safe_in_place_editing 2.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+--- 
+SHA1: 
+  metadata.gz: 384a023dadf89e878b381e57b2c352ecd7317916
+  data.tar.gz: 7ef531b3a8ee0bbeb7ea6c7ce983f0de1593cf5d
+SHA512: 
+  metadata.gz: 21f0dedc4d6d5643730e53bb73569e0657b8ec39e05c1d1a7b4e0d61cc17b2e50a9f39e97aba73d33b08b4e8b4ed49f726798dbdce7d12aa36571815caa17149
+  data.tar.gz: 620f9756d1595728dc2e9665e51e99788eaddb8021a615032c9681fab3139a45b2ece720e032e43d1d4f02b86059d960be7a3215e47bb4891e668126195ae7ea

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2013 Hipposoft
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,318 @@
+= Safe In Place Editing v2.00 (2013-10-22)
+
+Early versions of Ruby On Rails shipped with an in-place editing mechanism
+which allowed simple edits to be performed on model attribute values without
+having to render a full 'edit' view for that model.
+
+Unfortunately this suffered a significant vulnerability which basically meant
+that any in-place editor field was an open JavaScript console, much to the
+presumed delight of malicious users. In-place editing features were later moved
+into a plug-in and the cross-site scripting fault was fixed; this simple plugin
+is available from GitHub:
+
+* https://github.com/amerine/in_place_editing
+
+The original version's vulnerability compelled me to write a replacement. Even
+after the original was fixed, it still had some shortcomings and the Safe In
+Place Editing code addresses those. The full rationale for its creation, along
+with instructions on its use are given below.
+
+Version 1.03 of this software is designed for Rails 3, which deprecates plug-in
+code. Installation is therefore a bit more complex than running "script/plugin"
+as under Rails 2. Such is progress, it seems...!
+
+This plug-in would not exist without the original in-place editor code,
+from which it borrows very heavily. My thanks to all involved.
+
+
+== Upgrading
+
+If you were using the plug-in version of Safe In Place Editing, you need to
+delete the old Safe In Place Editing code from inside "vendor/plugins" in your
+app. You will also need to modify the way you include the support JavaScript
+code from this:
+
+  <%= javascript_include_tag( "safe_in_place_editing/safe_in_place_editing" ) %>
+
+...to this:
+
+  <%= javascript_include_tag( "safe_in_place_editing" ) %>
+
+A global search and replace of "safe_in_place_editing/safe_in_place_editing/"
+to just "safe_in_place_editing" across your application files may suffice.
+
+Now follow the steps given in "Installation" below, to install the new Gem
+version of Safe In Place Editing.
+
+
+== Installation
+
+Add this line to your application's Gemfile:
+
+  gem 'safe_in_place_editing'
+
+You will need to use the Prototype JavaScript library rather than jQuery (the
+two may coexist peacefully, but I haven't tested it). To use that, add the
+following to your Gemfile, if you don't already have it:
+
+  gem 'prototype-rails'
+
+You can find out more about proper usage of the JavaScript files provided by
+this Gem here:
+
+* https://github.com/rails/prototype-rails
+
+Finally, execute:
+
+  bundle
+
+Please note that the Gem here has only been tested in Rails 3 applications
+that use the Rails Asset Pipeline, so though it might work on (for example)
+legacy upgraded Rails 2 applications that don't use the asset pipeline file
+structure, I can't be sure. If you encounter problems, consider switching
+over to the pipeline instead.
+
+* http://guides.rubyonrails.org/asset_pipeline.html
+
+See "Usage exmaples" later for information on how to use the Gem.
+
+
+==  InPlaceEditing problems and Safe In Place Editing solutions
+=== 1: InPlaceEditing's XSS fixes prevent other features from working
+
+At the time of writing the original in-place-editor plugin escapes values
+written into the view coming from the database and values written into the
+view after a user makes an edit, avoiding the vulnerability which it used
+to introduce. This introduces some problems though:
+
+1. It's no longer possible to deliberately insert HTML at all, as per older
+   documentation examples for Textile and Markaby-based in-place editors.
+
+2. The in-place editor form, when shown, shows the _literal_ escaped text (so
+   you get double-escape problems, with things like "&amp;" showing up instead
+   of "&") because it uses a "getText" call in JavaScript that reads
+   "innerHTML" of the <span> used to mark up the text to be used for
+   editing. There are two ways around this:
+
+   * Patch getText to a better implementation as described on the
+     Scriptaculous Wiki (why is this not in their core release?!)
