actionview 4.2.11.1 → 6.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 71fb7b73001ccc9220ba0da089fc3336a3a18620ca13a18730fa91d4799fbf58
-  data.tar.gz: a87ef6a72900a81c7cff2d00f3fac65006c0f95935b7bf366c1f4bfa1210b6d1
+  metadata.gz: 6ae3e4955963f84b4299850e39bf729597e07e7c0f9af6d79258a65131053f22
+  data.tar.gz: 609472d2030d8e4d54964169fe770a58e2a908f2a5b7c4e207a6496a8e4cd6a4
 SHA512:
-  metadata.gz: ea93cb6a5de3af579900cf1534b50842c6d197062ee7a01a9f499287dbbb8f6f3d9c32abfadba3c2d1868b8deddc70594c3e5767744031e47961d5da15cb5e54
-  data.tar.gz: e59b44cf756ed5bf55ef96709055a04413dfba03fa083c32ef709eb266267ac774bc7d83c08c696a16c98e5dd93a412a531372eee7546bcc8e856e1304dcf618
+  metadata.gz: f0c4acc4e8cfb5e67b19ed61155b56ecb6b627d1e172ea8b38db4d2a6a4a2ec41db356581993e9ca228029896bdca775e40f4dba2a37120a3cb7b061a0d6d096
+  data.tar.gz: e2789295904614c027c6f4d1bade6b8d1beeae00d2cc224b59ee83af0073ce126d4f2bb5f210c2cd362668266f578449f6d022eb62fd0b216e9c83dba750a31e

data/CHANGELOG.md

@@ -1,357 +1,366 @@
-## Rails 4.2.11.1 (March 11, 2019) ##
-
-*   No changes.
+## Rails 6.0.4 (June 15, 2021) ##
 
+*   SanitizeHelper.sanitized_allowed_attributes and SanitizeHelper.sanitized_allowed_tags
+    call safe_list_sanitizer's class method
 
-## Rails 4.2.11 (November 27, 2018) ##
+    Fixes #39586
 
-*   No changes.
+    *Taufiq Muhammadi*
 
 
-## Rails 4.2.10 (September 27, 2017) ##
+## Rails 6.0.3.7 (May 05, 2021) ##
 
 *   No changes.
 
 
-## Rails 4.2.9 (June 26, 2017) ##
+## Rails 6.0.3.6 (March 26, 2021) ##
 
 *   No changes.
 
 
-## Rails 4.2.8 (February 21, 2017) ##
+## Rails 6.0.3.5 (February 10, 2021) ##
 
 *   No changes.
 
 
-## Rails 4.2.7 (July 12, 2016) ##
+## Rails 6.0.3.4 (October 07, 2020) ##
 
 *   No changes.
 
 
-## Rails 4.2.6 (March 07, 2016) ##
+## Rails 6.0.3.3 (September 09, 2020) ##
 
-*   Fix stripping the digest from the automatically generated img tag alt
-    attribute when assets are handled by Sprockets >=3.0.
+*   [CVE-2020-8185] Fix potential XSS vulnerability in the `translate`/`t` helper.
 
-    *Bart de Water*
+    *Jonathan Hefner*
 
-*   Create a new `ActiveSupport::SafeBuffer` instance when `content_for` is flushed.
 
-    Fixes #19890
+## Rails 6.0.3.2 (June 17, 2020) ##
 
-    *Yoong Kang Lim*
+*   No changes.
 
-*   Respect value of `:object` if `:object` is false when rendering.
 
-    Fixes #22260.
+## Rails 6.0.3.1 (May 18, 2020) ##
 
-    *Yuichiro Kaneko*
+*   [CVE-2020-8167] Check that request is same-origin prior to including CSRF token in XHRs
 
-*   Generate `week_field` input values using a 1-based index and not a 0-based index
-    as per the W3 spec: http://www.w3.org/TR/html-markup/datatypes.html#form.data.week
 
-    *Christoph Geschwind*
+## Rails 6.0.3 (May 06, 2020) ##
 
+*   annotated_source_code returns an empty array so TemplateErrors without a
+    template in the backtrace are surfaced properly by DebugExceptions.
 
