require "action_view/helpers/javascript_helper" require "active_support/core_ext/array/access" require "active_support/core_ext/hash/keys" require "active_support/core_ext/string/output_safety" module ActionView # = Action View URL Helpers module Helpers #:nodoc: # Provides a set of methods for making links and getting URLs that # depend on the routing subsystem (see ActionDispatch::Routing). # This allows you to use the same format for links in views # and controllers. module UrlHelper # This helper may be included in any class that includes the # URL helpers of a routes (routes.url_helpers). Some methods # provided here will only work in the context of a request # (link_to_unless_current, for instance), which must be provided # as a method called #request on the context. BUTTON_TAG_METHOD_VERBS = %w{patch put delete} extend ActiveSupport::Concern include TagHelper module ClassMethods def _url_for_modules ActionView::RoutingUrlFor end end # Basic implementation of url_for to allow use helpers without routes existence def url_for(options = nil) # :nodoc: case options when String options when :back _back_url else raise ArgumentError, "arguments passed to url_for can't be handled. Please require " + "routes or provide your own implementation" end end def _back_url # :nodoc: _filtered_referrer || "javascript:history.back()" end protected :_back_url def _filtered_referrer # :nodoc: if controller.respond_to?(:request) referrer = controller.request.env["HTTP_REFERER"] if referrer && URI(referrer).scheme != "javascript" referrer end end rescue URI::InvalidURIError end protected :_filtered_referrer # Creates an anchor element of the given +name+ using a URL created by the set of +options+. # See the valid options in the documentation for +url_for+. It's also possible to # pass a String instead of an options hash, which generates an anchor element that uses the # value of the String as the href for the link. Using a :back Symbol instead # of an options hash will generate a link to the referrer (a JavaScript back link # will be used in place of a referrer if none exists). If +nil+ is passed as the name # the value of the link itself will become the name. # # ==== Signatures # # link_to(body, url, html_options = {}) # # url is a String; you can use URL helpers like # # posts_path # # link_to(body, url_options = {}, html_options = {}) # # url_options, except :method, is passed to url_for # # link_to(options = {}, html_options = {}) do # # name # end # # link_to(url, html_options = {}) do # # name # end # # ==== Options # * :data - This option can be used to add custom data attributes. # * method: symbol of HTTP verb - This modifier will dynamically # create an HTML form and immediately submit the form for processing using # the HTTP verb specified. Useful for having links perform a POST operation # in dangerous actions like deleting a record (which search bots can follow # while spidering your site). Supported verbs are :post, :delete, :patch, and :put. # Note that if the user has JavaScript disabled, the request will fall back # to using GET. If href: '#' is used and the user has JavaScript # disabled clicking the link will have no effect. If you are relying on the # POST behavior, you should check for it in your controller's action by using # the request object's methods for post?, delete?, patch?, or put?. # * remote: true - This will allow the unobtrusive JavaScript # driver to make an Ajax request to the URL in question instead of following # the link. The drivers each provide mechanisms for listening for the # completion of the Ajax request and performing JavaScript operations once # they're complete # # ==== Data attributes # # * confirm: 'question?' - This will allow the unobtrusive JavaScript # driver to prompt with the question specified (in this case, the # resulting text would be question?. If the user accepts, the # link is processed normally, otherwise no action is taken. # * :disable_with - Value of this parameter will be # used as the value for a disabled version of the submit # button when the form is submitted. This feature is provided # by the unobtrusive JavaScript driver. # # ==== Examples # Because it relies on +url_for+, +link_to+ supports both older-style controller/action/id arguments # and newer RESTful routes. Current Rails style favors RESTful routes whenever possible, so base # your application on resources and use # # link_to "Profile", profile_path(@profile) # # => Profile # # or the even pithier # # link_to "Profile", @profile # # => Profile # # in place of the older more verbose, non-resource-oriented # # link_to "Profile", controller: "profiles", action: "show", id: @profile # # => Profile # # Similarly, # # link_to "Profiles", profiles_path # # => Profiles # # is better than # # link_to "Profiles", controller: "profiles" # # => Profiles # # You can use a block as well if your link target is hard to fit into the name parameter. ERB example: # # <%= link_to(@profile) do %> # <%= @profile.name %> -- Check it out! # <% end %> # # => # David -- Check it out! # # # Classes and ids for CSS are easy to produce: # # link_to "Articles", articles_path, id: "news", class: "article" # # => Articles # # Be careful when using the older argument style, as an extra literal hash is needed: # # link_to "Articles", { controller: "articles" }, id: "news", class: "article" # # => Articles # # Leaving the hash off gives the wrong link: # # link_to "WRONG!", controller: "articles", id: "news", class: "article" # # => WRONG! # # +link_to+ can also produce links with anchors or query strings: # # link_to "Comment wall", profile_path(@profile, anchor: "wall") # # => Comment wall # # link_to "Ruby on Rails search", controller: "searches", query: "ruby on rails" # # => Ruby on Rails search # # link_to "Nonsense search", searches_path(foo: "bar", baz: "quux") # # => Nonsense search # # The only option specific to +link_to+ (:method) is used as follows: # # link_to("Destroy", "http://www.example.com", method: :delete) # # => Destroy # # You can also use custom data attributes using the :data option: # # link_to "Visit Other Site", "http://www.rubyonrails.org/", data: { confirm: "Are you sure?" } # # => Visit Other Site # # Also you can set any link attributes such as target, rel, type: # # link_to "External link", "http://www.rubyonrails.org/", target: "_blank", rel: "nofollow" # # => External link def link_to(name = nil, options = nil, html_options = nil, &block) html_options, options, name = options, name, block if block_given? options ||= {} html_options = convert_options_to_data_attributes(options, html_options) url = url_for(options) html_options["href".freeze] ||= url content_tag("a".freeze, name || url, html_options, &block) end # Generates a form containing a single button that submits to the URL created # by the set of +options+. This is the safest method to ensure links that # cause changes to your data are not triggered by search bots or accelerators. # If the HTML button does not work with your layout, you can also consider # using the +link_to+ method with the :method modifier as described in # the +link_to+ documentation. # # By default, the generated form element has a class name of button_to # to allow styling of the form itself and its children. This can be changed # using the :form_class modifier within +html_options+. You can control # the form submission and input element behavior using +html_options+. # This method accepts the :method modifier described in the +link_to+ documentation. # If no :method modifier is given, it will default to performing a POST operation. # You can also disable the button by passing disabled: true in +html_options+. # If you are using RESTful routes, you can pass the :method # to change the HTTP verb used to submit the form. # # ==== Options # The +options+ hash accepts the same options as +url_for+. # # There are a few special +html_options+: # * :method - Symbol of HTTP verb. Supported verbs are :post, :get, # :delete, :patch, and :put. By default it will be :post. # * :disabled - If set to true, it will generate a disabled button. # * :data - This option can be used to add custom data attributes. # * :remote - If set to true, will allow the Unobtrusive JavaScript drivers to control the # submit behavior. By default this behavior is an ajax submit. # * :form - This hash will be form attributes # * :form_class - This controls the class of the form within which the submit button will # be placed # * :params - Hash of parameters to be rendered as hidden fields within the form. # # ==== Data attributes # # * :confirm - This will use the unobtrusive JavaScript driver to # prompt with the question specified. If the user accepts, the link is # processed normally, otherwise no action is taken. # * :disable_with - Value of this parameter will be # used as the value for a disabled version of the submit # button when the form is submitted. This feature is provided # by the unobtrusive JavaScript driver. # # ==== Examples # <%= button_to "New", action: "new" %> # # => "
" # # <%= button_to "New", new_articles_path %> # # => "" # # <%= button_to [:make_happy, @user] do %> # Make happy <%= @user.name %> # <% end %> # # => "" # # <%= button_to "New", { action: "new" }, form_class: "new-thing" %> # # => "" # # # <%= button_to "Create", { action: "create" }, remote: true, form: { "data-type" => "json" } %> # # => "" # # # <%= button_to "Delete Image", { action: "delete", id: @image.id }, # method: :delete, data: { confirm: "Are you sure?" } %> # # => "" # # # <%= button_to('Destroy', 'http://www.example.com', # method: "delete", remote: true, data: { confirm: 'Are you sure?', disable_with: 'loading...' }) %> # # => "" # # def button_to(name = nil, options = nil, html_options = nil, &block) html_options, options = options, name if block_given? options ||= {} html_options ||= {} html_options = html_options.stringify_keys url = options.is_a?(String) ? options : url_for(options) remote = html_options.delete("remote") params = html_options.delete("params") method = html_options.delete("method").to_s method_tag = BUTTON_TAG_METHOD_VERBS.include?