+
+     https://madrobby.github.com/scriptaculous/ajax-inplaceeditor/
+
+       Object.extend(Ajax.InPlaceEditor.prototype, {
+           getText: function() {
+               return this.element.childNodes[0]           ?
+                      this.element.childNodes[0].nodeValue : '';
+           }
+       });
+
+   * Have a custom method to return the unescaped value of the field
+     sitting on the server side (again, as for the Textile and Markaby
+     examples) - but this means one more controller method and a server
+     round-trip each time an editor is shown.
+
+Safe In Place Editing patches getText as described above, escapes values in
+the initially created form and its auto-generated helpers, if used, escape
+updated values when rendering them for the in-place view update. You can
+defeat escaping in the safe_in_place_editor_field helper method with a
+special override parameter but this is strongly discouraged.
+
+You must include the JavaScript code for the getText patch and supporting
+methods when using the plugin:
+
+  <%= javascript_include_tag( "safe_in_place_editing/safe_in_place_editing" ) %>
+
+
+=== 2: InPlaceEditing bypasses optimistic locking
+
+Optimistic locking is a safety feature in Rails which even the core
+developers seem to forget about sometimes! It associates a version number
+with models. If two users are viewing an 'edit' page for that model and one of
+them submits their form first, then when the other user tries to submit their
+own edits, Rails will detect that the associated version number on their form
+is too old and raise a locking error. Without this, the second user would be
+able to just overwrite the edits made by the first user without anybody
+realising this error had happened.
+
+Unfortunately the stock InPlaceEditing plugin is written in such a way that
+locking is bypassed; an in-place editor always succeeds, no matter how out of
+date the view in which the editor resides happens to be.
+
+One might take the approach of the anti-forgery request mechanism patch needed
+to get the in-place edit plug-in working with Rails 2, extending the ":with" 
+key's value in the options hash with a query string passing the lock_version
+through:
+
+    if ( object.respond_to?( :lock_version ) )
+      in_place_editor_options[ :with ] ||= "Form.serialize(form)"
+      in_place_editor_options[ :with ]  += " + '&lock_version=#{ object.lock_version }'"
+    end
+
+The update code on the server side could manually check this against the
+object it just found in the database. Unfortunately the client JavaScript
+code is static, so after a first update the form itself is out of date,
+passing an old lock version through and all subsequent update attempts
+fail until the whole view is reloaded.
+
+    lock_version = nil
+    lock_version = @item.lock_version.to_s if ( @item.respond_to?( :lock_version ) )
+
+    if ( lock_version != params[ :lock_version ] )
+      # Somebody else already edited this item. Do "something"
+      # (see later).
+    else
+      @item.update_attribute( attribute, params[ :value ] )
+    end
+
+We might attempt to write out JS which assigns global variables unique to
+each form with the initial lock value. An on-complete JS handler could
+then increment the lock version at the client side. This seems ridiculously
+over complicated given the task at hand, requires one to override the
+default on-complete handler, bypass or extend the Rails plug-in (since it
+offers no interface to change the on-complete handler details) and the
+client might still get out of sync with the server's lock versions. Since
+there is little alternative, however, Safe In Place Editing takes this 
+heavyweight approach, using extra JS support methods to try and reduce the
+inline code baggage.
+
+
+=== 3: InPlaceEditing's error handling seems to be faulty
+
+In theory, returning a 500 error should lead to the onFailure handler running
+in the JS domain, but when used from Rails 2.0.2, just about all properties of
+the 'transport' object used in the default handler function are undefined with
+the standard InPlaceEditing plugin. As a result, no alert box can be shown to the user. The onComplete handler is *always* run, regardless of whether the
+request returns a 2xx or other status code and this leads to numerous problems
+when trying to elegantly handle errors.
+
+The JavaScript assistance functions included with SafeInPlaceEditing take
+care of error handling for you. If the on-failure code seems to be having
+trouble then the on-complete code will take over. These functions are also
+used to support optimistic locking as described above.
+
+
+== Usage examples
+
+Any view using Safe In Place Editing requires the Prototype JavaScript library
+to be included. See https://github.com/rails/prototype-rails for details. Most
+people just do this in the "app/assets/javascripts/application.js" file.
+
+Either in your main application layout file, add:
+
+  <%= javascript_include_tag( "safe_in_place_editing" ) %>
+
+...in the document <head> section, or include the script via the asset pipeline
+by editing "app/assets/javascripts/application.js" and adding:
+
+  //= require safe_in_place_editing
+
+Whether you include these resources globally or only for the views that require
+them, don't forget to add both the Prototype JavaScript library files and the
+Safe In Place Editing support code.
