actionview 4.1.13 → 6.1.3.1

data/lib/action_view/helpers/javascript_helper.rb

@@ -1,34 +1,39 @@
-require 'action_view/helpers/tag_helper'
+# frozen_string_literal: true
+
+require "action_view/helpers/tag_helper"
 
 module ActionView
-  module Helpers
+  module Helpers #:nodoc:
     module JavaScriptHelper
       JS_ESCAPE_MAP = {
         '\\'    => '\\\\',
-        '</'    => '<\/',
+        "</"    => '<\/',
         "\r\n"  => '\n',
         "\n"    => '\n',
         "\r"    => '\n',
         '"'     => '\\"',
-        "'"     => "\\'"
+        "'"     => "\\'",
+        "`"     => "\\`",
+        "$"     => "\\$"
       }
 
-      JS_ESCAPE_MAP["\342\200\250".force_encoding(Encoding::UTF_8).encode!] = '&#x2028;'
-      JS_ESCAPE_MAP["\342\200\251".force_encoding(Encoding::UTF_8).encode!] = '&#x2029;'
+      JS_ESCAPE_MAP[(+"\342\200\250").force_encoding(Encoding::UTF_8).encode!] = "&#x2028;"
+      JS_ESCAPE_MAP[(+"\342\200\251").force_encoding(Encoding::UTF_8).encode!] = "&#x2029;"
 
       # Escapes carriage returns and single and double quotes for JavaScript segments.
       #
       # Also available through the alias j(). This is particularly helpful in JavaScript
       # responses, like:
       #
-      #   $('some_element').replaceWith('<%=j render 'some/element_template' %>');
+      #   $('some_element').replaceWith('<%= j render 'some/element_template' %>');
       def escape_javascript(javascript)
-        if javascript
-          result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'])/u) {|match| JS_ESCAPE_MAP[match] }
-          javascript.html_safe? ? result.html_safe : result
+        javascript = javascript.to_s
+        if javascript.empty?
+          result = ""
         else
-          ''
+          result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP)
         end
+        javascript.html_safe? ? result.html_safe : result
       end
 
       alias_method :j, :escape_javascript
@@ -46,13 +51,26 @@ module ActionView
       # +html_options+ may be a hash of attributes for the <tt>\<script></tt>
       # tag.
       #
-      #   javascript_tag "alert('All is good')", defer: 'defer'
-      #   # => <script defer="defer">alert('All is good')</script>
+      #   javascript_tag "alert('All is good')", type: 'application/javascript'
+      #
+      # Returns:
+      #   <script type="application/javascript">
+      #   //<![CDATA[
+      #   alert('All is good')
+      #   //]]>
+      #   </script>
       #
       # Instead of passing the content as an argument, you can also use a block
       # in which case, you pass your +html_options+ as the first parameter.
       #
-      #   <%= javascript_tag defer: 'defer' do -%>
+      #   <%= javascript_tag type: 'application/javascript' do -%>
+      #     alert('All is good')
+      #   <% end -%>
+      #
+      # If you have a content security policy enabled then you can add an automatic
+      # nonce value by passing <tt>nonce: true</tt> as part of +html_options+. Example:
+      #
+      #   <%= javascript_tag nonce: true do -%>
       #     alert('All is good')
       #   <% end -%>
       def javascript_tag(content_or_options_with_block = nil, html_options = {}, &block)
@@ -64,7 +82,11 @@ module ActionView
             content_or_options_with_block
           end
 
