actionview 4.2.11.3 → 5.2.7.1

data/lib/action_view/helpers/tag_helper.rb

@@ -1,38 +1,237 @@
-require 'active_support/core_ext/string/output_safety'
-require 'set'
+# frozen_string_literal: true
+
+require "active_support/core_ext/string/output_safety"
+require "set"
 
 module ActionView
   # = Action View Tag Helpers
   module Helpers #:nodoc:
-    # Provides methods to generate HTML tags programmatically when you can't use
-    # a Builder. By default, they output XHTML compliant tags.
+    # Provides methods to generate HTML tags programmatically both as a modern
+    # HTML5 compliant builder style and legacy XHTML compliant tags.
     module TagHelper
       extend ActiveSupport::Concern
       include CaptureHelper
       include OutputSafetyHelper
 
-      BOOLEAN_ATTRIBUTES = %w(disabled readonly multiple checked autobuffer
-                           autoplay controls loop selected hidden scoped async
-                           defer reversed ismap seamless muted required
-                           autofocus novalidate formnovalidate open pubdate
-                           itemscope allowfullscreen default inert sortable
-                           truespeed typemustmatch).to_set
+      BOOLEAN_ATTRIBUTES = %w(allowfullscreen async autofocus autoplay checked
+                              compact controls declare default defaultchecked
+                              defaultmuted defaultselected defer disabled
+                              enabled formnovalidate hidden indeterminate inert
+                              ismap itemscope loop multiple muted nohref
+                              noresize noshade novalidate nowrap open
+                              pauseonexit readonly required reversed scoped
+                              seamless selected sortable truespeed typemustmatch
+                              visible).to_set
+
+      BOOLEAN_ATTRIBUTES.merge(BOOLEAN_ATTRIBUTES.map(&:to_sym))
+
+      TAG_PREFIXES = ["aria", "data", :aria, :data].to_set
+
+      PRE_CONTENT_STRINGS             = Hash.new { "" }
+      PRE_CONTENT_STRINGS[:textarea]  = "\n"
+      PRE_CONTENT_STRINGS["textarea"] = "\n"
+
+      class TagBuilder #:nodoc:
+        include CaptureHelper
+        include OutputSafetyHelper
+
+        VOID_ELEMENTS = %i(area base br col embed hr img input keygen link meta param source track wbr).to_set
+
+        def initialize(view_context)
+          @view_context = view_context
+        end
+
+        def tag_string(name, content = nil, **options, &block)
+          escape = handle_deprecated_escape_options(options)
+          content = @view_context.capture(self, &block) if block_given?
+
+          if VOID_ELEMENTS.include?(name) && content.nil?
+            "<#{name.to_s.dasherize}#{tag_options(options, escape)}>".html_safe
+          else
+            content_tag_string(name.to_s.dasherize, content || "", options, escape)
+          end
+        end
+
+        def content_tag_string(name, content, options, escape = true)
+          tag_options = tag_options(options, escape) if options
+
+          if escape
+            name = ERB::Util.xml_name_escape(name)
+            content = ERB::Util.unwrapped_html_escape(content)
+          end
 
-      BOOLEAN_ATTRIBUTES.merge(BOOLEAN_ATTRIBUTES.map {|attribute| attribute.to_sym })
+          "<#{name}#{tag_options}>#{PRE_CONTENT_STRINGS[name]}#{content}</#{name}>".html_safe
+        end
 
-      TAG_PREFIXES = ['aria', 'data', :aria, :data].to_set
+        def tag_options(options, escape = true)
+          return if options.blank?
+          output = "".dup
+          sep    = " "
+          options.each_pair do |key, value|
+            if TAG_PREFIXES.include?(key) && value.is_a?(Hash)
+              value.each_pair do |k, v|
+                next if v.nil?
+                output << sep
+                output << prefix_tag_option(key, k, v, escape)
+              end
+            elsif BOOLEAN_ATTRIBUTES.include?(key)
+              if value
+                output << sep
+                output << boolean_tag_option(key)
+              end
+            elsif !value.nil?
+              output << sep
+              output << tag_option(key, value, escape)
+            end
+          end
+          output unless output.empty?
+        end
 
-      PRE_CONTENT_STRINGS = {
-        :textarea => "\n"
-      }
+        def boolean_tag_option(key)
+          %(#{key}="#{key}")
+        end
 
