Switch from unofficial rails_xss gem to official rails plugin for rails_xss

19 files changed, 2526 insertions, 0 deletions

diff --git a/vendor/plugins/rails_xss/test/active_record_helper_test.rb b/vendor/plugins/rails_xss/test/active_record_helper_test.rb
new file mode 100644
index 000000000..728ec0ac6
--- /dev/null
+++ b/vendor/plugins/rails_xss/test/active_record_helper_test.rb
@@ -0,0 +1,74 @@
+require 'test_helper'
+
+class ActiveRecordHelperTest < ActionView::TestCase
+  silence_warnings do
+    Post = Struct.new("Post", :title, :author_name, :body, :secret, :written_on)
+    Post.class_eval do
+      alias_method :title_before_type_cast, :title unless respond_to?(:title_before_type_cast)
+      alias_method :body_before_type_cast, :body unless respond_to?(:body_before_type_cast)
+      alias_method :author_name_before_type_cast, :author_name unless respond_to?(:author_name_before_type_cast)
+    end
+  end
+
+  def setup_post
+    @post = Post.new
+    def @post.errors
+      Class.new {
+        def on(field)
+          case field.to_s
+          when "author_name"
+            "can't be empty"
+          when "body"
+            true
+          else
+            false
+          end
+        end
+        def empty?() false end
+        def count() 1 end
+        def full_messages() [ "Author name can't be empty" ] end
+      }.new
+    end
+
+    def @post.new_record?() true end
+    def @post.to_param() nil end
+
+    def @post.column_for_attribute(attr_name)
+      Post.content_columns.select { |column| column.name == attr_name }.first
+    end
+
+    silence_warnings do
+      def Post.content_columns() [ Column.new(:string, "title", "Title"), Column.new(:text, "body", "Body") ] end
+    end
+
+    @post.title       = "Hello World"
+    @post.author_name = ""
+    @post.body        = "Back to the hill and over it again!"
+    @post.secret = 1
+    @post.written_on  = Date.new(2004, 6, 15)
+  end
+
+  def setup
+    setup_post
+
+    @response = ActionController::TestResponse.new
+
+    @controller = Object.new
+    def @controller.url_for(options)
+      options = options.symbolize_keys
+
+      [options[:action], options[:id].to_param].compact.join('/')
+    end
+  end
+
+  def test_text_field_with_errors_is_safe
+    assert text_field("post", "author_name").html_safe?
+  end
+
+  def test_text_field_with_errors
+    assert_dom_equal(
+      %(<div class="fieldWithErrors"><input id="post_author_name" name="post[author_name]" size="30" type="text" value="" /></div>),
+      text_field("post", "author_name")
+    )
+  end
+end
diff --git a/vendor/plugins/rails_xss/test/asset_tag_helper_test.rb b/vendor/plugins/rails_xss/test/asset_tag_helper_test.rb
new file mode 100644
index 000000000..f58feda3d
--- /dev/null
+++ b/vendor/plugins/rails_xss/test/asset_tag_helper_test.rb
@@ -0,0 +1,49 @@
+require 'test_helper'
+
+class AssetTagHelperTest < ActionView::TestCase
+  def setup
+    @controller = Class.new do
+      attr_accessor :request
+      def url_for(*args) "http://www.example.com" end
+    end.new
+  end
+
+  def test_auto_discovery_link_tag
+    assert_dom_equal(%(<link href="http://www.example.com" rel="Not so alternate" title="ATOM" type="application/atom+xml" />),
+                     auto_discovery_link_tag(:atom, {}, {:rel => "Not so alternate"}))
+  end
+
+  def test_javascript_include_tag_with_blank_asset_id
+    ENV["RAILS_ASSET_ID"] = ""
+    assert_dom_equal(%(<script src="/javascripts/test.js" type="text/javascript"></script>\n<script src="/javascripts/prototype.js" type="text/javascript"></script>\n<script src="/javascripts/effects.js" type="text/javascript"></script>\n<script src="/javascripts/dragdrop.js" type="text/javascript"></script>\n<script src="/javascripts/controls.js" type="text/javascript"></script>\n<script src="/javascripts/application.js" type="text/javascript"></script>),
+                     javascript_include_tag("test", :defaults))
+  end
+
+  def test_javascript_include_tag_with_given_asset_id
+    ENV["RAILS_ASSET_ID"] = "1"
+    assert_dom_equal(%(<script src="/javascripts/prototype.js?1" type="text/javascript"></script>\n<script src="/javascripts/effects.js?1" type="text/javascript"></script>\n<script src="/javascripts/dragdrop.js?1" type="text/javascript"></script>\n<script src="/javascripts/controls.js?1" type="text/javascript"></script>\n<script src="/javascripts/application.js?1" type="text/javascript"></script>),
+                     javascript_include_tag(:defaults))
+    ENV["RAILS_ASSET_ID"] = ""
+  end
+
+  def test_javascript_include_tag_is_html_safe
+    assert javascript_include_tag(:defaults).html_safe?
+    assert javascript_include_tag("prototype").html_safe?
+  end
+
+  def test_stylesheet_link_tag
+    assert_dom_equal(%(<link href="http://www.example.com/styles/style.css" media="screen" rel="stylesheet" type="text/css" />),
+                     stylesheet_link_tag("http://www.example.com/styles/style"))
+  end
+
+  def test_stylesheet_link_tag_is_html_safe
+    assert stylesheet_link_tag('dir/file').html_safe?
+    assert stylesheet_link_tag('dir/other/file', 'dir/file2').html_safe?
+    assert stylesheet_tag('dir/file', {}).html_safe?
+  end
+
+  def test_image_tag
+    assert_dom_equal(%(<img alt="Mouse" onmouseover="this.src='/images/mouse_over.png'" onmouseout="this.src='/images/mouse.png'" src="/images/mouse.png" />),
+                     image_tag("mouse.png", :mouseover => image_path("mouse_over.png")))
+  end
+end
diff --git a/vendor/plugins/rails_xss/test/caching_test.rb b/vendor/plugins/rails_xss/test/caching_test.rb
new file mode 100644
index 000000000..3ea41e8b5
--- /dev/null
+++ b/vendor/plugins/rails_xss/test/caching_test.rb
@@ -0,0 +1,54 @@
+require 'test_helper'
+
+CACHE_DIR = 'test_cache'
+# Don't change '/../temp/' cavalierly or you might hose something you don't want hosed
+FILE_STORE_PATH = File.join(File.dirname(__FILE__), '/../temp/', CACHE_DIR)
+ActionController::Base.page_cache_directory = FILE_STORE_PATH
+ActionController::Base.cache_store = :file_store, FILE_STORE_PATH
+
+class FragmentCachingTestController < ActionController::Base
+  def some_action; end;
+end
+
+class FragmentCachingTest < ActionController::TestCase
+  def setup
+    ActionController::Base.perform_caching = true
+    @store = ActiveSupport::Cache::MemoryStore.new
+    ActionController::Base.cache_store = @store
+    @controller = FragmentCachingTestController.new
+    @params = {:controller => 'posts', :action => 'index'}
+    @request = ActionController::TestRequest.new
+    @response = ActionController::TestResponse.new
+    @controller.params = @params
+    @controller.request = @request
+    @controller.response = @response
+    @controller.send(:initialize_current_url)
+    @controller.send(:initialize_template_class, @response)
+    @controller.send(:assign_shortcuts, @request, @response)
+  end
+
+  def test_fragment_for
+    @store.write('views/expensive', 'fragment content')
+    fragment_computed = false
+
+    buffer = 'generated till now -> '.html_safe
+    @controller.fragment_for(buffer, 'expensive') { fragment_computed = true }
+
+    assert !fragment_computed
+    assert_equal 'generated till now -> fragment content', buffer
+  end
+
+  def test_html_safety
+    assert_nil @store.read('views/name')
+    content = 'value'.html_safe
+    assert_equal content, @controller.write_fragment('name', content)
+
+    cached = @store.read('views/name')
+    assert_equal content, cached
+    assert_equal String, cached.class
+
+    html_safe = @controller.read_fragment('name')
+    assert_equal content, html_safe
+    assert html_safe.html_safe?
+  end
+end
diff --git a/vendor/plugins/rails_xss/test/content_for_test.rb b/vendor/plugins/rails_xss/test/content_for_test.rb
new file mode 100644
index 000000000..45ba6762c
--- /dev/null
+++ b/vendor/plugins/rails_xss/test/content_for_test.rb
@@ -0,0 +1,39 @@
+require 'test_helper'
+
+class ContentForTest < ActionView::TestCase
+
+  def test_content_for_should_yield_html_safe_string
+    content_for(:testing, "Some <p>html</p>")
+    content = instance_variable_get(:"@content_for_testing")
+    assert content.html_safe?
+  end
+
+  def test_content_for_should_escape_content
+    content_for(:testing, "Some <p>html</p>")
+    content = instance_variable_get(:"@content_for_testing")
+    expected = %{Some &lt;p&gt;html&lt;/p&gt;}
+    assert_dom_equal expected, content
+  end
+
+  def test_content_for_should_not_escape_html_safe_content
+    content_for(:testing, "Some <p>html</p>".html_safe)
+    content = instance_variable_get(:"@content_for_testing")
+    expected = %{Some <p>html</p>}
+    assert_dom_equal expected, content
+  end
+
+  def test_content_for_should_escape_content_from_block
+    content_for(:testing){ "Some <p>html</p>" }
+    content = instance_variable_get(:"@content_for_testing")
+    expected = %{Some &lt;p&gt;html&lt;/p&gt;}
+    assert_dom_equal expected, content
+  end
+
+  def test_content_for_should_not_escape_html_safe_content_from_block
+    content_for(:testing){ "Some <p>html</p>".html_safe }
+    content = instance_variable_get(:"@content_for_testing")
+    expected = %{Some <p>html</p>}
+    assert_dom_equal expected, content
+  end
+
+end
diff --git a/vendor/plugins/rails_xss/test/date_helper_test.rb b/vendor/plugins/rails_xss/test/date_helper_test.rb
new file mode 100644
index 000000000..daf010274
--- /dev/null
+++ b/vendor/plugins/rails_xss/test/date_helper_test.rb
@@ -0,0 +1,29 @@
+require 'test_helper'
+
+class DateHelperTest < ActionView::TestCase
+  silence_warnings do
+    Post = Struct.new("Post", :id, :written_on, :updated_at)
+  end
+
+  def test_select_html_safety
+    assert select_day(16).html_safe?
+    assert select_month(8).html_safe?
+    assert select_year(Time.mktime(2003, 8, 16, 8, 4, 18)).html_safe?
+    assert select_minute(Time.mktime(2003, 8, 16, 8, 4, 18)).html_safe?
+    assert select_second(Time.mktime(2003, 8, 16, 8, 4, 18)).html_safe?
+
+    assert select_minute(8, :use_hidden => true).html_safe?
+    assert select_month(8, :prompt => 'Choose month').html_safe?
+
+    assert select_time(Time.mktime(2003, 8, 16, 8, 4, 18), {}, :class => 'selector').html_safe?
+    assert select_date(Time.mktime(2003, 8, 16), :date_separator => " / ", :start_year => 2003, :end_year => 2005, :prefix => "date[first]").html_safe?
+  end
+  
+  def test_object_select_html_safety
+    @post = Post.new
+    @post.written_on = Date.new(2004, 6, 15)
+
+    assert date_select("post", "written_on", :default => Time.local(2006, 9, 19, 15, 16, 35), :include_blank => true).html_safe?    
+    assert time_select("post", "written_on", :ignore_date => true).html_safe?    
+  end
+end
diff --git a/vendor/plugins/rails_xss/test/deprecated_output_safety_test.rb b/vendor/plugins/rails_xss/test/deprecated_output_safety_test.rb
new file mode 100644
index 000000000..e16f7ce0d
--- /dev/null
+++ b/vendor/plugins/rails_xss/test/deprecated_output_safety_test.rb
@@ -0,0 +1,112 @@
+require 'test_helper'
+
+class DeprecatedOutputSafetyTest < ActiveSupport::TestCase
+  def setup
+    @string = "hello"
+  end
+
+  test "A string can be marked safe using html_safe!" do
+    assert_deprecated do
+      @string.html_safe!
+      assert @string.html_safe?
+    end
+  end
+
+  test "Marking a string safe returns the string using html_safe!" do
+    assert_deprecated do
+      assert_equal @string, @string.html_safe!
+    end
+  end
+
+  test "Adding a safe string to another safe string returns a safe string using html_safe!" do
+    assert_deprecated do
+      @other_string = "other".html_safe!
+      @string.html_safe!
+      @combination = @other_string + @string
+
+      assert_equal "otherhello", @combination
+      assert @combination.html_safe?
+    end
+  end
+
+  test "Adding an unsafe string to a safe string returns an unsafe string using html_safe!" do
+    assert_deprecated do
+      @other_string = "other".html_safe!
+      @combination = @other_string + "<foo>"
+      @other_combination = @string + "<foo>"
+
+      assert_equal "other<foo>", @combination
+      assert_equal "hello<foo>", @other_combination
+
+      assert !@combination.html_safe?
