actionview 4.2.11.1 → 6.0.3.1

data/lib/action_view/helpers/number_helper.rb

@@ -1,13 +1,12 @@
-# encoding: utf-8
+# frozen_string_literal: true
 
-require 'active_support/core_ext/hash/keys'
-require 'active_support/core_ext/string/output_safety'
-require 'active_support/number_helper'
+require "active_support/core_ext/hash/keys"
+require "active_support/core_ext/string/output_safety"
+require "active_support/number_helper"
 
 module ActionView
   # = Action View Number Helpers
   module Helpers #:nodoc:
-
     # Provides methods for converting numbers into formatted strings.
     # Methods are provided for phone numbers, currency, percentage,
     # precision, positional notation, file size and pretty printing.
@@ -15,7 +14,6 @@ module ActionView
     # Most methods expect a +number+ argument, and will return it
     # unchanged if can't be converted into a valid number.
     module NumberHelper
-
       # Raised when argument +number+ param given to the helpers is invalid and
       # the option :raise is set to  +true+.
       class InvalidNumberError < StandardError
@@ -25,7 +23,7 @@ module ActionView
         end
       end
 
-      # Formats a +number+ into a US phone number (e.g., (555)
+      # Formats a +number+ into a phone number (US by default e.g., (555)
       # 123-9876). You can customize the format in the +options+ hash.
       #
       # ==== Options
@@ -37,6 +35,8 @@ module ActionView
       #   end of the generated number.
       # * <tt>:country_code</tt> - Sets the country code for the phone
       #   number.
+      # * <tt>:pattern</tt> - Specifies how the number is divided into three
+      #   groups with the custom regexp to override the default format.
       # * <tt>:raise</tt> - If true, raises +InvalidNumberError+ when
       #   the argument is invalid.
       #
@@ -54,6 +54,11 @@ module ActionView
       #
       #   number_to_phone(1235551234, country_code: 1, extension: 1343, delimiter: ".")
       #   # => +1.123.555.1234 x 1343
+      #
+      #   number_to_phone(75561234567, pattern: /(\d{1,4})(\d{4})(\d{4})$/, area_code: true)
+      #   # => "(755) 6123-4567"
+      #   number_to_phone(13312345678, pattern: /(\d{3})(\d{4})(\d{4})$/)
+      #   # => "133-1234-5678"
       def number_to_phone(number, options = {})
         return unless number
         options = options.symbolize_keys
@@ -65,6 +70,14 @@ module ActionView
       # Formats a +number+ into a currency string (e.g., $13.65). You
       # can customize the format in the +options+ hash.
       #
+      # The currency unit and number formatting of the current locale will be used
+      # unless otherwise specified in the provided options. No currency conversion
+      # is performed. If the user is given a way to change their locale, they will
+      # also be able to change the relative value of the currency displayed with
+      # this helper. If your application will ever support multiple locales, you
+      # may want to specify a constant <tt>:locale</tt> option or consider
+      # using a library capable of currency conversion.
+      #
       # ==== Options
       #
       # * <tt>:locale</tt> - Sets the locale to be used for formatting
@@ -81,12 +94,15 @@ module ActionView
       #   (defaults to "%u%n").  Fields are <tt>%u</tt> for the
       #   currency, and <tt>%n</tt> for the number.
       # * <tt>:negative_format</tt> - Sets the format for negative
-      #   numbers (defaults to prepending an hyphen to the formatted
+      #   numbers (defaults to prepending a hyphen to the formatted
       #   number given by <tt>:format</tt>).  Accepts the same fields
       #   than <tt>:format</tt>, except <tt>%n</tt> is here the
       #   absolute value of the number.
       # * <tt>:raise</tt> - If true, raises +InvalidNumberError+ when
       #   the argument is invalid.
+      # * <tt>:strip_insignificant_zeros</tt> - If +true+ removes
+      #   insignificant zeros after the decimal separator (defaults to
+      #   +false+).
       #
       # ==== Examples
       #
@@ -98,12 +114,16 @@ module ActionView
       #
       #   number_to_currency("123a456", raise: true)           # => InvalidNumberError
       #
+      #   number_to_currency(-0.456789, precision: 0)
+      #   # => "$0"
       #   number_to_currency(-1234567890.50, negative_format: "(%u%n)")
       #   # => ($1,234,567,890.50)
       #   number_to_currency(1234567890.50, unit: "R$", separator: ",", delimiter: "")
       #   # => R$1234567890,50
       #   number_to_currency(1234567890.50, unit: "R$", separator: ",", delimiter: "", format: "%n %u")
       #   # => 1234567890,50 R$
+      #   number_to_currency(1234567890.50, strip_insignificant_zeros: true)
+      #   # => "$1,234,567,890.5"
       def number_to_currency(number, options = {})
         delegate_number_helper_method(:number_to_currency, number, options)
       end
@@ -117,8 +137,8 @@ module ActionView
       #   (defaults to current locale).
       # * <tt>:precision</tt> - Sets the precision of the number
       #   (defaults to 3).
-      # * <tt>:significant</tt> - If +true+, precision will be the #
-      #   of significant_digits. If +false+, the # of fractional
+      # * <tt>:significant</tt> - If +true+, precision will be the number
+      #   of significant_digits. If +false+, the number of fractional
       #   digits (defaults to +false+).