-      # Returns an empty HTML tag of type +name+ which by default is XHTML
+        def tag_option(key, value, escape)
+          key = ERB::Util.xml_name_escape(key) if escape
+
+          if value.is_a?(Array)
+            value = escape ? safe_join(value, " ".freeze) : value.join(" ".freeze)
+          else
+            value = escape ? ERB::Util.unwrapped_html_escape(value) : value.to_s
+          end
+          %(#{key}="#{value.gsub('"'.freeze, '&quot;'.freeze)}")
+        end
+
+        private
+          def prefix_tag_option(prefix, key, value, escape)
+            key = "#{prefix}-#{key.to_s.dasherize}"
+            unless value.is_a?(String) || value.is_a?(Symbol) || value.is_a?(BigDecimal)
+              value = value.to_json
+            end
+            tag_option(key, value, escape)
+          end
+
+          def respond_to_missing?(*args)
+            true
+          end
+
+          def handle_deprecated_escape_options(options)
+            # The option :escape_attributes has been merged into the options hash to be
+            # able to warn when it is used, so we need to handle default values here.
+            escape_option_provided = options.has_key?(:escape)
+            escape_attributes_option_provided = options.has_key?(:escape_attributes)
+
+            if escape_attributes_option_provided
+              ActiveSupport::Deprecation.warn(<<~MSG)
+                Use of the option :escape_attributes is deprecated. It currently \
+                escapes both names and values of tags and attributes and it is \
+                equivalent to :escape. If any of them are enabled, the escaping \
+                is fully enabled.
+              MSG
+            end
+
+            return true unless escape_option_provided || escape_attributes_option_provided
+            escape_option = options.delete(:escape)
+            escape_attributes_option = options.delete(:escape_attributes)
+            escape_option || escape_attributes_option
+          end
+
+          def method_missing(called, *args, **options, &block)
+            tag_string(called, *args, **options, &block)
+          end
+      end
+
+      # Returns an HTML tag.
+      #
+      # === Building HTML tags
+      #
+      # Builds HTML5 compliant tags with a tag proxy. Every tag can be built with:
+      #
+      #   tag.<tag name>(optional content, options)
+      #
+      # where tag name can be e.g. br, div, section, article, or any tag really.
+      #
+      # ==== Passing content
+      #
+      # Tags can pass content to embed within it:
+      #
+      #   tag.h1 'All titles fit to print' # => <h1>All titles fit to print</h1>
+      #
+      #   tag.div tag.p('Hello world!')  # => <div><p>Hello world!</p></div>
+      #
+      # Content can also be captured with a block, which is useful in templates:
+      #
+      #   <%= tag.p do %>
+      #     The next great American novel starts here.
+      #   <% end %>
+      #   # => <p>The next great American novel starts here.</p>
+      #
+      # ==== Options
+      #
+      # Use symbol keyed options to add attributes to the generated tag.
+      #
+      #   tag.section class: %w( kitties puppies )
+      #   # => <section class="kitties puppies"></section>
+      #
+      #   tag.section id: dom_id(@post)
+      #   # => <section id="<generated dom id>"></section>
+      #
+      # Pass +true+ for any attributes that can render with no values, like +disabled+ and +readonly+.
+      #
+      #   tag.input type: 'text', disabled: true
+      #   # => <input type="text" disabled="disabled">
+      #
+      # HTML5 <tt>data-*</tt> attributes can be set with a single +data+ key
+      # pointing to a hash of sub-attributes.
+      #
+      # To play nicely with JavaScript conventions, sub-attributes are dasherized.
+      #
+      #   tag.article data: { user_id: 123 }
+      #   # => <article data-user-id="123"></article>
+      #
+      # Thus <tt>data-user-id</tt> can be accessed as <tt>dataset.userId</tt>.
+      #
+      # Data attribute values are encoded to JSON, with the exception of strings, symbols and
+      # BigDecimals.
+      # This may come in handy when using jQuery's HTML5-aware <tt>.data()</tt>
+      # from 1.4.3.
+      #
+      #   tag.div data: { city_state: %w( Chicago IL ) }
+      #   # => <div data-city-state="[&quot;Chicago&quot;,&quot;IL&quot;]"></div>
+      #
+      # The generated attributes are escaped by default. This can be disabled using
+      # +escape_attributes+.
+      #
+      #   tag.img src: 'open & shut.png'
+      #   # => <img src="open &amp; shut.png">
+      #
+      #   tag.img src: 'open & shut.png', escape_attributes: false
+      #   # => <img src="open & shut.png">
+      #
+      # The tag builder respects
+      # {HTML5 void elements}[https://www.w3.org/TR/html5/syntax.html#void-elements]
+      # if no content is passed, and omits closing tags for those elements.
+      #
+      #   # A standard element:
+      #   tag.div # => <div></div>
+      #
+      #   # A void element:
+      #   tag.br  # => <br>
+      #
+      # === Legacy syntax
+      #
+      # The following format is for legacy syntax support. It will be deprecated in future versions of Rails.
+      #
+      #   tag(name, options = nil, open = false, escape = true)
+      #
+      # It returns an empty HTML tag of type +name+ which by default is XHTML
       # compliant. Set +open+ to true to create an open tag compatible
       # with HTML 4.0 and below. Add HTML attributes by passing an attributes
       # hash to +options+. Set +escape+ to false to disable attribute value
       # escaping.
       #
       # ==== Options
+      #
       # You can use symbols or strings for the attribute names.
       #
       # Use +true+ with boolean attributes that can render with no value, like
@@ -41,16 +240,8 @@ module ActionView
       # HTML5 <tt>data-*</tt> attributes can be set with a single +data+ key
       # pointing to a hash of sub-attributes.
       #
-      # To play nicely with JavaScript conventions sub-attributes are dasherized.
-      # For example, a key +user_id+ would render as <tt>data-user-id</tt> and
-      # thus accessed as <tt>dataset.userId</tt>.
-      #
-      # Values are encoded to JSON, with the exception of strings, symbols and
-      # BigDecimals.
-      # This may come in handy when using jQuery's HTML5-aware <tt>.data()</tt>
-      # from 1.4.3.
-      #
       # ==== Examples
+      #
       #   tag("br")
       #   # => <br />
       #
@@ -71,8 +262,13 @@ module ActionView
       #
       #   tag("div", data: {name: 'Stephen', city_state: %w(Chicago IL)})
       #   # => <div data-name="Stephen" data-city-state="[&quot;Chicago&quot;,&quot;IL&quot;]" />
-      def tag(name, options = nil, open = false, escape = true)
-        "<#{name}#{tag_options(options, escape) if options}#{open ? ">" : " />"}".html_safe
+      def tag(name = nil, options = nil, open = false, escape = true)
+        if name.nil?
+          tag_builder
+        else
+          name = ERB::Util.xml_name_escape(name) if escape
+          "<#{name}#{tag_builder.tag_options(options, escape) if options}#{open ? ">" : " />"}".html_safe
+        end
       end
 
