7 files changed, 31 insertions, 19 deletions

diff --git a/actionpack/lib/action_controller/flash.rb b/actionpack/lib/action_controller/flash.rb
index 692168f230..0148fb5c04 100644
--- a/actionpack/lib/action_controller/flash.rb
+++ b/actionpack/lib/action_controller/flash.rb
@@ -28,7 +28,6 @@ module ActionController #:nodoc:
       base.class_eval do
         include InstanceMethods
         alias_method_chain :assign_shortcuts, :flash
-        alias_method_chain :process_cleanup,  :flash
         alias_method_chain :reset_session,    :flash
       end
     end
@@ -166,11 +165,7 @@ module ActionController #:nodoc:
         def assign_shortcuts_with_flash(request, response) #:nodoc:
           assign_shortcuts_without_flash(request, response)
           flash(:refresh)
-        end
-    
-        def process_cleanup_with_flash
-          flash.sweep if @_session
-          process_cleanup_without_flash
+          flash.sweep if @_session && !component_request?
         end
     end
   end
diff --git a/actionpack/lib/action_controller/record_identifier.rb b/actionpack/lib/action_controller/record_identifier.rb
index 22dbc8bbc5..643ff7e5f4 100644
--- a/actionpack/lib/action_controller/record_identifier.rb
+++ b/actionpack/lib/action_controller/record_identifier.rb
@@ -33,11 +33,17 @@ module ActionController
 
     # Returns plural/singular for a record or class. Example:
     #
-    #   partial_path(post)   # => "posts/post"
-    #   partial_path(Person) # => "people/person"
-    def partial_path(record_or_class)
+    #   partial_path(post)                   # => "posts/post"
+    #   partial_path(Person)                 # => "people/person"
+    #   partial_path(Person, "admin/games")  # => "admin/people/person"
+    def partial_path(record_or_class, controller_path = nil)
       klass = class_from_record_or_class(record_or_class)
-      "#{klass.name.tableize}/#{klass.name.demodulize.underscore}"
+
+      if controller_path && controller_path.include?("/")
+        "#{File.dirname(controller_path)}/#{klass.name.tableize}/#{klass.name.demodulize.underscore}"
+      else
+        "#{klass.name.tableize}/#{klass.name.demodulize.underscore}"
+      end
     end
 
     # The DOM class convention is to use the singular form of an object or class. Examples:
diff --git a/actionpack/lib/action_controller/request_forgery_protection.rb b/actionpack/lib/action_controller/request_forgery_protection.rb
index 5daf14eb30..139e91ecf9 100644
--- a/actionpack/lib/action_controller/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/request_forgery_protection.rb
@@ -105,12 +105,12 @@ module ActionController #:nodoc:
       # Sets the token value for the current session.  Pass a <tt>:secret</tt> option
       # in +protect_from_forgery+ to add a custom salt to the hash.
       def form_authenticity_token
-        @form_authenticity_token ||= if request_forgery_protection_options[:secret]
+        @form_authenticity_token ||= if !session.respond_to?(:session_id)
+          raise InvalidAuthenticityToken, "Request Forgery Protection requires a valid session.  Use #allow_forgery_protection to disable it, or use a valid session."
+        elsif request_forgery_protection_options[:secret]
           authenticity_token_from_session_id
         elsif session.respond_to?(:dbman) && session.dbman.respond_to?(:generate_digest)
           authenticity_token_from_cookie_session
-        elsif session.nil?
-          raise InvalidAuthenticityToken, "Request Forgery Protection requires a valid session.  Use #allow_forgery_protection to disable it, or use a valid session."
         else
           raise InvalidAuthenticityToken, "No :secret given to the #protect_from_forgery call.  Set that or use a session store capable of generating its own keys (Cookie Session Store)."
         end
diff --git a/actionpack/lib/action_controller/routing/segments.rb b/actionpack/lib/action_controller/routing/segments.rb
index 24ea8c7f2d..b142d18b47 100644
--- a/actionpack/lib/action_controller/routing/segments.rb
+++ b/actionpack/lib/action_controller/routing/segments.rb
@@ -244,11 +244,12 @@ module ActionController
     end
 