+
+In your controller, declare the models and model attribute names which are
+to be available for in-place editing. These declarations cause actions to be
+defined in your controller on your behalf; the actions handle the XHR requests
+from the client JavaScript code executing in web browsers when users alter
+attributes of a model via an in-place editor control.
+
+  safe_in_place_edit_for( :customer, :title )
+  safe_in_place_edit_for( :customer, :code  )
+
+The above sets up a controller so it allows edits to a model called "Customer"
+for attributes "title" and "code".
+
+In the view, wherever you want an editor to be available, add a call to the
+"safe_in_place_editor_field" method. For example, in the case of the controller
+for the "Customer" model above, we might produce a 'show' view for a model
+instance stored in "<tt>@customer</tt>" which includes:
+
+  <strong>Title:</strong>
+  <%= safe_in_place_editor_field( @customer, :title ) %>
+  <br />
+
+  <strong>Code:</strong>
+  <%= safe_in_place_editor_field( @customer, :code ) %>
+  <br />
+
+If you're familiar with the API for the InPlaceEditing plugin, you may be
+surprised at the use of "<tt>@customer</tt>" rather than ":customer" in the
+call to "safe_in_place_editor_field". In fact, this call supports _either_
+form - you can pass a symbol "<tt>:foo</tt>", in which case the plugin assumes
+that an instance variable "<tt>@foo</tt>" is available - or you can just pass
+in the variable value directly. Judging by Google searches this quirk of the
+InPlaceEditing API seemed to trip up quite a few people and I saw no reason to
+duplicate that quirk with Safe In Place Editing!
+
+
+=== Boolean values
+
+As an added bonus, Safe In Place Editing has special support for boolean values
+in models. If you have a true/false field, an in-place editor will show a small
+pop-up menu including "Yes" and "No" entries.
+
+Suppose we have a Task model and the task can be marked as currently active, or
+inactive. To this end it has an attribute "active" which is a boolean property.
+We can create an in-place editor for this by first enabling editing in the
+controller for Tasks:
+
+  safe_in_place_edit_for( :task, :active )
+
+...then in the view, inserting an in-place editor where we might otherwise have
+just shown the value of the 'active' attribute as a simple piece of text:
+
+  <strong>Active:</strong>
+  <%= safe_in_place_editor_field( @task, :active ) %>
+
+It's that simple; the plugin code takes care of the rest. There are numerous
+additional options which can be passed to the various calls; see the API
+documentation for InPlaceEditing for the basics, then check the API
+documentation here for any exceptions or additions.
+
+
+=== Suggested CSS
+
+You can style in-place editors however you like; the default Rails scaffold
+styles may be sufficient. If using scaffolding, though, you might like to try
+out the following additional styles as I think they give good results:
+
+  form.inplaceeditor-form {
+    position: absolute;
+    background: white;
+    border: 2px solid #888;
+    text-align: center;
+  }
+
+  form.inplaceeditor-form input[ type="text" ] {
+    margin: 5px;
+    width: 90%;
+  }
+
+  form.inplaceeditor-form input[ type="submit" ] {
+    margin: 5px;
+    float: left;
+  }
+
+  form.inplaceeditor-form a {
+    margin: 5px;
+    float: right;
+  }
+
+  form.inplaceeditor-form select {
+    margin: 5px;
+    float: left;
+  }
+
+
+== Contacts
+
+Ideally please raise issues, suggestions, pull requests etc. via GitHub:
+
+* https://github.com/pond/safe_in_place_editing
+
+Alternatively free to contact me at "ahodgkin@rowing.org.uk".
+
+
+= Copyright
+
+Copyright (c) 2008-2013 Hipposoft, released under the MIT license.