-        content_tag(:script, javascript_cdata_section(content), html_options)
+        if html_options[:nonce] == true
+          html_options[:nonce] = content_security_policy_nonce
+        end
+
+        content_tag("script", javascript_cdata_section(content), html_options)
       end
 
       def javascript_cdata_section(content) #:nodoc:

data/lib/action_view/helpers/number_helper.rb

@@ -1,13 +1,12 @@
-# encoding: utf-8
+# frozen_string_literal: true
 
-require 'active_support/core_ext/hash/keys'
-require 'active_support/core_ext/string/output_safety'
-require 'active_support/number_helper'
+require "active_support/core_ext/hash/keys"
+require "active_support/core_ext/string/output_safety"
+require "active_support/number_helper"
 
 module ActionView
   # = Action View Number Helpers
   module Helpers #:nodoc:
-
     # Provides methods for converting numbers into formatted strings.
     # Methods are provided for phone numbers, currency, percentage,
     # precision, positional notation, file size and pretty printing.
@@ -15,7 +14,6 @@ module ActionView
     # Most methods expect a +number+ argument, and will return it
     # unchanged if can't be converted into a valid number.
     module NumberHelper
-
       # Raised when argument +number+ param given to the helpers is invalid and
       # the option :raise is set to  +true+.
       class InvalidNumberError < StandardError
@@ -25,7 +23,7 @@ module ActionView
         end
       end
 
