Merge remote branch 'rails/master'

7 files changed, 296 insertions, 28 deletions

diff --git a/actionpack/test/controller/caching_test.rb b/actionpack/test/controller/caching_test.rb
index 4431eb2e2a..c161bea945 100644
--- a/actionpack/test/controller/caching_test.rb
+++ b/actionpack/test/controller/caching_test.rb
@@ -644,21 +644,6 @@ class FragmentCachingTest < ActionController::TestCase
     assert_equal 'will not expire ;-)', @store.read('views/primalgrasp')
   end
 
-  def test_fragment_for_with_disabled_caching
-    @controller.perform_caching = false
-
-    @store.write('views/expensive', 'fragment content')
-    fragment_computed = false
-
-    view_context = @controller.view_context
-
-    buffer = 'generated till now -> '.html_safe
-    buffer << view_context.send(:fragment_for, 'expensive') { fragment_computed = true }
-
-    assert fragment_computed
-    assert_equal 'generated till now -> ', buffer
-  end
-
   def test_fragment_for
     @store.write('views/expensive', 'fragment content')
     fragment_computed = false
diff --git a/actionpack/test/controller/new_base/render_rjs_test.rb b/actionpack/test/controller/new_base/render_rjs_test.rb
index b602b9f8e9..74bf865b54 100644
--- a/actionpack/test/controller/new_base/render_rjs_test.rb
+++ b/actionpack/test/controller/new_base/render_rjs_test.rb
@@ -2,7 +2,10 @@ require 'abstract_unit'
 
 module RenderRjs
   class BasicController < ActionController::Base
+    layout "application", :only => :index_respond_to
+
     self.view_paths = [ActionView::FixtureResolver.new(
+      "layouts/application.html.erb"           => "",
       "render_rjs/basic/index.js.rjs"          => "page[:customer].replace_html render(:partial => 'customer')",
       "render_rjs/basic/index_html.js.rjs"     => "page[:customer].replace_html :partial => 'customer'",
       "render_rjs/basic/index_no_js.js.erb"    => "<%= render(:partial => 'developer') %>",
diff --git a/actionpack/test/dispatch/routing_test.rb b/actionpack/test/dispatch/routing_test.rb
index ffa4f50b00..a294535e88 100644
--- a/actionpack/test/dispatch/routing_test.rb
+++ b/actionpack/test/dispatch/routing_test.rb
@@ -34,6 +34,33 @@ class TestRoutingMapper < ActionDispatch::IntegrationTest
         end
       end
 
+      resources :users do
+        shallow do
+          resources :photos do
+            resources :types do
+              member do
+                post :preview
+              end
+              collection do
+                delete :erase
+              end
+            end
+          end
+        end
+      end
+      
+      shallow do
+        resources :teams do
+          resources :players
+        end
+      
+        resources :countries do
+          resources :cities do
+            resources :places
+          end
+        end
+      end
+
       match 'account/logout' => redirect("/logout"), :as => :logout_redirect
       match 'account/login', :to => redirect("/login")
 
@@ -69,8 +96,17 @@ class TestRoutingMapper < ActionDispatch::IntegrationTest
       end
 
       scope 'pt', :name_prefix => 'pt' do
-        resources :projects, :path_names => { :edit => 'editar' }, :path => 'projetos'
-        resource  :admin,    :path_names => { :new => 'novo' },    :path => 'administrador'
+        resources :projects, :path_names => { :edit => 'editar', :new => 'novo' }, :path => 'projetos' do
+          post :preview, :on => :new
+        end
+        resource  :admin,    :path_names => { :new => 'novo' },    :path => 'administrador' do
+          post :preview, :on => :new
+        end
+        resources :products, :path_names => { :new => 'novo' } do
+          new do
+            post :preview
+          end
+        end
       end
 
       resources :projects, :controller => :project do
@@ -119,6 +155,10 @@ class TestRoutingMapper < ActionDispatch::IntegrationTest
       end
 
       resources :replies do
+        new do
+          post :preview
+        end
+
         member do
           put :answer, :to => :mark_as_answer
           delete :answer, :to => :unmark_as_answer
@@ -189,10 +229,13 @@ class TestRoutingMapper < ActionDispatch::IntegrationTest
         root :to => 'projects#index'
       end
 