data/app/assets/safe_in_place_editing/safe_in_place_editing.js

@@ -0,0 +1,78 @@
+/************************************************************************\
+ * File:    safe_in_place_editing.js                                    *
+ *          Hipposoft 2008                                              *
+ *                                                                      *
+ * Purpose: Safe, lockable in-place editing - client-side code.         *
+ *                                                                      *
+ * History: 24-Jun-2008 (ADH): Created.                                 *
+\************************************************************************/
+
+/* Stop "Jack & Jill", written for display purposes into an HTML page,
+ * from being edited as exactly that - "Jack & Jill" - if the in-place
+ * editor is activated due to Prototype's use of "innerHTML" in its internal
+ * "getText" function. See:
+ *
+ *   http://github.com/madrobby/scriptaculous/wikis/ajax-inplaceeditor
+ */
+
+Object.extend
+(
+    Ajax.InPlaceEditor.prototype,
+    {
+        getText: function()
+        {
+            return this.element.childNodes[ 0 ] ? this.element.childNodes[ 0 ].nodeValue : '';
+        }
+    }
+);
+
+/* Support the "on success" and "on failure" functions */
+
+var safeInPlaceEditorDoneFailureReport = false;
+
+/* Custom in-place editor "on failure" function */
+
+function safeInPlaceEditorOnFailure( transport )
+{
+    if ( transport.responseText )
+    {
+        safeInPlaceEditorRaiseAlert( transport );
+        safeInPlaceEditorDoneFailureReport = true;
+    }
+    else
+    {
+        safeInPlaceEditorDoneFailureReport = false;
+    }
+}
+
+/* Custom in-place editor "on complete" function (call by proxy to set
+ * the value of 'lockVar' with the name of the lock variable, if any,
+ * held in global (i.e. 'window') context).
+ */
+
+function safeInPlaceEditorOnComplete( transport, element, lockVar )
+{
+    if ( transport.status == 200 )
+    {
+        if ( lockVar ) window[ lockVar ] += 1;
+    }
+    else if ( ! safeInPlaceEditorDoneFailureReport )
+    {
+        safeInPlaceEditorRaiseAlert( transport );
+    }
+
+    safeInPlaceEditorDoneFailureReport = false;
+}
+
+/* Helper function - raise an alert describing the given transport object's
+ * responseText value.
+ */
+
+function safeInPlaceEditorRaiseAlert( transport )
+{
+    alert
+    (
+        "Error communicating with the server: " +
+        transport.responseText.stripTags()
+    );
+}

data/lib/safe_in_place_editing.rb

@@ -0,0 +1,15 @@
+require 'safe_in_place_editing/version'
+require 'safe_in_place_editing/controller_methods'
+require 'safe_in_place_editing/helper_methods'
+
+if defined? ActionController
+  ActionController::Base.send :include, SafeInPlaceEditing
+  ActionController::Base.helper SafeInPlaceEditingHelper
+end
+
+module SafeInPlaceEditing
+  module Rails
+    class Engine < ::Rails::Engine
+    end
+  end
+end

data/lib/safe_in_place_editing/controller_methods.rb

@@ -0,0 +1,123 @@
+########################################################################
+# File::    safe_in_place_editing.rb
+# (C)::     Hipposoft 2008, 2009
+#
+# Purpose:: Safe, lockable in-place editing - controller support.
+# ----------------------------------------------------------------------
+#           24-Jun-2008 (ADH): Created.
+#           22-Oct-2013 (ADH): Incorporated into 'gemified' sources.
+########################################################################
+
+module SafeInPlaceEditing
+
+  def self.included( base ) # :nodoc:
+    base.extend( ClassMethods )
+  end
+
+  module ClassMethods
+
+    # == Overview
+    #
+    # API equivalent of in_place_edit_for circa 2009, except:
+    #
+    # - Runs all user data through "ERB::Util::html_escape" when sending it to
+    #   the view to avoid associated vulnerabilities with otherwise-unescaped
+    #   user-supplied data; the current InPlaceEditing plugin does this too,
+    #   albeit using "CGI::escapeHTML" for some reason.
+    #
+    # - Supports optimistic locking if a lock_version CGI parameter is
+    #   supplied, by explicitly checking the version being updated.
+    #
+    # - Explicitly catches errors and returns them as 500 status codes
+    #   with a plain text message regardless of Rails environment.
+    #
+    # - You must include some support JavaScript code and Prototype 1.7.x is
+    #   assumed - Rails default tends to be 1.6.x - though it _should_ still
+    #   work with older Prototype library versions. See the example below for
+    #   details.
+    #
+    # See +safe_in_place_editor+ and +safe_in_place_editor_field+ for the
+    # counterpart helper functions.
+    # 
+    #
+    # == Simple example
+    #
+    # This is adapted from the repository at:
+    #
+    # * https://github.com/amerine/in_place_editing
+    #
+    # ...many thanks to those involved.
