actionview 4.2.11.1 → 5.2.7.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 71fb7b73001ccc9220ba0da089fc3336a3a18620ca13a18730fa91d4799fbf58
-  data.tar.gz: a87ef6a72900a81c7cff2d00f3fac65006c0f95935b7bf366c1f4bfa1210b6d1
+  metadata.gz: 0b2a6c8b465b9914ab6831b8972018525cb2fc2a0c7f950a693ba7895ff52923
+  data.tar.gz: 1e9b4548ad481fed3e2b7dec7d256a611e858c8eee70e118d38daaa93f72f7b8
 SHA512:
-  metadata.gz: ea93cb6a5de3af579900cf1534b50842c6d197062ee7a01a9f499287dbbb8f6f3d9c32abfadba3c2d1868b8deddc70594c3e5767744031e47961d5da15cb5e54
-  data.tar.gz: e59b44cf756ed5bf55ef96709055a04413dfba03fa083c32ef709eb266267ac774bc7d83c08c696a16c98e5dd93a412a531372eee7546bcc8e856e1304dcf618
+  metadata.gz: a2e838a423037a30cf4e4e12e8aab64c8e8493f1a370f921be0f7cfbfa92669da4f13cf7cd3c03c42d2c3a2f516b661ba1ca7baa4cf409bf3709b12d3b9692af
+  data.tar.gz: a705450df376aa7abcdd1762ee4f5a9cfc3165bd5102c7c82a7209f8910bd8d46f52d014c3a3feb5f22bfac327414dfeacd75d948b0e2f0ae5d746f0aab71dc7

data/CHANGELOG.md

@@ -1,357 +1,237 @@
-## Rails 4.2.11.1 (March 11, 2019) ##
-
-*   No changes.
+## Rails 5.2.7.1 (April 26, 2022) ##
 
+*   Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
 
-## Rails 4.2.11 (November 27, 2018) ##
+    Escape dangerous characters in names of tags and names of attributes in the
+    tag helpers, following the XML specification. Rename the option
+    `:escape_attributes` to `:escape`, to simplify by applying the option to the
+    whole tag.
 
-*   No changes.
+    *Álvaro Martín Fraguas*
 
 
-## Rails 4.2.10 (September 27, 2017) ##
+## Rails 5.2.7 (March 10, 2022) ##
 
 *   No changes.
 
 
-## Rails 4.2.9 (June 26, 2017) ##
+## Rails 5.2.6.3 (March 08, 2022) ##
 
 *   No changes.
 
 
-## Rails 4.2.8 (February 21, 2017) ##
+## Rails 5.2.6.2 (February 11, 2022) ##
 
 *   No changes.
 
 
-## Rails 4.2.7 (July 12, 2016) ##
+## Rails 5.2.6.1 (February 11, 2022) ##
 
 *   No changes.
 
 
-## Rails 4.2.6 (March 07, 2016) ##
-
-*   Fix stripping the digest from the automatically generated img tag alt
-    attribute when assets are handled by Sprockets >=3.0.
-
-    *Bart de Water*
-
-*   Create a new `ActiveSupport::SafeBuffer` instance when `content_for` is flushed.
-
-    Fixes #19890
-
-    *Yoong Kang Lim*
-
-*   Respect value of `:object` if `:object` is false when rendering.
-
-    Fixes #22260.
-
-    *Yuichiro Kaneko*
-
-*   Generate `week_field` input values using a 1-based index and not a 0-based index
-    as per the W3 spec: http://www.w3.org/TR/html-markup/datatypes.html#form.data.week
-
-    *Christoph Geschwind*
-
-
-## Rails 4.2.5.2 (February 26, 2016) ##
-
-*   Do not allow render with unpermitted parameter.
-
-    Fixes CVE-2016-2098.
-
-    *Arthur Neves*
-
-
-## Rails 4.2.5.1 (January 25, 2015) ##
-
-*   Adds boolean argument outside_app_allowed to `ActionView::Resolver#find_templates`
-    method.
-
-    *Aaron Patterson*
-
-
-## Rails 4.2.5 (November 12, 2015) ##
-
-*   Fix `mail_to` when called with `nil` as argument.
-
-    *Rafael Mendonça França*
-
-*   `url_for` does not modify its arguments when generating polymorphic URLs.
-
-    *Bernerd Schaefer*
-
+## Rails 5.2.6 (May 05, 2021) ##
 