+      assert !@other_combination.html_safe?
+    end
+  end
+
+  test "Concatting safe onto unsafe yields unsafe using html_safe!" do
+    assert_deprecated do
+      @other_string = "other"
+      @string.html_safe!
+
+      @other_string.concat(@string)
+      assert !@other_string.html_safe?
+    end
+  end
+
+  test "Concatting unsafe onto safe yields unsafe using html_safe!" do
+    assert_deprecated do
+      @other_string = "other".html_safe!
+      string = @other_string.concat("<foo>")
+      assert_equal "other<foo>", string
+      assert !string.html_safe?
+    end
+  end
+
+  test "Concatting safe onto safe yields safe using html_safe!" do
+    assert_deprecated do
+      @other_string = "other".html_safe!
+      @string.html_safe!
+
+      @other_string.concat(@string)
+      assert @other_string.html_safe?
+    end
+  end
+
+  test "Concatting safe onto unsafe with << yields unsafe using html_safe!" do
+    assert_deprecated do
+      @other_string = "other"
+      @string.html_safe!
+
+      @other_string << @string
+      assert !@other_string.html_safe?
+    end
+  end
+
+  test "Concatting unsafe onto safe with << yields unsafe using html_safe!" do
+    assert_deprecated do
+      @other_string = "other".html_safe!
+      string = @other_string << "<foo>"
+      assert_equal "other<foo>", string
+      assert !string.html_safe?
+    end
+  end
+
+  test "Concatting safe onto safe with << yields safe using html_safe!" do
+    assert_deprecated do
+      @other_string = "other".html_safe!
+      @string.html_safe!
+
+      @other_string << @string
+      assert @other_string.html_safe?
+    end
+  end
+
+  test "Concatting a fixnum to safe always yields safe using html_safe!" do
+    assert_deprecated do
+      @string.html_safe!
+      @string.concat(13)
+      assert_equal "hello".concat(13), @string
+      assert @string.html_safe?
+    end
+  end
+end
diff --git a/vendor/plugins/rails_xss/test/erb_util_test.rb b/vendor/plugins/rails_xss/test/erb_util_test.rb
new file mode 100644
index 000000000..9a04d38e6
--- /dev/null
+++ b/vendor/plugins/rails_xss/test/erb_util_test.rb
@@ -0,0 +1,36 @@
+require 'test_helper'
+
+class ErbUtilTest < Test::Unit::TestCase
+  include ERB::Util
+
+  ERB::Util::HTML_ESCAPE.each do |given, expected|
+    define_method "test_html_escape_#{expected.gsub(/\W/, '')}" do
+      assert_equal expected, html_escape(given)
+    end
+
+    unless given == '"'
+      define_method "test_json_escape_#{expected.gsub(/\W/, '')}" do
+        assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given)
+      end
+    end
+  end
+  
+  def test_html_escape_is_html_safe
+    escaped = h("<p>")
+    assert_equal "&lt;p&gt;", escaped
+    assert escaped.html_safe?
+  end
+
+  def test_html_escape_passes_html_escpe_unmodified
+    escaped = h("<p>".html_safe)
+    assert_equal "<p>", escaped
+    assert escaped.html_safe?
+  end
+
+  def test_rest_in_ascii
+    (0..127).to_a.map {|int| int.chr }.each do |chr|
+      next if %w(& " < >).include?(chr)
+      assert_equal chr, html_escape(chr)
+    end
+  end
+end
diff --git a/vendor/plugins/rails_xss/test/form_helper_test.rb b/vendor/plugins/rails_xss/test/form_helper_test.rb
new file mode 100644
index 000000000..e5580d26c
--- /dev/null
+++ b/vendor/plugins/rails_xss/test/form_helper_test.rb
@@ -0,0 +1,1447 @@
+require 'test_helper'
+
+silence_warnings do
+  Post = Struct.new(:title, :author_name, :body, :secret, :written_on, :cost)
+  Post.class_eval do
+    alias_method :title_before_type_cast, :title unless respond_to?(:title_before_type_cast)
+    alias_method :body_before_type_cast, :body unless respond_to?(:body_before_type_cast)
+    alias_method :author_name_before_type_cast, :author_name unless respond_to?(:author_name_before_type_cast)
+    alias_method :secret?, :secret
+
+    def new_record=(boolean)
+      @new_record = boolean
+    end
+
+    def new_record?
+      @new_record
+    end
+
+    attr_accessor :author
+    def author_attributes=(attributes); end
+
+    attr_accessor :comments
+    def comments_attributes=(attributes); end
+
+    attr_accessor :tags
+    def tags_attributes=(attributes); end
+  end
+
+  class Comment
+    attr_reader :id
+    attr_reader :post_id
+    def initialize(id = nil, post_id = nil); @id, @post_id = id, post_id end
+    def save; @id = 1; @post_id = 1 end
+    def new_record?; @id.nil? end
+    def to_param; @id; end
+    def name
+      @id.nil? ? "new #{self.class.name.downcase}" : "#{self.class.name.downcase} ##{@id}"
+    end
+
+    attr_accessor :relevances
+    def relevances_attributes=(attributes); end
+
+  end
+
+  class Tag
+    attr_reader :id
+    attr_reader :post_id
+    def initialize(id = nil, post_id = nil); @id, @post_id = id, post_id end
+    def save; @id = 1; @post_id = 1 end
+    def new_record?; @id.nil? end
+    def to_param; @id; end
+    def value
+      @id.nil? ? "new #{self.class.name.downcase}" : "#{self.class.name.downcase} ##{@id}"
+    end
+
+    attr_accessor :relevances
+    def relevances_attributes=(attributes); end
+
+  end
+
+  class CommentRelevance
+    attr_reader :id
+    attr_reader :comment_id
+    def initialize(id = nil, comment_id = nil); @id, @comment_id = id, comment_id end
+    def save; @id = 1; @comment_id = 1 end
+    def new_record?; @id.nil? end
+    def to_param; @id; end
+    def value
+      @id.nil? ? "new #{self.class.name.downcase}" : "#{self.class.name.downcase} ##{@id}"
+    end
+  end
+
+  class TagRelevance
+    attr_reader :id
+    attr_reader :tag_id
+    def initialize(id = nil, tag_id = nil); @id, @tag_id = id, tag_id end
+    def save; @id = 1; @tag_id = 1 end
+    def new_record?; @id.nil? end
+    def to_param; @id; end
+    def value
+      @id.nil? ? "new #{self.class.name.downcase}" : "#{self.class.name.downcase} ##{@id}"
+    end
+  end
+
+  class Author < Comment
+    attr_accessor :post
+    def post_attributes=(attributes); end
+  end
+end
+
+class FormHelperTest < ActionView::TestCase
+  tests ActionView::Helpers::FormHelper
+
+  def setup
+    super
+
+    # Create "label" locale for testing I18n label helpers
+    I18n.backend.store_translations 'label', {
+      :helpers => {
+        :label => {
+          :post => {
+            :body => "Write entire text here"
+          }
+        }
+      }
+    }
+
+    @post = Post.new
+    @comment = Comment.new
+    def @post.errors()
+      Class.new{
+        def on(field); "can't be empty" if field == "author_name"; end
+        def empty?() false end
+        def count() 1 end
+        def full_messages() [ "Author name can't be empty" ] end
+      }.new
+    end
+    def @post.id; 123; end
+    def @post.id_before_type_cast; 123; end
+    def @post.to_param; '123'; end
+
+    @post.title       = "Hello World"
+    @post.author_name = ""
+    @post.body        = "Back to the hill and over it again!"
+    @post.secret      = 1
+    @post.written_on  = Date.new(2004, 6, 15)
+
+    def Post.human_attribute_name(attribute)
+      attribute.to_s == "cost" ? "Total cost" : attribute.to_s.humanize
+    end
+
+    @controller = Class.new do
+      attr_reader :url_for_options
+      def url_for(options)
+        @url_for_options = options
+        "http://www.example.com"
+      end
+    end
+    @controller = @controller.new
+  end
+
+  def test_label
+    assert_dom_equal('<label for="post_title">Title</label>', label("post", "title"))
+    assert_dom_equal('<label for="post_title">The title goes here</label>', label("post", "title", "The title goes here"))
+    assert_dom_equal(
+      '<label class="title_label" for="post_title">Title</label>',
+      label("post", "title", nil, :class => 'title_label')
+    )
+    assert_dom_equal('<label for="post_secret">Secret?</label>', label("post", "secret?"))
+  end
+
+  def test_label_with_symbols
+    assert_dom_equal('<label for="post_title">Title</label>', label(:post, :title))
+    assert_dom_equal('<label for="post_secret">Secret?</label>', label(:post, :secret?))
+  end
+
+  def test_label_with_locales_strings
+    old_locale, I18n.locale = I18n.locale, :label
+    assert_dom_equal('<label for="post_body">Write entire text here</label>', label("post", "body"))
+  ensure
+    I18n.locale = old_locale
+  end
+
+  def test_label_with_human_attribute_name
+    old_locale, I18n.locale = I18n.locale, :label
+    assert_dom_equal('<label for="post_cost">Total cost</label>', label(:post, :cost))
+  ensure
+    I18n.locale = old_locale
+  end
+
+  def test_label_with_locales_symbols
+    old_locale, I18n.locale = I18n.locale, :label
+    assert_dom_equal('<label for="post_body">Write entire text here</label>', label(:post, :body))
+  ensure
+    I18n.locale = old_locale
+  end
+
+  def test_label_with_for_attribute_as_symbol
+    assert_dom_equal('<label for="my_for">Title</label>', label(:post, :title, nil, :for => "my_for"))
+  end
+
+  def test_label_with_for_attribute_as_string
+    assert_dom_equal('<label for="my_for">Title</label>', label(:post, :title, nil, "for" => "my_for"))
+  end
+
+  def test_label_with_id_attribute_as_symbol
+    assert_dom_equal('<label for="post_title" id="my_id">Title</label>', label(:post, :title, nil, :id => "my_id"))
+  end
+
+  def test_label_with_id_attribute_as_string
+    assert_dom_equal('<label for="post_title" id="my_id">Title</label>', label(:post, :title, nil, "id" => "my_id"))
+  end
+
+  def test_label_with_for_and_id_attributes_as_symbol
+    assert_dom_equal('<label for="my_for" id="my_id">Title</label>', label(:post, :title, nil, :for => "my_for", :id => "my_id"))
+  end
+
+  def test_label_with_for_and_id_attributes_as_string
+    assert_dom_equal('<label for="my_for" id="my_id">Title</label>', label(:post, :title, nil, "for" => "my_for", "id" => "my_id"))
+  end
+
+  def test_label_for_radio_buttons_with_value
+    assert_dom_equal('<label for="post_title_great_title">The title goes here</label>', label("post", "title", "The title goes here", :value => "great_title"))
+    assert_dom_equal('<label for="post_title_great_title">The title goes here</label>', label("post", "title", "The title goes here", :value => "great title"))
+  end
+
+  def test_text_field
+    assert_dom_equal(
+      '<input id="post_title" name="post[title]" size="30" type="text" value="Hello World" />', text_field("post", "title")
+    )
+    assert_dom_equal(
+      '<input id="post_title" name="post[title]" size="30" type="password" value="Hello World" />', password_field("post", "title")
+    )
+    assert_dom_equal(
+      '<input id="person_name" name="person[name]" size="30" type="password" />', password_field("person", "name")
+    )
+  end
+
+  def test_text_field_with_escapes
+    @post.title = "<b>Hello World</b>"
+    assert_dom_equal(
+      '<input id="post_title" name="post[title]" size="30" type="text" value="&lt;b&gt;Hello World&lt;/b&gt;" />', text_field("post", "title")
+    )
+  end
+
+  def test_text_field_with_html_entities
+    @post.title = "The HTML Entity for & is &amp;"
+    assert_dom_equal(
+      '<input id="post_title" name="post[title]" size="30" type="text" value="The HTML Entity for &amp; is &amp;amp;" />',
+      text_field("post", "title")
+    )
+  end
+
+  def test_text_field_with_options
+    expected = '<input id="post_title" name="post[title]" size="35" type="text" value="Hello World" />'
+    assert_dom_equal expected, text_field("post", "title", "size" => 35)
+    assert_dom_equal expected, text_field("post", "title", :size => 35)
+  end
+
+  def test_text_field_assuming_size
+    expected = '<input id="post_title" maxlength="35" name="post[title]" size="35" type="text" value="Hello World" />'
+    assert_dom_equal expected, text_field("post", "title", "maxlength" => 35)
+    assert_dom_equal expected, text_field("post", "title", :maxlength => 35)
+  end
+
+  def test_text_field_removing_size
+    expected = '<input id="post_title" maxlength="35" name="post[title]" type="text" value="Hello World" />'
+    assert_dom_equal expected, text_field("post", "title", "maxlength" => 35, "size" => nil)
+    assert_dom_equal expected, text_field("post", "title", :maxlength => 35, :size => nil)
+  end
+
+  def test_text_field_doesnt_change_param_values
+    object_name = 'post[]'
+    expected = '<input id="post_123_title" name="post[123][title]" size="30" type="text" value="Hello World" />'
+    assert_equal expected, text_field(object_name, "title")
+    assert_equal object_name, "post[]"
+  end
+
+  def test_hidden_field
+    assert_dom_equal '<input id="post_title" name="post[title]" type="hidden" value="Hello World" />',
+      hidden_field("post", "title")
+      assert_dom_equal '<input id="post_secret" name="post[secret]" type="hidden" value="1" />',
+        hidden_field("post", "secret?")