       # * <tt>:separator</tt> - Sets the separator between the
       #   fractional and integer digits (defaults to ".").
@@ -141,7 +161,7 @@ module ActionView
       #   number_to_percentage(302.24398923423, precision: 5)              # => 302.24399%
       #   number_to_percentage(1000, locale: :fr)                          # => 1 000,000%
       #   number_to_percentage("98a")                                      # => 98a%
-      #   number_to_percentage(100, format: "%n  %")                       # => 100  %
+      #   number_to_percentage(100, format: "%n  %")                       # => 100.000  %
       #
       #   number_to_percentage("98a", raise: true)                         # => InvalidNumberError
       def number_to_percentage(number, options = {})
@@ -160,6 +180,9 @@ module ActionView
       #   to ",").
       # * <tt>:separator</tt> - Sets the separator between the
       #   fractional and integer digits (defaults to ".").
+      # * <tt>:delimiter_pattern</tt> - Sets a custom regular expression used for
+      #   deriving the placement of delimiter. Helpful when using currency formats
+      #   like INR.
       # * <tt>:raise</tt> - If true, raises +InvalidNumberError+ when
       #   the argument is invalid.
       #
@@ -176,6 +199,9 @@ module ActionView
       #   number_with_delimiter(98765432.98, delimiter: " ", separator: ",")
       #   # => 98 765 432,98
       #
+      #   number_with_delimiter("123456.78",
+      #     delimiter_pattern: /(\d+?)(?=(\d\d)+(\d)(?!\d))/)    # => "1,23,456.78"
+      #
       #  number_with_delimiter("112a", raise: true)              # => raise InvalidNumberError
       def number_with_delimiter(number, options = {})
         delegate_number_helper_method(:number_to_delimited, number, options)
@@ -192,8 +218,8 @@ module ActionView
       #   (defaults to current locale).
       # * <tt>:precision</tt> - Sets the precision of the number
       #   (defaults to 3).
-      # * <tt>:significant</tt> - If +true+, precision will be the #
-      #   of significant_digits. If +false+, the # of fractional
+      # * <tt>:significant</tt> - If +true+, precision will be the number
+      #   of significant_digits. If +false+, the number of fractional
       #   digits (defaults to +false+).
       # * <tt>:separator</tt> - Sets the separator between the
       #   fractional and integer digits (defaults to ".").
@@ -240,8 +266,8 @@ module ActionView
       #   (defaults to current locale).
       # * <tt>:precision</tt> - Sets the precision of the number
       #   (defaults to 3).
-      # * <tt>:significant</tt> - If +true+, precision will be the #
-      #   of significant_digits. If +false+, the # of fractional
+      # * <tt>:significant</tt> - If +true+, precision will be the number
+      #   of significant_digits. If +false+, the number of fractional
       #   digits (defaults to +true+)
       # * <tt>:separator</tt> - Sets the separator between the
       #   fractional and integer digits (defaults to ".").
@@ -250,8 +276,6 @@ module ActionView
       # * <tt>:strip_insignificant_zeros</tt> - If +true+ removes
       #   insignificant zeros after the decimal separator (defaults to
       #   +true+)
-      # * <tt>:prefix</tt> - If +:si+ formats the number using the SI
-      #   prefix (defaults to :binary)
       # * <tt>:raise</tt> - If true, raises +InvalidNumberError+ when
       #   the argument is invalid.
       #
@@ -263,6 +287,8 @@ module ActionView
       #   number_to_human_size(1234567)                                      # => 1.18 MB
       #   number_to_human_size(1234567890)                                   # => 1.15 GB
       #   number_to_human_size(1234567890123)                                # => 1.12 TB
+      #   number_to_human_size(1234567890123456)                             # => 1.1 PB
+      #   number_to_human_size(1234567890123456789)                          # => 1.07 EB
       #   number_to_human_size(1234567, precision: 2)                        # => 1.2 MB
       #   number_to_human_size(483989, precision: 2)                         # => 470 KB
       #   number_to_human_size(1234567, precision: 2, separator: ',')        # => 1,2 MB
@@ -280,7 +306,7 @@ module ActionView
       # See <tt>number_to_human_size</tt> if you want to print a file
       # size.
       #
-      # You can also define you own unit-quantifier names if you want
+      # You can also define your own unit-quantifier names if you want
       # to use other decimal units (eg.: 1500 becomes "1.5
       # kilometers", 0.150 becomes "150 milliliters", etc). You may
       # define a wide range of unit quantifiers, even fractional ones
@@ -292,8 +318,8 @@ module ActionView
       #   (defaults to current locale).
       # * <tt>:precision</tt> - Sets the precision of the number
       #   (defaults to 3).
-      # * <tt>:significant</tt> - If +true+, precision will be the #
-      #   of significant_digits. If +false+, the # of fractional
+      # * <tt>:significant</tt> - If +true+, precision will be the number
+      #   of significant_digits. If +false+, the number of fractional
       #   digits (defaults to +true+)
       # * <tt>:separator</tt> - Sets the separator between the
       #   fractional and integer digits (defaults to ".").
@@ -379,54 +405,53 @@ module ActionView
       end
 
