actionview 4.1.13 → 6.1.3.1

data/lib/action_view/helpers/rendering_helper.rb

@@ -1,5 +1,7 @@
+# frozen_string_literal: true
+
 module ActionView
-  module Helpers
+  module Helpers #:nodoc:
     # = Action View Rendering
     #
     # Implements methods that allow rendering from a view context.
@@ -11,28 +13,37 @@ module ActionView
       # * <tt>:partial</tt> - See <tt>ActionView::PartialRenderer</tt>.
       # * <tt>:file</tt> - Renders an explicit template file (this used to be the old default), add :locals to pass in those.
       # * <tt>:inline</tt> - Renders an inline template similar to how it's done in the controller.
-      # * <tt>:text</tt> - Renders the text passed in out.
       # * <tt>:plain</tt> - Renders the text passed in out. Setting the content
-      # type as <tt>text/plain</tt>.
-      # * <tt>:html</tt> - Renders the html safe string passed in out, otherwise
-      # performs html escape on the string first. Setting the content type as
-      # <tt>text/html</tt>.
+      #   type as <tt>text/plain</tt>.
+      # * <tt>:html</tt> - Renders the HTML safe string passed in out, otherwise
+      #   performs HTML escape on the string first. Setting the content type as
+      #   <tt>text/html</tt>.
       # * <tt>:body</tt> - Renders the text passed in, and inherits the content
-      # type of <tt>text/html</tt> from <tt>ActionDispatch::Response</tt>
-      # object.
+      #   type of <tt>text/plain</tt> from <tt>ActionDispatch::Response</tt>
+      #   object.
+      #
+      # If no <tt>options</tt> hash is passed or if <tt>:update</tt> is specified, then:
+      #
+      # If an object responding to +render_in+ is passed, +render_in+ is called on the object,
+      # passing in the current view context.
       #
-      # If no options hash is passed or :update specified, the default is to render a partial and use the second parameter
-      # as the locals hash.
+      # Otherwise, a partial is rendered using the second parameter as the locals hash.
       def render(options = {}, locals = {}, &block)
         case options
         when Hash
-          if block_given?
-            view_renderer.render_partial(self, options.merge(:partial => options[:layout]), &block)
-          else
-            view_renderer.render(self, options)
+          in_rendering_context(options) do |renderer|
+            if block_given?
+              view_renderer.render_partial(self, options.merge(partial: options[:layout]), &block)
+            else
+              view_renderer.render(self, options)
+            end
           end
         else
-          view_renderer.render_partial(self, :partial => options, :locals => locals)
+          if options.respond_to?(:render_in)
+            options.render_in(self, &block)
+          else
+            view_renderer.render_partial(self, partial: options, locals: locals, &block)
+          end
         end
       end
 

data/lib/action_view/helpers/sanitize_helper.rb

@@ -1,73 +1,93 @@
-require 'active_support/core_ext/object/try'
-require 'action_view/vendor/html-scanner'
+# frozen_string_literal: true
+
+require "rails-html-sanitizer"
 
