13 files changed, 98 insertions, 144 deletions

diff --git a/actionview/lib/action_view/helpers/atom_feed_helper.rb b/actionview/lib/action_view/helpers/atom_feed_helper.rb
index 227ad4cdfa..d8be4e5678 100644
--- a/actionview/lib/action_view/helpers/atom_feed_helper.rb
+++ b/actionview/lib/action_view/helpers/atom_feed_helper.rb
@@ -174,7 +174,7 @@ module ActionView
         #
         # * <tt>:published</tt>: Time first published. Defaults to the created_at attribute on the record if one such exists.
         # * <tt>:updated</tt>: Time of update. Defaults to the updated_at attribute on the record if one such exists.
-        # * <tt>:url</tt>: The URL for this entry. Defaults to the polymorphic_url for the record.
+        # * <tt>:url</tt>: The URL for this entry or false or nil for not having a link tag. Defaults to the polymorphic_url for the record.
         # * <tt>:id</tt>: The ID for this entry. Defaults to "tag:#{@view.request.host},#{@feed_options[:schema_date]}:#{record.class}/#{record.id}"
         # * <tt>:type</tt>: The TYPE for this entry. Defaults to "text/html".
         def entry(record, options = {})
@@ -191,7 +191,8 @@ module ActionView
 
             type = options.fetch(:type, 'text/html')
 
-            @xml.link(:rel => 'alternate', :type => type, :href => options[:url] || @view.polymorphic_url(record))
+            url = options.fetch(:url) { @view.polymorphic_url(record) }
+            @xml.link(:rel => 'alternate', :type => type, :href => url) if url
 
             yield AtomBuilder.new(@xml)
           end
diff --git a/actionview/lib/action_view/helpers/date_helper.rb b/actionview/lib/action_view/helpers/date_helper.rb
index 4b4f0ae577..46ce7cf0be 100644
--- a/actionview/lib/action_view/helpers/date_helper.rb
+++ b/actionview/lib/action_view/helpers/date_helper.rb
@@ -177,6 +177,8 @@ module ActionView
       #   and +:name+ (string). A format string would be something like "%{name} (%<number>02d)" for example.
       #   See <tt>Kernel.sprintf</tt> for documentation on format sequences.
       # * <tt>:date_separator</tt>    - Specifies a string to separate the date fields. Default is "" (i.e. nothing).
+      # * <tt>:time_separator</tt>    - Specifies a string to separate the time fields. Default is "" (i.e. nothing).
+      # * <tt>:datetime_separator</tt>- Specifies a string to separate the date and time fields. Default is "" (i.e. nothing).
       # * <tt>:start_year</tt>        - Set the start year for the year select. Default is <tt>Date.today.year - 5</tt> if
       #   you are creating new record. While editing existing record, <tt>:start_year</tt> defaults to
       #   the current selected year minus 5.
diff --git a/actionview/lib/action_view/helpers/form_tag_helper.rb b/actionview/lib/action_view/helpers/form_tag_helper.rb
index 93c04fbec6..8bb243b8b7 100644
--- a/actionview/lib/action_view/helpers/form_tag_helper.rb
+++ b/actionview/lib/action_view/helpers/form_tag_helper.rb
@@ -777,10 +777,10 @@ module ActionView
       #   # => <input id="quantity" name="quantity" min="1" max="9" type="number" />
       #
       #   number_field_tag 'quantity', nil, min: 1, max: 10
-      #   # => <input id="quantity" name="quantity" min="1" max="9" type="number" />
+      #   # => <input id="quantity" name="quantity" min="1" max="10" type="number" />
       #
       #   number_field_tag 'quantity', nil, min: 1, max: 10, step: 2
-      #   # => <input id="quantity" name="quantity" min="1" max="9" step="2" type="number" />
+      #   # => <input id="quantity" name="quantity" min="1" max="10" step="2" type="number" />
       #
       #   number_field_tag 'quantity', '1', class: 'special_input', disabled: true
       #   # => <input disabled="disabled" class="special_input" id="quantity" name="quantity" type="number" value="1" />
diff --git a/actionview/lib/action_view/helpers/sanitize_helper.rb b/actionview/lib/action_view/helpers/sanitize_helper.rb
index 7cb55cc214..463a4e9f60 100644
--- a/actionview/lib/action_view/helpers/sanitize_helper.rb
+++ b/actionview/lib/action_view/helpers/sanitize_helper.rb
@@ -1,5 +1,4 @@
 require 'active_support/core_ext/object/try'
-require 'active_support/deprecation'
 require 'rails-html-sanitizer'
 