-## Rails 4.2.5.2 (February 26, 2016) ##
+    *Guilherme Mansur*, *Kasper Timm Hansen*
 
-*   Do not allow render with unpermitted parameter.
+*   Add autoload for SyntaxErrorInTemplate so syntax errors are correctly raised by DebugExceptions.
 
-    Fixes CVE-2016-2098.
+    *Guilherme Mansur*, *Gannon McGibbon*
 
-    *Arthur Neves*
 
+## Rails 6.0.2.2 (March 19, 2020) ##
 
-## Rails 4.2.5.1 (January 25, 2015) ##
+*   Fix possible XSS vector in escape_javascript helper
 
-*   Adds boolean argument outside_app_allowed to `ActionView::Resolver#find_templates`
-    method.
+    CVE-2020-5267
 
     *Aaron Patterson*
 
 
-## Rails 4.2.5 (November 12, 2015) ##
-
-*   Fix `mail_to` when called with `nil` as argument.
+## Rails 6.0.2.1 (December 18, 2019) ##
 
-    *Rafael Mendonça França*
-
-*   `url_for` does not modify its arguments when generating polymorphic URLs.
-
-    *Bernerd Schaefer*
+*   No changes.
 
 
-## Rails 4.2.4 (August 24, 2015) ##
+## Rails 6.0.2 (December 13, 2019) ##
 
-* No Changes *
+*   No changes.
 
 
-## Rails 4.2.3 (June 25, 2015) ##
+## Rails 6.0.1 (November 5, 2019) ##
 
-*   `translate` should handle `raise` flag correctly in case of both main and default
-    translation is missing.
+*   UJS avoids `Element.closest()` for IE 9 compatibility.
 
-    Fixes #19967
+    *George Claghorn*
 
-    *Bernard Potocki*
 
-*   `translate` allows `default: [[]]` again for a default value of `[]`.
+## Rails 6.0.0 (August 16, 2019) ##
 
-    Fixes #19640.
+*   ActionView::Helpers::SanitizeHelper: support rails-html-sanitizer 1.1.0.
 
-    *Adam Prescott*
+    *Juanito Fatas*
 
-*   `translate` should accept nils as members of the `:default`
-    parameter without raising a translation missing error.  Fixes a
-    regression introduced 362557e.
 
-    Fixes #19419
+## Rails 6.0.0.rc2 (July 22, 2019) ##
 
-    *Justin Coyne*
+*   Fix `select_tag` so that it doesn't change `options` when `include_blank` is present.
 
-*   `number_to_percentage` does not crash with `Float::NAN` or `Float::INFINITY`
-    as input when `precision: 0` is used.
+    *Younes SERRAJ*
 
-    Fixes #19227.
 
-    *Yves Senn*
+## Rails 6.0.0.rc1 (April 24, 2019) ##
 
+*   Fix partial caching skips same item issue
 
-## Rails 4.2.2 (June 16, 2015) ##
+    If we render cached collection partials with repeated items, those repeated items
+    will get skipped. For example, if you have 5 identical items in your collection, Rails
+    only renders the first one when `cached` is set to true. But it should render all
+    5 items instead.
 
-* No Changes *
+    Fixes #35114.
 
+    *Stan Lo*
 
-## Rails 4.2.1 (March 19, 2015) ##
+*   Only clear ActionView cache in development on file changes
 
-*   Default translations that have a lower precedence than an html safe default,
-    but are not themselves safe, should not be marked as html_safe.
+    To speed up development mode, view caches are only cleared when files in
+    the view paths have changed. Applications which have implemented custom
+    `ActionView::Resolver` subclasses may need to add their own cache clearing.
 
-    *Justin Coyne*
+    *John Hawthorn*
 
-*   Added an explicit error message, in `ActionView::PartialRenderer`
-    for partial `rendering`, when the value of option `as` has invalid characters.
+*   Fix `ActionView::FixtureResolver` so that it handles template variants correctly.
 