 module ActionView
   # = Action View Sanitize Helpers
-  module Helpers
+  module Helpers #:nodoc:
     # The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements.
     # These helper methods extend Action View making them callable within your template files.
     module SanitizeHelper
       extend ActiveSupport::Concern
-      # This +sanitize+ helper will html encode all tags and strip all attributes that
-      # aren't specifically allowed.
+      # Sanitizes HTML input, stripping all but known-safe tags and attributes.
       #
-      # It also strips href/src tags with invalid protocols, like javascript: especially.
-      # It does its best to counter any  tricks that hackers may use, like throwing in
-      # unicode/ascii/hex values to get past the javascript: filters. Check out
-      # the extensive test suite.
+      # It also strips href/src attributes with unsafe protocols like
+      # <tt>javascript:</tt>, while also protecting against attempts to use Unicode,
+      # ASCII, and hex character references to work around these protocol filters.
+      # All special characters will be escaped.
       #
-      #   <%= sanitize @article.body %>
+      # The default sanitizer is Rails::Html::SafeListSanitizer. See {Rails HTML
+      # Sanitizers}[https://github.com/rails/rails-html-sanitizer] for more information.
       #
-      # You can add or remove tags/attributes if you want to customize it a bit.
-      # See ActionView::Base for full docs on the available options. You can add
-      # tags/attributes for single uses of +sanitize+ by passing either the
-      # <tt>:attributes</tt> or <tt>:tags</tt> options:
+      # Custom sanitization rules can also be provided.
       #
-      # Normal Use
+      # Please note that sanitizing user-provided text does not guarantee that the
+      # resulting markup is valid or even well-formed.
       #
-      #   <%= sanitize @article.body %>
+      # ==== Options
       #
-      # Custom Use (only the mentioned tags and attributes are allowed, nothing else)
+      # * <tt>:tags</tt> - An array of allowed tags.
+      # * <tt>:attributes</tt> - An array of allowed attributes.
+      # * <tt>:scrubber</tt> - A {Rails::Html scrubber}[https://github.com/rails/rails-html-sanitizer]
+      #   or {Loofah::Scrubber}[https://github.com/flavorjones/loofah] object that
+      #   defines custom sanitization rules. A custom scrubber takes precedence over
+      #   custom tags and attributes.
       #
-      #   <%= sanitize @article.body, tags: %w(table tr td), attributes: %w(id class style) %>
+      # ==== Examples
       #
-      # Add table tags to the default allowed tags
+      # Normal use:
       #
-      #   class Application < Rails::Application
-      #     config.action_view.sanitized_allowed_tags = ['table', 'tr', 'td']
-      #   end
+      #   <%= sanitize @comment.body %>
       #
-      # Remove tags to the default allowed tags
+      # Providing custom lists of permitted tags and attributes:
       #
-      #   class Application < Rails::Application
-      #     config.after_initialize do
-      #       ActionView::Base.sanitized_allowed_tags.delete 'div'
+      #   <%= sanitize @comment.body, tags: %w(strong em a), attributes: %w(href) %>
+      #
+      # Providing a custom Rails::Html scrubber:
+      #
+      #   class CommentScrubber < Rails::Html::PermitScrubber
+      #     def initialize
+      #       super
+      #       self.tags = %w( form script comment blockquote )
+      #       self.attributes = %w( style )
+      #     end
+      #
+      #     def skip_node?(node)
+      #       node.text?
       #     end
       #   end
       #
-      # Change allowed default attributes
+      #   <%= sanitize @comment.body, scrubber: CommentScrubber.new %>
+      #
+      # See {Rails HTML Sanitizer}[https://github.com/rails/rails-html-sanitizer] for
+      # documentation about Rails::Html scrubbers.
+      #
+      # Providing a custom Loofah::Scrubber:
       #
-      #   class Application < Rails::Application
-      #     config.action_view.sanitized_allowed_attributes = ['id', 'class', 'style']
+      #   scrubber = Loofah::Scrubber.new do |node|
+      #     node.remove if node.name == 'script'
       #   end
       #
-      # Please note that sanitizing user-provided text does not guarantee that the
-      # resulting markup is valid (conforming to a document type) or even well-formed.
-      # The output may still contain e.g. unescaped '<', '>', '&' characters and
-      # confuse browsers.
+      #   <%= sanitize @comment.body, scrubber: scrubber %>
+      #
+      # See {Loofah's documentation}[https://github.com/flavorjones/loofah] for more
+      # information about defining custom Loofah::Scrubber objects.
       #
+      # To set the default allowed tags or attributes across your application:
+      #
+      #   # In config/application.rb
+      #   config.action_view.sanitized_allowed_tags = ['strong', 'em', 'a']
+      #   config.action_view.sanitized_allowed_attributes = ['href', 'title']
       def sanitize(html, options = {})
-        self.class.white_list_sanitizer.sanitize(html, options).try(:html_safe)
+        self.class.safe_list_sanitizer.sanitize(html, options)&.html_safe
       end
 
       # Sanitizes a block of CSS code. Used by +sanitize+ when it comes across a style attribute.
       def sanitize_css(style)
-        self.class.white_list_sanitizer.sanitize_css(style)
+        self.class.safe_list_sanitizer.sanitize_css(style)
       end
 
