actionview 4.2.11.1 → 6.0.4.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 71fb7b73001ccc9220ba0da089fc3336a3a18620ca13a18730fa91d4799fbf58
-  data.tar.gz: a87ef6a72900a81c7cff2d00f3fac65006c0f95935b7bf366c1f4bfa1210b6d1
+  metadata.gz: 7d4524ccde8ccdd97c429c6fb86a446f168cd38a2fb7cb613eae1a12a856ab7b
+  data.tar.gz: af9127d2426172fd15893a0677cd47693a8b756834b75b9eba9e4d597af02129
 SHA512:
-  metadata.gz: ea93cb6a5de3af579900cf1534b50842c6d197062ee7a01a9f499287dbbb8f6f3d9c32abfadba3c2d1868b8deddc70594c3e5767744031e47961d5da15cb5e54
-  data.tar.gz: e59b44cf756ed5bf55ef96709055a04413dfba03fa083c32ef709eb266267ac774bc7d83c08c696a16c98e5dd93a412a531372eee7546bcc8e856e1304dcf618
+  metadata.gz: f05445155e060f21a2bb32165685270986019c49eb9b39c830e1acc99e6962f0f258fc3183b5cbaebfa1f69bbe10a176a4b9b653d5e53d5e0fbbbc80827a72a1
+  data.tar.gz: 216d174d5aac9ae24c91e79f1d4d7d3e9c8aec6af7ebd27d239147fd23e702827dc7730e32ee86bf8d0ec12aca358f84e1b8987406bbcfdb8100eba3970143ba

data/CHANGELOG.md

@@ -1,357 +1,413 @@
-## Rails 4.2.11.1 (March 11, 2019) ##
+## Rails 6.0.4.8 (April 26, 2022) ##
+
+*   Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
+
+    Escape dangerous characters in names of tags and names of attributes in the
+    tag helpers, following the XML specification. Rename the option
+    `:escape_attributes` to `:escape`, to simplify by applying the option to the
+    whole tag.
+
+    *Álvaro Martín Fraguas*
+
+
+## Rails 6.0.4.7 (March 08, 2022) ##
 
 *   No changes.
 
 
-## Rails 4.2.11 (November 27, 2018) ##
+## Rails 6.0.4.6 (February 11, 2022) ##
 
 *   No changes.
 
 
-## Rails 4.2.10 (September 27, 2017) ##
+## Rails 6.0.4.5 (February 11, 2022) ##
 
 *   No changes.
 
 
-## Rails 4.2.9 (June 26, 2017) ##
+## Rails 6.0.4.4 (December 15, 2021) ##
 
 *   No changes.
 
 
-## Rails 4.2.8 (February 21, 2017) ##
+## Rails 6.0.4.3 (December 14, 2021) ##
 
 *   No changes.
 
 
-## Rails 4.2.7 (July 12, 2016) ##
+## Rails 6.0.4.2 (December 14, 2021) ##
 
 *   No changes.
 
 
-## Rails 4.2.6 (March 07, 2016) ##
+## Rails 6.0.4.1 (August 19, 2021) ##
 
-*   Fix stripping the digest from the automatically generated img tag alt
-    attribute when assets are handled by Sprockets >=3.0.
+*   No changes.
 
-    *Bart de Water*
 
-*   Create a new `ActiveSupport::SafeBuffer` instance when `content_for` is flushed.
+## Rails 6.0.4 (June 15, 2021) ##
 
-    Fixes #19890
+*   SanitizeHelper.sanitized_allowed_attributes and SanitizeHelper.sanitized_allowed_tags
+    call safe_list_sanitizer's class method
 
-    *Yoong Kang Lim*
+    Fixes #39586
 
-*   Respect value of `:object` if `:object` is false when rendering.
+    *Taufiq Muhammadi*
 
-    Fixes #22260.
 