+  end
+
+  def test_hidden_field_with_escapes
+    @post.title = "<b>Hello World</b>"
+    assert_dom_equal '<input id="post_title" name="post[title]" type="hidden" value="&lt;b&gt;Hello World&lt;/b&gt;" />',
+      hidden_field("post", "title")
+  end
+
+  def test_hidden_field_with_options
+    assert_dom_equal '<input id="post_title" name="post[title]" type="hidden" value="Something Else" />',
+      hidden_field("post", "title", :value => "Something Else")
+  end
+
+  def test_check_box
+    assert_dom_equal(
+      '<input name="post[secret]" type="hidden" value="0" /><input checked="checked" id="post_secret" name="post[secret]" type="checkbox" value="1" />',
+      check_box("post", "secret")
+    )
+    @post.secret = 0
+    assert_dom_equal(
+      '<input name="post[secret]" type="hidden" value="0" /><input id="post_secret" name="post[secret]" type="checkbox" value="1" />',
+      check_box("post", "secret")
+    )
+    assert_dom_equal(
+      '<input name="post[secret]" type="hidden" value="0" /><input checked="checked" id="post_secret" name="post[secret]" type="checkbox" value="1" />',
+      check_box("post", "secret" ,{"checked"=>"checked"})
+    )
+    @post.secret = true
+    assert_dom_equal(
+      '<input name="post[secret]" type="hidden" value="0" /><input checked="checked" id="post_secret" name="post[secret]" type="checkbox" value="1" />',
+      check_box("post", "secret")
+    )
+    assert_dom_equal(
+      '<input name="post[secret]" type="hidden" value="0" /><input checked="checked" id="post_secret" name="post[secret]" type="checkbox" value="1" />',
+      check_box("post", "secret?")
+    )
+
+    @post.secret = ['0']
+    assert_dom_equal(
+      '<input name="post[secret]" type="hidden" value="0" /><input id="post_secret" name="post[secret]" type="checkbox" value="1" />',
+      check_box("post", "secret")
+    )
+    @post.secret = ['1']
+    assert_dom_equal(
+      '<input name="post[secret]" type="hidden" value="0" /><input checked="checked" id="post_secret" name="post[secret]" type="checkbox" value="1" />',
+      check_box("post", "secret")
+    )
+  end
+
+  def test_check_box_with_explicit_checked_and_unchecked_values
+    @post.secret = "on"
+    assert_dom_equal(
+      '<input name="post[secret]" type="hidden" value="off" /><input checked="checked" id="post_secret" name="post[secret]" type="checkbox" value="on" />',
+      check_box("post", "secret", {}, "on", "off")
+    )
+  end
+
+  def test_checkbox_disabled_still_submits_checked_value
+    assert_dom_equal(
+      '<input name="post[secret]" type="hidden" value="1" /><input checked="checked" disabled="disabled" id="post_secret" name="post[secret]" type="checkbox" value="1" />',
+      check_box("post", "secret", { :disabled => :true })
+    )
+  end
+
+  def test_radio_button
+    assert_dom_equal('<input checked="checked" id="post_title_hello_world" name="post[title]" type="radio" value="Hello World" />',
+      radio_button("post", "title", "Hello World")
+    )
+    assert_dom_equal('<input id="post_title_goodbye_world" name="post[title]" type="radio" value="Goodbye World" />',
+      radio_button("post", "title", "Goodbye World")
+    )
+    assert_dom_equal('<input id="item_subobject_title_inside_world" name="item[subobject][title]" type="radio" value="inside world"/>',
+      radio_button("item[subobject]", "title", "inside world")
+    )
+  end
+
+  def test_radio_button_is_checked_with_integers
+    assert_dom_equal('<input checked="checked" id="post_secret_1" name="post[secret]" type="radio" value="1" />',
+      radio_button("post", "secret", "1")
+   )
+  end
+
+  def test_radio_button_respects_passed_in_id
+     assert_dom_equal('<input checked="checked" id="foo" name="post[secret]" type="radio" value="1" />',
+       radio_button("post", "secret", "1", :id=>"foo")
+    )
+  end
+
+  def test_radio_button_with_booleans
+    assert_dom_equal('<input id="post_secret_true" name="post[secret]" type="radio" value="true" />',
+      radio_button("post", "secret", true)
+    )
+
+    assert_dom_equal('<input id="post_secret_false" name="post[secret]" type="radio" value="false" />',
+      radio_button("post", "secret", false)
+    )
+  end
+
+  def test_text_area
+    assert_dom_equal(
+      '<textarea cols="40" id="post_body" name="post[body]" rows="20">Back to the hill and over it again!</textarea>',
+      text_area("post", "body")
+    )
+  end
+
+  def test_text_area_with_escapes
+    @post.body        = "Back to <i>the</i> hill and over it again!"
+    assert_dom_equal(
+      '<textarea cols="40" id="post_body" name="post[body]" rows="20">Back to &lt;i&gt;the&lt;/i&gt; hill and over it again!</textarea>',
+      text_area("post", "body")
+    )
+  end
+
+  def test_text_area_with_alternate_value
+    assert_dom_equal(
+      '<textarea cols="40" id="post_body" name="post[body]" rows="20">Testing alternate values.</textarea>',
+      text_area("post", "body", :value => 'Testing alternate values.')
+    )
+  end
+
+  def test_text_area_with_html_entities
+    @post.body        = "The HTML Entity for & is &amp;"
+    assert_dom_equal(
+      '<textarea cols="40" id="post_body" name="post[body]" rows="20">The HTML Entity for &amp; is &amp;amp;</textarea>',
+      text_area("post", "body")
+    )
+  end
+
+  def test_text_area_with_size_option
+    assert_dom_equal(
+      '<textarea cols="183" id="post_body" name="post[body]" rows="820">Back to the hill and over it again!</textarea>',
+      text_area("post", "body", :size => "183x820")
+    )
+  end
+
+  def test_explicit_name
+    assert_dom_equal(
+      '<input id="post_title" name="dont guess" size="30" type="text" value="Hello World" />', text_field("post", "title", "name" => "dont guess")
+    )
+    assert_dom_equal(
+      '<textarea cols="40" id="post_body" name="really!" rows="20">Back to the hill and over it again!</textarea>',
+      text_area("post", "body", "name" => "really!")
+    )
+    assert_dom_equal(
+      '<input name="i mean it" type="hidden" value="0" /><input checked="checked" id="post_secret" name="i mean it" type="checkbox" value="1" />',
+      check_box("post", "secret", "name" => "i mean it")
+    )
+    assert_dom_equal text_field("post", "title", "name" => "dont guess"),
+                 text_field("post", "title", :name => "dont guess")
+    assert_dom_equal text_area("post", "body", "name" => "really!"),
+                 text_area("post", "body", :name => "really!")
+    assert_dom_equal check_box("post", "secret", "name" => "i mean it"),
+                 check_box("post", "secret", :name => "i mean it")
+  end
+
+  def test_explicit_id
+    assert_dom_equal(
+      '<input id="dont guess" name="post[title]" size="30" type="text" value="Hello World" />', text_field("post", "title", "id" => "dont guess")
+    )
+    assert_dom_equal(
+      '<textarea cols="40" id="really!" name="post[body]" rows="20">Back to the hill and over it again!</textarea>',
+      text_area("post", "body", "id" => "really!")
+    )
+    assert_dom_equal(
+      '<input name="post[secret]" type="hidden" value="0" /><input checked="checked" id="i mean it" name="post[secret]" type="checkbox" value="1" />',
+      check_box("post", "secret", "id" => "i mean it")
+    )
+    assert_dom_equal text_field("post", "title", "id" => "dont guess"),
+                 text_field("post", "title", :id => "dont guess")
+    assert_dom_equal text_area("post", "body", "id" => "really!"),
+                 text_area("post", "body", :id => "really!")
+    assert_dom_equal check_box("post", "secret", "id" => "i mean it"),
+                 check_box("post", "secret", :id => "i mean it")
+  end
+
+  def test_auto_index
+    pid = @post.id
+    assert_dom_equal(
+      "<label for=\"post_#{pid}_title\">Title</label>",
+      label("post[]", "title")
+    )
+    assert_dom_equal(
+      "<input id=\"post_#{pid}_title\" name=\"post[#{pid}][title]\" size=\"30\" type=\"text\" value=\"Hello World\" />", text_field("post[]","title")
+    )
+    assert_dom_equal(
+      "<textarea cols=\"40\" id=\"post_#{pid}_body\" name=\"post[#{pid}][body]\" rows=\"20\">Back to the hill and over it again!</textarea>",
+      text_area("post[]", "body")
+    )
+    assert_dom_equal(
+      "<input name=\"post[#{pid}][secret]\" type=\"hidden\" value=\"0\" /><input checked=\"checked\" id=\"post_#{pid}_secret\" name=\"post[#{pid}][secret]\" type=\"checkbox\" value=\"1\" />",
+      check_box("post[]", "secret")
+    )
+   assert_dom_equal(
+"<input checked=\"checked\" id=\"post_#{pid}_title_hello_world\" name=\"post[#{pid}][title]\" type=\"radio\" value=\"Hello World\" />",
+      radio_button("post[]", "title", "Hello World")
+    )
+    assert_dom_equal("<input id=\"post_#{pid}_title_goodbye_world\" name=\"post[#{pid}][title]\" type=\"radio\" value=\"Goodbye World\" />",
+      radio_button("post[]", "title", "Goodbye World")
+    )
+  end
+
+  def test_form_for
+    form_for(:post, @post, :html => { :id => 'create-post' }) do |f|
+      concat f.label(:title)
+      concat f.text_field(:title)
+      concat f.text_area(:body)
+      concat f.check_box(:secret)
+      concat f.submit('Create post')
+    end
+
+    expected =
+      "<form action='http://www.example.com' id='create-post' method='post'>" +
+      "<label for='post_title'>Title</label>" +
+      "<input name='post[title]' size='30' type='text' id='post_title' value='Hello World' />" +
+      "<textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" +
+      "<input name='post[secret]' type='hidden' value='0' />" +
+      "<input name='post[secret]' checked='checked' type='checkbox' id='post_secret' value='1' />" +
+      "<input name='commit' id='post_submit' type='submit' value='Create post' />" +
+      "</form>"
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_form_for_with_method
+    form_for(:post, @post, :html => { :id => 'create-post', :method => :put }) do |f|
+      concat f.text_field(:title)
+      concat f.text_area(:body)
+      concat f.check_box(:secret)
+    end
+
+    expected =
+      "<form action='http://www.example.com' id='create-post' method='post'>" +
+      "<div style='margin:0;padding:0;display:inline'><input name='_method' type='hidden' value='put' /></div>" +
+      "<input name='post[title]' size='30' type='text' id='post_title' value='Hello World' />" +
+      "<textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" +
+      "<input name='post[secret]' type='hidden' value='0' />" +
+      "<input name='post[secret]' checked='checked' type='checkbox' id='post_secret' value='1' />" +
+      "</form>"
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_form_for_without_object
+    form_for(:post, :html => { :id => 'create-post' }) do |f|
+      concat f.text_field(:title)
+      concat f.text_area(:body)
+      concat f.check_box(:secret)
+    end
+
+    expected =
+      "<form action='http://www.example.com' id='create-post' method='post'>" +
+      "<input name='post[title]' size='30' type='text' id='post_title' value='Hello World' />" +
+      "<textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" +
+      "<input name='post[secret]' type='hidden' value='0' />" +
+      "<input name='post[secret]' checked='checked' type='checkbox' id='post_secret' value='1' />" +
+      "</form>"
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_form_for_with_index
+    form_for("post[]", @post) do |f|
+      concat f.label(:title)
+      concat f.text_field(:title)
+      concat f.text_area(:body)
+      concat f.check_box(:secret)
+    end
+
+    expected =
+      "<form action='http://www.example.com' method='post'>" +
+      "<label for=\"post_123_title\">Title</label>" +
+      "<input name='post[123][title]' size='30' type='text' id='post_123_title' value='Hello World' />" +
+      "<textarea name='post[123][body]' id='post_123_body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" +
+      "<input name='post[123][secret]' type='hidden' value='0' />" +
+      "<input name='post[123][secret]' checked='checked' type='checkbox' id='post_123_secret' value='1' />" +
+      "</form>"
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_form_for_with_nil_index_option_override
+    form_for("post[]", @post, :index => nil) do |f|
+      concat f.text_field(:title)
+      concat f.text_area(:body)
+      concat f.check_box(:secret)
+    end
+
+    expected =
+      "<form action='http://www.example.com' method='post'>" +
+      "<input name='post[][title]' size='30' type='text' id='post__title' value='Hello World' />" +
+      "<textarea name='post[][body]' id='post__body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" +
+      "<input name='post[][secret]' type='hidden' value='0' />" +
+      "<input name='post[][secret]' checked='checked' type='checkbox' id='post__secret' value='1' />" +
+      "</form>"
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_nested_fields_for
+    form_for(:post, @post) do |f|
+      f.fields_for(:comment, @post) do |c|
+        concat c.text_field(:title)
+      end
+    end
+
+    expected = "<form action='http://www.example.com' method='post'>" +
+               "<input name='post[comment][title]' size='30' type='text' id='post_comment_title' value='Hello World' />" +
+               "</form>"
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_nested_fields_for_with_nested_collections
+    form_for('post[]', @post) do |f|
+      concat f.text_field(:title)
+      f.fields_for('comment[]', @comment) do |c|
+        concat c.text_field(:name)
+      end
+    end
+
+    expected = "<form action='http://www.example.com' method='post'>" +
+               "<input name='post[123][title]' size='30' type='text' id='post_123_title' value='Hello World' />" +
+               "<input name='post[123][comment][][name]' size='30' type='text' id='post_123_comment__name' value='new comment' />" +
