id/edit |edit     | edit_admin_post_path(:id) |
+|PUT         |/admin/posts/:id      |update   | admin_post_path(:id)      |
+|DELETE      |/admin/posts/:id      |destroy  | admin_post_path(:id)      |
 
 If you want to route +/posts+ (without the prefix +/admin+) to +Admin::PostsController+, you could use
 
@@ -204,12 +204,12 @@ In each of these cases, the named routes remain the same as if you did not use +
 
 |_.HTTP Verb |_.Path               |_.action |_.named helper      |
 |GET         |/admin/posts         |index    | posts_path         |
-|GET         |/admin/posts/new     |new      | posts_path         |
+|GET         |/admin/posts/new     |new      | new_post_path      |
 |POST        |/admin/posts         |create   | posts_path         |
-|GET         |/admin/posts/1       |show     | post_path(id)      |
-|GET         |/admin/posts/1/edit  |edit     | edit_post_path(id) |
-|PUT         |/admin/posts/1       |update   | post_path(id)      |
-|DELETE      |/admin/posts/1       |destroy  | post_path(id)      |
+|GET         |/admin/posts/:id     |show     | post_path(:id)     |
+|GET         |/admin/posts/:id/edit|edit     | edit_post_path(:id)|
+|PUT         |/admin/posts/:id     |update   | post_path(:id)     |
+|DELETE      |/admin/posts/:id     |destroy  | post_path(:id)     |
 
 h4. Nested Resources
 
@@ -236,13 +236,13 @@ end
 In addition to the routes for magazines, this declaration will also route ads to an +AdsController+. The ad URLs require a magazine:
 
 |_.HTTP Verb |_.Path                  |_.action |_.used for                                                                 |
-|GET         |/magazines/1/ads        |index    |display a list of all ads for a specific magazine                          |
-|GET         |/magazines/1/ads/new    |new      |return an HTML form for creating a new ad belonging to a specific magazine |
-|POST        |/magazines/1/ads        |create   |create a new ad belonging to a specific magazine                           |
-|GET         |/magazines/1/ads/1      |show     |display a specific ad belonging to a specific magazine                     |
-|GET         |/magazines/1/ads/1/edit |edit     |return an HTML form for editing an ad belonging to a specific magazine     |
-|PUT         |/magazines/1/ads/1      |update   |update a specific ad belonging to a specific magazine                      |
-|DELETE      |/magazines/1/ads/1      |destroy  |delete a specific ad belonging to a specific magazine                      |
+|GET         |/magazines/:id/ads        |index    |display a list of all ads for a specific magazine                          |
+|GET         |/magazines/:id/ads/new    |new      |return an HTML form for creating a new ad belonging to a specific magazine |
+|POST        |/magazines/:id/ads        |create   |create a new ad belonging to a specific magazine                           |
+|GET         |/magazines/:id/ads/:id      |show     |display a specific ad belonging to a specific magazine                     |
+|GET         |/magazines/:id/ads/:id/edit |edit     |return an HTML form for editing an ad belonging to a specific magazine     |
+|PUT         |/magazines/:id/ads/:id      |update   |update a specific ad belonging to a specific magazine                      |
+|DELETE      |/magazines/:id/ads/:id      |destroy  |delete a specific ad belonging to a specific magazine                      |
 
 
 This will also create routing helpers such as +magazine_ads_url+ and +edit_magazine_ad_path+. These helpers take an instance of Magazine as the first parameter (+magazine_ads_url(@magazine)+).
@@ -560,13 +560,19 @@ would match +zoo/woo/foo/bar/baz+ with +params[:a]+ equals +"zoo/woo"+, and +par
 NOTE: Starting from Rails 3.1, wildcard routes will always match the optional format segment by default. For example if you have this route:
 
 <ruby>
-map '*pages' => 'pages#show'
+match '*pages' => 'pages#show'
 </ruby>
 
 NOTE: By requesting +"/foo/bar.json"+, your +params[:pages]+ will be equals to +"foo/bar"+ with the request format of JSON. If you want the old 3.0.x behavior back, you could supply +:format => false+ like this:
 