-## Rails 4.2.4 (August 24, 2015) ##
-
-* No Changes *
-
-
-## Rails 4.2.3 (June 25, 2015) ##
-
-*   `translate` should handle `raise` flag correctly in case of both main and default
-    translation is missing.
-
-    Fixes #19967
-
-    *Bernard Potocki*
-
-*   `translate` allows `default: [[]]` again for a default value of `[]`.
-
-    Fixes #19640.
-
-    *Adam Prescott*
-
-*   `translate` should accept nils as members of the `:default`
-    parameter without raising a translation missing error.  Fixes a
-    regression introduced 362557e.
-
-    Fixes #19419
-
-    *Justin Coyne*
-
-*   `number_to_percentage` does not crash with `Float::NAN` or `Float::INFINITY`
-    as input when `precision: 0` is used.
-
-    Fixes #19227.
-
-    *Yves Senn*
-
-
-## Rails 4.2.2 (June 16, 2015) ##
-
-* No Changes *
-
-
-## Rails 4.2.1 (March 19, 2015) ##
-
-*   Default translations that have a lower precedence than an html safe default,
-    but are not themselves safe, should not be marked as html_safe.
-
-    *Justin Coyne*
+*   No changes.
 
-*   Added an explicit error message, in `ActionView::PartialRenderer`
-    for partial `rendering`, when the value of option `as` has invalid characters.
 
-    *Angelo Capilleri*
+## Rails 5.2.5 (March 26, 2021) ##
 
+*   No changes.
 
-## Rails 4.2.0 (December 20, 2014) ##
 
-*   Local variable in a partial is now available even if a falsy value is
-    passed to `:object` when rendering a partial.
+## Rails 5.2.4.6 (May 05, 2021) ##
 
-    Fixes #17373.
+*   No changes.
 
-    *Agis Anastasopoulos*
 
-*   Add support for `:enforce_utf8` option in `form_for`.
+## Rails 5.2.4.5 (February 10, 2021) ##
 
-    This is the same option that was added in 06388b0 to `form_tag` and allows
-    users to skip the insertion of the UTF8 enforcer tag in a form.
+*   No changes.
 
-    * claudiob *
 
-*   Fix a bug that <%= foo(){ %> and <%= foo()do %> in view templates were not regarded
-    as Ruby block calls.
+## Rails 5.2.4.4 (September 09, 2020) ##
 
-    * Akira Matsuda *
+*   [CVE-2020-15169] Fix potential XSS vulnerability in the `translate`/`t` helper
 
-*   Update `select_tag` to work correctly with `:include_blank` option passing a string.
+    *Jonathan Hefner*
 
-    Fixes #16483.
 
-    *Frank Groeneveld*
+## Rails 5.2.4.3 (May 18, 2020) ##
 
-*   Changed the meaning of `render "foo/bar"`.
+*   [CVE-2020-8167] Check that request is same-origin prior to including CSRF token in XHRs
 
-    Previously, calling `render "foo/bar"` in a controller action is equivalent
-    to `render file: "foo/bar"`. In Rails 4.2, this has been changed to mean
-    `render template: "foo/bar"` instead. If you need to render a file, please
-    change your code to use the explicit form (`render file: "foo/bar"`) instead.
 
