actionview 4.1.16 → 4.2.0.beta1

data/lib/action_view/helpers/javascript_helper.rb

@@ -47,7 +47,13 @@ module ActionView
       # tag.
       #
       #   javascript_tag "alert('All is good')", defer: 'defer'
-      #   # => <script defer="defer">alert('All is good')</script>
+      # 
+      # Returns: 
+      #   <script defer="defer">
+      #   //<![CDATA[
+      #   alert('All is good')
+      #   //]]>
+      #   </script>
       #
       # Instead of passing the content as an argument, you can also use a block
       # in which case, you pass your +html_options+ as the first parameter.

data/lib/action_view/helpers/number_helper.rb

@@ -266,14 +266,8 @@ module ActionView
       #   number_to_human_size(1234567, precision: 2)                        # => 1.2 MB
       #   number_to_human_size(483989, precision: 2)                         # => 470 KB
       #   number_to_human_size(1234567, precision: 2, separator: ',')        # => 1,2 MB
-      #
-      # Non-significant zeros after the fractional separator are
-      # stripped out by default (set
-      # <tt>:strip_insignificant_zeros</tt> to +false+ to change
-      # that):
-      #
-      #   number_to_human_size(1234567890123, precision: 5)        # => "1.1229 TB"
-      #   number_to_human_size(524288000, precision: 5)            # => "500 MB"
+      #   number_to_human_size(1234567890123, precision: 5)                  # => "1.1228 TB"
+      #   number_to_human_size(524288000, precision: 5)                      # => "500 MB"
       def number_to_human_size(number, options = {})
         delegate_number_helper_method(:number_to_human_size, number, options)
       end
@@ -343,11 +337,15 @@ module ActionView
       #                           separator: ',',
       #                           significant: false)                   # => "1,2 Million"
       #
+      #   number_to_human(500000000, precision: 5)                      # => "500 Million"
+      #   number_to_human(12345012345, significant: false)              # => "12.345 Billion"
+      #
       # Non-significant zeros after the decimal separator are stripped
       # out by default (set <tt>:strip_insignificant_zeros</tt> to
       # +false+ to change that):
-      #   number_to_human(12345012345, significant_digits: 6)       # => "12.345 Billion"
-      #   number_to_human(500000000, precision: 5)                  # => "500 Million"
+      #
+      # number_to_human(12.00001)                                       # => "12"
+      # number_to_human(12.00001, strip_insignificant_zeros: false)     # => "12.0"
       #
       # ==== Custom Unit Quantifiers
       #

data/lib/action_view/helpers/output_safety_helper.rb

@@ -17,10 +17,10 @@ module ActionView #:nodoc:
         stringish.to_s.html_safe
       end
 
-      # This method returns a html safe string similar to what <tt>Array#join</tt>
-      # would return. All items in the array, including the supplied separator, are
-      # html escaped unless they are html safe, and the returned string is marked
-      # as html safe.
+      # This method returns an HTML safe string similar to what <tt>Array#join</tt>
+      # would return. The array is flattened, and all items, including
+      # the supplied separator, are HTML escaped unless they are HTML
+      # safe, and the returned string is marked as HTML safe.
       #
       #   safe_join(["<p>foo</p>".html_safe, "<p>bar</p>"], "<br />")
       #   # => "<p>foo</p>&lt;br /&gt;&lt;p&gt;bar&lt;/p&gt;"
@@ -29,9 +29,9 @@ module ActionView #:nodoc:
       #   # => "<p>foo</p><br /><p>bar</p>"
       #
       def safe_join(array, sep=$,)
-        sep = ERB::Util.html_escape(sep)
+        sep = ERB::Util.unwrapped_html_escape(sep)
 