 <ruby>
-map '*pages' => 'pages#show', :format => false
+match '*pages' => 'pages#show', :format => false
+</ruby>
+
+NOTE: If you want to make the format segment mandatory, so it cannot be omitted, you can supply +:format => true+ like this:
+
+<ruby>
+match '*pages' => 'pages#show', :format => true
 </ruby>
 
 h4. Redirection
@@ -628,16 +634,16 @@ resources :photos, :controller => "images"
 
 will recognize incoming paths beginning with +/photos+ but route to the +Images+ controller:
 
-|_.HTTP Verb |_.Path         |_.action |_.named helper       |
-|GET         |/photos        |index    | photos_path         |
-|GET         |/photos/new    |new      | new_photo_path      |
-|POST        |/photos        |create   | photos_path         |
-|GET         |/photos/1      |show     | photo_path(id)      |
-|GET         |/photos/1/edit |edit     | edit_photo_path(id) |
-|PUT         |/photos/1      |update   | photo_path(id)      |
-|DELETE      |/photos/1      |destroy  | photo_path(id)      |
+|_.HTTP Verb |_.Path           |_.action |_.named helper        |
+|GET         |/photos          |index    | photos_path          |
+|GET         |/photos/new      |new      | new_photo_path       |
+|POST        |/photos          |create   | photos_path          |
+|GET         |/photos/:id      |show     | photo_path(:id)      |
+|GET         |/photos/:id/edit |edit     | edit_photo_path(:id) |
+|PUT         |/photos/:id      |update   | photo_path(:id)      |
+|DELETE      |/photos/:id      |destroy  | photo_path(:id)      |
 
-NOTE: Use +photos_path+, +new_photos_path+, etc. to generate paths for this resource.
+NOTE: Use +photos_path+, +new_photo_path+, etc. to generate paths for this resource.
 
 h4. Specifying Constraints
 
@@ -672,14 +678,14 @@ resources :photos, :as => "images"
 
 will recognize incoming paths beginning with +/photos+ and route the requests to +PhotosController+, but use the value of the :as option to name the helpers.
 
-|_.HTTP verb|_.Path          |_.action |_.named helper       |
-|GET        |/photos         |index    | images_path         |
-|GET        |/photos/new     |new      | new_image_path      |
-|POST       |/photos         |create   | images_path         |
-|GET        |/photos/1       |show     | image_path(id)      |
-|GET        |/photos/1/edit  |edit     | edit_image_path(id) |
-|PUT        |/photos/1       |update   | image_path(id)      |
-|DELETE     |/photos/1       |destroy  | image_path(id)      |
+|_.HTTP verb|_.Path            |_.action |_.named helper        |
+|GET        |/photos           |index    | images_path          |
+|GET        |/photos/new       |new      | new_image_path       |
+|POST       |/photos           |create   | images_path          |
+|GET        |/photos/:id       |show     | image_path(:id)      |
+|GET        |/photos/:id/edit  |edit     | edit_image_path(:id) |
+|PUT        |/photos/:id       |update   | image_path(:id)      |
+|DELETE     |/photos/:id       |destroy  | image_path(:id)      |
 
 h4. Overriding the +new+ and +edit+ Segments
 
@@ -776,14 +782,14 @@ end
 
 Rails now creates routes to the +CategoriesController+.
 
-|_.HTTP verb|_.Path                   |_.action |_.named helper          |
-|GET        |/kategorien              |index    | categories_path        |
-|GET        |/kategorien/neu          |new      | new_category_path      |
-|POST       |/kategorien              |create   | categories_path        |
-|GET        |/kategorien/1            |show     | category_path(id)      |
-|GET        |/kategorien/1/bearbeiten |edit     | edit_category_path(id) |
-|PUT        |/kategorien/1            |update   | category_path(id)      |
-|DELETE     |/kategorien/1            |destroy  | category_path(id)      |
+|_.HTTP verb|_.Path                     |_.action |_.named helper           |
+|GET        |/kategorien                |index    | categories_path         |
+|GET        |/kategorien/neu            |new      | new_category_path       |
+|POST       |/kategorien                |create   | categories_path         |
+|GET        |/kategorien/:id            |show     | category_path(:id)      |
+|GET        |/kategorien/:id/bearbeiten |edit     | edit_category_path(:id) |
+|PUT        |/kategorien/:id            |update   | category_path(:id)      |
+|DELETE     |/kategorien/:id            |destroy  | category_path(:id)      |
 