-    *Angelo Capilleri*
+    *Edward Rudd*
 
+*   `ActionView::TemplateRender.render(file: )` now renders the file directly,
+    without using any handlers, using the new `Template::RawFile` class.
 
-## Rails 4.2.0 (December 20, 2014) ##
+    *John Hawthorn*, *Cliff Pruitt*
 
-*   Local variable in a partial is now available even if a falsy value is
-    passed to `:object` when rendering a partial.
 
-    Fixes #17373.
+## Rails 6.0.0.beta3 (March 11, 2019) ##
 
-    *Agis Anastasopoulos*
+*   Only accept formats from registered mime types
 
-*   Add support for `:enforce_utf8` option in `form_for`.
+    A lack of filtering on mime types could allow an attacker to read
+    arbitrary files on the target server or to perform a denial of service
+    attack.
 
-    This is the same option that was added in 06388b0 to `form_tag` and allows
-    users to skip the insertion of the UTF8 enforcer tag in a form.
+    Fixes CVE-2019-5418
+    Fixes CVE-2019-5419
 
-    * claudiob *
+    *John Hawthorn*, *Eileen M. Uchitelle*, *Aaron Patterson*
 
-*   Fix a bug that <%= foo(){ %> and <%= foo()do %> in view templates were not regarded
-    as Ruby block calls.
 
-    * Akira Matsuda *
+## Rails 6.0.0.beta2 (February 25, 2019) ##
 
-*   Update `select_tag` to work correctly with `:include_blank` option passing a string.
+*   `ActionView::Template.finalize_compiled_template_methods` is deprecated with
+    no replacement.
 
-    Fixes #16483.
+    *tenderlove*
 
-    *Frank Groeneveld*
+*   `config.action_view.finalize_compiled_template_methods` is deprecated with
+    no replacement.
 
-*   Changed the meaning of `render "foo/bar"`.
+    *tenderlove*
 
-    Previously, calling `render "foo/bar"` in a controller action is equivalent
-    to `render file: "foo/bar"`. In Rails 4.2, this has been changed to mean
-    `render template: "foo/bar"` instead. If you need to render a file, please
-    change your code to use the explicit form (`render file: "foo/bar"`) instead.
+*   Ensure unique DOM IDs for collection inputs with float values.
 
-    *Jeremy Jackson*
+    Fixes #34974.
 
-*   Add support for ARIA attributes in tags.
+    *Mark Edmondson*
 
-    Example:
+*   Single arity template handlers are deprecated.  Template handlers must
+    now accept two parameters, the view object and the source for the view object.
 
-        <%= f.text_field :name, aria: { required: "true", hidden: "false" } %>
+    *tenderlove*
 
-    now generates:
 
-         <input aria-hidden="false" aria-required="true" id="user_name" name="user[name]" type="text">
+## Rails 6.0.0.beta1 (January 18, 2019) ##
 
-    *Paola Garcia Casadiego*
+*   [Rename npm package](https://github.com/rails/rails/pull/34905) from
+    [`rails-ujs`](https://www.npmjs.com/package/rails-ujs) to
+    [`@rails/ujs`](https://www.npmjs.com/package/@rails/ujs).
 
-*   Provide a `builder` object when using the `label` form helper in block form.
+    *Javan Makhmali*
 
-    The new `builder` object responds to `translation`, allowing I18n fallback support
-    when you want to customize how a particular label is presented.
+*   Remove deprecated `image_alt` helper.
 
-    *Alex Robbin*
+    *Rafael Mendonça França*
 
-*   Add I18n support for input/textarea placeholder text.
+*   Fix the need of `#protect_against_forgery?` method defined in
+    `ActionView::Base` subclasses. This prevents the use of forms and buttons.
 
-    Placeholder I18n follows the same convention as `label` I18n.
+    *Genadi Samokovarov*
 
-    *Alex Robbin*
+*   Fix UJS permanently showing disabled text in a[data-remote][data-disable-with] elements within forms.
 