-      # Strips all HTML tags from the +html+, including comments. This uses the
-      # html-scanner tokenizer and so its HTML parsing ability is limited by
-      # that of html-scanner.
+      # Strips all HTML tags from +html+, including comments and special characters.
       #
       #   strip_tags("Strip <i>these</i> tags!")
       #   # => Strip these tags!
@@ -77,11 +97,14 @@ module ActionView
       #
       #   strip_tags("<div id='top-bar'>Welcome to my website!</div>")
       #   # => Welcome to my website!
+      #
+      #   strip_tags("> A quote from Smith & Wesson")
+      #   # => &gt; A quote from Smith &amp; Wesson
       def strip_tags(html)
         self.class.full_sanitizer.sanitize(html)
       end
 
-      # Strips all link tags from +text+ leaving just the link text.
+      # Strips all link tags from +html+ leaving just the link text.
       #
       #   strip_links('<a href="http://www.rubyonrails.org">Ruby on Rails</a>')
       #   # => Ruby on Rails
@@ -91,164 +114,56 @@ module ActionView
       #
       #   strip_links('Blog: <a href="http://www.myblog.com/" class="nav" target=\"_blank\">Visit</a>.')
       #   # => Blog: Visit.
+      #
+      #   strip_links('<<a href="https://example.org">malformed & link</a>')
+      #   # => &lt;malformed &amp; link
       def strip_links(html)
         self.class.link_sanitizer.sanitize(html)
       end
 
       module ClassMethods #:nodoc:
-        attr_writer :full_sanitizer, :link_sanitizer, :white_list_sanitizer
-
-        def sanitized_protocol_separator
-          white_list_sanitizer.protocol_separator
-        end
+        attr_writer :full_sanitizer, :link_sanitizer, :safe_list_sanitizer
 
-        def sanitized_uri_attributes
-          white_list_sanitizer.uri_attributes
-        end
-
-        def sanitized_bad_tags
-          white_list_sanitizer.bad_tags
+        def sanitizer_vendor
+          Rails::Html::Sanitizer
         end
 
         def sanitized_allowed_tags
-          white_list_sanitizer.allowed_tags
+          sanitizer_vendor.safe_list_sanitizer.allowed_tags
         end
 
         def sanitized_allowed_attributes
-          white_list_sanitizer.allowed_attributes
+          sanitizer_vendor.safe_list_sanitizer.allowed_attributes
         end
 
-        def sanitized_allowed_css_properties
-          white_list_sanitizer.allowed_css_properties
-        end
-
-        def sanitized_allowed_css_keywords
-          white_list_sanitizer.allowed_css_keywords
-        end
-
-        def sanitized_shorthand_css_properties
-          white_list_sanitizer.shorthand_css_properties
-        end
-
-        def sanitized_allowed_protocols
-          white_list_sanitizer.allowed_protocols
-        end
-
-        def sanitized_protocol_separator=(value)
-          white_list_sanitizer.protocol_separator = value
-        end
-
-        # Gets the HTML::FullSanitizer instance used by +strip_tags+. Replace with
+        # Gets the Rails::Html::FullSanitizer instance used by +strip_tags+. Replace with
         # any object that responds to +sanitize+.
         #
         #   class Application < Rails::Application
         #     config.action_view.full_sanitizer = MySpecialSanitizer.new
         #   end
-        #
         def full_sanitizer
-          @full_sanitizer ||= HTML::FullSanitizer.new
+          @full_sanitizer ||= sanitizer_vendor.full_sanitizer.new
         end
 
-        # Gets the HTML::LinkSanitizer instance used by +strip_links+. Replace with
-        # any object that responds to +sanitize+.
+        # Gets the Rails::Html::LinkSanitizer instance used by +strip_links+.
+        # Replace with any object that responds to +sanitize+.
         #
         #   class Application < Rails::Application
         #     config.action_view.link_sanitizer = MySpecialSanitizer.new
         #   end
-        #
         def link_sanitizer
-          @link_sanitizer ||= HTML::LinkSanitizer.new
+          @link_sanitizer ||= sanitizer_vendor.link_sanitizer.new
         end
 