 h4. Overriding the Singular Form
 
@@ -880,7 +886,7 @@ h3. Changelog
 
 * April 10, 2010: Updated guide to remove outdated and superfluous information, and to provide information about new features, by "Yehuda Katz":http://www.yehudakatz.com
 * April 2, 2010: Updated guide to match new Routing DSL in Rails 3, by "Rizwan Reza":http://www.rizwanreza.com/
-* Febuary 1, 2010: Modifies the routing documentation to match new routing DSL in Rails 3, by Prem Sichanugrist
+* February 1, 2010: Modifies the routing documentation to match new routing DSL in Rails 3, by Prem Sichanugrist
 * October 4, 2008: Added additional detail on specifying verbs for resource member/collection routes, by "Mike Gunderloy":credits.html#mgunderloy
 * September 23, 2008: Added section on namespaced controllers and routing, by "Mike Gunderloy":credits.html#mgunderloy
 * September 10, 2008: initial version by "Mike Gunderloy":credits.html#mgunderloy

data/guides/source/ruby_on_rails_guides_guidelines.textile

@@ -62,10 +62,10 @@ To force process of all the guides, pass +ALL=1+.
 
 It is also recommended that you work with +WARNINGS=1+. This detects duplicate IDs and warns about broken internal links.
 
-If you want to generate guides in languages other than English, you can keep them in a separate directory under +source+ (eg. <tt>source/es</tt>) and use the +LANGUAGE+ environment variable:
+If you want to generate guides in languages other than English, you can keep them in a separate directory under +source+ (eg. <tt>source/es</tt>) and use the +GUIDES_LANGUAGE+ environment variable:
 
 <plain>
-rake generate_guides LANGUAGE=es
+bundle exec rake generate_guides GUIDES_LANGUAGE=es
 </plain>
 
 h3. HTML Validation
@@ -73,7 +73,7 @@ h3. HTML Validation
 Please validate the generated HTML with:
 
 <plain>
-rake validate_guides
+bundle exec rake validate_guides
 </plain>
 
 Particularly, titles get an ID generated from their content and this often leads to duplicates. Please set +WARNINGS=1+ when generating guides to detect them. The warning messages suggest a way to fix them.

data/guides/source/security.textile

@@ -15,7 +15,7 @@ endprologue.
 
 h3. Introduction
 
-Web application frameworks are made to help developers building web applications. Some of them also help you with securing the web application. In fact one framework is not more secure than another: If you use it correctly, you will be able to build secure apps with many frameworks. Ruby on Rails has some clever helper methods, for example against SQL injection, so that this is hardly a problem. It‘s nice to see that all of the Rails applications I audited had a good level of security.
+Web application frameworks are made to help developers building web applications. Some of them also help you with securing the web application. In fact one framework is not more secure than another: If you use it correctly, you will be able to build secure apps with many frameworks. Ruby on Rails has some clever helper methods, for example against SQL injection, so that this is hardly a problem. It's nice to see that all of the Rails applications I audited had a good level of security.
 
 In general there is no such thing as plug-n-play security. Security depends on the people using the framework, and sometimes on the development method. And it depends on all layers of a web application environment: The back-end storage, the web server and the web application itself (and possibly other layers or applications).
 
@@ -23,7 +23,7 @@ The Gartner Group however estimates that 75% of attacks are at the web applicati
 
 The threats against web applications include user account hijacking, bypass of access control, reading or modifying sensitive data, or presenting fraudulent content. Or an attacker might be able to install a Trojan horse program or unsolicited e-mail sending software, aim at financial enrichment or cause brand name damage by modifying company resources. In order to prevent attacks, minimize their impact and remove points of attack, first of all, you have to fully understand the attack methods in order to find the correct countermeasures. That is what this guide aims at.
 