(method) ? method_tag(method) : "".freeze.html_safe form_method = method == "get" ? "get" : "post" form_options = html_options.delete("form") || {} form_options[:class] ||= html_options.delete("form_class") || "button_to" form_options[:method] = form_method form_options[:action] = url form_options[:'data-remote'] = true if remote request_token_tag = if form_method == "post" request_method = method.empty? ? "post" : method token_tag(nil, form_options: { action: url, method: request_method }) else "".freeze end html_options = convert_options_to_data_attributes(options, html_options) html_options["type"] = "submit" button = if block_given? content_tag("button", html_options, &block) else html_options["value"] = name || url tag("input", html_options) end inner_tags = method_tag.safe_concat(button).safe_concat(request_token_tag) if params to_form_params(params).each do |param| inner_tags.safe_concat tag(:input, type: "hidden", name: param[:name], value: param[:value]) end end content_tag("form", inner_tags, form_options) end # Creates a link tag of the given +name+ using a URL created by the set of # +options+ unless the current request URI is the same as the links, in # which case only the name is returned (or the given block is yielded, if # one exists). You can give +link_to_unless_current+ a block which will # specialize the default behavior (e.g., show a "Start Here" link rather # than the link's text). # # ==== Examples # Let's say you have a navigation menu... # # # # If in the "about" action, it will render... # # # # ...but if in the "index" action, it will render: # # # # The implicit block given to +link_to_unless_current+ is evaluated if the current # action is the action given. So, if we had a comments page and wanted to render a # "Go Back" link instead of a link to the comments page, we could do something like this... # # <%= # link_to_unless_current("Comment", { controller: "comments", action: "new" }) do # link_to("Go back", { controller: "posts", action: "index" }) # end # %> def link_to_unless_current(name, options = {}, html_options = {}, &block) link_to_unless current_page?(options), name, options, html_options, &block end # Creates a link tag of the given +name+ using a URL created by the set of # +options+ unless +condition+ is true, in which case only the name is # returned. To specialize the default behavior (i.e., show a login link rather # than just the plaintext link text), you can pass a block that # accepts the name or the full argument list for +link_to_unless+. # # ==== Examples # <%= link_to_unless(@current_user.nil?, "Reply", { action: "reply" }) %> # # If the user is logged in... # # => Reply # # <%= # link_to_unless(@current_user.nil?, "Reply", { action: "reply" }) do |name| # link_to(name, { controller: "accounts", action: "signup" }) # end # %> # # If the user is logged in... # # => Reply # # If not... # # => Reply def link_to_unless(condition, name, options = {}, html_options = {}, &block) link_to_if !condition, name, options, html_options, &block end # Creates a link tag of the given +name+ using a URL created by the set of # +options+ if +condition+ is true, otherwise only the name is # returned. To specialize the default behavior, you can pass a block that # accepts the name or the full argument list for +link_to_unless+ (see the examples # in +link_to_unless+). # # ==== Examples # <%= link_to_if(@current_user.nil?, "Login", { controller: "sessions", action: "new" }) %> # # If the user isn't logged in... # # => Login # # <%= # link_to_if(@current_user.nil?, "Login", { controller: "sessions", action: "new" }) do # link_to(@current_user.login, { controller: "accounts", action: "show", id: @current_user }) # end # %> # # If the user isn't logged in... # # => Login # # If they are logged in... # # => my_username def link_to_if(condition, name, options = {}, html_options = {}, &block) if condition link_to(name, options, html_options) else if block_given? block.arity <= 1 ? capture(name, &block) : capture(name, options, html_options, &block) else ERB::Util.html_escape(name) end end end # Creates a mailto link tag to the specified +email_address+, which is # also used as the name of the link unless +name+ is specified. Additional # HTML attributes for the link can be passed in +html_options+. # # +mail_to+ has several methods for customizing the email itself by # passing special keys to +html_options+. # # ==== Options # * :subject - Preset the subject line of the email. # * :body - Preset the body of the email. # * :cc - Carbon Copy additional recipients on the email. # * :bcc - Blind Carbon Copy additional recipients on the email. # * :reply_to - Preset the Reply-To field of the email. # # ==== Obfuscation # Prior to Rails 4.0, +mail_to+ provided options for encoding the address # in order to hinder email harvesters. To take advantage of these options, # install the +actionview-encoded_mail_to+ gem. # # ==== Examples # mail_to "me@domain.com" # # => me@domain.com # # mail_to "me@domain.com", "My email" # # => My email # # mail_to "me@domain.com", "My email", cc: "ccaddress@domain.com", # subject: "This is an example email" # # => My email # # You can use a block as well if your link target is hard to fit into the name parameter. ERB example: # # <%= mail_to "me@domain.com" do %> # Email me: me@domain.com # <% end %> # # => # Email me: me@domain.com # def mail_to(email_address, name = nil, html_options = {}, &block) html_options, name = name, nil if block_given? html_options = (html_options || {}).stringify_keys extras = %w{ cc bcc body subject reply_to }.map! { |item| option = html_options.delete(item).presence || next "#{item.dasherize}=#{ERB::Util.url_encode(option)}" }.compact extras = extras.empty? ? "".freeze : "?" + extras.join("&") encoded_email_address = ERB::Util.url_encode(email_address).gsub("%40", "@") html_options["href"] = "mailto:#{encoded_email_address}#{extras}" content_tag("a".freeze, name || email_address, html_options, &block) end # True if the current request URI was generated by the given +options+. # # ==== Examples # Let's say we're in the http://www.example.com/shop/checkout?order=desc&page=1 action. # # current_page?