-        # Gets the HTML::WhiteListSanitizer instance used by sanitize and +sanitize_css+.
+        # Gets the Rails::Html::SafeListSanitizer instance used by sanitize and +sanitize_css+.
         # Replace with any object that responds to +sanitize+.
         #
         #   class Application < Rails::Application
-        #     config.action_view.white_list_sanitizer = MySpecialSanitizer.new
-        #   end
-        #
-        def white_list_sanitizer
-          @white_list_sanitizer ||= HTML::WhiteListSanitizer.new
-        end
-
-        # Adds valid HTML attributes that the +sanitize+ helper checks for URIs.
-        #
-        #   class Application < Rails::Application
-        #     config.action_view.sanitized_uri_attributes = ['lowsrc', 'target']
+        #     config.action_view.safe_list_sanitizer = MySpecialSanitizer.new
         #   end
-        #
-        def sanitized_uri_attributes=(attributes)
-          HTML::WhiteListSanitizer.uri_attributes.merge(attributes)
-        end
-
-        # Adds to the Set of 'bad' tags for the +sanitize+ helper.
-        #
-        #   class Application < Rails::Application
-        #     config.action_view.sanitized_bad_tags = ['embed', 'object']
-        #   end
-        #
-        def sanitized_bad_tags=(attributes)
-          HTML::WhiteListSanitizer.bad_tags.merge(attributes)
-        end
-
-        # Adds to the Set of allowed tags for the +sanitize+ helper.
-        #
-        #   class Application < Rails::Application
-        #     config.action_view.sanitized_allowed_tags = ['table', 'tr', 'td']
-        #   end
-        #
-        def sanitized_allowed_tags=(attributes)
-          HTML::WhiteListSanitizer.allowed_tags.merge(attributes)
-        end
-
-        # Adds to the Set of allowed HTML attributes for the +sanitize+ helper.
-        #
-        #   class Application < Rails::Application
-        #     config.action_view.sanitized_allowed_attributes = ['onclick', 'longdesc']
-        #   end
-        #
-        def sanitized_allowed_attributes=(attributes)
-          HTML::WhiteListSanitizer.allowed_attributes.merge(attributes)
-        end
-
-        # Adds to the Set of allowed CSS properties for the #sanitize and +sanitize_css+ helpers.
-        #
-        #   class Application < Rails::Application
-        #     config.action_view.sanitized_allowed_css_properties = ['expression']
-        #   end
-        #
-        def sanitized_allowed_css_properties=(attributes)
-          HTML::WhiteListSanitizer.allowed_css_properties.merge(attributes)
-        end
-
-        # Adds to the Set of allowed CSS keywords for the +sanitize+ and +sanitize_css+ helpers.
-        #
-        #   class Application < Rails::Application
-        #     config.action_view.sanitized_allowed_css_keywords = ['expression']
-        #   end
-        #
-        def sanitized_allowed_css_keywords=(attributes)
-          HTML::WhiteListSanitizer.allowed_css_keywords.merge(attributes)
-        end
-
-        # Adds to the Set of allowed shorthand CSS properties for the +sanitize+ and +sanitize_css+ helpers.
-        #
-        #   class Application < Rails::Application
-        #     config.action_view.sanitized_shorthand_css_properties = ['expression']
-        #   end
-        #
-        def sanitized_shorthand_css_properties=(attributes)
-          HTML::WhiteListSanitizer.shorthand_css_properties.merge(attributes)
-        end
-
-        # Adds to the Set of allowed protocols for the +sanitize+ helper.
-        #
-        #   class Application < Rails::Application
-        #     config.action_view.sanitized_allowed_protocols = ['ssh', 'feed']
-        #   end
-        #
-        def sanitized_allowed_protocols=(attributes)
-          HTML::WhiteListSanitizer.allowed_protocols.merge(attributes)
+        def safe_list_sanitizer
+          @safe_list_sanitizer ||= sanitizer_vendor.safe_list_sanitizer.new
         end
       end
     end

data/lib/action_view/helpers/tag_helper.rb

@@ -1,35 +1,240 @@
-require 'active_support/core_ext/string/output_safety'
-require 'set'
+# frozen_string_literal: true
+
+require "active_support/core_ext/string/output_safety"
+require "set"
 