-In order to develop secure web applications you have to keep up to date on all layers and know your enemies. To keep up to date subscribe to security mailing lists, read security blogs and make updating and security checks a habit (check the <a href="#additional-resources">Additional Resources</a> chapter). I do it manually because that‘s how you find the nasty logical security problems.
+In order to develop secure web applications you have to keep up to date on all layers and know your enemies. To keep up to date subscribe to security mailing lists, read security blogs and make updating and security checks a habit (check the <a href="#additional-resources">Additional Resources</a> chapter). I do it manually because that's how you find the nasty logical security problems.
 
 h3. Sessions
 
@@ -209,7 +209,7 @@ The HTTP protocol basically provides two main types of requests - GET and POST (
 * The interaction _(highlight)changes the state_ of the resource in a way that the user would perceive (e.g., a subscription to a service), or
 * The user is _(highlight)held accountable for the results_ of the interaction.
 
-If your web application is RESTful, you might be used to additional HTTP verbs, such as PUT or DELETE. Most of today‘s web browsers, however do not support them - only GET and POST. Rails uses a hidden +_method+ field to handle this barrier.
+If your web application is RESTful, you might be used to additional HTTP verbs, such as PUT or DELETE. Most of today's web browsers, however do not support them - only GET and POST. Rails uses a hidden +_method+ field to handle this barrier.
 
 _(highlight)POST requests can be sent automatically, too_. Here is an example for a link which displays www.harmless.com as destination in the browser's status bar. In fact it dynamically creates a new form that sends a POST request.
 
@@ -386,7 +386,7 @@ params[:user] # => {:name => “ow3ned”, :admin => true}
 
 So if you create a new user using mass-assignment, it may be too easy to become an administrator.
 
-Note that this vulnerability is not restricted to database columns.  Any setter method, unless explicitly protected, is accessible via the <tt>attributes=</tt> method. In fact, this vulnerability is extended even further with the introduction of nested mass assignment (and nested object forms) in Rails 2.3+. The +accepts_nested_attributes_for+ declaration provides us the ability to extend mass assignment to model associations (+has_many+, +has_one+, +has_and_belongs_to_many+). For example:
+Note that this vulnerability is not restricted to database columns. Any setter method, unless explicitly protected, is accessible via the <tt>attributes=</tt> method. In fact, this vulnerability is extended even further with the introduction of nested mass assignment (and nested object forms) in Rails 2.3+. The +accepts_nested_attributes_for+ declaration provides us the ability to extend mass assignment to model associations (+has_many+, +has_one+, +has_and_belongs_to_many+). For example:
 
 <ruby>
   class Person < ActiveRecord::Base
@@ -469,7 +469,7 @@ A more paranoid technique to protect your whole project would be to enforce that
 config.active_record.whitelist_attributes = true
 </ruby>
 
-This will create an empty whitelist of attributes available for mass-assignment for all models in your app. As such, your models will need to explicitly whitelist or blacklist accessible parameters by using an +attr_accessible+ or +attr_protected+ declaration.  This technique is best applied at the start of a new project. However, for an existing project with a thorough set of functional tests, it should be straightforward and relatively quick to use this application config option; run your tests, and expose each attribute (via +attr_accessible+ or +attr_protected+) as dictated by your failing tests.
+This will create an empty whitelist of attributes available for mass-assignment for all models in your app. As such, your models will need to explicitly whitelist or blacklist accessible parameters by using an +attr_accessible+ or +attr_protected+ declaration. This technique is best applied at the start of a new project. However, for an existing project with a thorough set of functional tests, it should be straightforward and relatively quick to use this application config option; run your tests, and expose each attribute (via +attr_accessible+ or +attr_protected+) as dictated by your failing tests.
 
 h3. User Management
 
@@ -540,7 +540,7 @@ Most bots are really dumb, they crawl the web and put their spam into every form
 Here are some ideas how to hide honeypot fields by JavaScript and/or CSS:
 
 * position the fields off of the visible area of the page
-* make the elements very small or colour them the same as the background of the page
+* make the elements very small or color them the same as the background of the page
 * leave the fields displayed, but tell humans to leave them blank
 
 The most simple negative CAPTCHA is one hidden honeypot field. On the server side, you will check the value of the field: If it contains any text, it must be a bot. Then, you can either ignore the post or return a positive result, but not saving the post to the database. This way the bot will be satisfied and moves on. You can do this with annoying users, too.
@@ -567,7 +567,7 @@ h4. Good Passwords
 
 -- _Do you find it hard to remember all your passwords? Don't write them down, but use the initial letters of each word in an easy to remember sentence._
 