-    *Yuichiro Kaneko*
+## Rails 6.0.3.7 (May 05, 2021) ##
 
-*   Generate `week_field` input values using a 1-based index and not a 0-based index
-    as per the W3 spec: http://www.w3.org/TR/html-markup/datatypes.html#form.data.week
+*   No changes.
 
-    *Christoph Geschwind*
 
+## Rails 6.0.3.6 (March 26, 2021) ##
 
-## Rails 4.2.5.2 (February 26, 2016) ##
+*   No changes.
 
-*   Do not allow render with unpermitted parameter.
 
-    Fixes CVE-2016-2098.
+## Rails 6.0.3.5 (February 10, 2021) ##
 
-    *Arthur Neves*
+*   No changes.
 
 
-## Rails 4.2.5.1 (January 25, 2015) ##
+## Rails 6.0.3.4 (October 07, 2020) ##
 
-*   Adds boolean argument outside_app_allowed to `ActionView::Resolver#find_templates`
-    method.
+*   No changes.
 
-    *Aaron Patterson*
 
+## Rails 6.0.3.3 (September 09, 2020) ##
 
-## Rails 4.2.5 (November 12, 2015) ##
+*   [CVE-2020-8185] Fix potential XSS vulnerability in the `translate`/`t` helper.
 
-*   Fix `mail_to` when called with `nil` as argument.
+    *Jonathan Hefner*
 
-    *Rafael Mendonça França*
 
-*   `url_for` does not modify its arguments when generating polymorphic URLs.
+## Rails 6.0.3.2 (June 17, 2020) ##
 
-    *Bernerd Schaefer*
+*   No changes.
 
 
-## Rails 4.2.4 (August 24, 2015) ##
+## Rails 6.0.3.1 (May 18, 2020) ##
 
-* No Changes *
+*   [CVE-2020-8167] Check that request is same-origin prior to including CSRF token in XHRs
 
 
-## Rails 4.2.3 (June 25, 2015) ##
+## Rails 6.0.3 (May 06, 2020) ##
 
-*   `translate` should handle `raise` flag correctly in case of both main and default
-    translation is missing.
+*   annotated_source_code returns an empty array so TemplateErrors without a
+    template in the backtrace are surfaced properly by DebugExceptions.
 
-    Fixes #19967
+    *Guilherme Mansur*, *Kasper Timm Hansen*
 
-    *Bernard Potocki*
+*   Add autoload for SyntaxErrorInTemplate so syntax errors are correctly raised by DebugExceptions.
 
-*   `translate` allows `default: [[]]` again for a default value of `[]`.
+    *Guilherme Mansur*, *Gannon McGibbon*
 
-    Fixes #19640.
 
-    *Adam Prescott*
+## Rails 6.0.2.2 (March 19, 2020) ##
 
-*   `translate` should accept nils as members of the `:default`
-    parameter without raising a translation missing error.  Fixes a
-    regression introduced 362557e.
+*   Fix possible XSS vector in escape_javascript helper
 
-    Fixes #19419
+    CVE-2020-5267
 
-    *Justin Coyne*
+    *Aaron Patterson*
 
-*   `number_to_percentage` does not crash with `Float::NAN` or `Float::INFINITY`
-    as input when `precision: 0` is used.
 
-    Fixes #19227.
+## Rails 6.0.2.1 (December 18, 2019) ##
 
-    *Yves Senn*
+*   No changes.
 
 
-## Rails 4.2.2 (June 16, 2015) ##
+## Rails 6.0.2 (December 13, 2019) ##
 
-* No Changes *
+*   No changes.
 
 
-## Rails 4.2.1 (March 19, 2015) ##
+## Rails 6.0.1 (November 5, 2019) ##
 
-*   Default translations that have a lower precedence than an html safe default,
-    but are not themselves safe, should not be marked as html_safe.
+*   UJS avoids `Element.closest()` for IE 9 compatibility.
 
-    *Justin Coyne*
+    *George Claghorn*
 
-*   Added an explicit error message, in `ActionView::PartialRenderer`
-    for partial `rendering`, when the value of option `as` has invalid characters.
 
