aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_view
diff options
context:
space:
mode:
Diffstat (limited to 'actionpack/lib/action_view')
-rw-r--r--actionpack/lib/action_view/helpers.rb2
-rw-r--r--actionpack/lib/action_view/helpers/csrf_helper.rb12
-rw-r--r--actionpack/lib/action_view/helpers/form_helper.rb20
-rw-r--r--actionpack/lib/action_view/helpers/form_tag_helper.rb6
-rw-r--r--actionpack/lib/action_view/helpers/javascript_helper.rb2
-rw-r--r--actionpack/lib/action_view/helpers/tag_helper.rb2
-rw-r--r--actionpack/lib/action_view/helpers/text_helper.rb6
-rw-r--r--actionpack/lib/action_view/render/rendering.rb2
8 files changed, 35 insertions, 17 deletions
diff --git a/actionpack/lib/action_view/helpers.rb b/actionpack/lib/action_view/helpers.rb
index ceb0e18d80..b4f649385a 100644
--- a/actionpack/lib/action_view/helpers.rb
+++ b/actionpack/lib/action_view/helpers.rb
@@ -7,6 +7,7 @@ module ActionView #:nodoc:
autoload :AtomFeedHelper, 'action_view/helpers/atom_feed_helper'
autoload :CacheHelper, 'action_view/helpers/cache_helper'
autoload :CaptureHelper, 'action_view/helpers/capture_helper'
+ autoload :CsrfHelper, 'action_view/helpers/csrf_helper'
autoload :DateHelper, 'action_view/helpers/date_helper'
autoload :DebugHelper, 'action_view/helpers/debug_helper'
autoload :FormHelper, 'action_view/helpers/form_helper'
@@ -40,6 +41,7 @@ module ActionView #:nodoc:
include AtomFeedHelper
include CacheHelper
include CaptureHelper
+ include CsrfHelper
include DateHelper
include DebugHelper
include FormHelper
diff --git a/actionpack/lib/action_view/helpers/csrf_helper.rb b/actionpack/lib/action_view/helpers/csrf_helper.rb
new file mode 100644
index 0000000000..41c6b67f91
--- /dev/null
+++ b/actionpack/lib/action_view/helpers/csrf_helper.rb
@@ -0,0 +1,12 @@
+module ActionView
+ module Helpers
+ module CsrfHelper
+ # Returns a meta tag with the request forgery protection token for forms to use. Put this in your head.
+ def csrf_meta_tag
+ if protect_against_forgery?
+ %(<meta name="csrf-param" content="#{Rack::Utils.escape_html(request_forgery_protection_token)}"/>\n<meta name="csrf-token" content="#{Rack::Utils.escape_html(form_authenticity_token)}"/>).html_safe
+ end
+ end
+ end
+ end
+end
diff --git a/actionpack/lib/action_view/helpers/form_helper.rb b/actionpack/lib/action_view/helpers/form_helper.rb
index 4d29a03b92..305d6b3128 100644
--- a/actionpack/lib/action_view/helpers/form_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_helper.rb
@@ -309,7 +309,7 @@ module ActionView
options[:html][:remote] = true if options.delete(:remote)
- concat(form_tag(options.delete(:url) || {}, options.delete(:html) || {}))
+ safe_concat(form_tag(options.delete(:url) || {}, options.delete(:html) || {}))
fields_for(object_name, *(args << options), &proc)
safe_concat('</form>')
end
@@ -1172,7 +1172,9 @@ module ActionView
def fields_for_with_nested_attributes(association_name, args, block)
name = "#{object_name}[#{association_name}_attributes]"
- association = args.first.to_model if args.first.respond_to?(:to_model)
+ options = args.extract_options!
+ association = args.shift
+ association = association.to_model if association.respond_to?(:to_model)
if association.respond_to?(:new_record?)
association = [association] if @object.send(association_name).is_a?(Array)
@@ -1181,20 +1183,22 @@ module ActionView
end
if association.is_a?(Array)
- explicit_child_index = args.last[:child_index] if args.last.is_a?(Hash)
+ explicit_child_index = options[:child_index]
association.map do |child|
- fields_for_nested_model("#{name}[#{explicit_child_index || nested_child_index(name)}]", child, args, block)
+ fields_for_nested_model("#{name}[#{explicit_child_index || nested_child_index(name)}]", child, options, block)
end.join
elsif association
- fields_for_nested_model(name, association, args, block)
+ fields_for_nested_model(name, association, options, block)
end
end
- def fields_for_nested_model(name, object, args, block)
+ def fields_for_nested_model(name, object, options, block)
+ object = object.to_model if object.respond_to?(:to_model)
+
if object.new_record?