+    #
+    #   # Controller
+    #   #
+    #   class BlogController < ApplicationController
+    #     safe_in_place_edit_for( :post, :title )
+    #   end
+    #
+    #   # View
+    #   #
+    #   <%= safe_in_place_editor_field( :post, 'title' ) %>
+    #
+    #   # Application layout file, document <head> section
+    #   #
+    #   <%= javascript_include_tag( "safe_in_place_editing/safe_in_place_editing" ) %>
+    #
+    def safe_in_place_edit_for( object, attribute, options = {} )
+      define_method( "set_#{ object }_#{ attribute }" ) do
+        safe_in_place_edit_backend( object, attribute, options )
+      end
+    end
+  end
+
+private
+
+  # Back-end for "safe_in_place_edit_for" - the actual invoked implementation
+  # of the dynamically created functions.
+  #
+  def safe_in_place_edit_backend( object, attribute, options )
+    @item = object.to_s.camelize.constantize.find( params[ :id ] )
+
+    lock_version = nil
+    lock_version = @item.lock_version.to_s if ( @item.respond_to?( :lock_version ) )
+
+    if ( params.include?( :lock_version ) and lock_version != params[ :lock_version ] )
+      render( { :status => 500, :text => "Somebody else already edited this #{ object.to_s.humanize.downcase }. Reload the page to obtain the updated version." } )
+      return
+    else
+      begin
+
+        # Call "touch" to make sure the item is modified even if the user has
+        # actually just submitted the form with an unchanged variable. This
+        # makes sure that Rails sees the object as 'dirty' and saves it. For
+        # objects with lock versions, that means the lock version always
+        # increments. The JavaScript code has to assume such an increment and
+        # has no clear way to know if it doesn't happen; we could dream up
+        # something complex but simpler just to ensure Rails is in step.
+        #
+        # In the worst possible case, JavaScript and Rails end up out of step
+        # with the lock version and the user gets told there's a mismatch. A
+        # page reload later and everything is sorted out.
+
+        success = @item.update_attribute( attribute, params[ :value ] )
+        success = @item.touch if ( success && ! lock_version.nil? && @item.lock_version.to_s == lock_version )
+
+        raise "Unable to save changes to database" unless ( success )
+
+      rescue => error
+        render( { :status => 500, :text => error.message } )
+        return
+
+      end
+    end
+
+    value = @item.send( attribute )
+
+    if ( ( value.is_a? TrueClass ) || ( value.is_a? FalseClass ) )
+      value = value ? 'Yes' : 'No'
+    else
+      value = ERB::Util::html_escape( value.to_s )
+    end
+
+    render( { :text => value } )
+  end
+end

data/lib/safe_in_place_editing/helper_methods.rb

@@ -0,0 +1,287 @@
+########################################################################
+# File::    safe_in_place_editing_helper.rb
+# (C)::     Hipposoft 2008, 2009
+#
+# Purpose:: Safe, lockable in-place editing - helper methods.
+# ----------------------------------------------------------------------
+#           24-Jun-2008 (ADH): Created.
+#           22-Oct-2013 (ADH): Incorporated into 'gemified' sources.
+########################################################################
+
+module SafeInPlaceEditingHelper
+
+  # == Overview
+  #
+  # API equivalent of in_place_editor circa 2009, except fixes various bugs
+  # (see README.rdoc for the rationale) and:
+  #
+  # * New option ":lock_var", which is the name of a global variable to be
+  #   used in the JS domain to track the lock version at the client side. By
+  #   default set to nil, meaning no optimistic locking support. Options
+  #   value ":lock_version" MUST be set to the lock version of the object for
+  #   which the in-place editor is being created in this case. The variable
+  #   is incremented each time the object is successfully updated through the
+  #   in-place editor, since the server will have incremented its lock version
+  #   so the client must keep in step. If someone else edits the item, the
+  #   client and server lock versions will not match and the update will fail,
+  #   which is the desired result.
+  #
+  # * The ":save_text" option is set to "OK" by default, since I detest that
+  #   nasty lower case "ok" button that's produced by the JS code otherwise.
+  #
+  # * The ":cancel_text" option is set to "Cancel" by default to match the
+  #   above change.
+  #
+  # * New option ":is_boolean" indicating a true/false popup should be offered
+  #   instead of a text field; if omitted, a text field is assumed. If present
+  #   and 'true', additional optional value ":first_value" says whether or not
+  #   the pop-up menu should start with True/Yes (if ":first_value"'s value is
+  #   itself true), or False/No (if ":first_value"'s value is itself false, or
+  #   if the option is omitted).