 module ActionView
   # = Action View Tag Helpers
   module Helpers #:nodoc:
-    # Provides methods to generate HTML tags programmatically when you can't use
-    # a Builder. By default, they output XHTML compliant tags.
+    # Provides methods to generate HTML tags programmatically both as a modern
+    # HTML5 compliant builder style and legacy XHTML compliant tags.
     module TagHelper
       extend ActiveSupport::Concern
       include CaptureHelper
+      include OutputSafetyHelper
+
+      BOOLEAN_ATTRIBUTES = %w(allowfullscreen allowpaymentrequest async autofocus
+                              autoplay checked compact controls declare default
+                              defaultchecked defaultmuted defaultselected defer
+                              disabled enabled formnovalidate hidden indeterminate
+                              inert ismap itemscope loop multiple muted nohref
+                              nomodule noresize noshade novalidate nowrap open
+                              pauseonexit playsinline readonly required reversed
+                              scoped seamless selected sortable truespeed
+                              typemustmatch visible).to_set
+
+      BOOLEAN_ATTRIBUTES.merge(BOOLEAN_ATTRIBUTES.map(&:to_sym))
+      BOOLEAN_ATTRIBUTES.freeze
+
+      ARIA_PREFIXES = ["aria", :aria].to_set.freeze
+      DATA_PREFIXES = ["data", :data].to_set.freeze
+
+      TAG_TYPES = {}
+      TAG_TYPES.merge! BOOLEAN_ATTRIBUTES.index_with(:boolean)
+      TAG_TYPES.merge! DATA_PREFIXES.index_with(:data)
+      TAG_TYPES.merge! ARIA_PREFIXES.index_with(:aria)
+      TAG_TYPES.freeze
+
+      PRE_CONTENT_STRINGS             = Hash.new { "" }
+      PRE_CONTENT_STRINGS[:textarea]  = "\n"
+      PRE_CONTENT_STRINGS["textarea"] = "\n"
+
+      class TagBuilder #:nodoc:
+        include CaptureHelper
+        include OutputSafetyHelper
+
+        VOID_ELEMENTS = %i(area base br col embed hr img input keygen link meta param source track wbr).to_set
+
+        def initialize(view_context)
+          @view_context = view_context
+        end
+
+        def p(*arguments, **options, &block)
+          tag_string(:p, *arguments, **options, &block)
+        end
+
+        def tag_string(name, content = nil, escape_attributes: true, **options, &block)
+          content = @view_context.capture(self, &block) if block_given?
+          if VOID_ELEMENTS.include?(name) && content.nil?
+            "<#{name.to_s.dasherize}#{tag_options(options, escape_attributes)}>".html_safe
+          else
+            content_tag_string(name.to_s.dasherize, content || "", options, escape_attributes)
+          end
+        end
+
+        def content_tag_string(name, content, options, escape = true)
+          tag_options = tag_options(options, escape) if options
+          content     = ERB::Util.unwrapped_html_escape(content) if escape
+          "<#{name}#{tag_options}>#{PRE_CONTENT_STRINGS[name]}#{content}</#{name}>".html_safe
+        end
+
+        def tag_options(options, escape = true)
+          return if options.blank?
+          output = +""
+          sep    = " "
+          options.each_pair do |key, value|
+            type = TAG_TYPES[key]
+            if type == :data && value.is_a?(Hash)
+              value.each_pair do |k, v|
+                next if v.nil?
+                output << sep
+                output << prefix_tag_option(key, k, v, escape)
+              end
+            elsif type == :aria && value.is_a?(Hash)
+              value.each_pair do |k, v|
+                next if v.nil?
+
+                case v
+                when Array, Hash
+                  tokens = TagHelper.build_tag_values(v)
+                  next if tokens.none?
+
+                  v = safe_join(tokens, " ")
+                else
+                  v = v.to_s
+                end
+
+                output << sep
+                output << prefix_tag_option(key, k, v, escape)
+              end
+            elsif type == :boolean
+              if value
+                output << sep
+                output << boolean_tag_option(key)
+              end
+            elsif !value.nil?
+              output << sep
+              output << tag_option(key, value, escape)
+            end
+          end
+          output unless output.empty?
+        end
 
-      BOOLEAN_ATTRIBUTES = %w(disabled readonly multiple checked autobuffer
-                           autoplay controls loop selected hidden scoped async
-                           defer reversed ismap seamless muted required
-                           autofocus novalidate formnovalidate open pubdate
-                           itemscope allowfullscreen default inert sortable
-                           truespeed typemustmatch).to_set
+        def boolean_tag_option(key)
+          %(#{key}="#{key}")
+        end
 
