actiontext 7.1.3.4 → 7.2.0.beta1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d51a41ff03b550ac428a52ce89ee785539d2ac0b386c5597f4c06b763070d054
-  data.tar.gz: 85028cdc38e4448c321e17190924c602f7bd940588307ef42206c7e0842ba31a
+  metadata.gz: d497d50205633b66005bfcfe850ee8d5404c0b3b9f953a14356bb912c8b3b4d5
+  data.tar.gz: '099e3d4dca02f13983f06b8ffcf6c49a1bb2f3cb66ae94e8534c0764f8b56700'
 SHA512:
-  metadata.gz: 417dec3ad3e197b566e52b5b42356481d6a5f54e1a792b5f16c7eeaa45137b2a4bdeeb32e83fd890d884fc60864e7d6062ebe25115710a40de06df3c93812c95
-  data.tar.gz: ab1691bf97b79a8f2b644b6bf324c06fc663fd8ca2ba4641a906fcf7062a4c4acb4103b25b405561fc21e81198ce7b7541a9d02921d137ae14de6eb75d01b1c7
+  metadata.gz: e9acfe56af6ec22cf0448fc42c7dc3cba769bbbce316efa926869ac083db8491a547366ae5beede3da8a02b75c1cbb6f7a8e252c0519fbd7c282af841835a644
+  data.tar.gz: 9beaaede36bf8158e2fee2e6d5f2fb02dbaabeb86a279ee7ca0e9ef87b5cc710d3ea454ae3e8723235eb8b2d2bc2586e540f89623c2609fd3620207e2785c042

data/CHANGELOG.md

@@ -1,34 +1,32 @@
-## Rails 7.1.3.4 (June 04, 2024) ##
+## Rails 7.2.0.beta1 (May 29, 2024) ##
 
-*   Sanitize ActionText HTML ContentAttachment in Trix edit view
-    [CVE-2024-32464]
+*   Use `includes` instead of `eager_load` for `with_all_rich_text`.
 
+    *Petrik de Heus*
 
-## Rails 7.1.3.3 (May 16, 2024) ##
+*   Delegate `ActionText::Content#deconstruct` to `Nokogiri::XML::DocumentFragment#elements`.
 
-*   Upgrade Trix to 1.3.2 to fix [CVE-2024-34341](https://github.com/basecamp/trix/security/advisories/GHSA-qjqp-xr96-cj99).
+    ```ruby
+    content = ActionText::Content.new <<~HTML
+      <h1>Hello, world</h1>
 
-    *Rafael Mendonça França*
+      <div>The body</div>
+    HTML
 
+    content => [h1, div]
 
-## Rails 7.1.3.2 (February 21, 2024) ##
+    assert_pattern { h1 => { content: "Hello, world" } }
+    assert_pattern { div => { content: "The body" } }
+    ```
 
-*   No changes.
-
-
-## Rails 7.1.3.1 (February 21, 2024) ##
-
-*   No changes.
-
-
-## Rails 7.1.3 (January 16, 2024) ##
-
-*   No changes.
+    *Sean Doyle*
 
+*   Fix all Action Text database related models to respect
+    `ActiveRecord::Base.table_name_prefix` configuration.
 
-## Rails 7.1.2 (November 10, 2023) ##
+    *Chedli Bourguiba*
 
-*   Compile ESM package that can be used directly in the browser as `actiontext.esm.js`.
+*   Compile ESM package that can be used directly in the browser as actiontext.esm.js
 