+  #
+  # Custom on-failure and on-complete functions are used. To try and reduce
+  # the code bulk for each instance of the editor, hard-coded JS function names
+  # are used with the support code placed in 'safe_in_place_editing.js'. See
+  # there for a reference implementation if intending to write customised
+  # equivalents. To override the default names of these functions for any
+  # reason, give the names as strings in options properties :on_complete and
+  # :on_failure, then make sure appropriate JS functions are actually defined.
+  #
+  #
+  # == Original In Place Editor documentation
+  #
+  # This is copied from the repository at:
+  #
+  # * https://github.com/amerine/in_place_editing
+  #
+  # ...many thanks to those involved.
+  #
+  # Makes an HTML element specified by the DOM ID +field_id+ become an in-place
+  # editor of a property.
+  #
+  # A form is automatically created and displayed when the user clicks the element,
+  # something like this:
+  #
+  #   <form id="myElement-in-place-edit-form" target="specified url">
+  #     <input name="value" text="The content of myElement"/>
+  #     <input type="submit" value="ok"/>
+  #     <a onclick="javascript to cancel the editing">cancel</a>
+  #   </form>
+  # 
+  # The form is serialized and sent to the server using an AJAX call, the action on
+  # the server should process the value and return the updated value in the body of
+  # the reponse. The element will automatically be updated with the changed value
+  # (as returned from the server).
+  #
+  # options with (Must be a function) means that you must pass a string like:
+  #
+  #   function(transport, element) {what_to_do()}
+  # 
+  # Required +options+ are:
+  # <tt>:url</tt>::       Specifies the url where the updated value should
+  #                       be sent after the user presses "ok".
+  # 
+  # Addtional +options+ are:
+  # <tt>:rows</tt>::                    Number of rows (more than 1 will use a TEXTAREA)
+  # <tt>:cols</tt>::                    Number of characters the text input should span (works for both INPUT and TEXTAREA)
+  # <tt>:size</tt>::                    Synonym for :cols when using a single line text input.
+  # <tt>:cancel_text</tt>::             The text on the cancel link. (default: "cancel")
+  # <tt>:save_text</tt>::               The text on the save link. (default: "ok")
+  # <tt>:loading_text</tt>::            The text to display while the data is being loaded from the server (default: "Loading...")
+  # <tt>:saving_text</tt>::             The text to display when submitting to the server (default: "Saving...")
+  # <tt>:external_control</tt>::        The id of an external control used to enter edit mode.
+  # <tt>:load_text_url</tt>::           URL where initial value of editor (content) is retrieved.
+  # <tt>:options</tt>::                 Pass through options to the AJAX call (see prototype's Ajax.Updater)
+  # <tt>:with</tt>::                    JavaScript snippet that should return what is to be sent
+  #                                     in the AJAX call, +form+ is an implicit parameter
+  # <tt>:script</tt>::                  Instructs the in-place editor to evaluate the remote JavaScript response (default: false)
+  # <tt>:click_to_edit_text</tt>::      The text shown during mouseover the editable text (default: "Click to edit")
+  # <tt>:on_complete</tt>::             (Must be a function)Code run if update successful with server. Also if user cancels the form (see https://prototype.lighthouseapp.com/projects/8887/tickets/243).
+  # <tt>:on_failure</tt>::              (Must be a function)Code run if update failed with server
+  #
+  def safe_in_place_editor( field_id, options = {} )
+
+    # Set up some default values
+
+    options[ :with ] ||= "Form.serialize(form).replace(/\\+/g,'%20')"
+
+    if protect_against_forgery?