+               "</form>"
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_nested_fields_for_with_index_and_parent_fields
+    form_for('post', @post, :index => 1) do |c|
+      concat c.text_field(:title)
+      c.fields_for('comment', @comment, :index => 1) do |r|
+        concat r.text_field(:name)
+      end
+    end
+
+    expected = "<form action='http://www.example.com' method='post'>" +
+               "<input name='post[1][title]' size='30' type='text' id='post_1_title' value='Hello World' />" +
+               "<input name='post[1][comment][1][name]' size='30' type='text' id='post_1_comment_1_name' value='new comment' />" +
+               "</form>"
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_form_for_with_index_and_nested_fields_for
+    form_for(:post, @post, :index => 1) do |f|
+      f.fields_for(:comment, @post) do |c|
+        concat c.text_field(:title)
+      end
+    end
+
+    expected = "<form action='http://www.example.com' method='post'>" +
+               "<input name='post[1][comment][title]' size='30' type='text' id='post_1_comment_title' value='Hello World' />" +
+               "</form>"
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_nested_fields_for_with_index_on_both
+    form_for(:post, @post, :index => 1) do |f|
+      f.fields_for(:comment, @post, :index => 5) do |c|
+        concat c.text_field(:title)
+      end
+    end
+
+    expected = "<form action='http://www.example.com' method='post'>" +
+               "<input name='post[1][comment][5][title]' size='30' type='text' id='post_1_comment_5_title' value='Hello World' />" +
+               "</form>"
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_nested_fields_for_with_auto_index
+    form_for("post[]", @post) do |f|
+      f.fields_for(:comment, @post) do |c|
+        concat c.text_field(:title)
+      end
+    end
+
+    expected = "<form action='http://www.example.com' method='post'>" +
+               "<input name='post[123][comment][title]' size='30' type='text' id='post_123_comment_title' value='Hello World' />" +
+               "</form>"
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_nested_fields_for_with_index_radio_button
+    form_for(:post, @post) do |f|
+      f.fields_for(:comment, @post, :index => 5) do |c|
+        concat c.radio_button(:title, "hello")
+      end
+    end
+
+    expected = "<form action='http://www.example.com' method='post'>" +
+               "<input name='post[comment][5][title]' type='radio' id='post_comment_5_title_hello' value='hello' />" +
+               "</form>"
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_nested_fields_for_with_auto_index_on_both
+    form_for("post[]", @post) do |f|
+      f.fields_for("comment[]", @post) do |c|
+        concat c.text_field(:title)
+      end
+    end
+
+    expected = "<form action='http://www.example.com' method='post'>" +
+               "<input name='post[123][comment][123][title]' size='30' type='text' id='post_123_comment_123_title' value='Hello World' />" +
+               "</form>"
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_nested_fields_for_with_index_and_auto_index
+    form_for("post[]", @post) do |f|
+      f.fields_for(:comment, @post, :index => 5) do |c|
+        concat c.text_field(:title)
+      end
+    end
+
+    form_for(:post, @post, :index => 1) do |f|
+      f.fields_for("comment[]", @post) do |c|
+        concat c.text_field(:title)
+      end
+    end
+
+    expected = "<form action='http://www.example.com' method='post'>" +
+               "<input name='post[123][comment][5][title]' size='30' type='text' id='post_123_comment_5_title' value='Hello World' />" +
+               "</form>" +
+               "<form action='http://www.example.com' method='post'>" +
+               "<input name='post[1][comment][123][title]' size='30' type='text' id='post_1_comment_123_title' value='Hello World' />" +
+               "</form>"
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_nested_fields_for_with_a_new_record_on_a_nested_attributes_one_to_one_association
+    @post.author = Author.new
+
+    form_for(:post, @post) do |f|
+      concat f.text_field(:title)
+      f.fields_for(:author) do |af|
+        concat af.text_field(:name)
+      end
+    end
+
+    expected = '<form action="http://www.example.com" method="post">' +
+               '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' +
+               '<input id="post_author_attributes_name" name="post[author_attributes][name]" size="30" type="text" value="new author" />' +
+               '</form>'
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_nested_fields_for_with_explicitly_passed_object_on_a_nested_attributes_one_to_one_association
+    form_for(:post, @post) do |f|
+      f.fields_for(:author, Author.new(123)) do |af|
+        assert_not_nil af.object
+        assert_equal 123, af.object.id
+      end
+    end
+  end
+
+  def test_nested_fields_for_with_an_existing_record_on_a_nested_attributes_one_to_one_association
+    @post.author = Author.new(321)
+
+    form_for(:post, @post) do |f|
+      concat f.text_field(:title)
+      f.fields_for(:author) do |af|
+        concat af.text_field(:name)
+      end
+    end
+
+    expected = '<form action="http://www.example.com" method="post">' +
+               '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' +
+               '<input id="post_author_attributes_name" name="post[author_attributes][name]" size="30" type="text" value="author #321" />' +
+               '<input id="post_author_attributes_id" name="post[author_attributes][id]" type="hidden" value="321" />' +
+               '</form>'
+
+    assert_dom_equal expected, output_buffer
+  end
+  
+  def test_nested_fields_for_with_existing_records_on_a_nested_attributes_one_to_one_association_with_explicit_hidden_field_placement
+    @post.author = Author.new(321)
+
+    form_for(:post, @post) do |f|
+      concat f.text_field(:title)
+      f.fields_for(:author) do |af|
+        concat af.hidden_field(:id)
+        concat af.text_field(:name)
+      end
+    end
+    
+    expected = '<form action="http://www.example.com" method="post">' +
+               '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' +
+               '<input id="post_author_attributes_id" name="post[author_attributes][id]" type="hidden" value="321" />' +
+               '<input id="post_author_attributes_name" name="post[author_attributes][name]" size="30" type="text" value="author #321" />' +
+               '</form>'
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_nested_fields_for_with_existing_records_on_a_nested_attributes_collection_association
+    @post.comments = Array.new(2) { |id| Comment.new(id + 1) }
+
+    form_for(:post, @post) do |f|
+      concat f.text_field(:title)
+      @post.comments.each do |comment|
+        f.fields_for(:comments, comment) do |cf|
+          concat cf.text_field(:name)
+        end
+      end
+    end
+
+    expected = '<form action="http://www.example.com" method="post">' +
+               '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' +
+               '<input id="post_comments_attributes_0_name" name="post[comments_attributes][0][name]" size="30" type="text" value="comment #1" />' +
+               '<input id="post_comments_attributes_0_id" name="post[comments_attributes][0][id]" type="hidden" value="1" />' +
+               '<input id="post_comments_attributes_1_name" name="post[comments_attributes][1][name]" size="30" type="text" value="comment #2" />' +
+               '<input id="post_comments_attributes_1_id" name="post[comments_attributes][1][id]" type="hidden" value="2" />' +
+               '</form>'
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_nested_fields_for_with_existing_records_on_a_nested_attributes_collection_association_with_explicit_hidden_field_placement
+    @post.comments = Array.new(2) { |id| Comment.new(id + 1) }
+
+    form_for(:post, @post) do |f|
+      concat f.text_field(:title)
+      @post.comments.each do |comment|
+        f.fields_for(:comments, comment) do |cf|
+          concat cf.hidden_field(:id)
+          concat cf.text_field(:name)
+        end
+      end
+    end
+    
+    expected = '<form action="http://www.example.com" method="post">' +
+               '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' +
+               '<input id="post_comments_attributes_0_id" name="post[comments_attributes][0][id]" type="hidden" value="1" />' +
+               '<input id="post_comments_attributes_0_name" name="post[comments_attributes][0][name]" size="30" type="text" value="comment #1" />' +
+               '<input id="post_comments_attributes_1_id" name="post[comments_attributes][1][id]" type="hidden" value="2" />' +
+               '<input id="post_comments_attributes_1_name" name="post[comments_attributes][1][name]" size="30" type="text" value="comment #2" />' +
+               '</form>'
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_nested_fields_for_with_new_records_on_a_nested_attributes_collection_association
+    @post.comments = [Comment.new, Comment.new]
+
+    form_for(:post, @post) do |f|
+      concat f.text_field(:title)
+      @post.comments.each do |comment|
+        f.fields_for(:comments, comment) do |cf|
+          concat cf.text_field(:name)
+        end
+      end
+    end
+
+    expected = '<form action="http://www.example.com" method="post">' +
+               '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' +
+               '<input id="post_comments_attributes_0_name" name="post[comments_attributes][0][name]" size="30" type="text" value="new comment" />' +
+               '<input id="post_comments_attributes_1_name" name="post[comments_attributes][1][name]" size="30" type="text" value="new comment" />' +
+               '</form>'
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_nested_fields_for_with_existing_and_new_records_on_a_nested_attributes_collection_association
+    @post.comments = [Comment.new(321), Comment.new]
+
+    form_for(:post, @post) do |f|
+      concat f.text_field(:title)
+      @post.comments.each do |comment|
+        f.fields_for(:comments, comment) do |cf|
+          concat cf.text_field(:name)
+        end
+      end
+    end
+
+    expected = '<form action="http://www.example.com" method="post">' +
+               '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' +
+               '<input id="post_comments_attributes_0_name" name="post[comments_attributes][0][name]" size="30" type="text" value="comment #321" />' +
+               '<input id="post_comments_attributes_0_id" name="post[comments_attributes][0][id]" type="hidden" value="321" />' +
+               '<input id="post_comments_attributes_1_name" name="post[comments_attributes][1][name]" size="30" type="text" value="new comment" />' +
+               '</form>'
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_nested_fields_for_with_an_empty_supplied_attributes_collection
+    form_for(:post, @post) do |f|
+      concat f.text_field(:title)
+      f.fields_for(:comments, []) do |cf|
+        concat cf.text_field(:name)
+      end
+    end
+
+    expected = '<form action="http://www.example.com" method="post">' +
+               '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' +
+               '</form>'
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_nested_fields_for_with_existing_records_on_a_supplied_nested_attributes_collection
+    @post.comments = Array.new(2) { |id| Comment.new(id + 1) }
+
+    form_for(:post, @post) do |f|
+      concat f.text_field(:title)
+      f.fields_for(:comments, @post.comments) do |cf|
+        concat cf.text_field(:name)
+      end
+    end
+
+    expected = '<form action="http://www.example.com" method="post">' +
+               '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' +
+               '<input id="post_comments_attributes_0_name" name="post[comments_attributes][0][name]" size="30" type="text" value="comment #1" />' +
+               '<input id="post_comments_attributes_0_id" name="post[comments_attributes][0][id]" type="hidden" value="1" />' +
+               '<input id="post_comments_attributes_1_name" name="post[comments_attributes][1][name]" size="30" type="text" value="comment #2" />' +
+               '<input id="post_comments_attributes_1_id" name="post[comments_attributes][1][id]" type="hidden" value="2" />' +
+               '</form>'
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_nested_fields_for_on_a_nested_attributes_collection_association_yields_only_builder
+    @post.comments = [Comment.new(321), Comment.new]
+    yielded_comments = []
+
+    form_for(:post, @post) do |f|
+      concat f.text_field(:title)
+      f.fields_for(:comments) do |cf|
+        concat cf.text_field(:name)
+        yielded_comments << cf.object
+      end
+    end
+
+    expected = '<form action="http://www.example.com" method="post">' +
+               '<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' +
+               '<input id="post_comments_attributes_0_name" name="post[comments_attributes][0][name]" size="30" type="text" value="comment #321" />' +
+               '<input id="post_comments_attributes_0_id" name="post[comments_attributes][0][id]" type="hidden" value="321" />' +
+               '<input id="post_comments_attributes_1_name" name="post[comments_attributes][1][name]" size="30" type="text" value="new comment" />' +
+               '</form>'
+
+    assert_dom_equal expected, output_buffer
+    assert_equal yielded_comments, @post.comments
+  end
+
+  def test_nested_fields_for_with_child_index_option_override_on_a_nested_attributes_collection_association
+    @post.comments = []
+
+    form_for(:post, @post) do |f|
+      f.fields_for(:comments, Comment.new(321), :child_index => 'abc') do |cf|