(action: 'process') # # => false # # current_page?(action: 'checkout') # # => true # # current_page?(controller: 'library', action: 'checkout') # # => false # # current_page?(controller: 'shop', action: 'checkout') # # => true # # current_page?(controller: 'shop', action: 'checkout', order: 'asc') # # => false # # current_page?(controller: 'shop', action: 'checkout', order: 'desc', page: '1') # # => true # # current_page?(controller: 'shop', action: 'checkout', order: 'desc', page: '2') # # => false # # current_page?('http://www.example.com/shop/checkout') # # => true # # current_page?('/shop/checkout') # # => true # # current_page?('http://www.example.com/shop/checkout?order=desc&page=1') # # => true # # Let's say we're in the http://www.example.com/products action with method POST in case of invalid product. # # current_page?(controller: 'product', action: 'index') # # => false # # We can also pass in the symbol arguments instead of strings. # def current_page?(options) unless request raise "You cannot use helpers that need to determine the current " \ "page unless your view context provides a Request object " \ "in a #request method" end return false unless request.get? || request.head? url_string = URI.parser.unescape(url_for(options)).force_encoding(Encoding::BINARY) # We ignore any extra parameters in the request_uri if the # submitted url doesn't have any either. This lets the function # work with things like ?order=asc request_uri = url_string.index("?") ? request.fullpath : request.path request_uri = URI.parser.unescape(request_uri).force_encoding(Encoding::BINARY) url_string.chomp!("/") if url_string.start_with?("/") && url_string != "/" if %r{^\w+://}.match?(url_string) url_string == "#{request.protocol}#{request.host_with_port}#{request_uri}" else url_string == request_uri end end private def convert_options_to_data_attributes(options, html_options) if html_options html_options = html_options.stringify_keys html_options["data-remote"] = "true".freeze if link_to_remote_options?(options) || link_to_remote_options?(html_options) method = html_options.delete("method".freeze) add_method_to_attributes!(html_options, method) if method html_options else link_to_remote_options?(options) ? { "data-remote" => "true".freeze } : {} end end def link_to_remote_options?(options) if options.is_a?(Hash) options.delete("remote".freeze) || options.delete(:remote) end end def add_method_to_attributes!(html_options, method) if method && method.to_s.downcase != "get".freeze && html_options["rel".freeze] !~ /nofollow/ html_options["rel".freeze] = "#{html_options["rel".freeze]} nofollow".lstrip end html_options["data-method".freeze] = method end def token_tag(token = nil, form_options: {}) if token != false && protect_against_forgery? token ||= form_authenticity_token(form_options: form_options) tag(:input, type: "hidden", name: request_forgery_protection_token.to_s, value: token) else "".freeze end end def method_tag(method) tag("input", type: "hidden", name: "_method", value: method.to_s) end # Returns an array of hashes each containing :name and :value keys # suitable for use as the names and values of form input fields: # # to_form_params(name: 'David', nationality: 'Danish') # # => [{name: :name, value: 'David'}, {name: 'nationality', value: 'Danish'}] # # to_form_params(country: {name: 'Denmark'}) # # => [{name: 'country[name]', value: 'Denmark'}] # # to_form_params(countries: ['Denmark', 'Sweden']}) # # => [{name: 'countries[]', value: 'Denmark'}, {name: 'countries[]', value: 'Sweden'}] # # An optional namespace can be passed to enclose key names: # # to_form_params({ name: 'Denmark' }, 'country') # # => [{name: 'country[name]', value: 'Denmark'}] def to_form_params(attribute, namespace = nil) # :nodoc: attribute = if attribute.respond_to?(:permitted?) unless attribute.permitted? raise ArgumentError, "Attempting to generate a buttom from non-sanitized request parameters!" \ " Whitelist and sanitize passed parameters to be secure." end attribute.to_h else attribute end params = [] case attribute when Hash attribute.each do |key, value| prefix = namespace ? "#{namespace}[#{key}]" : key params.push(*to_form_params(value, prefix)) end when Array array_prefix = "#{namespace}[]" attribute.each do |value| params.push(*to_form_params(value, array_prefix)) end else params << { name: namespace, value: attribute.to_param } end params.sort_by { |pair| pair[:name] } end end end end