     *Matias Grunberg*
 
@@ -36,7 +34,7 @@
 
     *Matias Grunberg*
 
-*   Upgrade Trix to 2.0.7.
+*   Upgrade Trix to 2.0.7
 
     *Hartley McGuire*
 
@@ -44,82 +42,4 @@
 
     *Hartley McGuire*
 
-
-## Rails 7.1.1 (October 11, 2023) ##
-
-*   No changes.
-
-
-## Rails 7.1.0 (October 05, 2023) ##
-
-*   No changes.
-
-
-## Rails 7.1.0.rc2 (October 01, 2023) ##
-
-*   No changes.
-
-
-## Rails 7.1.0.rc1 (September 27, 2023) ##
-
-*   No changes.
-
-
-## Rails 7.1.0.beta1 (September 13, 2023) ##
-
-*   Use `Rails::HTML5::SafeListSanitizer` by default in the Rails 7.1 configuration if it is
-    supported.
-
-    Action Text's sanitizer can be configured by setting
-    `config.action_text.sanitizer_vendor`. Supported values are `Rails::HTML4::Sanitizer` or
-    `Rails::HTML5::Sanitizer`.
-
-    The Rails 7.1 configuration will set this to `Rails::HTML5::Sanitizer` when it is supported, and
-    fall back to `Rails::HTML4::Sanitizer`. Previous configurations default to
-    `Rails::HTML4::Sanitizer`.
-
-    As a result of this change, the defaults for `ActionText::ContentHelper.allowed_tags` and
-    `.allowed_attributes` are applied at runtime, so the value of these attributes is now 'nil'
-    unless set by the application. You may call `sanitizer_allowed_tags` or
-    `sanitizer_allowed_attributes` to inspect the tags and attributes being allowed by the
-    sanitizer.
-
-    *Mike Dalessio*
-
-*   Attachables now can override default attachment missing template.
-
-    When rendering Action Text attachments where the underlying attachable model has
-    been removed, a fallback template is used. You now can override this template on
-    a per-model basis. For example, you could render a placeholder image for a file
-    attachment or the text "Deleted User" for a User attachment.
-
-    *Matt Swanson*, *Joel Drapper*
-
-*   Update bundled Trix version from `1.3.1` to `2.0.4`.
-
-    *Sarah Ridge*, *Sean Doyle*
-
-*   Apply `field_error_proc` to `rich_text_area` form fields.
-
-    *Kaíque Kandy Koga*
-
-*   Action Text attachment URLs rendered in a background job (a la Turbo
-    Streams) now use `Rails.application.default_url_options` and
-    `Rails.application.config.force_ssl` instead of `http://example.org`.
-
-    *Jonathan Hefner*
-
-*   Support `strict_loading:` option for `has_rich_text` declaration
-
-    *Sean Doyle*
-
-*   Update ContentAttachment so that it can encapsulate arbitrary HTML content in a document.
-
-    *Jamis Buck*
-
-*   Fix an issue that caused the content layout to render multiple times when a
-    rich_text field was updated.
-
-    *Jacob Herrington*
-
-Please check [7-0-stable](https://github.com/rails/rails/blob/7-0-stable/actiontext/CHANGELOG.md) for previous changes.
+Please check [7-1-stable](https://github.com/rails/rails/blob/7-1-stable/actiontext/CHANGELOG.md) for previous changes.

data/app/assets/javascripts/actiontext.esm.js

@@ -771,9 +771,9 @@ function start() {
 }
 
 function didClick(event) {
-  const button = event.target.closest("button, input");
-  if (button && button.type === "submit" && button.form) {
-    submitButtonsByForm.set(button.form, button);
+  const {target: target} = event;
+  if ((target.tagName == "INPUT" || target.tagName == "BUTTON") && target.type == "submit" && target.form) {
+    submitButtonsByForm.set(target.form, target);
   }
 }
 

data/app/assets/javascripts/actiontext.js

@@ -753,9 +753,9 @@
     }
   }
   function didClick(event) {
-    const button = event.target.closest("button, input");
-    if (button && button.type === "submit" && button.form) {
-      submitButtonsByForm.set(button.form, button);
+    const {target: target} = event;
+    if ((target.tagName == "INPUT" || target.tagName == "BUTTON") && target.type == "submit" && target.form) {
+      submitButtonsByForm.set(target.form, target);
     }
   }
   function didSubmitForm(event) {

data/app/helpers/action_text/content_helper.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 require "rails-html-sanitizer"
 
 module ActionText
@@ -14,15 +16,6 @@ module ActionText
       sanitize_action_text_content(render_action_text_attachments(content))
     end
 