-      resources :products, :constraints => { :id => /\d{4}/ } do
-        root :to => "products#root"
-        get :favorite, :on => :collection
-        resources :images
+      scope :only => [:index, :show] do
+        resources :products, :constraints => { :id => /\d{4}/ } do
+          root :to => "products#root"
+          get :favorite, :on => :collection
+          resources :images
+        end
+        resource :account
       end
 
       resource :dashboard, :constraints => { :ip => /192\.168\.1\.\d{1,3}/ }
@@ -207,6 +250,14 @@ class TestRoutingMapper < ActionDispatch::IntegrationTest
       end
 
       match "whatever/:controller(/:action(/:id))"
+
+      resource :profile do
+        get :settings
+
+        new do
+          post :preview
+        end
+      end
     end
   end
 
@@ -728,6 +779,18 @@ class TestRoutingMapper < ActionDispatch::IntegrationTest
     end
   end
 
+  def test_shallow_routes
+    with_test_routes do
+      assert_equal '/photos/4', photo_path(4)
+      assert_equal '/types/10/edit', edit_type_path(10) 
+      assert_equal '/types/5/preview', preview_type_path(5)
+      assert_equal '/photos/2/types', photo_types_path(2)
+      assert_equal '/cities/1/places', url_for(:controller => :places, :action => :index, :city_id => 1, :only_path => true)
+      assert_equal '/teams/new', url_for(:controller => :teams, :action => :new, :only_path => true)
+      assert_equal '/photos/11/types/erase', url_for(:controller => :types, :action => :erase, :photo_id => 11, :only_path => true)
+    end
+  end
+
   def test_update_project_person
     with_test_routes do
       get '/projects/1/people/2/update'
@@ -1038,6 +1101,54 @@ class TestRoutingMapper < ActionDispatch::IntegrationTest
     end
   end
 
+  def test_resource_new_actions
+    with_test_routes do
+      assert_equal '/replies/new/preview', preview_new_reply_path
+      assert_equal '/pt/projetos/novo/preview', preview_new_pt_project_path
+      assert_equal '/pt/administrador/novo/preview', preview_new_pt_admin_path
+      assert_equal '/pt/products/novo/preview', preview_new_pt_product_path
+      assert_equal '/profile/new/preview', preview_new_profile_path
+
+      post '/replies/new/preview'
+      assert_equal 'replies#preview', @response.body
+
+      post '/pt/projetos/novo/preview'
+      assert_equal 'projects#preview', @response.body
+
+      post '/pt/administrador/novo/preview'
+      assert_equal 'admins#preview', @response.body
+
+      post '/pt/products/novo/preview'
+      assert_equal 'products#preview', @response.body
+
+      post '/profile/new/preview'
+      assert_equal 'profiles#preview', @response.body
+    end
+  end
+
+  def test_resource_merges_options_from_scope
+    with_test_routes do
+      assert_raise(NameError) { new_account_path }
+
+      get '/account/new'
+      assert_equal 404, status
+    end
+  end
+
+  def test_resources_merges_options_from_scope
+    with_test_routes do
+      assert_raise(NoMethodError) { edit_product_path('1') }
+
+      get '/products/1/edit'
+      assert_equal 404, status
+
+      assert_raise(NoMethodError) { edit_product_image_path('1', '2') }
+
+      post '/products/1/images/2/edit'
+      assert_equal 404, status
+    end
+  end
+
   private
     def with_test_routes
       yield
diff --git a/actionpack/test/dispatch/show_exceptions_test.rb b/actionpack/test/dispatch/show_exceptions_test.rb
index b447b0715c..4966527f4d 100644
--- a/actionpack/test/dispatch/show_exceptions_test.rb
+++ b/actionpack/test/dispatch/show_exceptions_test.rb
@@ -53,7 +53,7 @@ class ShowExceptionsTest < ActionController::IntegrationTest
 