-    *Angelo Capilleri*
+## Rails 6.0.0 (August 16, 2019) ##
 
+*   ActionView::Helpers::SanitizeHelper: support rails-html-sanitizer 1.1.0.
 
-## Rails 4.2.0 (December 20, 2014) ##
+    *Juanito Fatas*
 
-*   Local variable in a partial is now available even if a falsy value is
-    passed to `:object` when rendering a partial.
 
-    Fixes #17373.
+## Rails 6.0.0.rc2 (July 22, 2019) ##
 
-    *Agis Anastasopoulos*
+*   Fix `select_tag` so that it doesn't change `options` when `include_blank` is present.
 
-*   Add support for `:enforce_utf8` option in `form_for`.
+    *Younes SERRAJ*
 
-    This is the same option that was added in 06388b0 to `form_tag` and allows
-    users to skip the insertion of the UTF8 enforcer tag in a form.
 
-    * claudiob *
+## Rails 6.0.0.rc1 (April 24, 2019) ##
 
-*   Fix a bug that <%= foo(){ %> and <%= foo()do %> in view templates were not regarded
-    as Ruby block calls.
+*   Fix partial caching skips same item issue
 
-    * Akira Matsuda *
+    If we render cached collection partials with repeated items, those repeated items
+    will get skipped. For example, if you have 5 identical items in your collection, Rails
+    only renders the first one when `cached` is set to true. But it should render all
+    5 items instead.
 
-*   Update `select_tag` to work correctly with `:include_blank` option passing a string.
+    Fixes #35114.
 
-    Fixes #16483.
+    *Stan Lo*
 
-    *Frank Groeneveld*
+*   Only clear ActionView cache in development on file changes
 
-*   Changed the meaning of `render "foo/bar"`.
+    To speed up development mode, view caches are only cleared when files in
+    the view paths have changed. Applications which have implemented custom
+    `ActionView::Resolver` subclasses may need to add their own cache clearing.
 
-    Previously, calling `render "foo/bar"` in a controller action is equivalent
-    to `render file: "foo/bar"`. In Rails 4.2, this has been changed to mean
-    `render template: "foo/bar"` instead. If you need to render a file, please
-    change your code to use the explicit form (`render file: "foo/bar"`) instead.
+    *John Hawthorn*
 
-    *Jeremy Jackson*
+*   Fix `ActionView::FixtureResolver` so that it handles template variants correctly.
 
-*   Add support for ARIA attributes in tags.
+    *Edward Rudd*
 
-    Example:
+*   `ActionView::TemplateRender.render(file: )` now renders the file directly,
+    without using any handlers, using the new `Template::RawFile` class.
 
-        <%= f.text_field :name, aria: { required: "true", hidden: "false" } %>
+    *John Hawthorn*, *Cliff Pruitt*
 
-    now generates:
 
-         <input aria-hidden="false" aria-required="true" id="user_name" name="user[name]" type="text">
+## Rails 6.0.0.beta3 (March 11, 2019) ##
 
-    *Paola Garcia Casadiego*
+*   Only accept formats from registered mime types
 
-*   Provide a `builder` object when using the `label` form helper in block form.
+    A lack of filtering on mime types could allow an attacker to read
+    arbitrary files on the target server or to perform a denial of service
+    attack.
 
-    The new `builder` object responds to `translation`, allowing I18n fallback support
-    when you want to customize how a particular label is presented.
+    Fixes CVE-2019-5418
+    Fixes CVE-2019-5419
 
-    *Alex Robbin*
+    *John Hawthorn*, *Eileen M. Uchitelle*, *Aaron Patterson*
 
-*   Add I18n support for input/textarea placeholder text.
 
-    Placeholder I18n follows the same convention as `label` I18n.
+## Rails 6.0.0.beta2 (February 25, 2019) ##
 
-    *Alex Robbin*
+*   `ActionView::Template.finalize_compiled_template_methods` is deprecated with
+    no replacement.
 