 module ActionView
@@ -9,76 +8,77 @@ module ActionView
     # These helper methods extend Action View making them callable within your template files.
     module SanitizeHelper
       extend ActiveSupport::Concern
-      # This +sanitize+ helper will HTML encode all tags and strip all attributes that
-      # aren't specifically allowed.
+      # Sanitizes HTML input, stripping all tags and attributes that aren't whitelisted.
       #
-      # It also strips href/src tags with invalid protocols, like javascript: especially.
-      # It does its best to counter any  tricks that hackers may use, like throwing in
-      # unicode/ascii/hex values to get past the javascript: filters. Check out
-      # the extensive test suite.
+      # It also strips href/src attributes with unsafe protocols like
+      # <tt>javascript:</tt>, while also protecting against attempts to use Unicode,
+      # ASCII, and hex character references to work around these protocol filters.
       #
-      #   <%= sanitize @article.body %>
+      # The default sanitizer is Rails::Html::WhiteListSanitizer. See {Rails HTML
+      # Sanitizers}[https://github.com/rails/rails-html-sanitizer] for more information.
       #
-      # You can add or remove tags/attributes if you want to customize it a bit.
-      # See ActionView::Base for full docs on the available options. You can add
-      # tags/attributes for single uses of +sanitize+ by passing either the
-      # <tt>:attributes</tt> or <tt>:tags</tt> options:
+      # Custom sanitization rules can also be provided.
       #
-      # Normal Use
-      #
-      #   <%= sanitize @article.body %>
+      # Please note that sanitizing user-provided text does not guarantee that the
+      # resulting markup is valid or even well-formed. For example, the output may still
+      # contain unescaped characters like <tt><</tt>, <tt>></tt>, or <tt>&</tt>.
       #
-      # Custom Use - Custom Scrubber
-      # (supply a Loofah::Scrubber that does the sanitization)
+      # ==== Options
       #
-      # scrubber can either wrap a block:
-      # scrubber = Loofah::Scrubber.new do |node|
-      #   node.text = "dawn of cats"
-      # end
+      # * <tt>:tags</tt> - An array of allowed tags.
+      # * <tt>:attributes</tt> - An array of allowed attributes.
+      # * <tt>:scrubber</tt> - A {Rails::Html scrubber}[https://github.com/rails/rails-html-sanitizer]
+      #   or {Loofah::Scrubber}[https://github.com/flavorjones/loofah] object that
+      #   defines custom sanitization rules. A custom scrubber takes precedence over
+      #   custom tags and attributes.
       #
-      # or be a subclass of Loofah::Scrubber which responds to scrub:
-      # class KittyApocalypse < Loofah::Scrubber
-      #   def scrub(node)
-      #     node.text = "dawn of cats"
-      #   end
-      # end
-      # scrubber = KittyApocalypse.new
+      # ==== Examples
       #
-      # <%= sanitize @article.body, scrubber: scrubber %>
+      # Normal use:
       #
-      # A custom scrubber takes precedence over custom tags and attributes
-      # Learn more about scrubbers here: https://github.com/flavorjones/loofah
+      #   <%= sanitize @comment.body %>
       #
-      # Custom Use - tags and attributes
-      # (only the mentioned tags and attributes are allowed, nothing else)
+      # Providing custom whitelisted tags and attributes:
       #
-      #   <%= sanitize @article.body, tags: %w(table tr td), attributes: %w(id class style) %>
+      #   <%= sanitize @comment.body, tags: %w(strong em a), attributes: %w(href) %>
       #
-      # Add table tags to the default allowed tags
+      # Providing a custom Rails::Html scrubber:
       #
-      #   class Application < Rails::Application
-      #     config.action_view.sanitized_allowed_tags = ['table', 'tr', 'td']
-      #   end
+      #   class CommentScrubber < Rails::Html::PermitScrubber
+      #     def allowed_node?(node)
+      #       !%w(form script comment blockquote).include?(node.name)
+      #     end
       #
-      # Remove tags to the default allowed tags
+      #     def skip_node?(node)
+      #       node.text?
+      #     end
       #
-      #   class Application < Rails::Application
-      #     config.after_initialize do
-      #       ActionView::Base.sanitized_allowed_tags.delete 'div'
+      #     def scrub_attribute?(name)
+      #       name == 'style'
       #     end
       #   end
       #
-      # Change allowed default attributes
+      #   <%= sanitize @comment.body, scrubber: CommentScrubber.new %>
+      #
+      # See {Rails HTML Sanitizer}[https://github.com/rails/rails-html-sanitizer] for
+      # documentation about Rails::Html scrubbers.
       #
-      #   class Application < Rails::Application
-      #     config.action_view.sanitized_allowed_attributes = ['id', 'class', 'style']
+      # Providing a custom Loofah::Scrubber:
+      #
+      #   scrubber = Loofah::Scrubber.new do |node|
+      #     node.remove if node.name == 'script'
       #   end
       #
-      # Please note that sanitizing user-provided text does not guarantee that the
-      # resulting markup is valid (conforming to a document type) or even well-formed.
-      # The output may still contain e.g. unescaped '<', '>', '&' characters and
-      # confuse browsers.
+      #   <%= sanitize @comment.body, scrubber: scrubber %>
+      #
+      # See {Loofah's documentation}[https://github.com/flavorjones/loofah] for more
+      # information about defining custom Loofah::Scrubber objects.
       #
+      # To set the default allowed tags or attributes across your application:
+      #
+      #   # In config/application.rb
+      #   config.action_view.sanitized_allowed_tags = ['strong', 'em', 'a']
+      #   config.action_view.sanitized_allowed_attributes = ['href', 'title']
       def sanitize(html, options = {})
         self.class.white_list_sanitizer.sanitize(html, options).try(:html_safe)
       end
@@ -88,9 +88,7 @@ module ActionView
         self.class.white_list_sanitizer.sanitize_css(style)
       end
 