-      # Formats a +number+ into a US phone number (e.g., (555)
+      # Formats a +number+ into a phone number (US by default e.g., (555)
       # 123-9876). You can customize the format in the +options+ hash.
       #
       # ==== Options
@@ -37,6 +35,8 @@ module ActionView
       #   end of the generated number.
       # * <tt>:country_code</tt> - Sets the country code for the phone
       #   number.
+      # * <tt>:pattern</tt> - Specifies how the number is divided into three
+      #   groups with the custom regexp to override the default format.
       # * <tt>:raise</tt> - If true, raises +InvalidNumberError+ when
       #   the argument is invalid.
       #
@@ -54,6 +54,11 @@ module ActionView
       #
       #   number_to_phone(1235551234, country_code: 1, extension: 1343, delimiter: ".")
       #   # => +1.123.555.1234 x 1343
+      #
+      #   number_to_phone(75561234567, pattern: /(\d{1,4})(\d{4})(\d{4})$/, area_code: true)
+      #   # => "(755) 6123-4567"
+      #   number_to_phone(13312345678, pattern: /(\d{3})(\d{4})(\d{4})$/)
+      #   # => "133-1234-5678"
       def number_to_phone(number, options = {})
         return unless number
         options = options.symbolize_keys
@@ -65,6 +70,14 @@ module ActionView
       # Formats a +number+ into a currency string (e.g., $13.65). You
       # can customize the format in the +options+ hash.
       #
+      # The currency unit and number formatting of the current locale will be used
+      # unless otherwise specified in the provided options. No currency conversion
+      # is performed. If the user is given a way to change their locale, they will
+      # also be able to change the relative value of the currency displayed with
+      # this helper. If your application will ever support multiple locales, you
+      # may want to specify a constant <tt>:locale</tt> option or consider
+      # using a library capable of currency conversion.
+      #
       # ==== Options
       #
       # * <tt>:locale</tt> - Sets the locale to be used for formatting
@@ -81,12 +94,15 @@ module ActionView
       #   (defaults to "%u%n").  Fields are <tt>%u</tt> for the
       #   currency, and <tt>%n</tt> for the number.
       # * <tt>:negative_format</tt> - Sets the format for negative
-      #   numbers (defaults to prepending an hyphen to the formatted
+      #   numbers (defaults to prepending a hyphen to the formatted
       #   number given by <tt>:format</tt>).  Accepts the same fields
       #   than <tt>:format</tt>, except <tt>%n</tt> is here the
       #   absolute value of the number.
       # * <tt>:raise</tt> - If true, raises +InvalidNumberError+ when
       #   the argument is invalid.
+      # * <tt>:strip_insignificant_zeros</tt> - If +true+ removes
+      #   insignificant zeros after the decimal separator (defaults to
+      #   +false+).
       #
       # ==== Examples
       #
@@ -98,12 +114,16 @@ module ActionView
       #
       #   number_to_currency("123a456", raise: true)           # => InvalidNumberError
       #
+      #   number_to_currency(-0.456789, precision: 0)
+      #   # => "$0"
       #   number_to_currency(-1234567890.50, negative_format: "(%u%n)")
       #   # => ($1,234,567,890.50)
       #   number_to_currency(1234567890.50, unit: "R$", separator: ",", delimiter: "")
       #   # => R$1234567890,50
       #   number_to_currency(1234567890.50, unit: "R$", separator: ",", delimiter: "", format: "%n %u")
       #   # => 1234567890,50 R$
+      #   number_to_currency(1234567890.50, strip_insignificant_zeros: true)
+      #   # => "$1,234,567,890.5"
       def number_to_currency(number, options = {})
         delegate_number_helper_method(:number_to_currency, number, options)
       end
@@ -117,8 +137,8 @@ module ActionView
       #   (defaults to current locale).
       # * <tt>:precision</tt> - Sets the precision of the number
       #   (defaults to 3).
-      # * <tt>:significant</tt> - If +true+, precision will be the #
-      #   of significant_digits. If +false+, the # of fractional
+      # * <tt>:significant</tt> - If +true+, precision will be the number
+      #   of significant_digits. If +false+, the number of fractional
       #   digits (defaults to +false+).
       # * <tt>:separator</tt> - Sets the separator between the
       #   fractional and integer digits (defaults to ".").
@@ -141,7 +161,7 @@ module ActionView
       #   number_to_percentage(302.24398923423, precision: 5)              # => 302.24399%
       #   number_to_percentage(1000, locale: :fr)                          # => 1 000,000%
       #   number_to_percentage("98a")                                      # => 98a%
-      #   number_to_percentage(100, format: "%n  %")                       # => 100  %
+      #   number_to_percentage(100, format: "%n  %")                       # => 100.000  %
       #
       #   number_to_percentage("98a", raise: true)                         # => InvalidNumberError
       def number_to_percentage(number, options = {})
@@ -160,6 +180,9 @@ module ActionView
       #   to ",").
       # * <tt>:separator</tt> - Sets the separator between the
       #   fractional and integer digits (defaults to ".").
+      # * <tt>:delimiter_pattern</tt> - Sets a custom regular expression used for
+      #   deriving the placement of delimiter. Helpful when using currency formats
+      #   like INR.
       # * <tt>:raise</tt> - If true, raises +InvalidNumberError+ when
       #   the argument is invalid.
       #
@@ -176,6 +199,9 @@ module ActionView
       #   number_with_delimiter(98765432.98, delimiter: " ", separator: ",")
       #   # => 98 765 432,98
       #
+      #   number_with_delimiter("123456.78",
+      #     delimiter_pattern: /(\d+?)(?=(\d\d)+(\d)(?!\d))/)    # => "1,23,456.78"
+      #
       #  number_with_delimiter("112a", raise: true)              # => raise InvalidNumberError
       def number_with_delimiter(number, options = {})
         delegate_number_helper_method(:number_to_delimited, number, options)
@@ -192,8 +218,8 @@ module ActionView
       #   (defaults to current locale).
       # * <tt>:precision</tt> - Sets the precision of the number
       #   (defaults to 3).
-      # * <tt>:significant</tt> - If +true+, precision will be the #
-      #   of significant_digits. If +false+, the # of fractional
+      # * <tt>:significant</tt> - If +true+, precision will be the number
+      #   of significant_digits. If +false+, the number of fractional
       #   digits (defaults to +false+).
       # * <tt>:separator</tt> - Sets the separator between the
       #   fractional and integer digits (defaults to ".").
@@ -227,7 +253,7 @@ module ActionView
       end
 