-        array.map { |i| ERB::Util.html_escape(i) }.join(sep).html_safe
+        array.flatten.map! { |i| ERB::Util.unwrapped_html_escape(i) }.join(sep).html_safe
       end
     end
   end

data/lib/action_view/helpers/rendering_helper.rb

@@ -13,13 +13,13 @@ module ActionView
       # * <tt>:inline</tt> - Renders an inline template similar to how it's done in the controller.
       # * <tt>:text</tt> - Renders the text passed in out.
       # * <tt>:plain</tt> - Renders the text passed in out. Setting the content
-      # type as <tt>text/plain</tt>.
-      # * <tt>:html</tt> - Renders the html safe string passed in out, otherwise
-      # performs html escape on the string first. Setting the content type as
-      # <tt>text/html</tt>.
+      #   type as <tt>text/plain</tt>.
+      # * <tt>:html</tt> - Renders the HTML safe string passed in out, otherwise
+      #   performs HTML escape on the string first. Setting the content type as
+      #   <tt>text/html</tt>.
       # * <tt>:body</tt> - Renders the text passed in, and inherits the content
-      # type of <tt>text/html</tt> from <tt>ActionDispatch::Response</tt>
-      # object.
+      #   type of <tt>text/html</tt> from <tt>ActionDispatch::Response</tt>
+      #   object.
       #
       # If no options hash is passed or :update specified, the default is to render a partial and use the second parameter
       # as the locals hash.

data/lib/action_view/helpers/sanitize_helper.rb

@@ -1,5 +1,6 @@
 require 'active_support/core_ext/object/try'
-require 'action_view/vendor/html-scanner'
+require 'active_support/deprecation'
+require 'rails-deprecated_sanitizer'
 
 module ActionView
   # = Action View Sanitize Helpers
@@ -8,7 +9,7 @@ module ActionView
     # These helper methods extend Action View making them callable within your template files.
     module SanitizeHelper
       extend ActiveSupport::Concern
-      # This +sanitize+ helper will html encode all tags and strip all attributes that
+      # This +sanitize+ helper will HTML encode all tags and strip all attributes that
       # aren't specifically allowed.
       #
       # It also strips href/src tags with invalid protocols, like javascript: especially.
@@ -27,14 +28,36 @@ module ActionView
       #
       #   <%= sanitize @article.body %>
       #
-      # Custom Use (only the mentioned tags and attributes are allowed, nothing else)
+      # Custom Use - Custom Scrubber
+      # (supply a Loofah::Scrubber that does the sanitization)
+      #
+      # scrubber can either wrap a block:
+      # scrubber = Loofah::Scrubber.new do |node|
+      #   node.text = "dawn of cats"
+      # end
+      #
+      # or be a subclass of Loofah::Scrubber which responds to scrub:
+      # class KittyApocalypse < Loofah::Scrubber
+      #   def scrub(node)
+      #     node.text = "dawn of cats"
+      #   end
+      # end
+      # scrubber = KittyApocalypse.new
+      #
+      # <%= sanitize @article.body, scrubber: scrubber %>
+      #
+      # A custom scrubber takes precedence over custom tags and attributes
+      # Learn more about scrubbers here: https://github.com/flavorjones/loofah
+      #
+      # Custom Use - tags and attributes
+      # (only the mentioned tags and attributes are allowed, nothing else)
       #
       #   <%= sanitize @article.body, tags: %w(table tr td), attributes: %w(id class style) %>
       #
       # Add table tags to the default allowed tags
       #
       #   class Application < Rails::Application
-      #     config.action_view.sanitized_allowed_tags = ['table', 'tr', 'td']
+      #     config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
       #   end
       #
       # Remove tags to the default allowed tags
@@ -65,9 +88,9 @@ module ActionView
         self.class.white_list_sanitizer.sanitize_css(style)
       end
 
-      # Strips all HTML tags from the +html+, including comments. This uses the
-      # html-scanner tokenizer and so its HTML parsing ability is limited by
-      # that of html-scanner.
+      # Strips all HTML tags from the +html+, including comments. This uses
+      # Nokogiri for tokenization (via Loofah) and so its HTML parsing ability
+      # is limited by that of Nokogiri.
       #
       #   strip_tags("Strip <i>these</i> tags!")
       #   # => Strip these tags!
@@ -98,47 +121,42 @@ module ActionView
       module ClassMethods #:nodoc:
         attr_writer :full_sanitizer, :link_sanitizer, :white_list_sanitizer
 