+      options[ :with ] += " + '&authenticity_token=' + encodeURIComponent('#{ form_authenticity_token }')"
+    end
+
+    options[ :on_complete ] ||= 'safeInPlaceEditorOnComplete'
+    options[ :on_failure  ] ||= 'safeInPlaceEditorOnFailure'
+    options[ :save_text   ] ||= 'OK'
+    options[ :cancel_text ] ||= 'Cancel'
+
+    # Preliminary script data
+
+    if ( options.include?( :lock_var ) )
+      function = "window['#{ options[ :lock_var ] }']=#{ options[ :lock_version ] };"
+    else
+      function = ''
+    end
+
+    function_name = options[ :is_boolean ] ? 'InPlaceCollectionEditor' : 'InPlaceEditor'
+
+    function << "new Ajax.#{ function_name }("
+    function << "'#{ field_id }', "
+    function << "'#{ url_for( options[ :url ] ) }'"
+
+    # Map Rails in-place editor options to JS in-place editor options - see:
+    #
+    #   http://github.com/madrobby/scriptaculous/wikis/ajax-inplaceeditor
+
+    js_options = {}
+
+    js_options[ 'rows'                ] =   options[ :rows    ] if options[ :rows    ]
+    js_options[ 'cols'                ] =   options[ :cols    ] if options[ :cols    ]
+    js_options[ 'size'                ] =   options[ :size    ] if options[ :size    ]
+    js_options[ 'ajaxOptions'         ] =   options[ :options ] if options[ :options ]
+    js_options[ 'htmlResponse'        ] = ! options[ :script  ] if options[ :script  ]
+
+    js_options[ 'cancelText'          ] = %('#{ options[ :cancel_text           ] }') if options[ :cancel_text           ]
+    js_options[ 'okText'              ] = %('#{ options[ :save_text             ] }') if options[ :save_text             ]
+    js_options[ 'loadingText'         ] = %('#{ options[ :loading_text          ] }') if options[ :loading_text          ]
+    js_options[ 'savingText'          ] = %('#{ options[ :saving_text           ] }') if options[ :saving_text           ]
+    js_options[ 'clickToEditText'     ] = %('#{ options[ :click_to_edit_text    ] }') if options[ :click_to_edit_text    ]
+    js_options[ 'textBetweenControls' ] = %('#{ options[ :text_between_controls ] }') if options[ :text_between_controls ]
+
+    js_options[ 'externalControl'     ] = "'#{          options[ :external_control ]   }'" if options[ :external_control ]
+    js_options[ 'loadTextURL'         ] = "'#{ url_for( options[ :load_text_url    ] ) }'" if options[ :load_text_url    ]
+
+    js_options[ 'callback'            ] = "function(form) { return #{ options[ :with ] }; }" if options[ :with ]
+
+    if options[ :is_boolean ]
+      if options[ :start_value ]
+        js_options[ 'collection' ] = "[['true','Yes'],['false','No']]"
+      else
+        js_options[ 'collection' ] = "[['false','No'],['true','Yes']]"
+      end
+    end
+
+    # Set up the custom on-failure and on-complete handlers
+
+    js_options[ 'onFailure' ] = "#{ options[ :on_failure ] }"
+
+    if ( options.include?( :lock_var ) )
+      js_options['onComplete'] = "function(transport, element) {#{ options[ :on_complete ] }(transport,element,'#{ options[ :lock_var ] }');}"
+    else
+      js_options['onComplete'] = "#{ options[ :on_complete ] }"
+    end
+
+    # Assemble the content
+
+    function << ( ', ' + options_for_javascript( js_options ) ) unless js_options.empty?
+    function << ')'
+
+    return javascript_tag( function )
+  end
+
+  # Close API equivalent of in_place_editor_field, except fixes various bugs
+  # (see the README for rationale). Allows either an object name in the first
+  # parameter (e.g. ":foo", in which case instance variable "@foo" must point
+  # to the object instance of interest) or an object instance (to save messing
+  # around with magic instance variables, but obtains the object name from
+  # "class.name.underscore", so may not be appropriate for unusual object
+  # classes). Anyway, clearer error reporting and the ability to pass in an
+  # object reference directly may help avoid a common error experienced with
+  # the InPlaceEditing plug-in code, as described here at the time of writing:
+  #
+  # http://oldwiki.rubyonrails.org/rails/pages/InPlaceEditing
+  #
+  # Includes the following options:
+  #
+  # * :lock_var is the name of the variable used for optimistic locking, by
+  #   default set to a row-unique value. The assumption is that this same
+  #   variable gets used throughout the row so that multiple edits on that
+  #   row all cause the same variable to be incremented. If your back-end
+  #   update function has side effects that might invalidate the value shown
+  #   in another column on that row - which would be pretty strange! - you'd
+  #   need to override the lock variable name with something that's unique to
+  #   both the row and the column. When using a lock variable, additional
+  #   option ":lock_version" is always set internally to the lock version of
+  #   the object for which the field is being built and cannot be overridden.
+  #
+  # * :with is extended to include a "lock_version" parameter in the query
+  #   string so that the client side's idea of the current object's lock
+  #   version may be communicated to the server's attribute update action.
+  #   This is done internally; there is no need to set the option yourself.
+  #
+  # The editor options also support "is_boolean", which overrides the default
+  # setting of whether or not the column value is considered to be a string
+  # or a boolean quantity. This is provided just-in-case, with no current
+  # known cases where the automatic detection isn't sufficient.