       # Formats the bytes in +number+ into a more understandable
-      # representation (e.g., giving it 1500 yields 1.5 KB). This
+      # representation (e.g., giving it 1500 yields 1.46 KB). This
       # method is useful for reporting file sizes to users. You can
       # customize the format in the +options+ hash.
       #
@@ -240,8 +266,8 @@ module ActionView
       #   (defaults to current locale).
       # * <tt>:precision</tt> - Sets the precision of the number
       #   (defaults to 3).
-      # * <tt>:significant</tt> - If +true+, precision will be the #
-      #   of significant_digits. If +false+, the # of fractional
+      # * <tt>:significant</tt> - If +true+, precision will be the number
+      #   of significant_digits. If +false+, the number of fractional
       #   digits (defaults to +true+)
       # * <tt>:separator</tt> - Sets the separator between the
       #   fractional and integer digits (defaults to ".").
@@ -250,8 +276,6 @@ module ActionView
       # * <tt>:strip_insignificant_zeros</tt> - If +true+ removes
       #   insignificant zeros after the decimal separator (defaults to
       #   +true+)
-      # * <tt>:prefix</tt> - If +:si+ formats the number using the SI
-      #   prefix (defaults to :binary)
       # * <tt>:raise</tt> - If true, raises +InvalidNumberError+ when
       #   the argument is invalid.
       #
@@ -263,31 +287,27 @@ module ActionView
       #   number_to_human_size(1234567)                                      # => 1.18 MB
       #   number_to_human_size(1234567890)                                   # => 1.15 GB
       #   number_to_human_size(1234567890123)                                # => 1.12 TB
+      #   number_to_human_size(1234567890123456)                             # => 1.1 PB
+      #   number_to_human_size(1234567890123456789)                          # => 1.07 EB
       #   number_to_human_size(1234567, precision: 2)                        # => 1.2 MB
       #   number_to_human_size(483989, precision: 2)                         # => 470 KB
       #   number_to_human_size(1234567, precision: 2, separator: ',')        # => 1,2 MB
-      #
-      # Non-significant zeros after the fractional separator are
-      # stripped out by default (set
-      # <tt>:strip_insignificant_zeros</tt> to +false+ to change
-      # that):
-      #
-      #   number_to_human_size(1234567890123, precision: 5)        # => "1.1229 TB"
-      #   number_to_human_size(524288000, precision: 5)            # => "500 MB"
+      #   number_to_human_size(1234567890123, precision: 5)                  # => "1.1228 TB"
+      #   number_to_human_size(524288000, precision: 5)                      # => "500 MB"
       def number_to_human_size(number, options = {})
         delegate_number_helper_method(:number_to_human_size, number, options)
       end
 
       # Pretty prints (formats and approximates) a number in a way it
-      # is more readable by humans (eg.: 1200000000 becomes "1.2
+      # is more readable by humans (e.g.: 1200000000 becomes "1.2
       # Billion"). This is useful for numbers that can get very large
       # (and too hard to read).
       #
       # See <tt>number_to_human_size</tt> if you want to print a file
       # size.
       #
-      # You can also define you own unit-quantifier names if you want
-      # to use other decimal units (eg.: 1500 becomes "1.5
+      # You can also define your own unit-quantifier names if you want
+      # to use other decimal units (e.g.: 1500 becomes "1.5
       # kilometers", 0.150 becomes "150 milliliters", etc). You may
       # define a wide range of unit quantifiers, even fractional ones
       # (centi, deci, mili, etc).
@@ -298,8 +318,8 @@ module ActionView
       #   (defaults to current locale).
       # * <tt>:precision</tt> - Sets the precision of the number
       #   (defaults to 3).
-      # * <tt>:significant</tt> - If +true+, precision will be the #
-      #   of significant_digits. If +false+, the # of fractional
+      # * <tt>:significant</tt> - If +true+, precision will be the number
+      #   of significant_digits. If +false+, the number of fractional
       #   digits (defaults to +true+)
       # * <tt>:separator</tt> - Sets the separator between the
       #   fractional and integer digits (defaults to ".").
@@ -312,12 +332,12 @@ module ActionView
       #   string containing an i18n scope where to find this hash. It
       #   might have the following keys:
       #   * *integers*: <tt>:unit</tt>, <tt>:ten</tt>,
-      #     *<tt>:hundred</tt>, <tt>:thousand</tt>, <tt>:million</tt>,
-      #     *<tt>:billion</tt>, <tt>:trillion</tt>,
-      #     *<tt>:quadrillion</tt>
+      #     <tt>:hundred</tt>, <tt>:thousand</tt>, <tt>:million</tt>,
+      #     <tt>:billion</tt>, <tt>:trillion</tt>,
+      #     <tt>:quadrillion</tt>
       #   * *fractionals*: <tt>:deci</tt>, <tt>:centi</tt>,
-      #     *<tt>:mili</tt>, <tt>:micro</tt>, <tt>:nano</tt>,
-      #     *<tt>:pico</tt>, <tt>:femto</tt>
+      #     <tt>:mili</tt>, <tt>:micro</tt>, <tt>:nano</tt>,
+      #     <tt>:pico</tt>, <tt>:femto</tt>
       # * <tt>:format</tt> - Sets the format of the output string
       #   (defaults to "%n %u"). The field types are:
       #   * %u - The quantifier (ex.: 'thousand')
@@ -343,11 +363,15 @@ module ActionView
       #                           separator: ',',
       #                           significant: false)                   # => "1,2 Million"
       #
+      #   number_to_human(500000000, precision: 5)                      # => "500 Million"
+      #   number_to_human(12345012345, significant: false)              # => "12.345 Billion"
+      #
       # Non-significant zeros after the decimal separator are stripped
       # out by default (set <tt>:strip_insignificant_zeros</tt> to
       # +false+ to change that):
-      #   number_to_human(12345012345, significant_digits: 6)       # => "12.345 Billion"
-      #   number_to_human(500000000, precision: 5)                  # => "500 Million"
+      #
+      # number_to_human(12.00001)                                       # => "12"
+      # number_to_human(12.00001, strip_insignificant_zeros: false)     # => "12.0"
       #
       # ==== Custom Unit Quantifiers
       #
@@ -381,54 +405,53 @@ module ActionView
       end
 