   test "rescue locally from a local request" do
     @app = ProductionApp
-    ['127.0.0.1', '::1'].each do |ip_address|
+    ['127.0.0.1', '127.0.0.127', '::1', '0:0:0:0:0:0:0:1', '0:0:0:0:0:0:0:1%0'].each do |ip_address|
       self.remote_addr = ip_address
 
       get "/", {}, {'action_dispatch.show_exceptions' => true}
diff --git a/actionpack/test/template/asset_tag_helper_test.rb b/actionpack/test/template/asset_tag_helper_test.rb
index b6a6f52876..633641514e 100644
--- a/actionpack/test/template/asset_tag_helper_test.rb
+++ b/actionpack/test/template/asset_tag_helper_test.rb
@@ -404,6 +404,15 @@ class AssetTagHelperTest < ActionView::TestCase
     assert_equal %(<img alt="Rails" src="#{expected_path}" />), image_tag("rails.png")
   end
 
+  def test_image_tag_interpreting_email_cid_correctly
+    # An inline image has no need for an alt tag to be automatically generated from the cid:
+    assert_equal '<img src="cid:thi%25%25sis@acontentid" />', image_tag("cid:thi%25%25sis@acontentid")
+  end
+
+  def test_image_tag_interpreting_email_adding_optional_alt_tag
+    assert_equal '<img alt="Image" src="cid:thi%25%25sis@acontentid" />', image_tag("cid:thi%25%25sis@acontentid", :alt => "Image")
+  end
+
   def test_timebased_asset_id_with_relative_url_root
     @controller.config.relative_url_root = "/collaboration/hieraki"
     expected_time = File.stat(File.expand_path(File.dirname(__FILE__) + "/../fixtures/public/images/rails.png")).mtime.to_i.to_s
diff --git a/actionpack/test/template/tag_helper_test.rb b/actionpack/test/template/tag_helper_test.rb
index 256d9bdcde..ec5fe3d1d7 100644
--- a/actionpack/test/template/tag_helper_test.rb
+++ b/actionpack/test/template/tag_helper_test.rb
@@ -39,6 +39,8 @@ class TagHelperTest < ActionView::TestCase
                  content_tag("a", "Create", :href => "create")
     assert_equal "<p>&lt;script&gt;evil_js&lt;/script&gt;</p>",
                  content_tag(:p, '<script>evil_js</script>')
+    assert_equal "<p><script>evil_js</script></p>",
+                 content_tag(:p, '<script>evil_js</script>', nil, false)
   end
 
   def test_content_tag_with_block_in_erb
diff --git a/actionpack/test/template/text_helper_test.rb b/actionpack/test/template/text_helper_test.rb
index bb808b77a5..64f1d46413 100644
--- a/actionpack/test/template/text_helper_test.rb
+++ b/actionpack/test/template/text_helper_test.rb
@@ -7,6 +7,12 @@ rescue LoadError
   $stderr.puts "Skipping textilize tests. `gem install RedCloth` to enable."
 end
 
+begin
+  require 'bluecloth'
+rescue LoadError
+  $stderr.puts "Skipping markdown tests. 'gem install bluecloth' to enable."
+end
+
 class TextHelperTest < ActionView::TestCase
   tests ActionView::Helpers::TextHelper
   include TestingSandbox
@@ -45,19 +51,42 @@ class TextHelperTest < ActionView::TestCase
     assert simple_format("<b> test with html tags </b>").html_safe?
   end
 