-*   Fix that render layout: 'messages/layout' should also be added to the dependency tracker tree.
+    Fixes #33889.
 
-    *DHH*
+    *Wolfgang Hobmaier*
 
-*   Add `PartialIteration` object used when rendering collections.
+*   Prevent non-primary mouse keys from triggering Rails UJS click handlers.
+    Firefox fires click events even if the click was triggered by non-primary mouse keys such as right- or scroll-wheel-clicks.
+    For example, right-clicking a link such as the one described below (with an underlying ajax request registered on click) should not cause that request to occur.
 
-    The iteration object is available as the local variable
-    `#{template_name}_iteration` when rendering partials with collections.
+    ```
+    <%= link_to 'Remote', remote_path, class: 'remote', remote: true, data: { type: :json } %>
+    ```
 
-    It gives access to the `size` of the collection being iterated over,
-    the current `index` and two convenience methods `first?` and `last?`.
+    Fixes #34541.
 
-    *Joel Junström*, *Lucas Uyezu*
+    *Wolfgang Hobmaier*
 
-*   Return an absolute instead of relative path from an asset url in the case
-    of the `asset_host` proc returning nil.
+*   Prevent `ActionView::TextHelper#word_wrap` from unexpectedly stripping white space from the _left_ side of lines.
 
-    *Jolyon Pawlyn*
+    For example, given input like this:
 
-*   Fix `html_escape_once` to properly handle hex escape sequences (e.g. &#x1a2b;).
+    ```
+        This is a paragraph with an initial indent,
+    followed by additional lines that are not indented,
+    and finally terminated with a blockquote:
+      "A pithy saying"
+    ```
 
-    *John F. Douthat*
+    Calling `word_wrap` should not trim the indents on the first and last lines.
 
-*   Added String support for min and max properties for date field helpers.
+    Fixes #34487.
 
-    *Todd Bealmear*
+    *Lyle Mullican*
 
-*   The `highlight` helper now accepts a block to be used instead of the `highlighter`
-    option.
+*   Add allocations to template rendering instrumentation.
 
-    *Lucas Mazza*
+    Adds the allocations for template and partial rendering to the server output on render.
 
-*   The `except` and `highlight` helpers now accept regular expressions.
+    ```
+      Rendered posts/_form.html.erb (Duration: 7.1ms | Allocations: 6004)
+      Rendered posts/new.html.erb within layouts/application (Duration: 8.3ms | Allocations: 6654)
+    Completed 200 OK in 858ms (Views: 848.4ms | ActiveRecord: 0.4ms | Allocations: 1539564)
+    ```
 
-    *Jan Szumiec*
+    *Eileen M. Uchitelle*, *Aaron Patterson*
 
-*   Flatten the array parameter in `safe_join`, so it behaves consistently with
-    `Array#join`.
+*   Respect the `only_path` option passed to `url_for` when the options are passed in as an array
 
-    *Paul Grayson*
+    Fixes #33237.
 
-*   Honor `html_safe` on array elements in tag values, as we do for plain string
-    values.
+    *Joel Ambass*
 
-    *Paul Grayson*
+*   Deprecate calling private model methods from view helpers.
 
-*   Add `ActionView::Template::Handler.unregister_template_handler`.
+    For example, in methods like `options_from_collection_for_select`
+    and `collection_select` it is possible to call private methods from
+    the objects used.
 
-    It performs the opposite of `ActionView::Template::Handler.register_template_handler`.
+    Fixes #33546.
 
-    *Zuhao Wan*
+    *Ana María Martínez Gómez*
 
-*   Bring `cache_digest` rake tasks up-to-date with the latest API changes.
+*   Fix issue with `button_to`'s `to_form_params`
 
-    *Jiri Pospisil*
+    `button_to` was throwing exception when invoked with `params` hash that
+    contains symbol and string keys. The reason for the exception was that
+    `to_form_params` was comparing the given symbol and string keys.
 