+        concat cf.text_field(:name)
+      end
+    end
+
+    expected = '<form action="http://www.example.com" method="post">' +
+               '<input id="post_comments_attributes_abc_name" name="post[comments_attributes][abc][name]" size="30" type="text" value="comment #321" />' +
+               '<input id="post_comments_attributes_abc_id" name="post[comments_attributes][abc][id]" type="hidden" value="321" />' +
+               '</form>'
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_nested_fields_uses_unique_indices_for_different_collection_associations
+    @post.comments = [Comment.new(321)]
+    @post.tags = [Tag.new(123), Tag.new(456)]
+    @post.comments[0].relevances = []
+    @post.tags[0].relevances = []
+    @post.tags[1].relevances = []
+    form_for(:post, @post) do |f|
+      f.fields_for(:comments, @post.comments[0]) do |cf|
+        concat cf.text_field(:name)
+        cf.fields_for(:relevances, CommentRelevance.new(314)) do |crf|
+          concat crf.text_field(:value)
+        end
+      end
+      f.fields_for(:tags, @post.tags[0]) do |tf|
+        concat tf.text_field(:value)
+        tf.fields_for(:relevances, TagRelevance.new(3141)) do |trf|
+          concat trf.text_field(:value)
+        end
+      end
+      f.fields_for('tags', @post.tags[1]) do |tf|
+        concat tf.text_field(:value)
+        tf.fields_for(:relevances, TagRelevance.new(31415)) do |trf|
+          concat trf.text_field(:value)
+        end
+      end
+    end
+
+    expected = '<form action="http://www.example.com" method="post">' +
+               '<input id="post_comments_attributes_0_name" name="post[comments_attributes][0][name]" size="30" type="text" value="comment #321" />' +
+               '<input id="post_comments_attributes_0_relevances_attributes_0_value" name="post[comments_attributes][0][relevances_attributes][0][value]" size="30" type="text" value="commentrelevance #314" />' +
+               '<input id="post_comments_attributes_0_relevances_attributes_0_id" name="post[comments_attributes][0][relevances_attributes][0][id]" type="hidden" value="314" />' +
+               '<input id="post_comments_attributes_0_id" name="post[comments_attributes][0][id]" type="hidden" value="321" />' +
+               '<input id="post_tags_attributes_0_value" name="post[tags_attributes][0][value]" size="30" type="text" value="tag #123" />' +
+               '<input id="post_tags_attributes_0_relevances_attributes_0_value" name="post[tags_attributes][0][relevances_attributes][0][value]" size="30" type="text" value="tagrelevance #3141" />' +
+               '<input id="post_tags_attributes_0_relevances_attributes_0_id" name="post[tags_attributes][0][relevances_attributes][0][id]" type="hidden" value="3141" />' +
+               '<input id="post_tags_attributes_0_id" name="post[tags_attributes][0][id]" type="hidden" value="123" />' +
+               '<input id="post_tags_attributes_1_value" name="post[tags_attributes][1][value]" size="30" type="text" value="tag #456" />' +
+               '<input id="post_tags_attributes_1_relevances_attributes_0_value" name="post[tags_attributes][1][relevances_attributes][0][value]" size="30" type="text" value="tagrelevance #31415" />' +
+               '<input id="post_tags_attributes_1_relevances_attributes_0_id" name="post[tags_attributes][1][relevances_attributes][0][id]" type="hidden" value="31415" />' +
+               '<input id="post_tags_attributes_1_id" name="post[tags_attributes][1][id]" type="hidden" value="456" />' +
+               '</form>'
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_fields_for
+    fields_for(:post, @post) do |f|
+      concat f.text_field(:title)
+      concat f.text_area(:body)
+      concat f.check_box(:secret)
+    end
+
+    expected =
+      "<input name='post[title]' size='30' type='text' id='post_title' value='Hello World' />" +
+      "<textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" +
+      "<input name='post[secret]' type='hidden' value='0' />" +
+      "<input name='post[secret]' checked='checked' type='checkbox' id='post_secret' value='1' />"
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_fields_for_with_index
+    fields_for("post[]", @post) do |f|
+      concat f.text_field(:title)
+      concat f.text_area(:body)
+      concat f.check_box(:secret)
+    end
+
+    expected =
+      "<input name='post[123][title]' size='30' type='text' id='post_123_title' value='Hello World' />" +
+      "<textarea name='post[123][body]' id='post_123_body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" +
+      "<input name='post[123][secret]' type='hidden' value='0' />" +
+      "<input name='post[123][secret]' checked='checked' type='checkbox' id='post_123_secret' value='1' />"
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_fields_for_with_nil_index_option_override
+    fields_for("post[]", @post, :index => nil) do |f|
+      concat f.text_field(:title)
+      concat f.text_area(:body)
+      concat f.check_box(:secret)
+    end
+
+    expected =
+      "<input name='post[][title]' size='30' type='text' id='post__title' value='Hello World' />" +
+      "<textarea name='post[][body]' id='post__body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" +
+      "<input name='post[][secret]' type='hidden' value='0' />" +
+      "<input name='post[][secret]' checked='checked' type='checkbox' id='post__secret' value='1' />"
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_fields_for_with_index_option_override
+    fields_for("post[]", @post, :index => "abc") do |f|
+      concat f.text_field(:title)
+      concat f.text_area(:body)
+      concat f.check_box(:secret)
+    end
+
+    expected =
+      "<input name='post[abc][title]' size='30' type='text' id='post_abc_title' value='Hello World' />" +
+      "<textarea name='post[abc][body]' id='post_abc_body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" +
+      "<input name='post[abc][secret]' type='hidden' value='0' />" +
+      "<input name='post[abc][secret]' checked='checked' type='checkbox' id='post_abc_secret' value='1' />"
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_fields_for_without_object
+    fields_for(:post) do |f|
+      concat f.text_field(:title)
+      concat f.text_area(:body)
+      concat f.check_box(:secret)
+    end
+
+    expected =
+      "<input name='post[title]' size='30' type='text' id='post_title' value='Hello World' />" +
+      "<textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" +
+      "<input name='post[secret]' type='hidden' value='0' />" +
+      "<input name='post[secret]' checked='checked' type='checkbox' id='post_secret' value='1' />"
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_fields_for_with_only_object
+    fields_for(@post) do |f|
+      concat f.text_field(:title)
+      concat f.text_area(:body)
+      concat f.check_box(:secret)
+    end
+
+    expected =
+      "<input name='post[title]' size='30' type='text' id='post_title' value='Hello World' />" +
+      "<textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" +
+      "<input name='post[secret]' type='hidden' value='0' />" +
+      "<input name='post[secret]' checked='checked' type='checkbox' id='post_secret' value='1' />"
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_fields_for_object_with_bracketed_name
+    fields_for("author[post]", @post) do |f|
+      concat f.label(:title)
+      concat f.text_field(:title)
+    end
+
+    assert_dom_equal "<label for=\"author_post_title\">Title</label>" +
+    "<input name='author[post][title]' size='30' type='text' id='author_post_title' value='Hello World' />",
+      output_buffer
+  end
+
+  def test_fields_for_object_with_bracketed_name_and_index
+    fields_for("author[post]", @post, :index => 1) do |f|
+      concat f.label(:title)
+      concat f.text_field(:title)
+    end
+
+    assert_dom_equal "<label for=\"author_post_1_title\">Title</label>" +
+      "<input name='author[post][1][title]' size='30' type='text' id='author_post_1_title' value='Hello World' />",
+      output_buffer
+  end
+
+  def test_form_builder_does_not_have_form_for_method
+    assert ! ActionView::Helpers::FormBuilder.instance_methods.include?('form_for')
+  end
+
+  def test_form_for_and_fields_for
+    form_for(:post, @post, :html => { :id => 'create-post' }) do |post_form|
+      concat post_form.text_field(:title)
+      concat post_form.text_area(:body)
+
+      fields_for(:parent_post, @post) do |parent_fields|
+        concat parent_fields.check_box(:secret)
+      end
+    end
+
+    expected =
+      "<form action='http://www.example.com' id='create-post' method='post'>" +
+      "<input name='post[title]' size='30' type='text' id='post_title' value='Hello World' />" +
+      "<textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" +
+      "<input name='parent_post[secret]' type='hidden' value='0' />" +
+      "<input name='parent_post[secret]' checked='checked' type='checkbox' id='parent_post_secret' value='1' />" +
+      "</form>"
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_form_for_and_fields_for_with_object
+    form_for(:post, @post, :html => { :id => 'create-post' }) do |post_form|
+      concat post_form.text_field(:title)
+      concat post_form.text_area(:body)
+
+      post_form.fields_for(@comment) do |comment_fields|
+        concat comment_fields.text_field(:name)
+      end
+    end
+
+    expected =
+      "<form action='http://www.example.com' id='create-post' method='post'>" +
+      "<input name='post[title]' size='30' type='text' id='post_title' value='Hello World' />" +
+      "<textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea>" +
+      "<input name='post[comment][name]' type='text' id='post_comment_name' value='new comment' size='30' />" +
+      "</form>"
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  class LabelledFormBuilder < ActionView::Helpers::FormBuilder
+    (field_helpers - %w(hidden_field)).each do |selector|
+      src, line = <<-END_SRC, __LINE__ + 1
+        def #{selector}(field, *args, &proc)
+          ("<label for='\#{field}'>\#{field.to_s.humanize}:</label> " + super + "<br/>").html_safe
+        end
+      END_SRC
+      class_eval src, __FILE__, line
+    end
+  end
+
+  def test_form_for_with_labelled_builder
+    form_for(:post, @post, :builder => LabelledFormBuilder) do |f|
+      concat f.text_field(:title)
+      concat f.text_area(:body)
+      concat f.check_box(:secret)
+    end
+
+    expected =
+      "<form action='http://www.example.com' method='post'>" +
+      "<label for='title'>Title:</label> <input name='post[title]' size='30' type='text' id='post_title' value='Hello World' /><br/>" +
+      "<label for='body'>Body:</label> <textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea><br/>" +
+      "<label for='secret'>Secret:</label> <input name='post[secret]' type='hidden' value='0' /><input name='post[secret]' checked='checked' type='checkbox' id='post_secret' value='1' /><br/>" +
+      "</form>"
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_default_form_builder
+    old_default_form_builder, ActionView::Base.default_form_builder =
+      ActionView::Base.default_form_builder, LabelledFormBuilder
+
+    form_for(:post, @post) do |f|
+      concat f.text_field(:title)
+      concat f.text_area(:body)
+      concat f.check_box(:secret)
+    end
+
+    expected =
+      "<form action='http://www.example.com' method='post'>" +
+      "<label for='title'>Title:</label> <input name='post[title]' size='30' type='text' id='post_title' value='Hello World' /><br/>" +
+      "<label for='body'>Body:</label> <textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea><br/>" +
+      "<label for='secret'>Secret:</label> <input name='post[secret]' type='hidden' value='0' /><input name='post[secret]' checked='checked' type='checkbox' id='post_secret' value='1' /><br/>" +
+      "</form>"
+
+    assert_dom_equal expected, output_buffer
+  ensure
+    ActionView::Base.default_form_builder = old_default_form_builder
+  end
+
+  def test_default_form_builder_with_active_record_helpers
+    form_for(:post, @post) do |f|
+       concat f.error_message_on('author_name')
+       concat f.error_messages
+    end
+
+    expected = %(<form action='http://www.example.com' method='post'>) +
+               %(<div class='formError'>can't be empty</div>) +
+               %(<div class="errorExplanation" id="errorExplanation"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can't be empty</li></ul></div>) +
+               %(</form>)
+
+    assert_dom_equal expected, output_buffer
+
+  end
+
+  def test_default_form_builder_no_instance_variable
+    post = @post
+    @post = nil
+
+    form_for(:post, post) do |f|
+       concat f.error_message_on('author_name')
+       concat f.error_messages
+    end
+
+    expected = %(<form action='http://www.example.com' method='post'>) +
+               %(<div class='formError'>can't be empty</div>) +
+               %(<div class="errorExplanation" id="errorExplanation"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can't be empty</li></ul></div>) +
+               %(</form>)
+
+    assert_dom_equal expected, output_buffer
+
+  end
+  
+  def test_default_form_builder_without_object
+
+    form_for(:post) do |f|
+       concat f.error_message_on('author_name')
+       concat f.error_messages
+    end
+
+    expected = %(<form action='http://www.example.com' method='post'>) +
+               %(<div class='formError'>can't be empty</div>) +
+               %(<div class="errorExplanation" id="errorExplanation"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can't be empty</li></ul></div>) +
+               %(</form>)
+
+    assert_dom_equal expected, output_buffer
+
+  end
+
+  # Perhaps this test should be moved to prototype helper tests.