       private
+        def delegate_number_helper_method(method, number, options)
+          return unless number
+          options = escape_unsafe_options(options.symbolize_keys)
 
-      def delegate_number_helper_method(method, number, options)
-        return unless number
-        options = escape_unsafe_options(options.symbolize_keys)
-
-        wrap_with_output_safety_handling(number, options.delete(:raise)) {
-          ActiveSupport::NumberHelper.public_send(method, number, options)
-        }
-      end
+          wrap_with_output_safety_handling(number, options.delete(:raise)) {
+            ActiveSupport::NumberHelper.public_send(method, number, options)
+          }
+        end
 
-      def escape_unsafe_options(options)
-        options[:format]          = ERB::Util.html_escape(options[:format]) if options[:format]
-        options[:negative_format] = ERB::Util.html_escape(options[:negative_format]) if options[:negative_format]
-        options[:separator]       = ERB::Util.html_escape(options[:separator]) if options[:separator]
-        options[:delimiter]       = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter]
-        options[:unit]            = ERB::Util.html_escape(options[:unit]) if options[:unit] && !options[:unit].html_safe?
-        options[:units]           = escape_units(options[:units]) if options[:units] && Hash === options[:units]
-        options
-      end
+        def escape_unsafe_options(options)
+          options[:format]          = ERB::Util.html_escape(options[:format]) if options[:format]
+          options[:negative_format] = ERB::Util.html_escape(options[:negative_format]) if options[:negative_format]
+          options[:separator]       = ERB::Util.html_escape(options[:separator]) if options[:separator]
+          options[:delimiter]       = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter]
+          options[:unit]            = ERB::Util.html_escape(options[:unit]) if options[:unit] && !options[:unit].html_safe?
+          options[:units]           = escape_units(options[:units]) if options[:units] && Hash === options[:units]
+          options
+        end
 
-      def escape_units(units)
-        Hash[units.map do |k, v|
-          [k, ERB::Util.html_escape(v)]
-        end]
-      end
+        def escape_units(units)
+          units.transform_values do |v|
+            ERB::Util.html_escape(v)
+          end
+        end
 
-      def wrap_with_output_safety_handling(number, raise_on_invalid, &block)
-        valid_float = valid_float?(number)
-        raise InvalidNumberError, number if raise_on_invalid && !valid_float
+        def wrap_with_output_safety_handling(number, raise_on_invalid, &block)
+          valid_float = valid_float?(number)
+          raise InvalidNumberError, number if raise_on_invalid && !valid_float
 