-        def sanitized_protocol_separator
-          white_list_sanitizer.protocol_separator
-        end
+        [:protocol_separator,
+         :uri_attributes,
+         :bad_tags,
+         :allowed_css_properties,
+         :allowed_css_keywords,
+         :shorthand_css_properties,
+         :allowed_protocols].each do |meth|
+          meth_name = "sanitized_#{meth}"
+          imp = lambda do |name|
+            ActiveSupport::Deprecation.warn("#{name} is deprecated and has no effect.")
+          end
 
-        def sanitized_uri_attributes
-          white_list_sanitizer.uri_attributes
+          define_method(meth_name) { imp.(meth_name) }
+          define_method("#{meth_name}=") { |value| imp.("#{meth_name}=") }
         end
 
-        def sanitized_bad_tags
-          white_list_sanitizer.bad_tags
+        # Vendors the full, link and white list sanitizers.
+        # This uses html-scanner for the HTML sanitization.
+        # In the next Rails version this will use Rails::Html::Sanitizer instead.
+        # To get this new behavior now, in your Gemfile, add:
+        #
+        #  gem 'rails-html-sanitizer'
+        #
+        def sanitizer_vendor
+          Rails::DeprecatedSanitizer
         end
 
         def sanitized_allowed_tags
-          white_list_sanitizer.allowed_tags
+          sanitizer_vendor.white_list_sanitizer.allowed_tags
         end
 
         def sanitized_allowed_attributes
-          white_list_sanitizer.allowed_attributes
-        end
-
-        def sanitized_allowed_css_properties
-          white_list_sanitizer.allowed_css_properties
-        end
-
-        def sanitized_allowed_css_keywords
-          white_list_sanitizer.allowed_css_keywords
-        end
-
-        def sanitized_shorthand_css_properties
-          white_list_sanitizer.shorthand_css_properties
+          sanitizer_vendor.white_list_sanitizer.allowed_attributes
         end
 
-        def sanitized_allowed_protocols
-          white_list_sanitizer.allowed_protocols
-        end
-
-        def sanitized_protocol_separator=(value)
-          white_list_sanitizer.protocol_separator = value
-        end
-
-        # Gets the HTML::FullSanitizer instance used by +strip_tags+. Replace with
+        # Gets the Rails::Html::FullSanitizer instance used by +strip_tags+. Replace with
         # any object that responds to +sanitize+.
         #
         #   class Application < Rails::Application
@@ -146,21 +164,21 @@ module ActionView
         #   end
         #
         def full_sanitizer
-          @full_sanitizer ||= HTML::FullSanitizer.new
+          @full_sanitizer ||= sanitizer_vendor.full_sanitizer.new
         end
 
-        # Gets the HTML::LinkSanitizer instance used by +strip_links+. Replace with
-        # any object that responds to +sanitize+.
+        # Gets the Rails::Html::LinkSanitizer instance used by +strip_links+.
+        # Replace with any object that responds to +sanitize+.
         #
         #   class Application < Rails::Application
         #     config.action_view.link_sanitizer = MySpecialSanitizer.new
         #   end
         #
         def link_sanitizer
-          @link_sanitizer ||= HTML::LinkSanitizer.new
+          @link_sanitizer ||= sanitizer_vendor.link_sanitizer.new
         end
 