+  def test_remote_form_for_with_labelled_builder
+    self.extend ActionView::Helpers::PrototypeHelper
+
+     remote_form_for(:post, @post, :builder => LabelledFormBuilder) do |f|
+       concat f.text_field(:title)
+       concat f.text_area(:body)
+       concat f.check_box(:secret)
+     end
+
+     expected =
+       %(<form action="http://www.example.com" onsubmit="new Ajax.Request('http://www.example.com', {asynchronous:true, evalScripts:true, parameters:Form.serialize(this)}); return false;" method="post">) +
+       "<label for='title'>Title:</label> <input name='post[title]' size='30' type='text' id='post_title' value='Hello World' /><br/>" +
+       "<label for='body'>Body:</label> <textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea><br/>" +
+       "<label for='secret'>Secret:</label> <input name='post[secret]' type='hidden' value='0' /><input name='post[secret]' checked='checked' type='checkbox' id='post_secret' value='1' /><br/>" +
+       "</form>"
+
+     assert_dom_equal expected, output_buffer
+  end
+
+  def test_fields_for_with_labelled_builder
+    fields_for(:post, @post, :builder => LabelledFormBuilder) do |f|
+      concat f.text_field(:title)
+      concat f.text_area(:body)
+      concat f.check_box(:secret)
+    end
+
+    expected =
+      "<label for='title'>Title:</label> <input name='post[title]' size='30' type='text' id='post_title' value='Hello World' /><br/>" +
+      "<label for='body'>Body:</label> <textarea name='post[body]' id='post_body' rows='20' cols='40'>Back to the hill and over it again!</textarea><br/>" +
+      "<label for='secret'>Secret:</label> <input name='post[secret]' type='hidden' value='0' /><input name='post[secret]' checked='checked' type='checkbox' id='post_secret' value='1' /><br/>"
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_form_for_with_labelled_builder_with_nested_fields_for_without_options_hash
+    klass = nil
+
+    form_for(:post, @post, :builder => LabelledFormBuilder) do |f|
+      f.fields_for(:comments, Comment.new) do |nested_fields|
+        klass = nested_fields.class
+        ''
+      end
+    end
+
+    assert_equal LabelledFormBuilder, klass
+  end
+
+  def test_form_for_with_labelled_builder_with_nested_fields_for_with_options_hash
+    klass = nil
+
+    form_for(:post, @post, :builder => LabelledFormBuilder) do |f|
+      f.fields_for(:comments, Comment.new, :index => 'foo') do |nested_fields|
+        klass = nested_fields.class
+        ''
+      end
+    end
+
+    assert_equal LabelledFormBuilder, klass
+  end
+
+  class LabelledFormBuilderSubclass < LabelledFormBuilder; end
+
+  def test_form_for_with_labelled_builder_with_nested_fields_for_with_custom_builder
+    klass = nil
+
+    form_for(:post, @post, :builder => LabelledFormBuilder) do |f|
+      f.fields_for(:comments, Comment.new, :builder => LabelledFormBuilderSubclass) do |nested_fields|
+        klass = nested_fields.class
+        ''
+      end
+    end
+
+    assert_equal LabelledFormBuilderSubclass, klass
+  end
+
+  def test_form_for_with_html_options_adds_options_to_form_tag
+    form_for(:post, @post, :html => {:id => 'some_form', :class => 'some_class'}) do |f| end
+    expected = "<form action=\"http://www.example.com\" class=\"some_class\" id=\"some_form\" method=\"post\"></form>"
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_form_for_with_string_url_option
+    form_for(:post, @post, :url => 'http://www.otherdomain.com') do |f| end
+
+    assert_equal '<form action="http://www.otherdomain.com" method="post"></form>', output_buffer
+  end
+
+  def test_form_for_with_hash_url_option
+    form_for(:post, @post, :url => {:controller => 'controller', :action => 'action'}) do |f| end
+
+    assert_equal 'controller', @controller.url_for_options[:controller]
+    assert_equal 'action', @controller.url_for_options[:action]
+  end
+
+  def test_form_for_with_record_url_option
+    form_for(:post, @post, :url => @post) do |f| end
+
+    expected = "<form action=\"/posts/123\" method=\"post\"></form>"
+    assert_equal expected, output_buffer
+  end
+
+  def test_form_for_with_existing_object
+    form_for(@post) do |f| end
+
+    expected = "<form action=\"/posts/123\" class=\"edit_post\" id=\"edit_post_123\" method=\"post\"><div style=\"margin:0;padding:0;display:inline\"><input name=\"_method\" type=\"hidden\" value=\"put\" /></div></form>"
+    assert_equal expected, output_buffer
+  end
+
+  def test_form_for_with_new_object
+    post = Post.new
+    post.new_record = true
+    def post.id() nil end
+
+    form_for(post) do |f| end
+
+    expected = "<form action=\"/posts\" class=\"new_post\" id=\"new_post\" method=\"post\"></form>"
+    assert_equal expected, output_buffer
+  end
+
+  def test_form_for_with_existing_object_in_list
+    @post.new_record = false
+    @comment.save
+
+    form_for([@post, @comment]) {}
+
+    expected = %(<form action="#{comment_path(@post, @comment)}" class="edit_comment" id="edit_comment_1" method="post"><div style="margin:0;padding:0;display:inline"><input name="_method" type="hidden" value="put" /></div></form>)
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_form_for_with_new_object_in_list
+    @post.new_record = false
+
+    form_for([@post, @comment]) {}
+
+    expected = %(<form action="#{comments_path(@post)}" class="new_comment" id="new_comment" method="post"></form>)
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_form_for_with_existing_object_and_namespace_in_list
+    @post.new_record = false
+    @comment.save
+
+    form_for([:admin, @post, @comment]) {}
+
+    expected = %(<form action="#{admin_comment_path(@post, @comment)}" class="edit_comment" id="edit_comment_1" method="post"><div style="margin:0;padding:0;display:inline"><input name="_method" type="hidden" value="put" /></div></form>)
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_form_for_with_new_object_and_namespace_in_list
+    @post.new_record = false
+
+    form_for([:admin, @post, @comment]) {}
+
+    expected = %(<form action="#{admin_comments_path(@post)}" class="new_comment" id="new_comment" method="post"></form>)
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_form_for_with_existing_object_and_custom_url
+    form_for(@post, :url => "/super_posts") do |f| end
+
+    expected = "<form action=\"/super_posts\" class=\"edit_post\" id=\"edit_post_123\" method=\"post\"><div style=\"margin:0;padding:0;display:inline\"><input name=\"_method\" type=\"hidden\" value=\"put\" /></div></form>"
+    assert_equal expected, output_buffer
+  end
+
+  def test_remote_form_for_with_html_options_adds_options_to_form_tag
+    self.extend ActionView::Helpers::PrototypeHelper
+
+    remote_form_for(:post, @post, :html => {:id => 'some_form', :class => 'some_class'}) do |f| end
+    expected = "<form action=\"http://www.example.com\" class=\"some_class\" id=\"some_form\" method=\"post\" onsubmit=\"new Ajax.Request('http://www.example.com', {asynchronous:true, evalScripts:true, parameters:Form.serialize(this)}); return false;\"></form>"
+
+    assert_dom_equal expected, output_buffer
+  end
+
+  protected
+    def comments_path(post)
+      "/posts/#{post.id}/comments"
+    end
+    alias_method :post_comments_path, :comments_path
+
+    def comment_path(post, comment)
+      "/posts/#{post.id}/comments/#{comment.id}"
+    end
+    alias_method :post_comment_path, :comment_path
+
+    def admin_comments_path(post)
+      "/admin/posts/#{post.id}/comments"
+    end
+    alias_method :admin_post_comments_path, :admin_comments_path
+
+    def admin_comment_path(post, comment)
+      "/admin/posts/#{post.id}/comments/#{comment.id}"
+    end
+    alias_method :admin_post_comment_path, :admin_comment_path
+
+    def posts_path
+      "/posts"
+    end
+
+    def post_path(post)
+      "/posts/#{post.id}"
+    end
+
+    def protect_against_forgery?
+      false
+    end
+end
diff --git a/vendor/plugins/rails_xss/test/form_tag_helper_test.rb b/vendor/plugins/rails_xss/test/form_tag_helper_test.rb
new file mode 100644
index 000000000..41eeceeb3
--- /dev/null
+++ b/vendor/plugins/rails_xss/test/form_tag_helper_test.rb
@@ -0,0 +1,354 @@
+require 'test_helper'
+
+class FormTagHelperTest < ActionView::TestCase
+  def setup
+    @controller = Class.new do
+      def url_for(options)
+        "http://www.example.com"
+      end
+    end
+    @controller = @controller.new
+  end
+
+  VALID_HTML_ID = /^[A-Za-z][-_:.A-Za-z0-9]*$/ # see http://www.w3.org/TR/html4/types.html#type-name
+
+  def test_check_box_tag
+    actual = check_box_tag "admin"
+    expected = %(<input id="admin" name="admin" type="checkbox" value="1" />)
+    assert_dom_equal expected, actual
+  end
+
+  def test_check_box_tag_id_sanitized
+    label_elem = root_elem(check_box_tag("project[2][admin]"))
+    assert_match VALID_HTML_ID, label_elem['id']
+  end
+
+  def test_form_tag
+    actual = form_tag
+    expected = %(<form action="http://www.example.com" method="post">)
+    assert_dom_equal expected, actual
+  end
+
+  def test_form_tag_multipart
+    actual = form_tag({}, { 'multipart' => true })
+    expected = %(<form action="http://www.example.com" enctype="multipart/form-data" method="post">)
+    assert_dom_equal expected, actual
+  end
+
+  def test_form_tag_with_method_put
+    actual = form_tag({}, { :method => :put })
+    expected = %(<form action="http://www.example.com" method="post"><div style='margin:0;padding:0;display:inline'><input type="hidden" name="_method" value="put" /></div>)
+    assert_dom_equal expected, actual
+  end
+
+  def test_form_tag_with_method_delete
+    actual = form_tag({}, { :method => :delete })
+    expected = %(<form action="http://www.example.com" method="post"><div style='margin:0;padding:0;display:inline'><input type="hidden" name="_method" value="delete" /></div>)
+    assert_dom_equal expected, actual
+  end
+
+  def test_form_tag_with_block_in_erb
+    __in_erb_template = ''
+    form_tag("http://example.com") { concat "Hello world!" }
+
+    expected = %(<form action="http://example.com" method="post">Hello world!</form>)
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_form_tag_with_block_and_method_in_erb
+    __in_erb_template = ''
+    form_tag("http://example.com", :method => :put) { concat "Hello world!" }
+
+    expected = %(<form action="http://example.com" method="post"><div style='margin:0;padding:0;display:inline'><input type="hidden" name="_method" value="put" /></div>Hello world!</form>)
+    assert_dom_equal expected, output_buffer
+  end
+
+  def test_hidden_field_tag
+    actual = hidden_field_tag "id", 3
+    expected = %(<input id="id" name="id" type="hidden" value="3" />)
+    assert_dom_equal expected, actual
+  end
+
+  def test_hidden_field_tag_id_sanitized
+    input_elem = root_elem(hidden_field_tag("item[][title]"))
+    assert_match VALID_HTML_ID, input_elem['id']
+  end
+
+  def test_file_field_tag
+    assert_dom_equal "<input name=\"picsplz\" type=\"file\" id=\"picsplz\" />", file_field_tag("picsplz")
+  end
+
+  def test_file_field_tag_with_options
+    assert_dom_equal "<input name=\"picsplz\" type=\"file\" id=\"picsplz\" class=\"pix\"/>", file_field_tag("picsplz", :class => "pix")
+  end
+
+  def test_password_field_tag
+    actual = password_field_tag
+    expected = %(<input id="password" name="password" type="password" />)
+    assert_dom_equal expected, actual
+  end
+
+  def test_radio_button_tag
+    actual = radio_button_tag "people", "david"
+    expected = %(<input id="people_david" name="people" type="radio" value="david" />)
+    assert_dom_equal expected, actual
+
+    actual = radio_button_tag("num_people", 5)
+    expected = %(<input id="num_people_5" name="num_people" type="radio" value="5" />)
+    assert_dom_equal expected, actual
+
+    actual = radio_button_tag("gender", "m") + radio_button_tag("gender", "f")
+    expected = %(<input id="gender_m" name="gender" type="radio" value="m" /><input id="gender_f" name="gender" type="radio" value="f" />)
+    assert_dom_equal expected, actual
+
+    actual = radio_button_tag("opinion", "-1") + radio_button_tag("opinion", "1")
+    expected = %(<input id="opinion_-1" name="opinion" type="radio" value="-1" /><input id="opinion_1" name="opinion" type="radio" value="1" />)
+    assert_dom_equal expected, actual
+
+    actual = radio_button_tag("person[gender]", "m")
+    expected = %(<input id="person_gender_m" name="person[gender]" type="radio" value="m" />)
+    assert_dom_equal expected, actual
+  end
+
+  def test_select_tag
+    actual = select_tag "people", "<option>david</option>".html_safe
+    expected = %(<select id="people" name="people"><option>david</option></select>)
+    assert_dom_equal expected, actual
+  end
+
+  def test_select_tag_with_multiple
+    actual = select_tag "colors", "<option>Red</option><option>Blue</option><option>Green</option>".html_safe, :multiple => :true
+    expected = %(<select id="colors" multiple="multiple" name="colors"><option>Red</option><option>Blue</option><option>Green</option></select>)
+    assert_dom_equal expected, actual
+  end
+
+  def test_select_tag_disabled
+    actual = select_tag "places", "<option>Home</option><option>Work</option><option>Pub</option>".html_safe, :disabled => :true
+    expected = %(<select id="places" disabled="disabled" name="places"><option>Home</option><option>Work</option><option>Pub</option></select>)
+    assert_dom_equal expected, actual
+  end
+
+  def test_select_tag_id_sanitized
+    input_elem = root_elem(select_tag("project[1]people", "<option>david</option>"))
+    assert_match VALID_HTML_ID, input_elem['id']
+  end
+
+  def test_select_tag_with_array_options
+    assert_deprecated /array/ do
+      select_tag "people", ["<option>david</option>"]
+    end
+  end
+
+  def test_text_area_tag_size_string
+    actual = text_area_tag "body", "hello world", "size" => "20x40"
+    expected = %(<textarea cols="20" id="body" name="body" rows="40">hello world</textarea>)
+    assert_dom_equal expected, actual
+  end
+
+  def test_text_area_tag_size_symbol
+    actual = text_area_tag "body", "hello world", :size => "20x40"
+    expected = %(<textarea cols="20" id="body" name="body" rows="40">hello world</textarea>)
+    assert_dom_equal expected, actual
+  end
+
+  def test_text_area_tag_should_disregard_size_if_its_given_as_an_integer
+    actual = text_area_tag "body", "hello world", :size => 20
+    expected = %(<textarea id="body" name="body">hello world</textarea>)
+    assert_dom_equal expected, actual
+  end
+
+  def test_text_area_tag_id_sanitized
+    input_elem = root_elem(text_area_tag("item[][description]"))
+    assert_match VALID_HTML_ID, input_elem['id']
+  end
+
+  def test_text_area_tag_escape_content
+    actual = text_area_tag "body", "<b>hello world</b>", :size => "20x40"
+    expected = %(<textarea cols="20" id="body" name="body" rows="40">&lt;b&gt;hello world&lt;/b&gt;</textarea>)
+    assert_dom_equal expected, actual
+  end
+
+  def test_text_area_tag_unescaped_content
+    actual = text_area_tag "body", "<b>hello world</b>", :size => "20x40", :escape => false
+    expected = %(<textarea cols="20" id="body" name="body" rows="40"><b>hello world</b></textarea>)
+    assert_dom_equal expected, actual
+  end
+
+  def test_text_area_tag_unescaped_nil_content
+    actual = text_area_tag "body", nil, :escape => false
+    expected = %(<textarea id="body" name="body"></textarea>)
+    assert_dom_equal expected, actual
+  end
+
+  def test_text_field_tag
+    actual = text_field_tag "title", "Hello!"