-      # Strips all HTML tags from the +html+, including comments. This uses
-      # Nokogiri for tokenization (via Loofah) and so its HTML parsing ability
-      # is limited by that of Nokogiri.
+      # Strips all HTML tags from +html+, including comments.
       #
       #   strip_tags("Strip <i>these</i> tags!")
       #   # => Strip these tags!
@@ -104,7 +102,7 @@ module ActionView
         self.class.full_sanitizer.sanitize(html)
       end
 
-      # Strips all link tags from +text+ leaving just the link text.
+      # Strips all link tags from +html+ leaving just the link text.
       #
       #   strip_links('<a href="http://www.rubyonrails.org">Ruby on Rails</a>')
       #   # => Ruby on Rails
@@ -167,30 +165,6 @@ module ActionView
         def white_list_sanitizer
           @white_list_sanitizer ||= sanitizer_vendor.white_list_sanitizer.new
         end
-
-        ##
-        # :method: sanitized_allowed_tags=
-        #
-        # :call-seq: sanitized_allowed_tags=(tags)
-        #
-        # Replaces the allowed tags for the +sanitize+ helper.
-        #
-        #   class Application < Rails::Application
-        #     config.action_view.sanitized_allowed_tags = ['table', 'tr', 'td']
-        #   end
-        #
-
-        ##
-        # :method: sanitized_allowed_attributes=
-        #
-        # :call-seq: sanitized_allowed_attributes=(attributes)
-        #
-        # Replaces the allowed HTML attributes for the +sanitize+ helper.
-        #
-        #   class Application < Rails::Application
-        #     config.action_view.sanitized_allowed_attributes = ['onclick', 'longdesc']
-        #   end
-        #
       end
     end
   end
diff --git a/actionview/lib/action_view/helpers/tags/base.rb b/actionview/lib/action_view/helpers/tags/base.rb
index f8abb19698..7740c60eac 100644
--- a/actionview/lib/action_view/helpers/tags/base.rb
+++ b/actionview/lib/action_view/helpers/tags/base.rb
@@ -32,12 +32,19 @@ module ActionView
           unless object.nil?
             method_before_type_cast = @method_name + "_before_type_cast"
 
-            object.respond_to?(method_before_type_cast) ?
-              object.send(method_before_type_cast) :
+            if value_came_from_user?(object) && object.respond_to?(method_before_type_cast)
+              object.public_send(method_before_type_cast)
+            else
               value(object)
+            end
           end
         end
 
+        def value_came_from_user?(object)
+          method_name = "#{@method_name}_came_from_user?"
+          !object.respond_to?(method_name) || object.public_send(method_name)
+        end
+
         def retrieve_object(object)
           if object
             object
diff --git a/actionview/lib/action_view/helpers/translation_helper.rb b/actionview/lib/action_view/helpers/translation_helper.rb
index 8324f12a88..342361217c 100644
--- a/actionview/lib/action_view/helpers/translation_helper.rb
+++ b/actionview/lib/action_view/helpers/translation_helper.rb
@@ -40,12 +40,14 @@ module ActionView
         remaining_defaults = Array(options.delete(:default))
         options[:default] = remaining_defaults.shift if remaining_defaults.first.kind_of? String
 