-    *Jeremy Jackson*
+## Rails 5.2.4.2 (March 19, 2020) ##
 
-*   Add support for ARIA attributes in tags.
+*   Fix possible XSS vector in `escape_javascript` helper
 
-    Example:
+    CVE-2020-5267
 
-        <%= f.text_field :name, aria: { required: "true", hidden: "false" } %>
+    *Aaron Patterson*
 
-    now generates:
 
-         <input aria-hidden="false" aria-required="true" id="user_name" name="user[name]" type="text">
+## Rails 5.2.4.1 (December 18, 2019) ##
 
-    *Paola Garcia Casadiego*
+*   No changes.
 
-*   Provide a `builder` object when using the `label` form helper in block form.
 
-    The new `builder` object responds to `translation`, allowing I18n fallback support
-    when you want to customize how a particular label is presented.
+## Rails 5.2.4 (November 27, 2019) ##
 
-    *Alex Robbin*
+*   Allow programmatic click events to trigger Rails UJS click handlers.
+    Programmatic click events (eg. ones generated by `Rails.fire(link, "click")`) don't specify a button. These events were being incorrectly stopped by code meant to ignore scroll wheel and right clicks introduced in #34573.
 
-*   Add I18n support for input/textarea placeholder text.
+    *Sudara Williams*
 
-    Placeholder I18n follows the same convention as `label` I18n.
 
-    *Alex Robbin*
+## Rails 5.2.3 (March 27, 2019) ##
 
-*   Fix that render layout: 'messages/layout' should also be added to the dependency tracker tree.
+*   Prevent non-primary mouse keys from triggering Rails UJS click handlers.
+    Firefox fires click events even if the click was triggered by non-primary mouse keys such as right- or scroll-wheel-clicks.
+    For example, right-clicking a link such as the one described below (with an underlying ajax request registered on click) should not cause that request to occur.
 
-    *DHH*
+    ```
+    <%= link_to 'Remote', remote_path, class: 'remote', remote: true, data: { type: :json } %>
+    ```
 
-*   Add `PartialIteration` object used when rendering collections.
+    Fixes #34541
 
-    The iteration object is available as the local variable
-    `#{template_name}_iteration` when rendering partials with collections.
+    *Wolfgang Hobmaier*
 
-    It gives access to the `size` of the collection being iterated over,
-    the current `index` and two convenience methods `first?` and `last?`.
 
-    *Joel Junström*, *Lucas Uyezu*
+## Rails 5.2.2.1 (March 11, 2019) ##
 
-*   Return an absolute instead of relative path from an asset url in the case
-    of the `asset_host` proc returning nil.
+*   Only accept formats from registered mime types
 
-    *Jolyon Pawlyn*
+    A lack of filtering on mime types could allow an attacker to read
+    arbitrary files on the target server or to perform a denial of service
+    attack.
 
-*   Fix `html_escape_once` to properly handle hex escape sequences (e.g. &#x1a2b;).
+    Fixes CVE-2019-5418
+    Fixes CVE-2019-5419
 
-    *John F. Douthat*
+    *John Hawthorn*, *Eileen M. Uchitelle*, *Aaron Patterson*
 
-*   Added String support for min and max properties for date field helpers.
 
-    *Todd Bealmear*
+## Rails 5.2.2 (December 04, 2018) ##
 
-*   The `highlight` helper now accepts a block to be used instead of the `highlighter`
-    option.
+*   No changes.
 
-    *Lucas Mazza*
 
-*   The `except` and `highlight` helpers now accept regular expressions.
+## Rails 5.2.1.1 (November 27, 2018) ##
 
-    *Jan Szumiec*
+*   No changes.
 
-*   Flatten the array parameter in `safe_join`, so it behaves consistently with
-    `Array#join`.
 
-    *Paul Grayson*
+## Rails 5.2.1 (August 07, 2018) ##
 
-*   Honor `html_safe` on array elements in tag values, as we do for plain string
-    values.
+*   Fix leak of `skip_default_ids` and `allow_method_names_outside_object` options
+    to HTML attributes.
 