- @template.fields_for(name, object, *args, &block)
+ @template.fields_for(name, object, options, &block)
else
- @template.fields_for(name, object, *args) do |builder|
+ @template.fields_for(name, object, options) do |builder|
block.call(builder)
@template.concat builder.hidden_field(:id) unless builder.emitted_hidden_id?
end
diff --git a/actionpack/lib/action_view/helpers/form_tag_helper.rb b/actionpack/lib/action_view/helpers/form_tag_helper.rb
index ba1b0bcc20..6ed6c3101b 100644
--- a/actionpack/lib/action_view/helpers/form_tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_tag_helper.rb
@@ -441,8 +441,8 @@ module ActionView
# # => <fieldset class="format"><p><input id="name" name="name" type="text" /></p></fieldset>
def field_set_tag(legend = nil, options = nil, &block)
content = capture(&block)
- concat(tag(:fieldset, options, true))
- concat(content_tag(:legend, legend)) unless legend.blank?
+ safe_concat(tag(:fieldset, options, true))
+ safe_concat(content_tag(:legend, legend)) unless legend.blank?
concat(content)
safe_concat("</fieldset>")
end
@@ -477,7 +477,7 @@ module ActionView
def form_tag_in_block(html_options, &block)
content = capture(&block)
- concat(form_tag_html(html_options))
+ safe_concat(form_tag_html(html_options))
concat(content)
safe_concat("</form>")
end
diff --git a/actionpack/lib/action_view/helpers/javascript_helper.rb b/actionpack/lib/action_view/helpers/javascript_helper.rb
index 7dca9849c0..8fdaa8cf8d 100644
--- a/actionpack/lib/action_view/helpers/javascript_helper.rb
+++ b/actionpack/lib/action_view/helpers/javascript_helper.rb
@@ -86,7 +86,7 @@ module ActionView
tag = content_tag(:script, javascript_cdata_section(content), html_options.merge(:type => Mime::JS))
if block_called_from_erb?(block)
- concat(tag)
+ safe_concat(tag)
else
tag
end
diff --git a/actionpack/lib/action_view/helpers/tag_helper.rb b/actionpack/lib/action_view/helpers/tag_helper.rb
index ed80e07c78..a3a8185f40 100644
--- a/actionpack/lib/action_view/helpers/tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/tag_helper.rb
@@ -72,7 +72,7 @@ module ActionView
content_tag = content_tag_string(name, capture(&block), options, escape)
if block_called_from_erb?(block)
- concat(content_tag)
+ safe_concat(content_tag)
else
content_tag
end
diff --git a/actionpack/lib/action_view/helpers/text_helper.rb b/actionpack/lib/action_view/helpers/text_helper.rb
index 2e02f6637a..644f34dbbe 100644
--- a/actionpack/lib/action_view/helpers/text_helper.rb
+++ b/actionpack/lib/action_view/helpers/text_helper.rb
@@ -187,7 +187,7 @@ module ActionView
# pluralize(0, 'person')
# # => 0 people
def pluralize(count, singular, plural = nil)
- "#{count || 0} " + ((count == 1 || count == '1') ? singular : (plural || singular.pluralize))
+ "#{count || 0} " + ((count == 1 || count =~ /^1(\.0+)?$/) ? singular : (plural || singular.pluralize))
end
# Wraps the +text+ into lines no longer than +line_width+ width. This method
@@ -327,12 +327,12 @@ module ActionView
# # => "<p class='description'>Look ma! A class!</p>"
def simple_format(text, html_options={})
start_tag = tag('p', html_options, true)
- text = text.to_s.dup
+ text = h(text)
text.gsub!(/\r\n?/, "\n") # \r\n and \r -> \n
text.gsub!(/\n\n+/, "</p>\n\n#{start_tag}") # 2+ newline -> paragraph
text.gsub!(/([^\n]\n)(?=[^\n])/, '\1<br />') # 1 newline -> br
text.insert 0, start_tag
- text << "</p>"
+ text.safe_concat("</p>")
end
# Turns all URLs and e-mail addresses into clickable links. The <tt>:link</tt> option
diff --git a/actionpack/lib/action_view/render/rendering.rb b/actionpack/lib/action_view/render/rendering.rb
index 7c33f1334a..abc7c09991 100644
--- a/actionpack/lib/action_view/render/rendering.rb
+++ b/actionpack/lib/action_view/render/rendering.rb
@@ -19,7 +19,7 @@ module ActionView
options[:locals] ||= {}
if block_given?
- return concat(_render_partial(options.merge(:partial => layout), &block))
+ return safe_concat(_render_partial(options.merge(:partial => layout), &block))
elsif options.key?(:partial)
return _render_partial(options)
end
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-15 19:05:29 +0000