-        # If the user has specified rescue_format then pass it all through, otherwise use
-        # raise and do the work ourselves
-        options[:raise] ||= ActionView::Base.raise_on_missing_translations
-
-        raise_error = options[:raise] || options.key?(:rescue_format)
-        unless raise_error
+        # If the user has explicitly decided to NOT raise errors, pass that option to I18n.
+        # Otherwise, tell I18n to raise an exception, which we rescue further in this method.
+        # Note: `raise_error` refers to us re-raising the error in this method. I18n is forced to raise by default.
+        if options[:raise] == false || (options.key?(:rescue_format) && options[:rescue_format].nil?)
+          raise_error = false
+          options[:raise] = false
+        else
+          raise_error = options[:raise] || options[:rescue_format] || ActionView::Base.raise_on_missing_translations
           options[:raise] = true
         end
 
diff --git a/actionview/lib/action_view/model_naming.rb b/actionview/lib/action_view/model_naming.rb
index d42e436b17..b6ed13424e 100644
--- a/actionview/lib/action_view/model_naming.rb
+++ b/actionview/lib/action_view/model_naming.rb
@@ -1,5 +1,5 @@
 module ActionView
-  module ModelNaming
+  module ModelNaming #:nodoc:
     # Converts the given object to an ActiveModel compliant one.
     def convert_to_model(object)
       object.respond_to?(:to_model) ? object.to_model : object
diff --git a/actionview/lib/action_view/record_identifier.rb b/actionview/lib/action_view/record_identifier.rb
index c8484bed34..6c6e69101b 100644
--- a/actionview/lib/action_view/record_identifier.rb
+++ b/actionview/lib/action_view/record_identifier.rb
@@ -103,7 +103,7 @@ module ActionView
     # make sure yourself that your dom ids are valid, in case you overwrite this method.
     def record_key_for_dom_id(record)
       key = convert_to_model(record).to_key
-      key ? key.join('_') : key
+      key ? key.join(JOIN) : key
     end
   end
 end
diff --git a/actionview/lib/action_view/renderer/partial_renderer.rb b/actionview/lib/action_view/renderer/partial_renderer.rb
index 610396506f..6c3015180a 100644
--- a/actionview/lib/action_view/renderer/partial_renderer.rb
+++ b/actionview/lib/action_view/renderer/partial_renderer.rb
@@ -73,7 +73,7 @@ module ActionView
   #
   #   <%= render partial: "account", locals: { user: @buyer } %>
   #
-  # == Rendering a collection of partials
+  # == \Rendering a collection of partials
   #
   # The example of partial use describes a familiar pattern where a template needs to iterate over an array and
   # render a sub template for each of the elements. This pattern has been implemented as a single method that
@@ -105,7 +105,7 @@ module ActionView
   # NOTE: Due to backwards compatibility concerns, the collection can't be one of hashes. Normally you'd also
   # just keep domain objects, like Active Records, in there.
   #
-  # == Rendering shared partials
+  # == \Rendering shared partials
   #
   # Two controllers can share a set of partials and render them like this:
   #
@@ -113,7 +113,7 @@ module ActionView
   #
   # This will render the partial "advertisement/_ad.html.erb" regardless of which controller this is being called from.
   #
-  # == Rendering objects that respond to `to_partial_path`
+  # == \Rendering objects that respond to `to_partial_path`
   #
   # Instead of explicitly naming the location of a partial, you can also let PartialRenderer do the work
   # and pick the proper path by checking `to_partial_path` method.
@@ -127,7 +127,7 @@ module ActionView
   #  # <%= render partial: "posts/post", collection: @posts %>
   #  <%= render partial: @posts %>
   #
-  # == Rendering the default case
+  # == \Rendering the default case
   #
   # If you're not going to be using any of the options like collections or layouts, you can also use the short-hand
   # defaults of render to render partials. Examples:
@@ -147,7 +147,7 @@ module ActionView
   #  # <%= render partial: "posts/post", collection: @posts %>
   #  <%= render @posts %>
   #
-  # == Rendering partials with layouts
+  # == \Rendering partials with layouts
   #
   # Partials can have their own layouts applied to them. These layouts are different than the ones that are
   # specified globally for the entire action, but they work in a similar fashion. Imagine a list with two types
diff --git a/actionview/lib/action_view/rendering.rb b/actionview/lib/action_view/rendering.rb
index abd3b77c67..1e8e7415d1 100644
--- a/actionview/lib/action_view/rendering.rb
+++ b/actionview/lib/action_view/rendering.rb
@@ -92,12 +92,15 @@ module ActionView
       # Find and render a template based on the options given.
       # :api: private
       def _render_template(options) #:nodoc:
-        variant = options[:variant]
+        variant = options.delete(:variant)
+        assigns = options.delete(:assigns)
+        context = view_context
 
