Merge branch 'master' of github.com:lifo/docrails

6 files changed, 33 insertions, 17 deletions

diff --git a/actionpack/lib/action_view/helpers/csrf_helper.rb b/actionpack/lib/action_view/helpers/csrf_helper.rb
new file mode 100644
index 0000000000..41c6b67f91
--- /dev/null
+++ b/actionpack/lib/action_view/helpers/csrf_helper.rb
@@ -0,0 +1,12 @@
+module ActionView
+  module Helpers
+    module CsrfHelper
+      # Returns a meta tag with the request forgery protection token for forms to use. Put this in your head.
+      def csrf_meta_tag
+        if protect_against_forgery?
+          %(<meta name="csrf-param" content="#{Rack::Utils.escape_html(request_forgery_protection_token)}"/>\n<meta name="csrf-token" content="#{Rack::Utils.escape_html(form_authenticity_token)}"/>).html_safe
+        end
+      end
+    end
+  end
+end
diff --git a/actionpack/lib/action_view/helpers/form_helper.rb b/actionpack/lib/action_view/helpers/form_helper.rb
index 4d29a03b92..305d6b3128 100644
--- a/actionpack/lib/action_view/helpers/form_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_helper.rb
@@ -309,7 +309,7 @@ module ActionView
 
         options[:html][:remote] = true if options.delete(:remote)
 
-        concat(form_tag(options.delete(:url) || {}, options.delete(:html) || {}))
+        safe_concat(form_tag(options.delete(:url) || {}, options.delete(:html) || {}))
         fields_for(object_name, *(args << options), &proc)
         safe_concat('</form>')
       end
@@ -1172,7 +1172,9 @@ module ActionView
 
         def fields_for_with_nested_attributes(association_name, args, block)
           name = "#{object_name}[#{association_name}_attributes]"
-          association = args.first.to_model if args.first.respond_to?(:to_model)
+          options = args.extract_options!
+          association = args.shift
+          association = association.to_model if association.respond_to?(:to_model)
 
           if association.respond_to?(:new_record?)
             association = [association] if @object.send(association_name).is_a?(Array)
@@ -1181,20 +1183,22 @@ module ActionView
           end
 
           if association.is_a?(Array)
-            explicit_child_index = args.last[:child_index] if args.last.is_a?(Hash)
+            explicit_child_index = options[:child_index]
             association.map do |child|
-              fields_for_nested_model("#{name}[#{explicit_child_index || nested_child_index(name)}]", child, args, block)
+              fields_for_nested_model("#{name}[#{explicit_child_index || nested_child_index(name)}]", child, options, block)
             end.join
           elsif association
-            fields_for_nested_model(name, association, args, block)
+            fields_for_nested_model(name, association, options, block)
           end
         end
 
-        def fields_for_nested_model(name, object, args, block)
+        def fields_for_nested_model(name, object, options, block)
+          object = object.to_model if object.respond_to?(:to_model)
+
           if object.new_record?
-            @template.fields_for(name, object, *args, &block)
+            @template.fields_for(name, object, options, &block)
           else
-            @template.fields_for(name, object, *args) do |builder|
+            @template.fields_for(name, object, options) do |builder|
               block.call(builder)
               @template.concat builder.hidden_field(:id) unless builder.emitted_hidden_id?
             end
diff --git a/actionpack/lib/action_view/helpers/form_tag_helper.rb b/actionpack/lib/action_view/helpers/form_tag_helper.rb
index ba1b0bcc20..6ed6c3101b 100644
--- a/actionpack/lib/action_view/helpers/form_tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_tag_helper.rb
@@ -441,8 +441,8 @@ module ActionView
       #   # => <fieldset class="format"><p><input id="name" name="name" type="text" /></p></fieldset>
       def field_set_tag(legend = nil, options = nil, &block)
         content = capture(&block)
-        concat(tag(:fieldset, options, true))
-        concat(content_tag(:legend, legend)) unless legend.blank?
+        safe_concat(tag(:fieldset, options, true))
+        safe_concat(content_tag(:legend, legend)) unless legend.blank?
         concat(content)
         safe_concat("</fieldset>")
       end
@@ -477,7 +477,7 @@ module ActionView
 