-        # Gets the HTML::WhiteListSanitizer instance used by sanitize and +sanitize_css+.
+        # Gets the Rails::Html::WhiteListSanitizer instance used by sanitize and +sanitize_css+.
         # Replace with any object that responds to +sanitize+.
         #
         #   class Application < Rails::Application
@@ -168,87 +186,27 @@ module ActionView
         #   end
         #
         def white_list_sanitizer
-          @white_list_sanitizer ||= HTML::WhiteListSanitizer.new
-        end
-
-        # Adds valid HTML attributes that the +sanitize+ helper checks for URIs.
-        #
-        #   class Application < Rails::Application
-        #     config.action_view.sanitized_uri_attributes = ['lowsrc', 'target']
-        #   end
-        #
-        def sanitized_uri_attributes=(attributes)
-          HTML::WhiteListSanitizer.uri_attributes.merge(attributes)
+          @white_list_sanitizer ||= sanitizer_vendor.white_list_sanitizer.new
         end
 
-        # Adds to the Set of 'bad' tags for the +sanitize+ helper.
+        # Replaces the allowed tags for the +sanitize+ helper.
         #
         #   class Application < Rails::Application
-        #     config.action_view.sanitized_bad_tags = ['embed', 'object']
+        #     config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
         #   end
         #
-        def sanitized_bad_tags=(attributes)
-          HTML::WhiteListSanitizer.bad_tags.merge(attributes)
+        def sanitized_allowed_tags=(tags)
+          sanitizer_vendor.white_list_sanitizer.allowed_tags = tags
         end
 
-        # Adds to the Set of allowed tags for the +sanitize+ helper.
-        #
-        #   class Application < Rails::Application
-        #     config.action_view.sanitized_allowed_tags = ['table', 'tr', 'td']
-        #   end
-        #
-        def sanitized_allowed_tags=(attributes)
-          HTML::WhiteListSanitizer.allowed_tags.merge(attributes)
-        end
-
-        # Adds to the Set of allowed HTML attributes for the +sanitize+ helper.
+        # Replaces the allowed HTML attributes for the +sanitize+ helper.
         #
         #   class Application < Rails::Application
         #     config.action_view.sanitized_allowed_attributes = ['onclick', 'longdesc']
         #   end
         #
         def sanitized_allowed_attributes=(attributes)
-          HTML::WhiteListSanitizer.allowed_attributes.merge(attributes)
-        end
-
-        # Adds to the Set of allowed CSS properties for the #sanitize and +sanitize_css+ helpers.
-        #
-        #   class Application < Rails::Application
-        #     config.action_view.sanitized_allowed_css_properties = ['expression']
-        #   end
-        #
-        def sanitized_allowed_css_properties=(attributes)
-          HTML::WhiteListSanitizer.allowed_css_properties.merge(attributes)
-        end
-
-        # Adds to the Set of allowed CSS keywords for the +sanitize+ and +sanitize_css+ helpers.
-        #
-        #   class Application < Rails::Application
-        #     config.action_view.sanitized_allowed_css_keywords = ['expression']
-        #   end
-        #
-        def sanitized_allowed_css_keywords=(attributes)
-          HTML::WhiteListSanitizer.allowed_css_keywords.merge(attributes)
-        end
-
-        # Adds to the Set of allowed shorthand CSS properties for the +sanitize+ and +sanitize_css+ helpers.
-        #
-        #   class Application < Rails::Application
-        #     config.action_view.sanitized_shorthand_css_properties = ['expression']
-        #   end
-        #
-        def sanitized_shorthand_css_properties=(attributes)
-          HTML::WhiteListSanitizer.shorthand_css_properties.merge(attributes)
-        end
-
-        # Adds to the Set of allowed protocols for the +sanitize+ helper.
-        #
-        #   class Application < Rails::Application
-        #     config.action_view.sanitized_allowed_protocols = ['ssh', 'feed']
-        #   end
-        #
-        def sanitized_allowed_protocols=(attributes)
-          HTML::WhiteListSanitizer.allowed_protocols.merge(attributes)
+          sanitizer_vendor.white_list_sanitizer.allowed_attributes = attributes
         end
       end
     end

data/lib/action_view/helpers/tag_helper.rb

@@ -9,6 +9,7 @@ module ActionView
     module TagHelper
       extend ActiveSupport::Concern
       include CaptureHelper
+      include OutputSafetyHelper
 