-*   Fix that render layout: 'messages/layout' should also be added to the dependency tracker tree.
+    *tenderlove*
 
-    *DHH*
+*   `config.action_view.finalize_compiled_template_methods` is deprecated with
+    no replacement.
 
-*   Add `PartialIteration` object used when rendering collections.
+    *tenderlove*
 
-    The iteration object is available as the local variable
-    `#{template_name}_iteration` when rendering partials with collections.
+*   Ensure unique DOM IDs for collection inputs with float values.
 
-    It gives access to the `size` of the collection being iterated over,
-    the current `index` and two convenience methods `first?` and `last?`.
+    Fixes #34974.
 
-    *Joel Junström*, *Lucas Uyezu*
+    *Mark Edmondson*
 
-*   Return an absolute instead of relative path from an asset url in the case
-    of the `asset_host` proc returning nil.
+*   Single arity template handlers are deprecated.  Template handlers must
+    now accept two parameters, the view object and the source for the view object.
 
-    *Jolyon Pawlyn*
+    *tenderlove*
 
-*   Fix `html_escape_once` to properly handle hex escape sequences (e.g. &#x1a2b;).
 
-    *John F. Douthat*
+## Rails 6.0.0.beta1 (January 18, 2019) ##
 
-*   Added String support for min and max properties for date field helpers.
+*   [Rename npm package](https://github.com/rails/rails/pull/34905) from
+    [`rails-ujs`](https://www.npmjs.com/package/rails-ujs) to
+    [`@rails/ujs`](https://www.npmjs.com/package/@rails/ujs).
 
-    *Todd Bealmear*
+    *Javan Makhmali*
 
-*   The `highlight` helper now accepts a block to be used instead of the `highlighter`
-    option.
+*   Remove deprecated `image_alt` helper.
 
-    *Lucas Mazza*
+    *Rafael Mendonça França*
 
-*   The `except` and `highlight` helpers now accept regular expressions.
+*   Fix the need of `#protect_against_forgery?` method defined in
+    `ActionView::Base` subclasses. This prevents the use of forms and buttons.
 
-    *Jan Szumiec*
+    *Genadi Samokovarov*
 
-*   Flatten the array parameter in `safe_join`, so it behaves consistently with
-    `Array#join`.
+*   Fix UJS permanently showing disabled text in a[data-remote][data-disable-with] elements within forms.
 
-    *Paul Grayson*
+    Fixes #33889.
 
-*   Honor `html_safe` on array elements in tag values, as we do for plain string
-    values.
+    *Wolfgang Hobmaier*
 
-    *Paul Grayson*
+*   Prevent non-primary mouse keys from triggering Rails UJS click handlers.
+    Firefox fires click events even if the click was triggered by non-primary mouse keys such as right- or scroll-wheel-clicks.
+    For example, right-clicking a link such as the one described below (with an underlying ajax request registered on click) should not cause that request to occur.
 
-*   Add `ActionView::Template::Handler.unregister_template_handler`.
+    ```
+    <%= link_to 'Remote', remote_path, class: 'remote', remote: true, data: { type: :json } %>
+    ```
 
-    It performs the opposite of `ActionView::Template::Handler.register_template_handler`.
+    Fixes #34541.
 
-    *Zuhao Wan*
+    *Wolfgang Hobmaier*
 
-*   Bring `cache_digest` rake tasks up-to-date with the latest API changes.
+*   Prevent `ActionView::TextHelper#word_wrap` from unexpectedly stripping white space from the _left_ side of lines.
 
-    *Jiri Pospisil*
+    For example, given input like this:
 
-*   Allow custom `:host` option to be passed to `asset_url` helper that
-    overwrites `config.action_controller.asset_host` for particular asset.
+    ```
+        This is a paragraph with an initial indent,
+    followed by additional lines that are not indented,
+    and finally terminated with a blockquote:
+      "A pithy saying"
+    ```
 
-    *Hubert Łępicki*
+    Calling `word_wrap` should not trim the indents on the first and last lines.
 