-    *Paul Grayson*
+    *Yurii Cherniavskyi*
 
-*   Add `ActionView::Template::Handler.unregister_template_handler`.
+*   Fix issue with `button_to`'s `to_form_params`
 
-    It performs the opposite of `ActionView::Template::Handler.register_template_handler`.
+    `button_to` was throwing exception when invoked with `params` hash that
+    contains symbol and string keys. The reason for the exception was that
+    `to_form_params` was comparing the given symbol and string keys.
 
-    *Zuhao Wan*
+    The issue is fixed by turning all keys to strings inside
+    `to_form_params` before comparing them.
 
-*   Bring `cache_digest` rake tasks up-to-date with the latest API changes.
+    *Georgi Georgiev*
 
-    *Jiri Pospisil*
+*   Fix JavaScript views rendering does not work with Firefox when using
+    Content Security Policy.
 
-*   Allow custom `:host` option to be passed to `asset_url` helper that
-    overwrites `config.action_controller.asset_host` for particular asset.
+    Fixes #32577.
 
-    *Hubert Łępicki*
+    *Yuji Yaginuma*
 
-*   Deprecate `AbstractController::Base.parent_prefixes`.
-    Override `AbstractController::Base.local_prefixes` when you want to change
-    where to find views.
+*   Add the `nonce: true` option for `javascript_include_tag` helper to
+    support automatic nonce generation for Content Security Policy.
+    Works the same way as `javascript_tag nonce: true` does.
 
-    *Nick Sutterer*
+    *Yaroslav Markin*
 
-*   Take label values into account when doing I18n lookups for model attributes.
 
-    The following:
+## Rails 5.2.0 (April 09, 2018) ##
 
-        # form.html.erb
-        <%= form_for @post do |f| %>
-          <%= f.label :type, value: "long" %>
-        <% end %>
+*   Pass the `:skip_pipeline` option in `image_submit_tag` when calling `path_to_image`.
 
-        # en.yml
-        en:
-          activerecord:
-            attributes:
-              post/long: "Long-form Post"
+    Fixes #32248.
 
-    Used to simply return "long", but now it will return "Long-form
-    Post".
+    *Andrew White*
 
-    *Joshua Cody*
+*   Allow the use of callable objects as group methods for grouped selects.
 
-*   Change `asset_path` to use File.join to create proper paths:
+    Until now, the `option_groups_from_collection_for_select` method was only able to
+    handle method names as `group_method` and `group_label_method` parameters,
+    it is now able to receive procs and other callable objects too.
 
-    Before:
+    *Jérémie Bonal*
 
-        https://some.host.com//assets/some.js
+*   Add `preload_link_tag` helper.
 
-    After:
+    This helper that allows to the browser to initiate early fetch of resources
+    (different to the specified in `javascript_include_tag` and `stylesheet_link_tag`).
+    Additionally, this sends Early Hints if supported by browser.
 
-        https://some.host.com/assets/some.js
+    *Guillermo Iguaran*
 
-    *Peter Schröder*
+*   Change `form_with` to generates ids by default.
 
-*   Change `favicon_link_tag` default mimetype from `image/vnd.microsoft.icon` to
-    `image/x-icon`.
+    When `form_with` was introduced we disabled the automatic generation of ids
+    that was enabled in `form_for`. This usually is not an good idea since labels don't work
+    when the input doesn't have an id and it made harder to test with Capybara.
 
-    Before:
+    You can still disable the automatic generation of ids setting `config.action_view.form_with_generates_ids`
+    to `false.`
 
-        # => favicon_link_tag 'myicon.ico'
-        <link href="/assets/myicon.ico" rel="shortcut icon" type="image/vnd.microsoft.icon" />
+    *Nick Pezza*
 
-    After:
+*   Fix issues with `field_error_proc` wrapping `optgroup` and select divider `option`.
 