-      BOOLEAN_ATTRIBUTES.merge(BOOLEAN_ATTRIBUTES.map {|attribute| attribute.to_sym })
+        def tag_option(key, value, escape)
+          case value
+          when Array, Hash
+            value = TagHelper.build_tag_values(value) if key.to_s == "class"
+            value = escape ? safe_join(value, " ") : value.join(" ")
+          else
+            value = escape ? ERB::Util.unwrapped_html_escape(value) : value.to_s
+          end
+          value = value.gsub('"', "&quot;") if value.include?('"')
+          %(#{key}="#{value}")
+        end
 
-      PRE_CONTENT_STRINGS = {
-        :textarea => "\n"
-      }
+        private
+          def prefix_tag_option(prefix, key, value, escape)
+            key = "#{prefix}-#{key.to_s.dasherize}"
+            unless value.is_a?(String) || value.is_a?(Symbol) || value.is_a?(BigDecimal)
+              value = value.to_json
+            end
+            tag_option(key, value, escape)
+          end
 
-      # Returns an empty HTML tag of type +name+ which by default is XHTML
+          def respond_to_missing?(*args)
+            true
+          end
+
+          def method_missing(called, *args, **options, &block)
+            tag_string(called, *args, **options, &block)
+          end
+      end
+
+      # Returns an HTML tag.
+      #
+      # === Building HTML tags
+      #
+      # Builds HTML5 compliant tags with a tag proxy. Every tag can be built with:
+      #
+      #   tag.<tag name>(optional content, options)
+      #
+      # where tag name can be e.g. br, div, section, article, or any tag really.
+      #
+      # ==== Passing content
+      #
+      # Tags can pass content to embed within it:
+      #
+      #   tag.h1 'All titles fit to print' # => <h1>All titles fit to print</h1>
+      #
+      #   tag.div tag.p('Hello world!')  # => <div><p>Hello world!</p></div>
+      #
+      # Content can also be captured with a block, which is useful in templates:
+      #
+      #   <%= tag.p do %>
+      #     The next great American novel starts here.
+      #   <% end %>
+      #   # => <p>The next great American novel starts here.</p>
+      #
+      # ==== Options
+      #
+      # Use symbol keyed options to add attributes to the generated tag.
+      #
+      #   tag.section class: %w( kitties puppies )
+      #   # => <section class="kitties puppies"></section>
+      #
+      #   tag.section id: dom_id(@post)
+      #   # => <section id="<generated dom id>"></section>
+      #
+      # Pass +true+ for any attributes that can render with no values, like +disabled+ and +readonly+.
+      #
+      #   tag.input type: 'text', disabled: true
+      #   # => <input type="text" disabled="disabled">
+      #
+      # HTML5 <tt>data-*</tt> and <tt>aria-*</tt> attributes can be set with a
+      # single +data+ or +aria+ key pointing to a hash of sub-attributes.
+      #
+      # To play nicely with JavaScript conventions, sub-attributes are dasherized.
+      #
+      #   tag.article data: { user_id: 123 }
+      #   # => <article data-user-id="123"></article>
+      #
+      # Thus <tt>data-user-id</tt> can be accessed as <tt>dataset.userId</tt>.
+      #
+      # Data attribute values are encoded to JSON, with the exception of strings, symbols and
+      # BigDecimals.
+      # This may come in handy when using jQuery's HTML5-aware <tt>.data()</tt>
+      # from 1.4.3.
+      #
+      #   tag.div data: { city_state: %w( Chicago IL ) }
+      #   # => <div data-city-state="[&quot;Chicago&quot;,&quot;IL&quot;]"></div>
+      #
+      # The generated attributes are escaped by default. This can be disabled using
+      # +escape_attributes+.
+      #
+      #   tag.img src: 'open & shut.png'
+      #   # => <img src="open &amp; shut.png">
+      #
+      #   tag.img src: 'open & shut.png', escape_attributes: false
+      #   # => <img src="open & shut.png">
+      #
+      # The tag builder respects
+      # {HTML5 void elements}[https://www.w3.org/TR/html5/syntax.html#void-elements]
+      # if no content is passed, and omits closing tags for those elements.
+      #
+      #   # A standard element:
+      #   tag.div # => <div></div>
+      #
+      #   # A void element:
+      #   tag.br  # => <br>
+      #
+      # === Legacy syntax
+      #
+      # The following format is for legacy syntax support. It will be deprecated in future versions of Rails.
+      #
+      #   tag(name, options = nil, open = false, escape = true)
+      #
+      # It returns an empty HTML tag of type +name+ which by default is XHTML