+    expected = %(<input id="title" name="title" type="text" value="Hello!" />)
+    assert_dom_equal expected, actual
+  end
+
+  def test_text_field_tag_class_string
+    actual = text_field_tag "title", "Hello!", "class" => "admin"
+    expected = %(<input class="admin" id="title" name="title" type="text" value="Hello!" />)
+    assert_dom_equal expected, actual
+  end
+
+  def test_text_field_tag_size_symbol
+    actual = text_field_tag "title", "Hello!", :size => 75
+    expected = %(<input id="title" name="title" size="75" type="text" value="Hello!" />)
+    assert_dom_equal expected, actual
+  end
+
+  def test_text_field_tag_size_string
+    actual = text_field_tag "title", "Hello!", "size" => "75"
+    expected = %(<input id="title" name="title" size="75" type="text" value="Hello!" />)
+    assert_dom_equal expected, actual
+  end
+
+  def test_text_field_tag_maxlength_symbol
+    actual = text_field_tag "title", "Hello!", :maxlength => 75
+    expected = %(<input id="title" name="title" maxlength="75" type="text" value="Hello!" />)
+    assert_dom_equal expected, actual
+  end
+
+  def test_text_field_tag_maxlength_string
+    actual = text_field_tag "title", "Hello!", "maxlength" => "75"
+    expected = %(<input id="title" name="title" maxlength="75" type="text" value="Hello!" />)
+    assert_dom_equal expected, actual
+  end
+
+  def test_text_field_disabled
+    actual = text_field_tag "title", "Hello!", :disabled => :true
+    expected = %(<input id="title" name="title" disabled="disabled" type="text" value="Hello!" />)
+    assert_dom_equal expected, actual
+  end
+
+  def test_text_field_tag_with_multiple_options
+    actual = text_field_tag "title", "Hello!", :size => 70, :maxlength => 80
+    expected = %(<input id="title" name="title" size="70" maxlength="80" type="text" value="Hello!" />)
+    assert_dom_equal expected, actual
+  end
+
+  def test_text_field_tag_id_sanitized
+    input_elem = root_elem(text_field_tag("item[][title]"))
+    assert_match VALID_HTML_ID, input_elem['id']
+  end
+
+  def test_label_tag_without_text
+    actual = label_tag "title"
+    expected = %(<label for="title">Title</label>)
+    assert_dom_equal expected, actual
+  end
+
+  def test_label_tag_with_symbol
+    actual = label_tag :title
+    expected = %(<label for="title">Title</label>)
+    assert_dom_equal expected, actual
+  end
+
+  def test_label_tag_with_text
+    actual = label_tag "title", "My Title"
+    expected = %(<label for="title">My Title</label>)
+    assert_dom_equal expected, actual
+  end
+
+  def test_label_tag_class_string
+    actual = label_tag "title", "My Title", "class" => "small_label"
+    expected = %(<label for="title" class="small_label">My Title</label>)
+    assert_dom_equal expected, actual
+  end
+
+  def test_label_tag_id_sanitized
+    label_elem = root_elem(label_tag("item[title]"))
+    assert_match VALID_HTML_ID, label_elem['for']
+  end
+
+  def test_boolean_options
+    assert_dom_equal %(<input checked="checked" disabled="disabled" id="admin" name="admin" readonly="readonly" type="checkbox" value="1" />), check_box_tag("admin", 1, true, 'disabled' => true, :readonly => "yes")
+    assert_dom_equal %(<input checked="checked" id="admin" name="admin" type="checkbox" value="1" />), check_box_tag("admin", 1, true, :disabled => false, :readonly => nil)
+    assert_dom_equal %(<input type="checkbox" />), tag(:input, :type => "checkbox", :checked => false)
+    assert_dom_equal %(<select id="people" multiple="multiple" name="people[]"><option>david</option></select>), select_tag("people", "<option>david</option>".html_safe, :multiple => true)
+    assert_dom_equal %(<select id="people_" multiple="multiple" name="people[]"><option>david</option></select>), select_tag("people[]", "<option>david</option>".html_safe, :multiple => true)
+    assert_dom_equal %(<select id="people" name="people"><option>david</option></select>), select_tag("people", "<option>david</option>".html_safe, :multiple => nil)
+  end
+
+  def test_stringify_symbol_keys
+    actual = text_field_tag "title", "Hello!", :id => "admin"
+    expected = %(<input id="admin" name="title" type="text" value="Hello!" />)
+    assert_dom_equal expected, actual
+  end
+
+  def test_submit_tag
+    assert_dom_equal(
+      %(<input name='commit' onclick="if (window.hiddenCommit) { window.hiddenCommit.setAttribute('value', this.value); }else { hiddenCommit = document.createElement('input');hiddenCommit.type = 'hidden';hiddenCommit.value = this.value;hiddenCommit.name = this.name;this.form.appendChild(hiddenCommit); }this.setAttribute('originalValue', this.value);this.disabled = true;this.value='Saving...';alert('hello!');result = (this.form.onsubmit ? (this.form.onsubmit() ? this.form.submit() : false) : this.form.submit());if (result == false) { this.value = this.getAttribute('originalValue');this.disabled = false; }return result;" type="submit" value="Save" />),
+      submit_tag("Save", :disable_with => "Saving...", :onclick => "alert('hello!')")
+    )
+  end
+
+  def test_submit_tag_with_no_onclick_options
+    assert_dom_equal(
+      %(<input name='commit' onclick="if (window.hiddenCommit) { window.hiddenCommit.setAttribute('value', this.value); }else { hiddenCommit = document.createElement('input');hiddenCommit.type = 'hidden';hiddenCommit.value = this.value;hiddenCommit.name = this.name;this.form.appendChild(hiddenCommit); }this.setAttribute('originalValue', this.value);this.disabled = true;this.value='Saving...';result = (this.form.onsubmit ? (this.form.onsubmit() ? this.form.submit() : false) : this.form.submit());if (result == false) { this.value = this.getAttribute('originalValue');this.disabled = false; }return result;" type="submit" value="Save" />),
+      submit_tag("Save", :disable_with => "Saving...")
+    )
+  end
+
+  def test_submit_tag_with_confirmation
+    assert_dom_equal(
+      %(<input name='commit' type='submit' value='Save' onclick="if (!confirm('Are you sure?')) return false; return true;"/>),
+      submit_tag("Save", :confirm => "Are you sure?")
+    )
+  end
+
+  def test_submit_tag_with_confirmation_and_with_disable_with
+    assert_dom_equal(
+      %(<input name="commit" onclick="if (!confirm('Are you sure?')) return false; if (window.hiddenCommit) { window.hiddenCommit.setAttribute('value', this.value); }else { hiddenCommit = document.createElement('input');hiddenCommit.type = 'hidden';hiddenCommit.value = this.value;hiddenCommit.name = this.name;this.form.appendChild(hiddenCommit); }this.setAttribute('originalValue', this.value);this.disabled = true;this.value='Saving...';result = (this.form.onsubmit ? (this.form.onsubmit() ? this.form.submit() : false) : this.form.submit());if (result == false) { this.value = this.getAttribute('originalValue');this.disabled = false; }return result;" type="submit" value="Save" />),
+      submit_tag("Save", :disable_with => "Saving...", :confirm => "Are you sure?")
+    )
+  end
+
+  def test_image_submit_tag_with_confirmation
+    assert_dom_equal(
+      %(<input type="image" src="/images/save.gif" onclick="return confirm('Are you sure?');"/>),
+      image_submit_tag("save.gif", :confirm => "Are you sure?")
+    )
+  end
+
+  def test_pass
+    assert_equal 1, 1
+  end
+
+  def test_field_set_tag_in_erb
+    __in_erb_template = ''
+    field_set_tag("Your details") { concat "Hello world!" }
+
+    expected = %(<fieldset><legend>Your details</legend>Hello world!</fieldset>)
+    assert_dom_equal expected, output_buffer
+
+    self.output_buffer = ''.html_safe
+    field_set_tag { concat "Hello world!" }
+
+    expected = %(<fieldset>Hello world!</fieldset>)
+    assert_dom_equal expected, output_buffer
+
+    self.output_buffer = ''.html_safe
+    field_set_tag('') { concat "Hello world!" }
+
+    expected = %(<fieldset>Hello world!</fieldset>)
+    assert_dom_equal expected, output_buffer
+
+    self.output_buffer = ''.html_safe
+    field_set_tag('', :class => 'format') { concat "Hello world!" }
+
+    expected = %(<fieldset class="format">Hello world!</fieldset>)
+    assert_dom_equal expected, output_buffer
+  end
+
+  def protect_against_forgery?
+    false
+  end
+
+  private
+
+  def root_elem(rendered_content)
+    HTML::Document.new(rendered_content).root.children[0]
+  end
+end
diff --git a/vendor/plugins/rails_xss/test/javascript_helper_test.rb b/vendor/plugins/rails_xss/test/javascript_helper_test.rb
new file mode 100644
index 000000000..691d97a15
--- /dev/null
+++ b/vendor/plugins/rails_xss/test/javascript_helper_test.rb
@@ -0,0 +1,10 @@
+require 'test_helper'
+
+class JavascriptHelperTest < ActionView::TestCase
+  def test_escape_javascript_with_safebuffer
+    given = %('quoted' "double-quoted" new-line:\n </closed>)
+    expect = %(\\'quoted\\' \\"double-quoted\\" new-line:\\n <\\/closed>)
+    assert_equal expect, escape_javascript(given)
+    assert_equal expect, escape_javascript(ActiveSupport::SafeBuffer.new(given))
+  end
+end
diff --git a/vendor/plugins/rails_xss/test/output_escaping_test.rb b/vendor/plugins/rails_xss/test/output_escaping_test.rb
new file mode 100644
index 000000000..8b6f8b83c
--- /dev/null
+++ b/vendor/plugins/rails_xss/test/output_escaping_test.rb
@@ -0,0 +1,19 @@
+require 'test_helper'
+
+class OutputEscapingTest < ActiveSupport::TestCase
+
+  test "escape_html shouldn't die when passed nil" do
+    assert ERB::Util.h(nil).blank?