         def form_tag_in_block(html_options, &block)
           content = capture(&block)
-          concat(form_tag_html(html_options))
+          safe_concat(form_tag_html(html_options))
           concat(content)
           safe_concat("</form>")
         end
diff --git a/actionpack/lib/action_view/helpers/javascript_helper.rb b/actionpack/lib/action_view/helpers/javascript_helper.rb
index 7dca9849c0..8fdaa8cf8d 100644
--- a/actionpack/lib/action_view/helpers/javascript_helper.rb
+++ b/actionpack/lib/action_view/helpers/javascript_helper.rb
@@ -86,7 +86,7 @@ module ActionView
         tag = content_tag(:script, javascript_cdata_section(content), html_options.merge(:type => Mime::JS))
 
         if block_called_from_erb?(block)
-          concat(tag)
+          safe_concat(tag)
         else
           tag
         end
diff --git a/actionpack/lib/action_view/helpers/tag_helper.rb b/actionpack/lib/action_view/helpers/tag_helper.rb
index ed80e07c78..a3a8185f40 100644
--- a/actionpack/lib/action_view/helpers/tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/tag_helper.rb
@@ -72,7 +72,7 @@ module ActionView
           content_tag = content_tag_string(name, capture(&block), options, escape)
 
           if block_called_from_erb?(block)
-            concat(content_tag)
+            safe_concat(content_tag)
           else
             content_tag
           end
diff --git a/actionpack/lib/action_view/helpers/text_helper.rb b/actionpack/lib/action_view/helpers/text_helper.rb
index 2e02f6637a..e1ce65f90a 100644
--- a/actionpack/lib/action_view/helpers/text_helper.rb
+++ b/actionpack/lib/action_view/helpers/text_helper.rb
@@ -187,7 +187,7 @@ module ActionView
       #   pluralize(0, 'person')
       #   # => 0 people
       def pluralize(count, singular, plural = nil)
-        "#{count || 0} " + ((count == 1 || count == '1') ? singular : (plural || singular.pluralize))
+        "#{count || 0} " + ((count == 1 || count =~ /^1(\.0+)?$/) ? singular : (plural || singular.pluralize))
       end
 
       # Wraps the +text+ into lines no longer than +line_width+ width. This method
@@ -327,12 +327,12 @@ module ActionView
       #   # => "<p class='description'>Look ma! A class!</p>"
       def simple_format(text, html_options={})
         start_tag = tag('p', html_options, true)
-        text = text.to_s.dup
+        text = h(text)
         text.gsub!(/\r\n?/, "\n")                    # \r\n and \r -> \n
         text.gsub!(/\n\n+/, "</p>\n\n#{start_tag}")  # 2+ newline  -> paragraph
         text.gsub!(/([^\n]\n)(?=[^\n])/, '\1<br />') # 1 newline   -> br
         text.insert 0, start_tag
-        text << "</p>"
+        text.safe_concat("</p>")
       end
 
       # Turns all URLs and e-mail addresses into clickable links. The <tt>:link</tt> option
@@ -415,7 +415,7 @@ module ActionView
       #                {:first => 'Emily', :middle => 'Shannon', :maiden => 'Pike', :last => 'Hicks'},
       #               {:first => 'June', :middle => 'Dae', :last => 'Jones'}]
       #   <% @items.each do |item| %>
-      #     <tr class="<%= cycle("even", "odd", :name => "row_class") -%>">
+      #     <tr class="<%= cycle("odd", "even", :name => "row_class") -%>">
       #       <td>
       #         <% item.values.each do |value| %>
       #           <%# Create a named cycle "colors" %>