       # compliant. Set +open+ to true to create an open tag compatible
       # with HTML 4.0 and below. Add HTML attributes by passing an attributes
       # hash to +options+. Set +escape+ to false to disable attribute value
       # escaping.
       #
       # ==== Options
+      #
       # You can use symbols or strings for the attribute names.
       #
       # Use +true+ with boolean attributes that can render with no value, like
@@ -38,15 +243,8 @@ module ActionView
       # HTML5 <tt>data-*</tt> attributes can be set with a single +data+ key
       # pointing to a hash of sub-attributes.
       #
-      # To play nicely with JavaScript conventions sub-attributes are dasherized.
-      # For example, a key +user_id+ would render as <tt>data-user-id</tt> and
-      # thus accessed as <tt>dataset.userId</tt>.
-      #
-      # Values are encoded to JSON, with the exception of strings and symbols.
-      # This may come in handy when using jQuery's HTML5-aware <tt>.data()</tt>
-      # from 1.4.3.
-      #
       # ==== Examples
+      #
       #   tag("br")
       #   # => <br />
       #
@@ -56,16 +254,26 @@ module ActionView
       #   tag("input", type: 'text', disabled: true)
       #   # => <input type="text" disabled="disabled" />
       #
+      #   tag("input", type: 'text', class: ["strong", "highlight"])
+      #   # => <input class="strong highlight" type="text" />
+      #
       #   tag("img", src: "open & shut.png")
       #   # => <img src="open &amp; shut.png" />
       #
-      #   tag("img", {src: "open &amp; shut.png"}, false, false)
+      #   tag("img", { src: "open &amp; shut.png" }, false, false)
       #   # => <img src="open &amp; shut.png" />
       #
-      #   tag("div", data: {name: 'Stephen', city_state: %w(Chicago IL)})
+      #   tag("div", data: { name: 'Stephen', city_state: %w(Chicago IL) })
       #   # => <div data-name="Stephen" data-city-state="[&quot;Chicago&quot;,&quot;IL&quot;]" />
-      def tag(name, options = nil, open = false, escape = true)
-        "<#{name}#{tag_options(options, escape) if options}#{open ? ">" : " />"}".html_safe
+      #
+      #   tag("div", class: { highlight: current_user.admin? })
+      #   # => <div class="highlight" />
+      def tag(name = nil, options = nil, open = false, escape = true)
+        if name.nil?
+          tag_builder
+        else
+          "<#{name}#{tag_builder.tag_options(options, escape) if options}#{open ? ">" : " />"}".html_safe
+        end
       end
 
       # Returns an HTML block tag of type +name+ surrounding the +content+. Add
@@ -73,9 +281,10 @@ module ActionView
       # Instead of passing the content as an argument, you can also use a block
       # in which case, you pass your +options+ as the second parameter.
       # Set escape to false to disable attribute value escaping.
+      # Note: this is legacy syntax, see +tag+ method description for details.
       #
       # ==== Options
-      # The +options+ hash is used with attributes with no value like (<tt>disabled</tt> and
+      # The +options+ hash can be used with attributes with no value like (<tt>disabled</tt> and
       # <tt>readonly</tt>), which you can give a value of true in the +options+ hash. You can use
       # symbols or strings for the attribute names.
       #
@@ -84,6 +293,10 @@ module ActionView
       #    # => <p>Hello world!</p>
       #   content_tag(:div, content_tag(:p, "Hello world!"), class: "strong")
       #    # => <div class="strong"><p>Hello world!</p></div>
+      #   content_tag(:div, "Hello world!", class: ["strong", "highlight"])
+      #    # => <div class="strong highlight">Hello world!</div>
+      #   content_tag(:div, "Hello world!", class: ["strong", { highlight: current_user.admin? }])
+      #    # => <div class="strong highlight">Hello world!</div>
       #   content_tag("select", options, multiple: true)
       #    # => <select multiple="multiple">...options...</select>
       #
@@ -94,12 +307,30 @@ module ActionView
       def content_tag(name, content_or_options_with_block = nil, options = nil, escape = true, &block)
         if block_given?
           options = content_or_options_with_block if content_or_options_with_block.is_a?(Hash)
-          content_tag_string(name, capture(&block), options, escape)
+          tag_builder.content_tag_string(name, capture(&block), options, escape)
         else
-          content_tag_string(name, content_or_options_with_block, options, escape)
+          tag_builder.content_tag_string(name, content_or_options_with_block, options, escape)
         end
       end
 