-  def test_simple_format_should_escape_unsafe_input
-    assert_equal "<p>&lt;b&gt; test with unsafe string &lt;/b&gt;</p>", simple_format("<b> test with unsafe string </b>")
+  def test_simple_format_should_sanitize_unsafe_input
+    assert_equal "<p><b> test with unsafe string </b></p>", simple_format("<b> test with unsafe string </b><script>code!</script>")
+  end
+
+  def test_simple_format_should_not_sanitize_input_if_safe_option
+    assert_equal "<p><b> test with unsafe string </b><script>code!</script></p>", simple_format("<b> test with unsafe string </b><script>code!</script>", {}, :safe => true)
   end
 
-  def test_simple_format_should_not_escape_safe_input
+  def test_simple_format_should_not_sanitize_safe_input
     assert_equal "<p><b> test with safe string </b></p>", simple_format("<b> test with safe string </b>".html_safe)
   end
 
+  def test_truncate_should_be_html_safe
+    assert truncate("Hello World!", :length => 12).html_safe?
+  end
+  
   def test_truncate
     assert_equal "Hello World!", truncate("Hello World!", :length => 12)
     assert_equal "Hello Wor...", truncate("Hello World!!", :length => 12)
   end
 
+  def test_truncate_should_sanitize_unsafe_input
+    assert_equal "Hello World!", truncate("Hello <script>code!</script>World!", :length => 12)
+    assert_equal "Hello Wor...", truncate("Hello <script>code!</script>World!!", :length => 12)
+  end
+
+  def test_truncate_should_not_sanitize_input_if_safe_option
+    assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!", :length => 12, :safe => true)
+    assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!!", :length => 12, :safe => true)
+  end
+
+  def test_truncate_should_not_sanitize_safe_input
+    assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!".html_safe, :length => 12)
+    assert_equal "Hello <sc...", truncate("Hello <script>code!</script>World!!".html_safe, :length => 12)
+  end
+
   def test_truncate_should_use_default_length_of_30
     str = "This is a string that will go longer then the default truncate length of 30"
     assert_equal str[0...27] + "...", truncate(str)
@@ -93,7 +122,11 @@ class TextHelperTest < ActionView::TestCase
     end
   end
 
-  def test_highlighter
+  def test_highlight_should_be_html_safe
+    assert highlight("This is a beautiful morning", "beautiful").html_safe?
+  end
+ 
+  def test_highlight
     assert_equal(
       "This is a <strong class=\"highlight\">beautiful</strong> morning",
       highlight("This is a beautiful morning", "beautiful")
@@ -117,6 +150,27 @@ class TextHelperTest < ActionView::TestCase
     assert_equal '   ', highlight('   ', 'blank text is returned verbatim')
   end
 
+  def test_highlight_should_sanitize_unsafe_input
+    assert_equal(
+      "This is a <strong class=\"highlight\">beautiful</strong> morning",
+      highlight("This is a beautiful morning<script>code!</script>", "beautiful")
+    )
+  end
+
+  def test_highlight_should_not_sanitize_input_if_safe_option
+    assert_equal(
+      "This is a <strong class=\"highlight\">beautiful</strong> morning<script>code!</script>",
+      highlight("This is a beautiful morning<script>code!</script>", "beautiful", :safe => true)
+    )
+  end
+
+  def test_highlight_should_not_sanitize_safe_input
+    assert_equal(
+      "This is a <strong class=\"highlight\">beautiful</strong> morning<script>code!</script>",
+      highlight("This is a beautiful morning<script>code!</script>".html_safe, "beautiful")
+    )
+  end
+
   def test_highlight_with_regexp
     assert_equal(
       "This is a <strong class=\"highlight\">beautiful!</strong> morning",
@@ -163,7 +217,7 @@ class TextHelperTest < ActionView::TestCase
       highlight("<p class=\"beautiful\">This is a beautiful morning, but also a beautiful day</p>", "beautiful")
     )
     assert_equal(
-      "<p>This is a <strong class=\"highlight\">beautiful</strong> <a href=\"http://example.com/beautiful\#top?what=beautiful%20morning&when=now+then\">morning</a>, but also a <strong class=\"highlight\">beautiful</strong> day</p>",
+      "<p>This is a <strong class=\"highlight\">beautiful</strong> <a href=\"http://example.com/beautiful\#top?what=beautiful%20morning&amp;when=now+then\">morning</a>, but also a <strong class=\"highlight\">beautiful</strong> day</p>",
       highlight("<p>This is a beautiful <a href=\"http://example.com/beautiful\#top?what=beautiful%20morning&when=now+then\">morning</a>, but also a beautiful day</p>", "beautiful")
     )
   end
@@ -286,7 +340,17 @@ class TextHelperTest < ActionView::TestCase
     %{<a href="#{CGI::escapeHTML href}">#{CGI::escapeHTML link_text}</a>}
   end
 