-    def sanitize_content_attachment(content_attachment)
-      sanitizer.sanitize(
-        content_attachment,
-        tags: sanitizer_allowed_tags,
-        attributes: sanitizer_allowed_attributes,
-        scrubber: scrubber,
-      )
-    end
-
     def sanitize_action_text_content(content)
       sanitizer.sanitize(
         content.to_html,

data/app/helpers/action_text/tag_helper.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 require "active_support/core_ext/object/try"
 require "action_view/helpers/tags/placeholderable"
 
@@ -7,20 +9,24 @@ module ActionText
   module TagHelper
     cattr_accessor(:id, instance_accessor: false) { 0 }
 
-    # Returns a +trix-editor+ tag that instantiates the Trix JavaScript editor as well as a hidden field
-    # that Trix will write to on changes, so the content will be sent on form submissions.
+    # Returns a `trix-editor` tag that instantiates the Trix JavaScript editor as
+    # well as a hidden field that Trix will write to on changes, so the content will
+    # be sent on form submissions.
+    #
+    # #### Options
+    # *   `:class` - Defaults to "trix-content" so that default styles will be
+    #     applied. Setting this to a different value will prevent default styles
+    #     from being applied.
+    # *   `[:data][:direct_upload_url]` - Defaults to `rails_direct_uploads_url`.
+    # *   `[:data][:blob_url_template]` - Defaults to
+    #     `rails_service_blob_url(":signed_id", ":filename")`.
     #
-    # ==== Options
-    # * <tt>:class</tt> - Defaults to "trix-content" so that default styles will be applied.
-    #   Setting this to a different value will prevent default styles from being applied.
-    # * <tt>[:data][:direct_upload_url]</tt> - Defaults to +rails_direct_uploads_url+.
-    # * <tt>[:data][:blob_url_template]</tt> - Defaults to <tt>rails_service_blob_url(":signed_id", ":filename")</tt>.
     #
-    # ==== Example
+    # #### Example
     #
-    #   rich_text_area_tag "content", message.content
-    #   # <input type="hidden" name="content" id="trix_input_post_1">
-    #   # <trix-editor id="content" input="trix_input_post_1" class="trix-content" ...></trix-editor>
+    #     rich_text_area_tag "content", message.content
+    #     # <input type="hidden" name="content" id="trix_input_post_1">
+    #     # <trix-editor id="content" input="trix_input_post_1" class="trix-content" ...></trix-editor>
     def rich_text_area_tag(name, value = nil, options = {})
       options = options.symbolize_keys
       form = options.delete(:form)
@@ -56,23 +62,27 @@ module ActionView::Helpers
   end
 
   module FormHelper
-    # Returns a +trix-editor+ tag that instantiates the Trix JavaScript editor as well as a hidden field
-    # that Trix will write to on changes, so the content will be sent on form submissions.
+    # Returns a `trix-editor` tag that instantiates the Trix JavaScript editor as
+    # well as a hidden field that Trix will write to on changes, so the content will
+    # be sent on form submissions.
+    #
+    # #### Options
+    # *   `:class` - Defaults to "trix-content" which ensures default styling is
+    #     applied.
+    # *   `:value` - Adds a default value to the HTML input tag.
+    # *   `[:data][:direct_upload_url]` - Defaults to `rails_direct_uploads_url`.
+    # *   `[:data][:blob_url_template]` - Defaults to
+    #     `rails_service_blob_url(":signed_id", ":filename")`.
     #
-    # ==== Options
-    # * <tt>:class</tt> - Defaults to "trix-content" which ensures default styling is applied.
-    # * <tt>:value</tt> - Adds a default value to the HTML input tag.
-    # * <tt>[:data][:direct_upload_url]</tt> - Defaults to +rails_direct_uploads_url+.
-    # * <tt>[:data][:blob_url_template]</tt> - Defaults to <tt>rails_service_blob_url(":signed_id", ":filename")</tt>.
     #
-    # ==== Example
-    #   rich_text_area :message, :content
-    #   # <input type="hidden" name="message[content]" id="message_content_trix_input_message_1">
-    #   # <trix-editor id="content" input="message_content_trix_input_message_1" class="trix-content" ...></trix-editor>
+    # #### Example
+    #     rich_text_area :message, :content
+    #     # <input type="hidden" name="message[content]" id="message_content_trix_input_message_1">
+    #     # <trix-editor id="content" input="message_content_trix_input_message_1" class="trix-content" ...></trix-editor>
     #
-    #   rich_text_area :message, :content, value: "<h1>Default message</h1>"
-    #   # <input type="hidden" name="message[content]" id="message_content_trix_input_message_1" value="<h1>Default message</h1>">
-    #   # <trix-editor id="content" input="message_content_trix_input_message_1" class="trix-content" ...></trix-editor>
+    #     rich_text_area :message, :content, value: "<h1>Default message</h1>"
+    #     # <input type="hidden" name="message[content]" id="message_content_trix_input_message_1" value="<h1>Default message</h1>">
+    #     # <trix-editor id="content" input="message_content_trix_input_message_1" class="trix-content" ...></trix-editor>
     def rich_text_area(object_name, method, options = {})
       Tags::ActionText.new(object_name, method, self, options).render
     end
@@ -81,9 +91,9 @@ module ActionView::Helpers
   class FormBuilder
     # Wraps ActionView::Helpers::FormHelper#rich_text_area for form builders:
     #
-    #   <%= form_with model: @message do |f| %>
-    #     <%= f.rich_text_area :content %>
-    #   <% end %>
+    #     <%= form_with model: @message do |f| %>
+    #       <%= f.rich_text_area :content %>
+    #     <% end %>
     #
     # Please refer to the documentation of the base helper for details.
     def rich_text_area(method, options = {})

