In the current router DSL, using the +match+ DSL
method will match all verbs for the path to the
specified endpoint.

In the vast majority of cases, people are
currently using +match+ when they actually mean
+get+. This introduces security implications.

This commit disallows calling +match+ without
an HTTP verb constraint by default. To explicitly
match all verbs, this commit also adds a
:via => :all option to +match+.

Closes #5964

ActionController::RoutingError are raised in router execution time and can not be
rescued in a controller.

Add index method to FormBuilder. Useful when you use field_for and need to know the index number into the iteration.

'itemscope' is defined within HTML5 for use in microdata markup. See
http://www.whatwg.org/specs/web-apps/current-work/multipage/microdata.ht
ml#attr-itemscope

This reverts commit 174cf8b2, reversing
changes made to 7ecd6a73.
The reverted commit improved the performance in the wrong place, now we
have added this 6ddbd184 improvement.

stringified keys

closes #5672

config.action_view.prefix_partial_path_with_controller_namespace

This allows you to choose to render @post using
/posts/_post.erb instead of /admin/posts/_post.erb
inside Admin::PostsController.

Closes #5632

If embedding auth_token in remote forms is off and we
pass a value for auth_token it should respect it.

Changed default value for `config.action_view.embed_authenticity_token_in_remote_forms`
to `false`. This change breaks remote forms that need to work also without javascript,
so if you need such behavior, you can either set it to `true` or explicitly pass
`:authenticity_token => true` in form options

There is a regression introduced in 16ee611f, which breaks
remote forms that should also work without javascript. This commit
introduces config option that allows to configure this behavior
defaulting to the old behavior (ie. include authenticity token
in remote forms by default)

Conflicts:

	actionpack/CHANGELOG.md

hash.

Closes #2492 and #5615

See issue #393, issue #4000, issue #5190, and issue #5191. Adds a newline after the textarea opening tag based on @codykrieger's original patch so that we don't cause regressions in Haml-using apps. The regression caused textarea tags to add newlines to the field unintentionally (each update/save added an extra newline.)

Also fix 6 more tests that didn't yet have the newline expectation.

if you want to read the file you may need to ask if there is something
to read from

objectify_options method should be applied to the proper options arg.

See explanation and example of the bug - https://github.com/kryzhovnik/rails_field_error_proc_bug_example

Previously `rendered_format` was set only based on mime types
passed in Accept header, which was wrong if first type from
Accept was different than rendered partial. The fix is to simply
move setting rendered_format to the place where template
is available and grab format from the template. If it fails
we can fallback to formats passed by Accept header.

When someone accidentally passes a string to sanitize like:

sanitize("<span>foo</span>", :tags => "b")

there is no indication that it's the wrong way and span
will not be removed.

Commit: 7a0cf2f5

By default, resources routes are created with :resource/:id. A model
defining to_param can make prettier urls by using something more
readable than an integer ID, but since the route picks it up as :id you
wind up with awkward User.find_by_username(params[:id]) calls.

By overriding the key to be used in @request.params you can be more
obvious in your intent.

Commit 56089ca9 introduced a backward
incompatible change by changing the method signature of the FormBuilder.
This brings back the same method signature warning in case someone gives
a block to the builder.

More info: https://github.com/rails/rails/commit/56089ca986c767763f29159c8de0aa1ebabfd4d2#commitcomment-1116166