       private
+        def delegate_number_helper_method(method, number, options)
+          return unless number
+          options = escape_unsafe_options(options.symbolize_keys)
 
-      def delegate_number_helper_method(method, number, options)
-        return unless number
-        options = escape_unsafe_options(options.symbolize_keys)
-
-        wrap_with_output_safety_handling(number, options.delete(:raise)) {
-          ActiveSupport::NumberHelper.public_send(method, number, options)
-        }
-      end
+          wrap_with_output_safety_handling(number, options.delete(:raise)) {
+            ActiveSupport::NumberHelper.public_send(method, number, options)
+          }
+        end
 
-      def escape_unsafe_options(options)
-        options[:format]          = ERB::Util.html_escape(options[:format]) if options[:format]
-        options[:negative_format] = ERB::Util.html_escape(options[:negative_format]) if options[:negative_format]
-        options[:separator]       = ERB::Util.html_escape(options[:separator]) if options[:separator]
-        options[:delimiter]       = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter]
-        options[:unit]            = ERB::Util.html_escape(options[:unit]) if options[:unit] && !options[:unit].html_safe?
-        options[:units]           = escape_units(options[:units]) if options[:units] && Hash === options[:units]
-        options
-      end
+        def escape_unsafe_options(options)
+          options[:format]          = ERB::Util.html_escape(options[:format]) if options[:format]
+          options[:negative_format] = ERB::Util.html_escape(options[:negative_format]) if options[:negative_format]
+          options[:separator]       = ERB::Util.html_escape(options[:separator]) if options[:separator]
+          options[:delimiter]       = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter]
+          options[:unit]            = ERB::Util.html_escape(options[:unit]) if options[:unit] && !options[:unit].html_safe?
+          options[:units]           = escape_units(options[:units]) if options[:units] && Hash === options[:units]
+          options
+        end
 
-      def escape_units(units)
-        Hash[units.map do |k, v|
-          [k, ERB::Util.html_escape(v)]
-        end]
-      end
+        def escape_units(units)
+          Hash[units.map do |k, v|
+            [k, ERB::Util.html_escape(v)]
+          end]
+        end
 