-  def test_auto_linking
+  def test_auto_link_should_be_html_safe
+    email_raw    = 'santiago@wyeworks.com'
+    link_raw     = 'http://www.rubyonrails.org'
+
+    assert auto_link(nil).html_safe?
+    assert auto_link('').html_safe?
+    assert auto_link("#{link_raw} #{link_raw} #{link_raw}").html_safe?
+    assert auto_link("hello #{email_raw}").html_safe?
+  end
+
+  def test_auto_link
     email_raw    = 'david@loudthinking.com'
     email_result = %{<a href="mailto:#{email_raw}">#{email_raw}</a>}
     link_raw     = 'http://www.rubyonrails.com'
@@ -378,6 +442,21 @@ class TextHelperTest < ActionView::TestCase
     assert_equal %(<p>#{link10_result} Link</p>), auto_link("<p>#{link10_raw} Link</p>")
   end
 
+  def test_auto_link_should_sanitize_unsafe_input
+    link_raw     = %{http://www.rubyonrails.com?id=1&num=2}
+    assert_equal %{<a href="http://www.rubyonrails.com?id=1&amp;num=2">http://www.rubyonrails.com?id=1&amp;num=2</a>}, auto_link(link_raw)
+  end
+
+  def test_auto_link_should_sanitize_unsafe_input
+    link_raw     = %{http://www.rubyonrails.com?id=1&num=2}
+    assert_equal %{<a href="http://www.rubyonrails.com?id=1&num=2">http://www.rubyonrails.com?id=1&num=2</a>}, auto_link(link_raw, :safe => true)
+  end
+
+  def test_auto_link_should_not_sanitize_safe_input
+    link_raw     = %{http://www.rubyonrails.com?id=1&num=2}
+    assert_equal %{<a href="http://www.rubyonrails.com?id=1&num=2">http://www.rubyonrails.com?id=1&num=2</a>}, auto_link(link_raw.html_safe)
+  end
+
   def test_auto_link_other_protocols
     ftp_raw = 'ftp://example.com/file.txt'
     assert_equal %(Download #{generate_result(ftp_raw)}), auto_link("Download #{ftp_raw}")
@@ -587,7 +666,12 @@ class TextHelperTest < ActionView::TestCase
     assert_equal(%w{Specialized Fuji Giant}, @cycles)
   end
 
+  # TODO test textilize_without_paragraph and markdown
   if defined? RedCloth
+    def test_textilize_should_be_html_safe
+      assert textilize("*This is Textile!*  Rejoice!").html_safe?
+    end
+
     def test_textilize
       assert_equal("<p><strong>This is Textile!</strong>  Rejoice!</p>", textilize("*This is Textile!*  Rejoice!"))
     end
@@ -600,8 +684,82 @@ class TextHelperTest < ActionView::TestCase
       assert_equal("<p>This is worded &lt;strong&gt;strongly&lt;/strong&gt;</p>", textilize("This is worded <strong>strongly</strong>", :filter_html))
     end
 