+  #
+  # The Prototype library getText function must be patched as described in
+  # the README rationale; "application.js" is a good place to do this.
+  #
+  # Note an optional fifth parameter which if 'true' will prevent HTML
+  # escaping of the value for values which are really meant to contain HTML
+  # code. Be very, very careful with this.
+  #
+  def safe_in_place_editor_field( object, method, tag_options = {}, editor_options = {}, no_escape = false )
+
+    # Allow a symbol or object instance to be passed. Since the symbol use
+    # case involves accessing a 'magic' related instance variable name and
+    # since there are lots of examples via Google of this confusing people,
+    # raise a helpful error message if the relevant variable is missing.
+
+    if ( object.instance_of?( Symbol ) )
+      object_name = object
+      var_name = "@#{ object_name }"
+      if ( instance_variable_defined?( var_name ) )
+        object = instance_variable_get( var_name )
+      else
+        raise( 'If passing \':foo\' to in_place_editor_field, \'@foo\' must refer to the object for which the field is being built' )
+      end
+    else
+      object_name = object.class.name.underscore
+    end
+
+    # Pass the lock version in for optimistic locking support, should the
+    # object support it. The update callback function must manually compare
+    # the params[ :lock_version ] value against the lock_version.to_s()
+    # value of the object that's being updated.
+
+    if ( object.respond_to?( :lock_version ) )
+      var = "#{ object_name }_#{ object.id }_safeInPlaceEditorLockVersion"
+
+      editor_options[ :lock_version ]   = object.lock_version.to_s
+      editor_options[ :lock_var     ] ||= var
+      editor_options[ :with         ] ||= "Form.serialize(form).replace(/\\+/g,'%20')"
+      editor_options[ :with         ]  += " + '&lock_version=' + #{ var }"
+    end
+
+    # Escape the value unless told not to and construct the complete in-place
+    # editor assembly. Check for boolean values too, allowing caller-override.
+
+    column_value = object.send( method )
+
+    is_boolean = ( editor_options[ :is_boolean ] || ( column_value.is_a? TrueClass ) || ( column_value.is_a? FalseClass ) )
+
+    if ( is_boolean )
+      editor_options[ :start_value ] = !! column_value
+      column_value = column_value ? 'Yes' : 'No'
+    else
+      column_value = ERB::Util::html_escape( column_value ) unless ( no_escape )
+    end
+
+    tag_options = {
+      :id    => "#{ object_name }_#{ method }_#{ object.id }_in_place_editor",
+      :class => "in_place_editor_field"
+    }.merge!( tag_options )
+
+    editor_options[ :url ] ||= url_for( {
+      :action => "set_#{ object_name }_#{ method }",
+      :id     => object.id
+    } )
+
+    # Update the boolean value flag, unless the caller had already set one.
+
+    editor_options[ :is_boolean ] = is_boolean unless editor_options.has_key?( :is_boolean )
+
+    return content_tag( :span, column_value.html_safe, tag_options ) +
+           safe_in_place_editor( tag_options[ :id ], editor_options )
+  end
+end

data/lib/safe_in_place_editing/version.rb

@@ -0,0 +1,3 @@
+module SafeInPlaceEditing
+  VERSION = "2.0.0"
+end

metadata

@@ -0,0 +1,68 @@
+--- !ruby/object:Gem::Specification 
+name: safe_in_place_editing
+version: !ruby/object:Gem::Version 
+  version: 2.0.0
+platform: ruby
+authors: 
+- Andrew Hodgkinson
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2013-11-29 00:00:00 Z
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: railties
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        version: "3.2"
+  type: :runtime
+  version_requirements: *id001
+description: Safe In Place Editing Rails extension, providing flexible HTML safe in-place editing with string and boolean type support
+email: 
+- ahodgkin@rowing.org.uk
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- lib/safe_in_place_editing/controller_methods.rb
+- lib/safe_in_place_editing/helper_methods.rb
+- lib/safe_in_place_editing/version.rb
+- lib/safe_in_place_editing.rb
+- app/assets/safe_in_place_editing/safe_in_place_editing.js
+- MIT-LICENSE
+- README.rdoc
+homepage: https://github.com/pond/safe_in_place_editing
+licenses: []
+
+metadata: {}
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - &id002 
+    - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - *id002
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 2.1.11
+signing_key: 
+specification_version: 4
+summary: Safe In Place Editing Rails extension
+test_files: []
+