-        formatted_number = yield
+          formatted_number = yield
 
-        if valid_float || number.html_safe?
-          formatted_number.html_safe
-        else
-          formatted_number
+          if valid_float || number.html_safe?
+            formatted_number.html_safe
+          else
+            formatted_number
+          end
         end
-      end
 
-      def valid_float?(number)
-        !parse_float(number, false).nil?
-      end
+        def valid_float?(number)
+          !parse_float(number, false).nil?
+        end
 
-      def parse_float(number, raise_error)
-        Float(number)
-      rescue ArgumentError, TypeError
-        raise InvalidNumberError, number if raise_error
-      end
+        def parse_float(number, raise_error)
+          Float(number)
+        rescue ArgumentError, TypeError
+          raise InvalidNumberError, number if raise_error
+        end
     end
   end
 end

data/lib/action_view/helpers/output_safety_helper.rb

@@ -1,4 +1,6 @@
-require 'active_support/core_ext/string/output_safety'
+# frozen_string_literal: true
+
+require "active_support/core_ext/string/output_safety"
 
 module ActionView #:nodoc:
   # = Action View Raw Output Helper
@@ -17,21 +19,51 @@ module ActionView #:nodoc:
         stringish.to_s.html_safe
       end
 
-      # This method returns a html safe string similar to what <tt>Array#join</tt>
-      # would return. All items in the array, including the supplied separator, are
-      # html escaped unless they are html safe, and the returned string is marked
-      # as html safe.
+      # This method returns an HTML safe string similar to what <tt>Array#join</tt>
+      # would return. The array is flattened, and all items, including
+      # the supplied separator, are HTML escaped unless they are HTML
+      # safe, and the returned string is marked as HTML safe.
       #
-      #   safe_join(["<p>foo</p>".html_safe, "<p>bar</p>"], "<br />")
+      #   safe_join([raw("<p>foo</p>"), "<p>bar</p>"], "<br />")
       #   # => "<p>foo</p>&lt;br /&gt;&lt;p&gt;bar&lt;/p&gt;"
       #
-      #   safe_join(["<p>foo</p>".html_safe, "<p>bar</p>".html_safe], "<br />".html_safe)
+      #   safe_join([raw("<p>foo</p>"), raw("<p>bar</p>")], raw("<br />"))
       #   # => "<p>foo</p><br /><p>bar</p>"
       #
-      def safe_join(array, sep=$,)
-        sep = ERB::Util.html_escape(sep)
+      def safe_join(array, sep = $,)
+        sep = ERB::Util.unwrapped_html_escape(sep)
+
+        array.flatten.map! { |i| ERB::Util.unwrapped_html_escape(i) }.join(sep).html_safe
+      end
+
+      # Converts the array to a comma-separated sentence where the last element is
+      # joined by the connector word. This is the html_safe-aware version of
+      # ActiveSupport's {Array#to_sentence}[https://api.rubyonrails.org/classes/Array.html#method-i-to_sentence].
+      #
+      def to_sentence(array, options = {})
+        options.assert_valid_keys(:words_connector, :two_words_connector, :last_word_connector, :locale)
+
+        default_connectors = {
+          words_connector: ", ",
+          two_words_connector: " and ",
+          last_word_connector: ", and "
+        }
+        if defined?(I18n)
+          i18n_connectors = I18n.translate(:'support.array', locale: options[:locale], default: {})
+          default_connectors.merge!(i18n_connectors)
+        end
+        options = default_connectors.merge!(options)
 
-        array.map { |i| ERB::Util.html_escape(i) }.join(sep).html_safe
+        case array.length
+        when 0
+          "".html_safe
+        when 1
+          ERB::Util.html_escape(array[0])
+        when 2
+          safe_join([array[0], array[1]], options[:two_words_connector])
+        else
+          safe_join([safe_join(array[0...-1], options[:words_connector]), options[:last_word_connector], array[-1]], nil)
+        end
       end
     end
   end