-*   Allow custom `:host` option to be passed to `asset_url` helper that
-    overwrites `config.action_controller.asset_host` for particular asset.
+    The issue is fixed by turning all keys to strings inside
+    `to_form_params` before comparing them.
 
-    *Hubert Łępicki*
+    *Georgi Georgiev*
 
-*   Deprecate `AbstractController::Base.parent_prefixes`.
-    Override `AbstractController::Base.local_prefixes` when you want to change
-    where to find views.
+*   Mark arrays of translations as trusted safe by using the `_html` suffix.
 
-    *Nick Sutterer*
+    Example:
 
-*   Take label values into account when doing I18n lookups for model attributes.
+        en:
+          foo_html:
+            - "One"
+            - "<strong>Two</strong>"
+            - "Three &#128075; &#128578;"
 
-    The following:
+    *Juan Broullon*
 
-        # form.html.erb
-        <%= form_for @post do |f| %>
-          <%= f.label :type, value: "long" %>
-        <% end %>
+*   Add `year_format` option to date_select tag. This option makes it possible to customize year
+    names. Lambda should be passed to use this option.
 
-        # en.yml
-        en:
-          activerecord:
-            attributes:
-              post/long: "Long-form Post"
+    Example:
 
-    Used to simply return "long", but now it will return "Long-form
-    Post".
+        date_select('user_birthday', '', start_year: 1998, end_year: 2000, year_format: ->year { "Heisei #{year - 1988}" })
 
-    *Joshua Cody*
+    The HTML produced:
 
-*   Change `asset_path` to use File.join to create proper paths:
+        <select id="user_birthday__1i" name="user_birthday[(1i)]">
+        <option value="1998">Heisei 10</option>
+        <option value="1999">Heisei 11</option>
+        <option value="2000">Heisei 12</option>
+        </select>
+        /* The rest is omitted */
 
-    Before:
+    *Koki Ryu*
 
-        https://some.host.com//assets/some.js
+*   Fix JavaScript views rendering does not work with Firefox when using
+    Content Security Policy.
 
-    After:
+    Fixes #32577.
 
-        https://some.host.com/assets/some.js
+    *Yuji Yaginuma*
 
-    *Peter Schröder*
+*   Add the `nonce: true` option for `javascript_include_tag` helper to
+    support automatic nonce generation for Content Security Policy.
+    Works the same way as `javascript_tag nonce: true` does.
 
-*   Change `favicon_link_tag` default mimetype from `image/vnd.microsoft.icon` to
-    `image/x-icon`.
+    *Yaroslav Markin*
 
-    Before:
+*   Remove `ActionView::Helpers::RecordTagHelper`.
 
-        # => favicon_link_tag 'myicon.ico'
-        <link href="/assets/myicon.ico" rel="shortcut icon" type="image/vnd.microsoft.icon" />
+    *Yoshiyuki Hirano*
 
-    After:
+*   Disable `ActionView::Template` finalizers in test environment.
 
-        # => favicon_link_tag 'myicon.ico'
-        <link href="/assets/myicon.ico" rel="shortcut icon" type="image/x-icon" />
+    Template finalization can be expensive in large view test suites.
+    Add a configuration option,
+    `action_view.finalize_compiled_template_methods`, and turn it off in
+    the test environment.
 
-    *Geoffroy Lorieux*
+    *Simon Coffey*
 
-*   Remove wrapping div with inline styles for hidden form fields.
+*   Extract the `confirm` call in its own, overridable method in `rails_ujs`.
 
-    We are dropping HTML 4.01 and XHTML strict compliance since input tags directly
-    inside a form are valid HTML5, and the absence of inline styles help in validating
-    for Content Security Policy.
+    Example:
 
-    *Joost Baaij*
+        Rails.confirm = function(message, element) {
+          return (my_bootstrap_modal_confirm(message));
+        }
 
-*   `collection_check_boxes` respects `:index` option for the hidden field name.
+    *Mathieu Mahé*
 
-    Fixes #14147.
+*   Enable select tag helper to mark `prompt` option as `selected` and/or `disabled` for `required`
+    field.
 