-      def wrap_with_output_safety_handling(number, raise_on_invalid, &block)
-        valid_float = valid_float?(number)
-        raise InvalidNumberError, number if raise_on_invalid && !valid_float
+        def wrap_with_output_safety_handling(number, raise_on_invalid, &block)
+          valid_float = valid_float?(number)
+          raise InvalidNumberError, number if raise_on_invalid && !valid_float
 
-        formatted_number = yield
+          formatted_number = yield
 
-        if valid_float || number.html_safe?
-          formatted_number.html_safe
-        else
-          formatted_number
+          if valid_float || number.html_safe?
+            formatted_number.html_safe
+          else
+            formatted_number
+          end
         end
-      end
 
-      def valid_float?(number)
-        !parse_float(number, false).nil?
-      end
+        def valid_float?(number)
+          !parse_float(number, false).nil?
+        end
 
-      def parse_float(number, raise_error)
-        Float(number)
-      rescue ArgumentError, TypeError
-        raise InvalidNumberError, number if raise_error
-      end
+        def parse_float(number, raise_error)
+          Float(number)
+        rescue ArgumentError, TypeError
+          raise InvalidNumberError, number if raise_error
+        end
     end
   end
 end

data/lib/action_view/helpers/output_safety_helper.rb

@@ -1,4 +1,6 @@
-require 'active_support/core_ext/string/output_safety'
+# frozen_string_literal: true
+
+require "active_support/core_ext/string/output_safety"
 
 module ActionView #:nodoc:
   # = Action View Raw Output Helper
@@ -22,17 +24,47 @@ module ActionView #:nodoc:
       # the supplied separator, are HTML escaped unless they are HTML
       # safe, and the returned string is marked as HTML safe.
       #
-      #   safe_join(["<p>foo</p>".html_safe, "<p>bar</p>"], "<br />")
+      #   safe_join([raw("<p>foo</p>"), "<p>bar</p>"], "<br />")
       #   # => "<p>foo</p>&lt;br /&gt;&lt;p&gt;bar&lt;/p&gt;"
       #
-      #   safe_join(["<p>foo</p>".html_safe, "<p>bar</p>".html_safe], "<br />".html_safe)
+      #   safe_join([raw("<p>foo</p>"), raw("<p>bar</p>")], raw("<br />"))
       #   # => "<p>foo</p><br /><p>bar</p>"
       #
-      def safe_join(array, sep=$,)
+      def safe_join(array, sep = $,)
         sep = ERB::Util.unwrapped_html_escape(sep)
 
         array.flatten.map! { |i| ERB::Util.unwrapped_html_escape(i) }.join(sep).html_safe
       end
+
+      # Converts the array to a comma-separated sentence where the last element is
+      # joined by the connector word. This is the html_safe-aware version of
+      # ActiveSupport's {Array#to_sentence}[https://api.rubyonrails.org/classes/Array.html#method-i-to_sentence].
+      #
+      def to_sentence(array, options = {})
+        options.assert_valid_keys(:words_connector, :two_words_connector, :last_word_connector, :locale)
+
+        default_connectors = {
+          words_connector: ", ",
+          two_words_connector: " and ",
+          last_word_connector: ", and "
+        }
+        if defined?(I18n)
+          i18n_connectors = I18n.translate(:'support.array', locale: options[:locale], default: {})
+          default_connectors.merge!(i18n_connectors)
+        end
+        options = default_connectors.merge!(options)
+
+        case array.length
+        when 0
+          "".html_safe
+        when 1
+          ERB::Util.html_escape(array[0])
+        when 2
+          safe_join([array[0], array[1]], options[:two_words_connector])
+        else
+          safe_join([safe_join(array[0...-1], options[:words_connector]), options[:last_word_connector], array[-1]], nil)
+        end
+      end
     end
   end
 end