-Bruce Schneier, a security technologist, "has analysed":http://www.schneier.com/blog/archives/2006/12/realworld_passw.html 34,000 real-world user names and passwords from the MySpace phishing attack mentioned <a href="#examples-from-the-underground">below</a>. It turns out that most of the passwords are quite easy to crack. The 20 most common passwords are:
+Bruce Schneier, a security technologist, "has analyzed":http://www.schneier.com/blog/archives/2006/12/realworld_passw.html 34,000 real-world user names and passwords from the MySpace phishing attack mentioned <a href="#examples-from-the-underground">below</a>. It turns out that most of the passwords are quite easy to crack. The 20 most common passwords are:
 
 password1, abc123, myspace1, password, blink182, qwerty1, ****you, 123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1, and monkey.
 
@@ -617,7 +617,7 @@ This is alright for some web applications, but certainly not if the user is not
 
 Depending on your web application, there will be many more parameters the user can tamper with. As a rule of thumb, _(highlight)no user input data is secure, until proven otherwise, and every parameter from the user is potentially manipulated_.
 
-Don‘t be fooled by security by obfuscation and JavaScript security. The Web Developer Toolbar for Mozilla Firefox lets you review and change every form's hidden fields. _(highlight)JavaScript can be used to validate user input data, but certainly not to prevent attackers from sending malicious requests with unexpected values_. The Live Http Headers plugin for Mozilla Firefox logs every request and may repeat and change them. That is an easy way to bypass any JavaScript validations. And there are even client-side proxies that allow you to intercept any request and response from and to the Internet.
+Don't be fooled by security by obfuscation and JavaScript security. The Web Developer Toolbar for Mozilla Firefox lets you review and change every form's hidden fields. _(highlight)JavaScript can be used to validate user input data, but certainly not to prevent attackers from sending malicious requests with unexpected values_. The Live Http Headers plugin for Mozilla Firefox logs every request and may repeat and change them. That is an easy way to bypass any JavaScript validations. And there are even client-side proxies that allow you to intercept any request and response from and to the Internet.
 
 h3. Injection
 
@@ -825,7 +825,7 @@ Network traffic is mostly based on the limited Western alphabet, so new characte
   &amp;#108;&amp;#101;&amp;#114;&amp;#116;&amp;#40;&amp;#39;&amp;#88;&amp;#83;&amp;#83;&amp;#39;&amp;#41;>
 </html>
 
-This example pops up a message box. It will be recognized by the above sanitize() filter, though. A great tool to obfuscate and encode strings, and thus “get to know your enemy”, is the "Hackvertor":http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php. Rails‘ sanitize() method does a good job to fend off encoding attacks.
+This example pops up a message box. It will be recognized by the above sanitize() filter, though. A great tool to obfuscate and encode strings, and thus “get to know your enemy”, is the "Hackvertor":http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php. Rails' sanitize() method does a good job to fend off encoding attacks.
 
 h5. Examples from the Underground
 
@@ -885,7 +885,7 @@ The "moz-binding":http://www.securiteam.com/securitynews/5LP051FHPE.html CSS pro
 
 h5(#css-injection-countermeasures). Countermeasures
 
-This example, again, showed that a blacklist filter is never complete. However, as custom CSS in web applications is a quite rare feature, I am not aware of a whitelist CSS filter. _(highlight)If you want to allow custom colours or images, you can allow the user to choose them and build the CSS in the web application_. Use Rails' +sanitize()+ method as a model for a whitelist CSS filter, if you really need one.
+This example, again, showed that a blacklist filter is never complete. However, as custom CSS in web applications is a quite rare feature, I am not aware of a whitelist CSS filter. _(highlight)If you want to allow custom colors or images, you can allow the user to choose them and build the CSS in the web application_. Use Rails' +sanitize()+ method as a model for a whitelist CSS filter, if you really need one.
 