-    *Vasiliy Ermolovich*
+    Example:
 
-*   `date_select` helper with option `with_css_classes: true` does not overwrite other classes.
+        select :post,
+               :category,
+               ["lifestyle", "programming", "spiritual"],
+               { selected: "", disabled: "", prompt: "Choose one" },
+               { required: true }
 
-    *Izumi Wong-Horiuchi*
+    Placeholder option would be selected and disabled.
 
-*   `number_to_percentage` does not crash with `Float::NAN` or `Float::INFINITY`
-    as input.
+    The HTML produced:
 
-    Fixes #14405.
+        <select required="required" name="post[category]" id="post_category">
+        <option disabled="disabled" selected="selected" value="">Choose one</option>
+        <option value="lifestyle">lifestyle</option>
+        <option value="programming">programming</option>
+        <option value="spiritual">spiritual</option></select>
 
-    *Yves Senn*
+    *Sergey Prikhodko*
 
-*   Add `include_hidden` option to `collection_check_boxes` helper.
+*   Don't enforce UTF-8 by default.
 
-    *Vasiliy Ermolovich*
+    With the disabling of TLS 1.0 by most major websites, continuing to run
+    IE8 or lower becomes increasingly difficult so default to not enforcing
+    UTF-8 encoding as it's not relevant to other browsers.
 
-*   Fixed a problem where the default options for the `button_tag` helper are not
-    applied correctly.
+    *Andrew White*
 
-    Fixes #14254.
+*   Change translation key of `submit_tag` from `module_name_class_name` to `module_name/class_name`.
 
-    *Sergey Prikhodko*
+    *Rui Onodera*
 
-*   Take variants into account when calculating template digests in ActionView::Digestor.
+*   Rails 6 requires Ruby 2.5.0 or newer.
 
-    The arguments to ActionView::Digestor#digest are now being passed as a hash
-    to support variants and allow more flexibility in the future. The support for
-    regular (required) arguments is deprecated and will be removed in Rails 5.0 or later.
+    *Jeremy Daer*, *Kasper Timm Hansen*
 
-    *Piotr Chmolowski, Łukasz Strzałkowski*
 
-Please check [4-1-stable](https://github.com/rails/rails/blob/4-1-stable/actionview/CHANGELOG.md) for previous changes.
+Please check [5-2-stable](https://github.com/rails/rails/blob/5-2-stable/actionview/CHANGELOG.md) for previous changes.

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2004-2014 David Heinemeier Hansson
+Copyright (c) 2004-2019 David Heinemeier Hansson
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.rdoc

@@ -5,35 +5,36 @@ view helpers that assist when building HTML forms, Atom feeds and more.
 Template formats that Action View handles are ERB (embedded Ruby, typically
 used to inline short Ruby snippets inside HTML), and XML Builder.
 
+You can read more about Action View in the {Action View Overview}[https://edgeguides.rubyonrails.org/action_view_overview.html] guide.
+
 == Download and installation
 
 The latest version of Action View can be installed with RubyGems:
 
-  % [sudo] gem install actionview
+  $ gem install actionview
 
-Source code can be downloaded as part of the Rails project on GitHub
+Source code can be downloaded as part of the Rails project on GitHub:
 
-* https://github.com/rails/rails/tree/4-2-stable/actionview
+* https://github.com/rails/rails/tree/main/actionview
 
 
 == License
 
 Action View is released under the MIT license:
 
-* http://www.opensource.org/licenses/MIT
+* https://opensource.org/licenses/MIT
 
 
 == Support
 
 API documentation is at
 
-* http://api.rubyonrails.org
+* https://api.rubyonrails.org
 
-Bug reports can be filed for the Ruby on Rails project here:
+Bug reports for the Ruby on Rails project can be filed here:
 
 * https://github.com/rails/rails/issues
 
 Feature requests should be discussed on the rails-core mailing list here:
 
-* https://groups.google.com/forum/?fromgroups#!forum/rubyonrails-core
-
+* https://discuss.rubyonrails.org/c/rubyonrails-core