+        context.assign assigns if assigns
         lookup_context.rendered_format = nil if options[:formats]
         lookup_context.variants = variant if variant
 
-        view_renderer.render(view_context, options)
+        view_renderer.render(context, options)
       end
 
       # Assign the rendered format to lookup context.
diff --git a/actionview/lib/action_view/template/handlers.rb b/actionview/lib/action_view/template/handlers.rb
index 9e61ea4225..0105e88a49 100644
--- a/actionview/lib/action_view/template/handlers.rb
+++ b/actionview/lib/action_view/template/handlers.rb
@@ -7,9 +7,9 @@ module ActionView #:nodoc:
       autoload :Raw, 'action_view/template/handlers/raw'
 
       def self.extended(base)
-        base.register_default_template_handler :erb, ERB.new
+        base.register_default_template_handler :raw, Raw.new
+        base.register_template_handler :erb, ERB.new
         base.register_template_handler :builder, Builder.new
-        base.register_template_handler :raw, Raw.new
         base.register_template_handler :ruby, :source.to_proc
       end
 
diff --git a/actionview/lib/action_view/template/resolver.rb b/actionview/lib/action_view/template/resolver.rb
index 29d2e9ca90..bc0db330ea 100644
--- a/actionview/lib/action_view/template/resolver.rb
+++ b/actionview/lib/action_view/template/resolver.rb
@@ -1,7 +1,6 @@
 require "pathname"
 require "active_support/core_ext/class"
 require "active_support/core_ext/module/attribute_accessors"
-require 'active_support/core_ext/string/filters'
 require "action_view/template"
 require "thread"
 require "thread_safe"
@@ -197,24 +196,12 @@ module ActionView
       }
     end
 
-    if RUBY_VERSION >= '2.2.0'
-      def find_template_paths(query)
-        Dir[query].reject { |filename|
-          File.directory?(filename) ||
-            # deals with case-insensitive file systems.
-            !File.fnmatch(query, filename, File::FNM_EXTGLOB)
-        }
-      end
-    else
-      def find_template_paths(query)
-        # deals with case-insensitive file systems.
-        sanitizer = Hash.new { |h,dir| h[dir] = Dir["#{dir}/*"] }
-
-        Dir[query].reject { |filename|
-          File.directory?(filename) ||
-            !sanitizer[File.dirname(filename)].include?(filename)
-        }
-      end
+    def find_template_paths(query)
+      Dir[query].reject { |filename|
+        File.directory?(filename) ||
+          # deals with case-insensitive file systems.
+          !File.fnmatch(query, filename, File::FNM_EXTGLOB)
+      }
     end
 
     # Helper for building query glob string based on resolver's pattern.
@@ -251,12 +238,6 @@ module ActionView
       pieces.shift
 
       extension = pieces.pop
-      unless extension
-        ActiveSupport::Deprecation.warn(<<-MSG.squish)
-          The file #{path} did not specify a template handler. The default is
-          currently ERB, but will change to RAW in the future.
-        MSG
-      end
 
       handler = Template.handler_for_extension(extension)
       format, variant = pieces.last.split(EXTENSIONS[:variants], 2) if pieces.last
diff --git a/actionview/lib/action_view/view_paths.rb b/actionview/lib/action_view/view_paths.rb
index 2e203a7590..492f67f45d 100644
--- a/actionview/lib/action_view/view_paths.rb
+++ b/actionview/lib/action_view/view_paths.rb
@@ -16,14 +16,9 @@ module ActionView
     module ClassMethods
       def _prefixes # :nodoc:
         @_prefixes ||= begin
-          deprecated_prefixes = handle_deprecated_parent_prefixes
-          if deprecated_prefixes
-            deprecated_prefixes
-          else
-            return local_prefixes if superclass.abstract?
-
-            local_prefixes + superclass._prefixes
-          end
+          return local_prefixes if superclass.abstract?
+
+          local_prefixes + superclass._prefixes
         end
       end
 
@@ -34,17 +29,6 @@ module ActionView
       def local_prefixes
         [controller_path]
       end
-
-      def handle_deprecated_parent_prefixes # TODO: remove in 4.3/5.0.
-        return unless respond_to?(:parent_prefixes)
-
-        ActiveSupport::Deprecation.warn(<<-MSG.squish)
-          Overriding `ActionController::Base::parent_prefixes` is deprecated,
-          override `.local_prefixes` instead.
-        MSG
-
-        local_prefixes + parent_prefixes
-      end
     end
 
     # The prefixes used in render "foo" shortcuts.