 h4. Textile Injection
 

data/guides/source/testing.textile

@@ -944,7 +944,7 @@ The built-in +test/unit+ based testing is not the only way to test Rails applica
 * "Factory Girl":https://github.com/thoughtbot/factory_girl/tree/master, a replacement for fixtures.
 * "Machinist":https://github.com/notahat/machinist/tree/master, another replacement for fixtures.
 * "Shoulda":http://www.thoughtbot.com/projects/shoulda, an extension to +test/unit+ with additional helpers, macros, and assertions.
-* "RSpec":http://rspec.info/, a behavior-driven development framework
+* "RSpec":http://relishapp.com/rspec, a behavior-driven development framework
 
 h3. Changelog
 

data/lib/rails.rb

@@ -4,6 +4,7 @@ require 'pathname'
 
 require 'active_support'
 require 'active_support/core_ext/kernel/reporting'
+require 'active_support/core_ext/array/extract_options'
 require 'active_support/core_ext/logger'
 
 require 'rails/application'
@@ -14,7 +15,7 @@ require 'action_dispatch/railtie'
 
 # For Ruby 1.8, this initialization sets $KCODE to 'u' to enable the
 # multibyte safe operations. Plugin authors supporting other encodings
-# should override this behaviour and set the relevant +default_charset+
+# should override this behavior and set the relevant +default_charset+
 # on ActionController::Base.
 #
 # For Ruby 1.9, UTF-8 is the default internal and external encoding.
@@ -87,6 +88,31 @@ module Rails
       RAILS_CACHE
     end
 
+    # Returns all rails groups for loading based on:
+    #
+    # * The Rails environment;
+    # * The environment variable RAILS_GROUPS;
+    # * The optional envs given as argument and the hash with group dependencies;
+    #
+    # == Examples
+    #
+    #   groups :assets => [:development, :test]
+    #
+    #   # Returns
+    #   # => [:default, :development, :assets] for Rails.env == "development"
+    #   # => [:default, :production]           for Rails.env == "production"
+    #
+    def groups(*groups)
+      hash = groups.extract_options!
+      env = Rails.env
+      groups.unshift(:default, env)
+      groups.concat ENV["RAILS_GROUPS"].to_s.split(",")
+      groups.concat hash.map { |k,v| k if v.map(&:to_s).include?(env) }
+      groups.compact!
+      groups.uniq!
+      groups
+    end
+
     def version
       VERSION::STRING
     end

data/lib/rails/all.rb

@@ -6,6 +6,7 @@ require "rails"
   action_mailer
   active_resource
   rails/test_unit
+  sprockets
 ).each do |framework|
   begin
     require "#{framework}/railtie"

data/lib/rails/application.rb

@@ -11,7 +11,7 @@ module Rails
   # == Initialization
   #
   # Rails::Application is responsible for executing all railties, engines and plugin
-  # initializers. Besides, it also executed some bootstrap initializers (check
+  # initializers. It also executes some bootstrap initializers (check
   # Rails::Application::Bootstrap) and finishing initializers, after all the others
   # are executed (check Rails::Application::Finisher).
   #
@@ -78,10 +78,6 @@ module Rails
       require environment if environment
     end
 
-    def eager_load! #:nodoc:
-      railties.all(&:eager_load!)
-      super
-    end
 
     def reload_routes!
       routes_reloader.reload!
@@ -100,22 +96,18 @@ module Rails
 
     def load_tasks(app=self)
       initialize_tasks
-      railties.all { |r| r.load_tasks(app) }
       super
       self
     end
 
     def load_generators(app=self)
       initialize_generators
-      railties.all { |r| r.load_generators(app) }
-
       super
       self
     end
 
     def load_console(app=self)
       initialize_console
-      railties.all { |r| r.load_console(app) }
       super
       self
     end
@@ -168,7 +160,9 @@ module Rails
         middleware.use ::Rails::Rack::Logger # must come after Rack::MethodOverride to properly log overridden methods
         middleware.use ::ActionDispatch::ShowExceptions, config.consider_all_requests_local
         middleware.use ::ActionDispatch::RemoteIp, config.action_dispatch.ip_spoofing_check, config.action_dispatch.trusted_proxies
-        middleware.use ::Rack::Sendfile, config.action_dispatch.x_sendfile_header
+        if config.action_dispatch.x_sendfile_header.present?
+          middleware.use ::Rack::Sendfile, config.action_dispatch.x_sendfile_header
+        end
         middleware.use ::ActionDispatch::Reloader unless config.cache_classes
         middleware.use ::ActionDispatch::Callbacks
         middleware.use ::ActionDispatch::Cookies