-*   Deprecate `AbstractController::Base.parent_prefixes`.
-    Override `AbstractController::Base.local_prefixes` when you want to change
-    where to find views.
+    Fixes #34487.
 
-    *Nick Sutterer*
+    *Lyle Mullican*
 
-*   Take label values into account when doing I18n lookups for model attributes.
+*   Add allocations to template rendering instrumentation.
 
-    The following:
+    Adds the allocations for template and partial rendering to the server output on render.
 
-        # form.html.erb
-        <%= form_for @post do |f| %>
-          <%= f.label :type, value: "long" %>
-        <% end %>
+    ```
+      Rendered posts/_form.html.erb (Duration: 7.1ms | Allocations: 6004)
+      Rendered posts/new.html.erb within layouts/application (Duration: 8.3ms | Allocations: 6654)
+    Completed 200 OK in 858ms (Views: 848.4ms | ActiveRecord: 0.4ms | Allocations: 1539564)
+    ```
 
-        # en.yml
-        en:
-          activerecord:
-            attributes:
-              post/long: "Long-form Post"
+    *Eileen M. Uchitelle*, *Aaron Patterson*
 
-    Used to simply return "long", but now it will return "Long-form
-    Post".
+*   Respect the `only_path` option passed to `url_for` when the options are passed in as an array
 
-    *Joshua Cody*
+    Fixes #33237.
 
-*   Change `asset_path` to use File.join to create proper paths:
+    *Joel Ambass*
 
-    Before:
+*   Deprecate calling private model methods from view helpers.
 
-        https://some.host.com//assets/some.js
+    For example, in methods like `options_from_collection_for_select`
+    and `collection_select` it is possible to call private methods from
+    the objects used.
 
-    After:
+    Fixes #33546.
 
-        https://some.host.com/assets/some.js
+    *Ana María Martínez Gómez*
 
-    *Peter Schröder*
+*   Fix issue with `button_to`'s `to_form_params`
 
-*   Change `favicon_link_tag` default mimetype from `image/vnd.microsoft.icon` to
-    `image/x-icon`.
+    `button_to` was throwing exception when invoked with `params` hash that
+    contains symbol and string keys. The reason for the exception was that
+    `to_form_params` was comparing the given symbol and string keys.
 
-    Before:
+    The issue is fixed by turning all keys to strings inside
+    `to_form_params` before comparing them.
 
-        # => favicon_link_tag 'myicon.ico'
-        <link href="/assets/myicon.ico" rel="shortcut icon" type="image/vnd.microsoft.icon" />
+    *Georgi Georgiev*
 
-    After:
+*   Mark arrays of translations as trusted safe by using the `_html` suffix.
 
-        # => favicon_link_tag 'myicon.ico'
-        <link href="/assets/myicon.ico" rel="shortcut icon" type="image/x-icon" />
+    Example:
 
-    *Geoffroy Lorieux*
+        en:
+          foo_html:
+            - "One"
+            - "<strong>Two</strong>"
+            - "Three &#128075; &#128578;"
 
-*   Remove wrapping div with inline styles for hidden form fields.
+    *Juan Broullon*
 
-    We are dropping HTML 4.01 and XHTML strict compliance since input tags directly
-    inside a form are valid HTML5, and the absence of inline styles help in validating
-    for Content Security Policy.
+*   Add `year_format` option to date_select tag. This option makes it possible to customize year
+    names. Lambda should be passed to use this option.
 