       BOOLEAN_ATTRIBUTES = %w(disabled readonly multiple checked autobuffer
                            autoplay controls loop selected hidden scoped async
@@ -42,7 +43,8 @@ module ActionView
       # For example, a key +user_id+ would render as <tt>data-user-id</tt> and
       # thus accessed as <tt>dataset.userId</tt>.
       #
-      # Values are encoded to JSON, with the exception of strings and symbols.
+      # Values are encoded to JSON, with the exception of strings, symbols and
+      # BigDecimals.
       # This may come in handy when using jQuery's HTML5-aware <tt>.data()</tt>
       # from 1.4.3.
       #
@@ -56,6 +58,9 @@ module ActionView
       #   tag("input", type: 'text', disabled: true)
       #   # => <input type="text" disabled="disabled" />
       #
+      #   tag("input", type: 'text', class: ["strong", "highlight"])
+      #   # => <input class="strong highlight" type="text" />
+      #
       #   tag("img", src: "open & shut.png")
       #   # => <img src="open &amp; shut.png" />
       #
@@ -75,7 +80,7 @@ module ActionView
       # Set escape to false to disable attribute value escaping.
       #
       # ==== Options
-      # The +options+ hash is used with attributes with no value like (<tt>disabled</tt> and
+      # The +options+ hash can be used with attributes with no value like (<tt>disabled</tt> and
       # <tt>readonly</tt>), which you can give a value of true in the +options+ hash. You can use
       # symbols or strings for the attribute names.
       #
@@ -84,6 +89,8 @@ module ActionView
       #    # => <p>Hello world!</p>
       #   content_tag(:div, content_tag(:p, "Hello world!"), class: "strong")
       #    # => <div class="strong"><p>Hello world!</p></div>
+      #   content_tag(:div, "Hello world!", class: ["strong", "highlight"])
+      #    # => <div class="strong highlight">Hello world!</div>
       #   content_tag("select", options, multiple: true)
       #    # => <select multiple="multiple">...options...</select>
       #
@@ -133,7 +140,7 @@ module ActionView
 
         def content_tag_string(name, content, options, escape = true)
           tag_options = tag_options(options, escape) if options
-          content     = ERB::Util.h(content) if escape
+          content     = ERB::Util.unwrapped_html_escape(content) if escape
           "<#{name}#{tag_options}>#{PRE_CONTENT_STRINGS[name.to_sym]}#{content}</#{name}>".html_safe
         end
 
@@ -167,8 +174,11 @@ module ActionView
         end
 
         def tag_option(key, value, escape)
-          value = value.join(" ") if value.is_a?(Array)
-          value = ERB::Util.h(value) if escape
+          if value.is_a?(Array)
+            value = escape ? safe_join(value, " ") : value.join(" ")
+          else
+            value = escape ? ERB::Util.unwrapped_html_escape(value) : value
+          end
           %(#{key}="#{value}")
         end
     end

data/lib/action_view/helpers/tags/base.rb

@@ -25,7 +25,7 @@ module ActionView
         private
 
         def value(object)
-          object.public_send @method_name if object
+          object.send @method_name if object
         end
 
         def value_before_type_cast(object)

data/lib/action_view/helpers/tags/collection_check_boxes.rb

@@ -27,7 +27,11 @@ module ActionView
 
           # Append a hidden field to make sure something will be sent back to the
           # server if all check boxes are unchecked.
-          rendered_collection + hidden_field
+          if @options.fetch(:include_hidden, true)
+            rendered_collection + hidden_field
+          else
+            rendered_collection
+          end
         end
 
         private

data/lib/action_view/helpers/tags/collection_helpers.rb

@@ -44,7 +44,7 @@ module ActionView
         def default_html_options_for_collection(item, value) #:nodoc:
           html_options = @html_options.dup
 
-          [:checked, :selected, :disabled].each do |option|
+          [:checked, :selected, :disabled, :readonly].each do |option|
             current_value = @options[option]
             next if current_value.nil?