data/lib/action_view/helpers/rendering_helper.rb

@@ -1,5 +1,7 @@
+# frozen_string_literal: true
+
 module ActionView
-  module Helpers
+  module Helpers #:nodoc:
     # = Action View Rendering
     #
     # Implements methods that allow rendering from a view context.
@@ -11,14 +13,13 @@ module ActionView
       # * <tt>:partial</tt> - See <tt>ActionView::PartialRenderer</tt>.
       # * <tt>:file</tt> - Renders an explicit template file (this used to be the old default), add :locals to pass in those.
       # * <tt>:inline</tt> - Renders an inline template similar to how it's done in the controller.
-      # * <tt>:text</tt> - Renders the text passed in out.
       # * <tt>:plain</tt> - Renders the text passed in out. Setting the content
       #   type as <tt>text/plain</tt>.
       # * <tt>:html</tt> - Renders the HTML safe string passed in out, otherwise
       #   performs HTML escape on the string first. Setting the content type as
       #   <tt>text/html</tt>.
       # * <tt>:body</tt> - Renders the text passed in, and inherits the content
-      #   type of <tt>text/html</tt> from <tt>ActionDispatch::Response</tt>
+      #   type of <tt>text/plain</tt> from <tt>ActionDispatch::Response</tt>
       #   object.
       #
       # If no options hash is passed or :update specified, the default is to render a partial and use the second parameter
@@ -26,13 +27,15 @@ module ActionView
       def render(options = {}, locals = {}, &block)
         case options
         when Hash
-          if block_given?
-            view_renderer.render_partial(self, options.merge(:partial => options[:layout]), &block)
-          else
-            view_renderer.render(self, options)
+          in_rendering_context(options) do |renderer|
+            if block_given?
+              view_renderer.render_partial(self, options.merge(partial: options[:layout]), &block)
+            else
+              view_renderer.render(self, options)
+            end
           end
         else
-          view_renderer.render_partial(self, :partial => options, :locals => locals)
+          view_renderer.render_partial(self, partial: options, locals: locals, &block)
         end
       end
 

data/lib/action_view/helpers/sanitize_helper.rb

@@ -1,28 +1,28 @@
-require 'active_support/core_ext/object/try'
-require 'active_support/deprecation'
-require 'rails-html-sanitizer'
+# frozen_string_literal: true
+
+require "rails-html-sanitizer"
 
 module ActionView
   # = Action View Sanitize Helpers
-  module Helpers
+  module Helpers #:nodoc:
     # The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements.
     # These helper methods extend Action View making them callable within your template files.
     module SanitizeHelper
       extend ActiveSupport::Concern
-      # Sanitizes HTML input, stripping all tags and attributes that aren't whitelisted.
+      # Sanitizes HTML input, stripping all but known-safe tags and attributes.
       #
       # It also strips href/src attributes with unsafe protocols like
       # <tt>javascript:</tt>, while also protecting against attempts to use Unicode,
       # ASCII, and hex character references to work around these protocol filters.
+      # All special characters will be escaped.
       #
-      # The default sanitizer is Rails::Html::WhiteListSanitizer. See {Rails HTML
+      # The default sanitizer is Rails::Html::SafeListSanitizer. See {Rails HTML
       # Sanitizers}[https://github.com/rails/rails-html-sanitizer] for more information.
       #
       # Custom sanitization rules can also be provided.
       #
       # Please note that sanitizing user-provided text does not guarantee that the
-      # resulting markup is valid or even well-formed. For example, the output may still
-      # contain unescaped characters like <tt><</tt>, <tt>></tt>, or <tt>&</tt>.
+      # resulting markup is valid or even well-formed.
       #
       # ==== Options
       #
@@ -39,24 +39,22 @@ module ActionView
       #
       #   <%= sanitize @comment.body %>
       #
-      # Providing custom whitelisted tags and attributes:
+      # Providing custom lists of permitted tags and attributes:
       #
       #   <%= sanitize @comment.body, tags: %w(strong em a), attributes: %w(href) %>
       #
       # Providing a custom Rails::Html scrubber:
       #
       #   class CommentScrubber < Rails::Html::PermitScrubber
-      #     def allowed_node?(node)
-      #       !%w(form script comment blockquote).include?(node.name)
+      #     def initialize
+      #       super
+      #       self.tags = %w( form script comment blockquote )
+      #       self.attributes = %w( style )
       #     end
       #
       #     def skip_node?(node)
       #       node.text?
       #     end
-      #
-      #     def scrub_attribute?(name)
-      #       name == 'style'
-      #     end
       #   end
       #
       #   <%= sanitize @comment.body, scrubber: CommentScrubber.new %>
@@ -81,15 +79,15 @@ module ActionView
       #   config.action_view.sanitized_allowed_tags = ['strong', 'em', 'a']
       #   config.action_view.sanitized_allowed_attributes = ['href', 'title']
       def sanitize(html, options = {})
-        self.class.white_list_sanitizer.sanitize(html, options).try(:html_safe)
+        self.class.safe_list_sanitizer.sanitize(html, options)&.html_safe
       end
 