+    def test_textilize_should_sanitize_unsafe_input
+      assert_equal("<p>This is worded <strong>strongly</strong></p>", textilize("This is worded <strong>strongly</strong><script>code!</script>"))
+    end
+
+    def test_textilize_should_not_sanitize_input_if_safe_option
+      assert_equal("<p>This is worded <strong>strongly</strong><script>code!</script></p>", textilize("This is worded <strong>strongly</strong><script>code!</script>", :safe))
+    end
+
+    def test_textilize_should_not_sanitize_safe_input
+      assert_equal("<p>This is worded <strong>strongly</strong><script>code!</script></p>", textilize("This is worded <strong>strongly</strong><script>code!</script>".html_safe))
+    end
+
     def test_textilize_with_hard_breaks
       assert_equal("<p>This is one scary world.<br />\n True.</p>", textilize("This is one scary world.\n True."))
     end
+
+    def test_textilize_without_paragraph_should_be_html_safe
+      textilize_without_paragraph("*This is Textile!*  Rejoice!").html_safe?
+    end
+
+    def test_textilize_without_paragraph
+      assert_equal("<strong>This is Textile!</strong>  Rejoice!", textilize_without_paragraph("*This is Textile!*  Rejoice!"))
+    end
+
+    def test_textilize_without_paragraph_with_blank
+      assert_equal("", textilize_without_paragraph(""))
+    end
+
+    def test_textilize_without_paragraph_with_options
+      assert_equal("This is worded &lt;strong&gt;strongly&lt;/strong&gt;", textilize_without_paragraph("This is worded <strong>strongly</strong>", :filter_html))
+    end
+
+    def test_textilize_without_paragraph_should_sanitize_unsafe_input
+      assert_equal("This is worded <strong>strongly</strong>", textilize_without_paragraph("This is worded <strong>strongly</strong><script>code!</script>"))
+    end
+
+    def test_textilize_without_paragraph_should_not_sanitize_input_if_safe_option
+      assert_equal("This is worded <strong>strongly</strong><script>code!</script>", textilize_without_paragraph("This is worded <strong>strongly</strong><script>code!</script>", :safe))
+    end
+
+    def test_textilize_without_paragraph_should_not_sanitize_safe_input
+      assert_equal("This is worded <strong>strongly</strong><script>code!</script>", textilize_without_paragraph("This is worded <strong>strongly</strong><script>code!</script>".html_safe))
+    end
+
+    def test_textilize_without_paragraph_with_hard_breaks
+      assert_equal("This is one scary world.<br />\n True.", textilize_without_paragraph("This is one scary world.\n True."))
+    end
+  end
+
+  if defined? BlueCloth
+    def test_markdown_should_be_html_safe
+      assert markdown("We are using __Markdown__ now!").html_safe?
+    end
+
+    def test_markdown
+      assert_equal("<p>We are using <strong>Markdown</strong> now!</p>", markdown("We are using __Markdown__ now!"))
+    end
+
+    def test_markdown_with_blank
+      assert_equal("", markdown(""))
+    end
+
+    def test_markdown_should_sanitize_unsafe_input
+      assert_equal("<p>This is worded <strong>strongly</strong></p>", markdown("This is worded <strong>strongly</strong><script>code!</script>"))
+    end
+
+    def test_markdown_should_not_sanitize_input_if_safe_option
+      assert_equal("<p>This is worded <strong>strongly</strong><script>code!</script></p>", markdown("This is worded <strong>strongly</strong><script>code!</script>", :safe))
+    end
+
+    def test_markdown_should_not_sanitize_safe_input
+      assert_equal("<p>This is worded <strong>strongly</strong><script>code!</script></p>", markdown("This is worded <strong>strongly</strong><script>code!</script>".html_safe))
+    end
+
+    def test_markdown_with_hard_breaks
+      assert_equal("<p>This is one scary world.</p>\n\n<p>True.</p>", markdown("This is one scary world.\n\nTrue."))
+    end
   end
 end