+  end
+
+  test "escapeHTML should escape strings" do
+    assert_equal "&lt;&gt;&quot;", ERB::Util.h("<>\"")
+  end
+
+  test "escapeHTML shouldn't touch explicitly safe strings" do
+    # TODO this seems easier to compose and reason about, but
+    # this should be verified
+    assert_equal "<", ERB::Util.h("<".html_safe)
+  end
+
+end
diff --git a/vendor/plugins/rails_xss/test/output_safety_test.rb b/vendor/plugins/rails_xss/test/output_safety_test.rb
new file mode 100644
index 000000000..2e376477d
--- /dev/null
+++ b/vendor/plugins/rails_xss/test/output_safety_test.rb
@@ -0,0 +1,115 @@
+require 'test_helper'
+
+class OutputSafetyTest < ActiveSupport::TestCase
+  def setup
+    @string = "hello"
+    @object = Class.new(Object) do
+      def to_s
+        "other"
+      end
+    end.new
+  end
+
+  test "A string is unsafe by default" do
+    assert !@string.html_safe?
+  end
+
+  test "A string can be marked safe" do
+    string = @string.html_safe
+    assert string.html_safe?
+  end
+
+  test "Marking a string safe returns the string" do
+    assert_equal @string, @string.html_safe
+  end
+
+  test "A fixnum is safe by default" do
+    assert 5.html_safe?
+  end
+
+  test "An object is unsafe by default" do
+    assert !@object.html_safe?
+  end
+
+  test "Adding an object to a safe string returns a safe string" do
+    string = @string.html_safe
+    string << @object
+
+    assert_equal "helloother", string
+    assert string.html_safe?
+  end
+
+  test "Adding a safe string to another safe string returns a safe string" do
+    @other_string = "other".html_safe
+    string = @string.html_safe
+    @combination = @other_string + string
+
+    assert_equal "otherhello", @combination
+    assert @combination.html_safe?
+  end
+
+  test "Adding an unsafe string to a safe string escapes it and returns a safe string" do
+    @other_string = "other".html_safe
+    @combination = @other_string + "<foo>"
+    @other_combination = @string + "<foo>"
+
+    assert_equal "other&lt;foo&gt;", @combination
+    assert_equal "hello<foo>", @other_combination
+
+    assert @combination.html_safe?
+    assert !@other_combination.html_safe?
+  end
+
+  test "Concatting safe onto unsafe yields unsafe" do
+    @other_string = "other"
+
+    string = @string.html_safe
+    @other_string.concat(string)
+    assert !@other_string.html_safe?
+  end
+
+  test "Concatting unsafe onto safe yields escaped safe" do
+    @other_string = "other".html_safe
+    string = @other_string.concat("<foo>")
+    assert_equal "other&lt;foo&gt;", string
+    assert string.html_safe?
+  end
+
+  test "Concatting safe onto safe yields safe" do
+    @other_string = "other".html_safe
+    string = @string.html_safe
+
+    @other_string.concat(string)
+    assert @other_string.html_safe?
+  end
+
+  test "Concatting safe onto unsafe with << yields unsafe" do
+    @other_string = "other"
+    string = @string.html_safe
+
+    @other_string << string
+    assert !@other_string.html_safe?
+  end
+
+  test "Concatting unsafe onto safe with << yields escaped safe" do
+    @other_string = "other".html_safe
+    string = @other_string << "<foo>"
+    assert_equal "other&lt;foo&gt;", string
+    assert string.html_safe?
+  end
+
+  test "Concatting safe onto safe with << yields safe" do
+    @other_string = "other".html_safe
+    string = @string.html_safe
+
+    @other_string << string
+    assert @other_string.html_safe?
+  end
+
+  test "Concatting a fixnum to safe always yields safe" do
+    string = @string.html_safe
+    string = string.concat(13)
+    assert_equal "hello".concat(13), string
+    assert string.html_safe?
+  end
+end
diff --git a/vendor/plugins/rails_xss/test/rails_xss_test.rb b/vendor/plugins/rails_xss/test/rails_xss_test.rb
new file mode 100644
index 000000000..b6268bafd
--- /dev/null
+++ b/vendor/plugins/rails_xss/test/rails_xss_test.rb
@@ -0,0 +1,23 @@
+require 'test_helper'
+
+class RailsXssTest < ActiveSupport::TestCase
+  test "ERB::Util.h should mark its return value as safe and escape it" do
+    escaped = ERB::Util.h("<p>")
+    assert_equal "&lt;p&gt;", escaped
+    assert escaped.html_safe?
+  end
+
+  test "ERB::Util.h should leave previously safe strings alone " do
+    # TODO this seems easier to compose and reason about, but
+    # this should be verified
+    escaped = ERB::Util.h("<p>".html_safe)
+    assert_equal "<p>", escaped
+    assert escaped.html_safe?
+  end
+
+  test "ERB::Util.h should not implode when passed a non-string" do
+    assert_nothing_raised do
+      assert_equal "1", ERB::Util.h(1)
+    end
+  end
+end
diff --git a/vendor/plugins/rails_xss/test/raw_output_helper_test.rb b/vendor/plugins/rails_xss/test/raw_output_helper_test.rb
new file mode 100644
index 000000000..2a67f976e
--- /dev/null
+++ b/vendor/plugins/rails_xss/test/raw_output_helper_test.rb
@@ -0,0 +1,18 @@
+require 'test_helper'
+
+class RawOutputHelperTest < ActionView::TestCase
+
+  def setup
+    @string = "hello"
+  end
+
+  test "raw returns the safe string" do
+    result = raw(@string)
+    assert_equal @string, result
+    assert result.html_safe?
+  end
+
+  test "raw handles nil values correctly" do
+    assert_equal "", raw(nil)
+  end
+end
diff --git a/vendor/plugins/rails_xss/test/safe_buffer_test.rb b/vendor/plugins/rails_xss/test/safe_buffer_test.rb
new file mode 100644
index 000000000..a0a2eccee
--- /dev/null
+++ b/vendor/plugins/rails_xss/test/safe_buffer_test.rb
@@ -0,0 +1,51 @@
+require 'test_helper'
+
+class SafeBufferTest < ActiveSupport::TestCase
+  def setup
+    @buffer = ActiveSupport::SafeBuffer.new
+  end
+
+  test "Should look like a string" do
+    assert @buffer.is_a?(String)
+    assert_equal "", @buffer
+  end
+
+  test "Should escape a raw string which is passed to them" do
+    @buffer << "<script>"
+    assert_equal "&lt;script&gt;", @buffer
+  end
+
+  test "Should NOT escape a safe value passed to it" do
+    @buffer << "<script>".html_safe
+    assert_equal "<script>", @buffer
+  end
+
+  test "Should not mess with an innocuous string" do
+    @buffer << "Hello"
+    assert_equal "Hello", @buffer
+  end
+
+  test "Should not mess with a previously escape test" do
+    @buffer << ERB::Util.html_escape("<script>")
+    assert_equal "&lt;script&gt;", @buffer
+  end
+
+  test "Should be considered safe" do
+    assert @buffer.html_safe?
+  end
+
+  test "Should return a safe buffer when calling to_s" do
+    new_buffer = @buffer.to_s
+    assert_equal ActiveSupport::SafeBuffer, new_buffer.class
+  end
+  
+  test "Should not return a safe buffer when using sub" do
+    assert !@buffer.sub('', "asdf").html_safe?
+  end
+  
+  test "Should raise argument error when using sub!" do
+    assert_raise TypeError do
+      @buffer.sub!('', "asdf")
+    end
+  end
+end
diff --git a/vendor/plugins/rails_xss/test/tag_helper_test.rb b/vendor/plugins/rails_xss/test/tag_helper_test.rb
new file mode 100644
index 000000000..2a4280943
--- /dev/null
+++ b/vendor/plugins/rails_xss/test/tag_helper_test.rb
@@ -0,0 +1,21 @@
+require 'test_helper'
+
+class TagHelperTest < ActionView::TestCase
+
+  def test_content_tag
+    assert_equal "<a href=\"create\">Create</a>", content_tag("a", "Create", "href" => "create")
+    assert content_tag("a", "Create", "href" => "create").html_safe?
+    assert_equal content_tag("a", "Create", "href" => "create"),
+                 content_tag("a", "Create", :href => "create")
+    assert_equal "<p>&lt;script&gt;evil_js&lt;/script&gt;</p>",
+                 content_tag(:p, '<script>evil_js</script>')
+    assert_equal "<p><script>evil_js</script></p>",
+                 content_tag(:p, '<script>evil_js</script>', nil, false)
+  end
+
+  def test_tag_honors_html_safe_for_param_values
+    ['1&amp;2', '1 &lt; 2', '&#8220;test&#8220;'].each do |escaped|
+      assert_equal %(<a href="#{escaped}" />), tag('a', :href => escaped.html_safe)
+    end
+  end
+end
diff --git a/vendor/plugins/rails_xss/test/test_helper.rb b/vendor/plugins/rails_xss/test/test_helper.rb
new file mode 100644
index 000000000..d9594e446
--- /dev/null
+++ b/vendor/plugins/rails_xss/test/test_helper.rb
@@ -0,0 +1,6 @@
+abort 'RAILS_ROOT=/path/to/rails/2.3/app rake test' unless ENV['RAILS_ROOT']
+require File.expand_path('config/environment', ENV['RAILS_ROOT'])
+require File.expand_path('../../init', __FILE__)
+require 'active_support/test_case'
+require 'action_view/test_case'
+require 'test/unit'
diff --git a/vendor/plugins/rails_xss/test/text_helper_test.rb b/vendor/plugins/rails_xss/test/text_helper_test.rb
new file mode 100644
index 000000000..b74ae547c
--- /dev/null
+++ b/vendor/plugins/rails_xss/test/text_helper_test.rb
@@ -0,0 +1,30 @@
+require 'test_helper'
+
+class TextHelperTest < ActionView::TestCase
+
+  def setup
+    @controller = Class.new do
+      attr_accessor :request
+      def url_for(*args) "http://www.example.com" end
+    end.new
+  end
+
+  def test_simple_format_with_escaping_html_options
+    assert_dom_equal(%(<p class="intro">It's nice to have options.</p>),
+                     simple_format("It's nice to have options.", :class=>"intro"))
+  end
+
+  def test_simple_format_should_not_escape_safe_content
+    assert_dom_equal(%(<p>This is <script>safe_js</script>.</p>),
+                     simple_format('This is <script>safe_js</script>.'.html_safe))
+  end
+
+  def test_simple_format_escapes_unsafe_content
+    assert_dom_equal(%(<p>This is &lt;script&gt;evil_js&lt;/script&gt;.</p>),
+                     simple_format('This is <script>evil_js</script>.'))
+  end
+
+  def test_truncate_should_not_be_html_safe
+    assert !truncate("Hello World!", :length => 12).html_safe?
+  end
+end
diff --git a/vendor/plugins/rails_xss/test/url_for_test.rb b/vendor/plugins/rails_xss/test/url_for_test.rb
new file mode 100644
index 000000000..b13451bfb
--- /dev/null
+++ b/vendor/plugins/rails_xss/test/url_for_test.rb
@@ -0,0 +1,39 @@
+require 'test_helper'
+
+class UrlHelperTest < ActionView::TestCase
+
+  def abcd(hash = {})
+    hash_for(:a => :b, :c => :d).merge(hash)
+  end
+
+  def hash_for(opts = {})
+    {:controller => "foo", :action => "bar"}.merge(opts)
+  end
+
+  def test_url_for_does_not_escape_urls_if_explicitly_stated
+    assert_equal "/foo/bar?a=b&c=d", url_for(abcd(:escape => false))
+  end
+
+  def test_link_tag_with_img
+    link = link_to("<img src='/favicon.jpg' />".html_safe, "/")
+    expected = %{<a href="/"><img src='/favicon.jpg' /></a>}
+    assert_dom_equal expected, link
+  end
+
+  def test_link_to_should_not_escape_content_for_html_safe
+    link = link_to("Some <p>html</p>".html_safe, "/")
+    expected = %{<a href="/">Some <p>html</p></a>}
+    assert_dom_equal link, expected
+  end
+
+  def test_link_to_escapes_content_for_non_safe
+    link = link_to("Some <p>html</p>", "/")
+    expected = %{<a href="/">Some &lt;p&gt;html&lt;/p&gt;</a>}
+    assert_dom_equal link, expected
+  end
+
+  def test_url_for_escaping_is_safety_aware
+    assert url_for(abcd(:escape => true)).html_safe?, "escaped urls should be html_safe?"
+    assert !url_for(abcd(:escape => false)).html_safe?, "non-escaped urls should not be html_safe?"
+  end
+end