       # Sanitizes a block of CSS code. Used by +sanitize+ when it comes across a style attribute.
       def sanitize_css(style)
-        self.class.white_list_sanitizer.sanitize_css(style)
+        self.class.safe_list_sanitizer.sanitize_css(style)
       end
 
-      # Strips all HTML tags from +html+, including comments.
+      # Strips all HTML tags from +html+, including comments and special characters.
       #
       #   strip_tags("Strip <i>these</i> tags!")
       #   # => Strip these tags!
@@ -99,8 +97,11 @@ module ActionView
       #
       #   strip_tags("<div id='top-bar'>Welcome to my website!</div>")
       #   # => Welcome to my website!
+      #
+      #   strip_tags("> A quote from Smith & Wesson")
+      #   # => &gt; A quote from Smith &amp; Wesson
       def strip_tags(html)
-        self.class.full_sanitizer.sanitize(html, encode_special_chars: false)
+        self.class.full_sanitizer.sanitize(html)
       end
 
       # Strips all link tags from +html+ leaving just the link text.
@@ -113,25 +114,26 @@ module ActionView
       #
       #   strip_links('Blog: <a href="http://www.myblog.com/" class="nav" target=\"_blank\">Visit</a>.')
       #   # => Blog: Visit.
+      #
+      #   strip_links('<<a href="https://example.org">malformed & link</a>')
+      #   # => &lt;malformed &amp; link
       def strip_links(html)
         self.class.link_sanitizer.sanitize(html)
       end
 
       module ClassMethods #:nodoc:
-        attr_writer :full_sanitizer, :link_sanitizer, :white_list_sanitizer
+        attr_writer :full_sanitizer, :link_sanitizer, :safe_list_sanitizer
 
-        # Vendors the full, link and white list sanitizers.
-        # Provided strictly for compabitility and can be removed in Rails 5.
         def sanitizer_vendor
           Rails::Html::Sanitizer
         end
 
         def sanitized_allowed_tags
-          sanitizer_vendor.white_list_sanitizer.allowed_tags
+          safe_list_sanitizer.allowed_tags
         end
 
         def sanitized_allowed_attributes
-          sanitizer_vendor.white_list_sanitizer.allowed_attributes
+          safe_list_sanitizer.allowed_attributes
         end
 
         # Gets the Rails::Html::FullSanitizer instance used by +strip_tags+. Replace with
@@ -140,7 +142,6 @@ module ActionView
         #   class Application < Rails::Application
         #     config.action_view.full_sanitizer = MySpecialSanitizer.new
         #   end
-        #
         def full_sanitizer
           @full_sanitizer ||= sanitizer_vendor.full_sanitizer.new
         end
@@ -151,20 +152,18 @@ module ActionView
         #   class Application < Rails::Application
         #     config.action_view.link_sanitizer = MySpecialSanitizer.new
         #   end
-        #
         def link_sanitizer
           @link_sanitizer ||= sanitizer_vendor.link_sanitizer.new
         end
 
-        # Gets the Rails::Html::WhiteListSanitizer instance used by sanitize and +sanitize_css+.
+        # Gets the Rails::Html::SafeListSanitizer instance used by sanitize and +sanitize_css+.
         # Replace with any object that responds to +sanitize+.
         #
         #   class Application < Rails::Application
-        #     config.action_view.white_list_sanitizer = MySpecialSanitizer.new
+        #     config.action_view.safe_list_sanitizer = MySpecialSanitizer.new
         #   end
-        #
-        def white_list_sanitizer
-          @white_list_sanitizer ||= sanitizer_vendor.white_list_sanitizer.new
+        def safe_list_sanitizer
+          @safe_list_sanitizer ||= sanitizer_vendor.safe_list_sanitizer.new
         end
       end
     end