data/app/models/action_text/encrypted_rich_text.rb

@@ -1,9 +1,9 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 module ActionText
   class EncryptedRichText < RichText
-    self.table_name = "action_text_rich_texts"
-
     encrypts :body
   end
 end

data/app/models/action_text/record.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 module ActionText
   class Record < ActiveRecord::Base # :nodoc:
     self.abstract_class = true

data/app/models/action_text/rich_text.rb

@@ -1,55 +1,87 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 module ActionText
-  # = Action Text \RichText
+  # # Action Text RichText
   #
-  # The RichText record holds the content produced by the Trix editor in a serialized +body+ attribute.
-  # It also holds all the references to the embedded files, which are stored using Active Storage.
-  # This record is then associated with the Active Record model the application desires to have
-  # rich text content using the +has_rich_text+ class method.
+  # The RichText record holds the content produced by the Trix editor in a
+  # serialized `body` attribute. It also holds all the references to the embedded
+  # files, which are stored using Active Storage. This record is then associated
+  # with the Active Record model the application desires to have rich text content
+  # using the `has_rich_text` class method.
   #
-  #   class Message < ActiveRecord::Base
-  #     has_rich_text :content
-  #   end
+  #     class Message < ActiveRecord::Base
+  #       has_rich_text :content
+  #     end
   #
-  #   message = Message.create!(content: "<h1>Funny times!</h1>")
-  #   message.content #=> #<ActionText::RichText....
-  #   message.content.to_s # => "<h1>Funny times!</h1>"
-  #   message.content.to_plain_text # => "Funny times!"
+  #     message = Message.create!(content: "<h1>Funny times!</h1>")
+  #     message.content #=> #<ActionText::RichText....
+  #     message.content.to_s # => "<h1>Funny times!</h1>"
+  #     message.content.to_plain_text # => "Funny times!"
   #
+  #     message = Message.create!(content: "<div onclick='action()'>safe<script>unsafe</script></div>")
+  #     message.content #=> #<ActionText::RichText....
+  #     message.content.to_s # => "<div>safeunsafe</div>"
+  #     message.content.to_plain_text # => "safeunsafe"
   class RichText < Record
-    self.table_name = "action_text_rich_texts"
+    ##
+    # :method: to_s
+    #
+    # Safely transforms RichText into an HTML String.
+    #
+    #     message = Message.create!(content: "<h1>Funny times!</h1>")
+    #     message.content.to_s # => "<h1>Funny times!</h1>"
+    #
+    #     message = Message.create!(content: "<div onclick='action()'>safe<script>unsafe</script></div>")
+    #     message.content.to_s # => "<div>safeunsafe</div>"
 
     serialize :body, coder: ActionText::Content
     delegate :to_s, :nil?, to: :body
 
