Diffstat (limited to 'actionpack/lib')
-rw-r--r-- | actionpack/lib/action_view/helpers/form_helper.rb | 7 | ||||
-rw-r--r-- | actionpack/lib/action_view/helpers/form_tag_helper.rb | 24 | ||||
-rw-r--r-- | actionpack/lib/action_view/helpers/tag_helper.rb | 6 | ||||
-rw-r--r-- | actionpack/lib/action_view/railtie.rb | 8 |
4 files changed, 33 insertions, 12 deletions
diff --git a/actionpack/lib/action_view/helpers/form_helper.rb b/actionpack/lib/action_view/helpers/form_helper.rb index 2267f3c185..252fe1ed03 100644 --- a/actionpack/lib/action_view/helpers/form_helper.rb +++ b/actionpack/lib/action_view/helpers/form_helper.rb @@ -656,15 +656,16 @@ module ActionView # 'Accept <a href="/terms">Terms</a>.'.html_safe # end def label(object_name, method, content_or_options = nil, options = nil, &block) + options ||= {} + content_is_options = content_or_options.is_a?(Hash) if content_is_options || block_given? - options = content_or_options if content_is_options + options.merge!(content_or_options) if content_is_options text = nil else text = content_or_options end - options ||= {} InstanceTag.new(object_name, method, self, options.delete(:object)).to_label_tag(text, options, &block) end @@ -1072,7 +1073,7 @@ module ActionView options["cols"], options["rows"] = size.split("x") if size.respond_to?(:split) end - content_tag("textarea", "\n#{options.delete('value') || value_before_type_cast(object)}", options) + content_tag("textarea", options.delete('value') || value_before_type_cast(object), options) end def to_check_box_tag(options = {}, checked_value = "1", unchecked_value = "0") diff --git a/actionpack/lib/action_view/helpers/form_tag_helper.rb b/actionpack/lib/action_view/helpers/form_tag_helper.rb index 4ce878f26a..066b98d4a2 100644 --- a/actionpack/lib/action_view/helpers/form_tag_helper.rb +++ b/actionpack/lib/action_view/helpers/form_tag_helper.rb @@ -2,6 +2,7 @@ require 'cgi' require 'action_view/helpers/tag_helper' require 'active_support/core_ext/object/blank' require 'active_support/core_ext/string/output_safety' +require 'active_support/core_ext/module/attribute_accessors' module ActionView # = Action View Form Tag Helpers 
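Review bot: In `label`, `options.merge!(content_or_options)` writes the content hash into the hash the caller passed as the fourth argument, so a caller that reuses one options hash across several `label` calls carries keys from one call into the next. A non-mutating merge avoids that: `options = options.merge(content_or_options) if content_is_options`; the later `options.delete(:object)` then acts on the copy in that branch. A one-line comment stating that keys in `content_or_options` win over `options` on conflict would document the precedence this merge introduces.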
@@ -17,6 +18,9 @@ module ActionView include UrlHelper include TextHelper + mattr_accessor :embed_authenticity_token_in_remote_forms + self.embed_authenticity_token_in_remote_forms = true + # Starts a form tag that points the action to an url configured with <tt>url_for_options</tt> just like # ActionController::Base#url_for. The method for the form defaults to POST. # @@ -27,9 +31,11 @@ module ActionView # is added to simulate the verb over post. # * <tt>:authenticity_token</tt> - Authenticity token to use in the form. Use only if you need to # pass custom authenticity token string, or to not add authenticity_token field at all - # (by passing <tt>false</tt>). If this is a remote form, the authenticity_token will by default - # not be included as the ajax handler will get it from the meta-tag (but you can force it to be - # rendered anyway in that case by passing <tt>true</tt>). + # (by passing <tt>false</tt>). Remote forms may omit the embedded authenticity token + # by setting <tt>config.action_view.embed_authenticity_token_in_remote_forms = false</tt>. + # This is helpful when you're fragment-caching the form. Remote forms get the + # authenticity from the <tt>meta</tt> tag, so embedding is unnecessary unless you + # support browsers without JavaScript. # * A list of parameters to feed to the URL the form will be posted to. # * <tt>:remote</tt> - If set to true, will allow the Unobtrusive JavaScript drivers to control the # submit behavior. By default this behavior is an ajax submit. 
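Review bot: `mattr_accessor :embed_authenticity_token_in_remote_forms` in the first hunk defines an instance-level writer as well as the module-level one. This is a helper module, presumably mixed into view contexts, so any template or helper could change a CSRF-related setting for the whole process. Only the reader is needed at instance level, so `mattr_accessor :embed_authenticity_token_in_remote_forms, :instance_writer => false` keeps the setting writable through the module alone. The module body continues outside the hunk.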
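Review bot: The rewritten `:authenticity_token` documentation in the second hunk no longer says that passing `true` forces the token into a remote form, yet that per-form override is how a single form embeds the token once the global setting is `false`. Suggest keeping a sentence such as `# Pass <tt>true</tt> to embed the token in one remote form even when embedding is disabled globally.` The phrase "get the authenticity from the <tt>meta</tt> tag" also appears to be missing the word "token". The comment block starts and ends outside the hunk.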
@@ -611,16 +617,18 @@ module ActionView # responsibility of the caller to escape all the values. html_options["action"] = url_for(url_for_options) html_options["accept-charset"] = "UTF-8" - + html_options["data-remote"] = true if html_options.delete("remote") - if html_options["data-remote"] && html_options["authenticity_token"] == true + if html_options["data-remote"] && + !embed_authenticity_token_in_remote_forms && + html_options["authenticity_token"].blank? + # The authenticity token is taken from the meta tag in this case + html_options["authenticity_token"] = false + elsif html_options["authenticity_token"] == true # Include the default authenticity_token, which is only generated when its set to nil, # but we needed the true value to override the default of no authenticity_token on data-remote. html_options["authenticity_token"] = nil - elsif html_options["data-remote"] - # The authenticity token is taken from the meta tag in this case - html_options["authenticity_token"] = false end end end diff --git a/actionpack/lib/action_view/helpers/tag_helper.rb b/actionpack/lib/action_view/helpers/tag_helper.rb index 8c33ef09fa..2b0dd96435 100644 --- a/actionpack/lib/action_view/helpers/tag_helper.rb +++ b/actionpack/lib/action_view/helpers/tag_helper.rb @@ -17,6 +17,10 @@ module ActionView autofocus novalidate formnovalidate open pubdate).to_set BOOLEAN_ATTRIBUTES.merge(BOOLEAN_ATTRIBUTES.map {|attribute| attribute.to_sym }) + PRE_CONTENT_STRINGS = { + :textarea => "\n" + } + # Returns an empty HTML tag of type +name+ which by default is XHTML # compliant. Set +open+ to true to create an open tag compatible # with HTML 4.0 and below. Add HTML attributes by passing an attributes 
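Review bot: With the setting defaulting to `true`, the reworked `data-remote` condition in the first hunk embeds the session-bound token in every remote form. A remote form inside a fragment cache shared between users would therefore store one session's token in cached markup. The documentation mentions caching only as a convenience, so the comment above the branch or the upgrade notes should say that cached remote forms need the setting turned off. The branch also relies on `.blank?`, so `nil`, `false` and `""` all follow the global setting while `true` or a custom string always embeds; a comment would make that explicit: `# Explicit true or a custom token string always embeds; a blank option follows the global setting.` The enclosing method starts outside the hunk.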
@@ -125,7 +129,7 @@ module ActionView def content_tag_string(name, content, options, escape = true) tag_options = tag_options(options, escape) if options - "<#{name}#{tag_options}>#{escape ? ERB::Util.h(content) : content}</#{name}>".html_safe + "<#{name}#{tag_options}>#{PRE_CONTENT_STRINGS[name.to_sym]}#{escape ? ERB::Util.h(content) : content}</#{name}>".html_safe end def tag_options(options, escape = true) diff --git a/actionpack/lib/action_view/railtie.rb b/actionpack/lib/action_view/railtie.rb index 80391d72cc..5086fdc6a3 100644 --- a/actionpack/lib/action_view/railtie.rb +++ b/actionpack/lib/action_view/railtie.rb @@ -7,6 +7,14 @@ module ActionView config.action_view = ActiveSupport::OrderedOptions.new config.action_view.stylesheet_expansions = {} config.action_view.javascript_expansions = { :defaults => %w(jquery jquery_ujs) } + config.action_view.embed_authenticity_token_in_remote_forms = true + + initializer "action_view.embed_authenticity_token_in_remote_forms" do |app| + ActiveSupport.on_load(:action_view) do + ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = + app.config.action_view.delete(:embed_authenticity_token_in_remote_forms) + end + end initializer "action_view.cache_asset_ids" do |app| unless app.config.cache_classes |
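Review bot: `PRE_CONTENT_STRINGS[name.to_sym]` in `content_tag_string` converts every tag name to a symbol. On Ruby versions that do not garbage-collect symbols, that grows the symbol table permanently if a tag name is ever derived from request data. Keying the table by string avoids the conversion: `PRE_CONTENT_STRINGS = { 'textarea' => "\n" }.freeze` in the constant's hunk of tag_helper.rb and `PRE_CONTENT_STRINGS[name.to_s]` here. Freezing also stops the table being altered at runtime. A short comment on the constant saying why a textarea needs the leading newline (browsers drop the first newline of its content) would record the intent.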
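Review bot: In the new `action_view.embed_authenticity_token_in_remote_forms` initializer, the result of `app.config.action_view.delete(...)` is assigned unchecked. If the key is absent when the block runs (the `on_load` block firing a second time, or an app replacing `config.action_view`), the setting silently becomes `nil` and remote forms lose their embedded token. Guarding the assignment keeps the module default: `value = app.config.action_view.delete(:embed_authenticity_token_in_remote_forms)` followed by `ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = value unless value.nil?`. A comment saying why the key is deleted rather than read would also help, since the reason is not visible in this hunk. The railtie class continues outside the hunk.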