     class PathSegment < DynamicSegment #:nodoc:
-      RESERVED_PCHAR = "#{Segment::RESERVED_PCHAR}/"
-      UNSAFE_PCHAR = Regexp.new("[^#{URI::REGEXP::PATTERN::UNRESERVED}#{RESERVED_PCHAR}]", false, 'N').freeze
-
       def interpolation_chunk(value_code = "#{local_name}")
-        "\#{URI.escape(#{value_code}.to_s, ActionController::Routing::PathSegment::UNSAFE_PCHAR)}"
+        "\#{#{value_code}}"
+      end
+
+      def extract_value
+        "#{local_name} = hash[:#{key}] && hash[:#{key}].collect { |path_component| URI.escape(path_component, ActionController::Routing::Segment::UNSAFE_PCHAR) }.to_param #{"|| #{default.inspect}" if default}"
       end
 
       def default
diff --git a/actionpack/lib/action_controller/session_management.rb b/actionpack/lib/action_controller/session_management.rb
index 8680104420..80a3ddd2c5 100644
--- a/actionpack/lib/action_controller/session_management.rb
+++ b/actionpack/lib/action_controller/session_management.rb
@@ -69,11 +69,16 @@ module ActionController #:nodoc:
       #   session :off, 
       #     :if => Proc.new { |req| !(req.format.html? || req.format.js?) }
       #
+      #   # turn the session back on, useful when it was turned off in the
+      #   # application controller, and you need it on in another controller
+      #   session :on
+      #
       # All session options described for ActionController::Base.process_cgi
       # are valid arguments.
       def session(*args)
         options = args.extract_options!
 
+        options[:disabled] = false if args.delete(:on)
         options[:disabled] = true if !args.empty?
         options[:only] = [*options[:only]].map { |o| o.to_s } if options[:only]
         options[:except] = [*options[:except]].map { |o| o.to_s } if options[:except]
diff --git a/actionpack/lib/action_view/helpers/sanitize_helper.rb b/actionpack/lib/action_view/helpers/sanitize_helper.rb
index 3129ff414e..6c0a7ec25c 100644
--- a/actionpack/lib/action_view/helpers/sanitize_helper.rb
+++ b/actionpack/lib/action_view/helpers/sanitize_helper.rb
@@ -48,6 +48,11 @@ module ActionView
       #     config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style'
       #   end
       # 
+      # Please note that sanitizing user-provided text does not guarantee that the
+      # resulting markup is valid (conforming to a document type) or even well-formed.
+      # The output may still contain e.g. unescaped '<', '>', '&' characters and
+      # confuse browsers.
+      #
       def sanitize(html, options = {})
         self.class.white_list_sanitizer.sanitize(html, options)
       end
diff --git a/actionpack/lib/action_view/partials.rb b/actionpack/lib/action_view/partials.rb
index a708ecb3fb..6b294be6bd 100644
--- a/actionpack/lib/action_view/partials.rb
+++ b/actionpack/lib/action_view/partials.rb
@@ -119,7 +119,7 @@ module ActionView
             ""
           end
         else
-          render_partial(ActionController::RecordIdentifier.partial_path(partial_path), partial_path, local_assigns)
+          render_partial(ActionController::RecordIdentifier.partial_path(partial_path, controller.class.controller_path), partial_path, local_assigns)
         end
       end
 
@@ -147,7 +147,7 @@ module ActionView
         templates = Hash.new
         i = 0
         collection.map do |element|
-          partial_path = ActionController::RecordIdentifier.partial_path(element)
+          partial_path = ActionController::RecordIdentifier.partial_path(element, controller.class.controller_path)
           template = templates[partial_path] ||= ActionView::PartialTemplate.new(self, partial_path, nil, local_assigns)
           template.counter = i
           i += 1