+    ##
+    # :method: record
+    #
+    # Returns the associated record.
     belongs_to :record, polymorphic: true, touch: true
+
+    ##
+    # :method: embeds
+    #
+    # Returns the `ActiveStorage::Blob`s of the embedded files.
     has_many_attached :embeds
 
     before_save do
       self.embeds = body.attachables.grep(ActiveStorage::Blob).uniq if body.present?
     end
 
-    # Returns the +body+ attribute as plain text with all HTML tags removed.
+    # Returns a plain-text version of the markup contained by the `body` attribute,
+    # with tags removed but HTML entities encoded.
+    #
+    #     message = Message.create!(content: "<h1>Funny times!</h1>")
+    #     message.content.to_plain_text # => "Funny times!"
+    #
+    # NOTE: that the returned string is not HTML safe and should not be rendered in
+    # browsers.
     #
-    #   message = Message.create!(content: "<h1>Funny times!</h1>")
-    #   message.content.to_plain_text # => "Funny times!"
+    #     message = Message.create!(content: "&lt;script&gt;alert()&lt;/script&gt;")
+    #     message.content.to_plain_text # => "<script>alert()</script>"
     def to_plain_text
       body&.to_plain_text.to_s
     end
 
-    # Returns the +body+ attribute in a format that makes it editable in the Trix
+    # Returns the `body` attribute in a format that makes it editable in the Trix
     # editor. Previews of attachments are rendered inline.
     #
-    #   content = "<h1>Funny Times!</h1><figure data-trix-attachment='{\"sgid\":\"..."\}'></figure>"
-    #   message = Message.create!(content: content)
-    #   message.content.to_trix_html # =>
-    #   # <div class="trix-content">
-    #   #   <h1>Funny times!</h1>
-    #   #   <figure data-trix-attachment='{\"sgid\":\"..."\}'>
-    #   #      <img src="http://example.org/rails/active_storage/.../funny.jpg">
-    #   #   </figure>
-    #   # </div>
+    #     content = "<h1>Funny Times!</h1><figure data-trix-attachment='{\"sgid\":\"..."\}'></figure>"
+    #     message = Message.create!(content: content)
+    #     message.content.to_trix_html # =>
+    #     # <div class="trix-content">
+    #     #   <h1>Funny times!</h1>
+    #     #   <figure data-trix-attachment='{\"sgid\":\"..."\}'>
+    #     #      <img src="http://example.org/rails/active_storage/.../funny.jpg">
+    #     #   </figure>
+    #     # </div>
     def to_trix_html
       body&.to_trix_html
     end

data/db/migrate/20180528164100_create_action_text_tables.rb

@@ -20,6 +20,6 @@ class CreateActionTextTables < ActiveRecord::Migration[6.0]
       setting = config.options[config.orm][:primary_key_type]
       primary_key_type = setting || :primary_key
       foreign_key_type = setting || :bigint
-      [primary_key_type, foreign_key_type]
+      [ primary_key_type, foreign_key_type ]
     end
 end

data/lib/action_text/attachable.rb

@@ -1,31 +1,33 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 module ActionText
-  # = Action Text \Attachable
+  # # Action Text Attachable
   #
   # Include this module to make a record attachable to an ActionText::Content.
   #
-  #   class Person < ApplicationRecord
-  #     include ActionText::Attachable
-  #   end
+  #     class Person < ApplicationRecord
+  #       include ActionText::Attachable
+  #     end
   #
-  #   person = Person.create! name: "Javan"
-  #   html = %Q(<action-text-attachment sgid="#{person.attachable_sgid}"></action-text-attachment>)
-  #   content = ActionText::Content.new(html)
-  #   content.attachables # => [person]
+  #     person = Person.create! name: "Javan"
+  #     html = %Q(<action-text-attachment sgid="#{person.attachable_sgid}"></action-text-attachment>)
+  #     content = ActionText::Content.new(html)
+  #     content.attachables # => [person]
   module Attachable
     extend ActiveSupport::Concern
 