+      # Returns a string of tokens built from +args+.
+      #
+      # ==== Examples
+      #   token_list("foo", "bar")
+      #    # => "foo bar"
+      #   token_list("foo", "foo bar")
+      #    # => "foo bar"
+      #   token_list({ foo: true, bar: false })
+      #    # => "foo"
+      #   token_list(nil, false, 123, "", "foo", { bar: true })
+      #    # => "123 foo bar"
+      def token_list(*args)
+        tokens = build_tag_values(*args).flat_map { |value| value.to_s.split(/\s+/) }.uniq
+
+        safe_join(tokens, " ")
+      end
+      alias_method :class_names, :token_list
+
       # Returns a CDATA section with the given +content+. CDATA sections
       # are used to escape blocks of text containing characters which would
       # otherwise be recognized as markup. CDATA sections begin with the string
@@ -114,7 +345,7 @@ module ActionView
       #   cdata_section("hello]]>world")
       #   # => <![CDATA[hello]]]]><![CDATA[>world]]>
       def cdata_section(content)
-        splitted = content.to_s.gsub(']]>', ']]]]><![CDATA[>')
+        splitted = content.to_s.gsub(/\]\]\>/, "]]]]><![CDATA[>")
         "<![CDATA[#{splitted}]]>".html_safe
       end
 
@@ -130,46 +361,28 @@ module ActionView
       end
 
       private
+        def build_tag_values(*args)
+          tag_values = []
 
-        def content_tag_string(name, content, options, escape = true)
-          tag_options = tag_options(options, escape) if options
-          content     = ERB::Util.h(content) if escape
-          "<#{name}#{tag_options}>#{PRE_CONTENT_STRINGS[name.to_sym]}#{content}</#{name}>".html_safe
-        end
-
-        def tag_options(options, escape = true)
-          return if options.blank?
-          attrs = []
-          options.each_pair do |key, value|
-            if key.to_s == 'data' && value.is_a?(Hash)
-              value.each_pair do |k, v|
-                attrs << data_tag_option(k, v, escape)
+          args.each do |tag_value|
+            case tag_value
+            when Hash
+              tag_value.each do |key, val|
+                tag_values << key.to_s if val && key.present?
               end
-            elsif BOOLEAN_ATTRIBUTES.include?(key)
-              attrs << boolean_tag_option(key) if value
-            elsif !value.nil?
-              attrs << tag_option(key, value, escape)
+            when Array
+              tag_values.concat build_tag_values(*tag_value)
+            else
+              tag_values << tag_value.to_s if tag_value.present?
             end
           end
-          " #{attrs.sort! * ' '}" unless attrs.empty?
-        end
-
-        def data_tag_option(key, value, escape)
-          key   = "data-#{key.to_s.dasherize}"
-          unless value.is_a?(String) || value.is_a?(Symbol) || value.is_a?(BigDecimal)
-            value = value.to_json
-          end
-          tag_option(key, value, escape)
-        end
 
-        def boolean_tag_option(key)
-          %(#{key}="#{key}")
+          tag_values
         end
+        module_function :build_tag_values
 
-        def tag_option(key, value, escape)
-          value = value.join(" ") if value.is_a?(Array)
-          value = ERB::Util.h(value) if escape
-          %(#{key}="#{value}")
+        def tag_builder
+          @tag_builder ||= TagBuilder.new(self)
         end
     end
   end