-        # => favicon_link_tag 'myicon.ico'
-        <link href="/assets/myicon.ico" rel="shortcut icon" type="image/x-icon" />
+    Fixes #31088
 
-    *Geoffroy Lorieux*
+    *Matthias Neumayr*
 
-*   Remove wrapping div with inline styles for hidden form fields.
+*   Remove deprecated Erubis ERB handler.
 
-    We are dropping HTML 4.01 and XHTML strict compliance since input tags directly
-    inside a form are valid HTML5, and the absence of inline styles help in validating
-    for Content Security Policy.
+    *Rafael Mendonça França*
 
-    *Joost Baaij*
+*   Remove default `alt` text generation.
 
-*   `collection_check_boxes` respects `:index` option for the hidden field name.
+    Fixes #30096
 
-    Fixes #14147.
+    *Cameron Cundiff*
 
-    *Vasiliy Ermolovich*
+*   Add `srcset` option to `image_tag` helper.
 
-*   `date_select` helper with option `with_css_classes: true` does not overwrite other classes.
+    *Roberto Miranda*
 
-    *Izumi Wong-Horiuchi*
+*   Fix issues with scopes and engine on `current_page?` method.
 
-*   `number_to_percentage` does not crash with `Float::NAN` or `Float::INFINITY`
-    as input.
+    Fixes #29401.
 
-    Fixes #14405.
+    *Nikita Savrov*
 
-    *Yves Senn*
+*   Generate field ids in `collection_check_boxes` and `collection_radio_buttons`.
 
-*   Add `include_hidden` option to `collection_check_boxes` helper.
+    This makes sure that the labels are linked up with the fields.
 
-    *Vasiliy Ermolovich*
+    Fixes #29014.
 
-*   Fixed a problem where the default options for the `button_tag` helper are not
-    applied correctly.
+    *Yuji Yaginuma*
 
-    Fixes #14254.
+*   Add `:json` type to `auto_discovery_link_tag` to support [JSON Feeds](https://jsonfeed.org/version/1).
 
-    *Sergey Prikhodko*
+    *Mike Gunderloy*
 
-*   Take variants into account when calculating template digests in ActionView::Digestor.
+*   Update `distance_of_time_in_words` helper to display better error messages
+    for bad input.
 
-    The arguments to ActionView::Digestor#digest are now being passed as a hash
-    to support variants and allow more flexibility in the future. The support for
-    regular (required) arguments is deprecated and will be removed in Rails 5.0 or later.
+    *Jay Hayes*
 
-    *Piotr Chmolowski, Łukasz Strzałkowski*
 
-Please check [4-1-stable](https://github.com/rails/rails/blob/4-1-stable/actionview/CHANGELOG.md) for previous changes.
+Please check [5-1-stable](https://github.com/rails/rails/blob/5-1-stable/actionview/CHANGELOG.md) for previous changes.

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2004-2014 David Heinemeier Hansson
+Copyright (c) 2004-2018 David Heinemeier Hansson
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.rdoc

@@ -9,18 +9,18 @@ used to inline short Ruby snippets inside HTML), and XML Builder.
 
 The latest version of Action View can be installed with RubyGems:
 
-  % [sudo] gem install actionview
+  $ gem install actionview
 
-Source code can be downloaded as part of the Rails project on GitHub
+Source code can be downloaded as part of the Rails project on GitHub:
 
-* https://github.com/rails/rails/tree/4-2-stable/actionview
+* https://github.com/rails/rails/tree/5-2-stable/actionview
 
 
 == License
 
 Action View is released under the MIT license:
 
-* http://www.opensource.org/licenses/MIT
+* https://opensource.org/licenses/MIT
 
 
 == Support
@@ -29,11 +29,10 @@ API documentation is at
 
 * http://api.rubyonrails.org
 
-Bug reports can be filed for the Ruby on Rails project here:
+Bug reports for the Ruby on Rails project can be filed here:
 
 * https://github.com/rails/rails/issues
 
 Feature requests should be discussed on the rails-core mailing list here:
 
 * https://groups.google.com/forum/?fromgroups#!forum/rubyonrails-core
-