     LOCATOR_NAME = "attachable"
 
     class << self
-      # Extracts the +ActionText::Attachable+ from the attachment HTML node:
+      # Extracts the `ActionText::Attachable` from the attachment HTML node:
       #
-      #   person = Person.create! name: "Javan"
-      #   html = %Q(<action-text-attachment sgid="#{person.attachable_sgid}"></action-text-attachment>)
-      #   fragment = ActionText::Fragment.wrap(html)
-      #   attachment_node = fragment.find_all(ActionText::Attachment.tag_name).first
-      #   ActionText::Attachable.from_node(attachment_node) # => person
+      #     person = Person.create! name: "Javan"
+      #     html = %Q(<action-text-attachment sgid="#{person.attachable_sgid}"></action-text-attachment>)
+      #     fragment = ActionText::Fragment.wrap(html)
+      #     attachment_node = fragment.find_all(ActionText::Attachment.tag_name).first
+      #     ActionText::Attachable.from_node(attachment_node) # => person
       def from_node(node)
         if attachable = attachable_from_sgid(node["sgid"])
           attachable
@@ -57,23 +59,23 @@ module ActionText
         ActionText::Attachable.from_attachable_sgid(sgid, only: self)
       end
 
-      # Returns the path to the partial that is used for rendering missing attachables.
-      # Defaults to "action_text/attachables/missing_attachable".
+      # Returns the path to the partial that is used for rendering missing
+      # attachables. Defaults to "action_text/attachables/missing_attachable".
       #
       # Override to render a different partial:
       #
-      #   class User < ApplicationRecord
-      #     def self.to_missing_attachable_partial_path
-      #       "users/missing_attachable"
+      #     class User < ApplicationRecord
+      #       def self.to_missing_attachable_partial_path
+      #         "users/missing_attachable"
+      #       end
       #     end
-      #   end
       def to_missing_attachable_partial_path
         ActionText::Attachables::MissingAttachable::DEFAULT_PARTIAL_PATH
       end
     end
 
-    # Returns the Signed Global ID for the attachable. The purpose of the ID is
-    # set to 'attachable' so it can't be reused for other purposes.
+    # Returns the Signed Global ID for the attachable. The purpose of the ID is set
+    # to 'attachable' so it can't be reused for other purposes.
     def attachable_sgid
       to_sgid(expires_in: nil, for: LOCATOR_NAME).to_s
     end
@@ -98,30 +100,30 @@ module ActionText
       false
     end
 
-    # Returns the path to the partial that is used for rendering the attachable
-    # in Trix. Defaults to +to_partial_path+.
+    # Returns the path to the partial that is used for rendering the attachable in
+    # Trix. Defaults to `to_partial_path`.
     #
     # Override to render a different partial:
     #
-    #   class User < ApplicationRecord
-    #     def to_trix_content_attachment_partial_path
-    #       "users/trix_content_attachment"
+    #     class User < ApplicationRecord
+    #       def to_trix_content_attachment_partial_path
+    #         "users/trix_content_attachment"
+    #       end
     #     end
-    #   end
     def to_trix_content_attachment_partial_path
       to_partial_path
     end
 
     # Returns the path to the partial that is used for rendering the attachable.
-    # Defaults to +to_partial_path+.
+    # Defaults to `to_partial_path`.
     #
     # Override to render a different partial:
     #
-    #   class User < ApplicationRecord
-    #     def to_attachable_partial_path
-    #       "users/attachable"
+    #     class User < ApplicationRecord
+    #       def to_attachable_partial_path
+    #         "users/attachable"
+    #       end
     #     end
-    #   end
     def to_attachable_partial_path
       to_partial_path
     end

data/lib/action_text/attachables/content_attachment.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 module ActionText
   module Attachables
     class ContentAttachment # :nodoc:

data/lib/action_text/attachables/missing_attachable.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 module ActionText
   module Attachables
     class MissingAttachable

data/lib/action_text/attachables/remote_image.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+# :markup: markdown
+
 module ActionText
   module Attachables
     class RemoteImage