-    *Joost Baaij*
+    Example:
+
+        date_select('user_birthday', '', start_year: 1998, end_year: 2000, year_format: ->year { "Heisei #{year - 1988}" })
+
+    The HTML produced:
+
+        <select id="user_birthday__1i" name="user_birthday[(1i)]">
+        <option value="1998">Heisei 10</option>
+        <option value="1999">Heisei 11</option>
+        <option value="2000">Heisei 12</option>
+        </select>
+        /* The rest is omitted */
+
+    *Koki Ryu*
+
+*   Fix JavaScript views rendering does not work with Firefox when using
+    Content Security Policy.
+
+    Fixes #32577.
+
+    *Yuji Yaginuma*
+
+*   Add the `nonce: true` option for `javascript_include_tag` helper to
+    support automatic nonce generation for Content Security Policy.
+    Works the same way as `javascript_tag nonce: true` does.
+
+    *Yaroslav Markin*
 
-*   `collection_check_boxes` respects `:index` option for the hidden field name.
+*   Remove `ActionView::Helpers::RecordTagHelper`.
 
-    Fixes #14147.
+    *Yoshiyuki Hirano*
 
-    *Vasiliy Ermolovich*
+*   Disable `ActionView::Template` finalizers in test environment.
 
-*   `date_select` helper with option `with_css_classes: true` does not overwrite other classes.
+    Template finalization can be expensive in large view test suites.
+    Add a configuration option,
+    `action_view.finalize_compiled_template_methods`, and turn it off in
+    the test environment.
 
-    *Izumi Wong-Horiuchi*
+    *Simon Coffey*
 
-*   `number_to_percentage` does not crash with `Float::NAN` or `Float::INFINITY`
-    as input.
+*   Extract the `confirm` call in its own, overridable method in `rails_ujs`.
 
-    Fixes #14405.
+    Example:
+
+        Rails.confirm = function(message, element) {
+          return (my_bootstrap_modal_confirm(message));
+        }
+
+    *Mathieu Mahé*
 
-    *Yves Senn*
+*   Enable select tag helper to mark `prompt` option as `selected` and/or `disabled` for `required`
+    field.
+
+    Example:
 
-*   Add `include_hidden` option to `collection_check_boxes` helper.
+        select :post,
+               :category,
+               ["lifestyle", "programming", "spiritual"],
+               { selected: "", disabled: "", prompt: "Choose one" },
+               { required: true }
 
-    *Vasiliy Ermolovich*
+    Placeholder option would be selected and disabled.
 
-*   Fixed a problem where the default options for the `button_tag` helper are not
-    applied correctly.
+    The HTML produced:
 
-    Fixes #14254.
+        <select required="required" name="post[category]" id="post_category">
+        <option disabled="disabled" selected="selected" value="">Choose one</option>
+        <option value="lifestyle">lifestyle</option>
+        <option value="programming">programming</option>
+        <option value="spiritual">spiritual</option></select>
 
     *Sergey Prikhodko*
 
-*   Take variants into account when calculating template digests in ActionView::Digestor.
+*   Don't enforce UTF-8 by default.
+
+    With the disabling of TLS 1.0 by most major websites, continuing to run
+    IE8 or lower becomes increasingly difficult so default to not enforcing
+    UTF-8 encoding as it's not relevant to other browsers.
+
+    *Andrew White*
+
+*   Change translation key of `submit_tag` from `module_name_class_name` to `module_name/class_name`.
+
+    *Rui Onodera*
+
+*   Rails 6 requires Ruby 2.5.0 or newer.
 
-    The arguments to ActionView::Digestor#digest are now being passed as a hash
-    to support variants and allow more flexibility in the future. The support for
-    regular (required) arguments is deprecated and will be removed in Rails 5.0 or later.
+    *Jeremy Daer*, *Kasper Timm Hansen*
 
-    *Piotr Chmolowski, Łukasz Strzałkowski*
 
-Please check [4-1-stable](https://github.com/rails/rails/blob/4-1-stable/actionview/CHANGELOG.md) for previous changes.
+Please check [5-2-stable](https://github.com/rails/rails/blob/5-2-stable/actionview/CHANGELOG.md) for previous changes.

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2004-2014 David Heinemeier Hansson
+Copyright (c) 2004-2019 David Heinemeier Hansson
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the