       # Returns an HTML block tag of type +name+ surrounding the +content+. Add
@@ -80,6 +276,7 @@ module ActionView
       # Instead of passing the content as an argument, you can also use a block
       # in which case, you pass your +options+ as the second parameter.
       # Set escape to false to disable attribute value escaping.
+      # Note: this is legacy syntax, see +tag+ method description for details.
       #
       # ==== Options
       # The +options+ hash can be used with attributes with no value like (<tt>disabled</tt> and
@@ -103,9 +300,9 @@ module ActionView
       def content_tag(name, content_or_options_with_block = nil, options = nil, escape = true, &block)
         if block_given?
           options = content_or_options_with_block if content_or_options_with_block.is_a?(Hash)
-          content_tag_string(name, capture(&block), options, escape)
+          tag_builder.content_tag_string(name, capture(&block), options, escape)
         else
-          content_tag_string(name, content_or_options_with_block, options, escape)
+          tag_builder.content_tag_string(name, content_or_options_with_block, options, escape)
         end
       end
 
@@ -123,7 +320,7 @@ module ActionView
       #   cdata_section("hello]]>world")
       #   # => <![CDATA[hello]]]]><![CDATA[>world]]>
       def cdata_section(content)
-        splitted = content.to_s.gsub(/\]\]\>/, ']]]]><![CDATA[>')
+        splitted = content.to_s.gsub(/\]\]\>/, "]]]]><![CDATA[>")
         "<![CDATA[#{splitted}]]>".html_safe
       end
 
@@ -139,49 +336,8 @@ module ActionView
       end
 
       private
-
-        def content_tag_string(name, content, options, escape = true)
-          tag_options = tag_options(options, escape) if options
-          content     = ERB::Util.unwrapped_html_escape(content) if escape
-          "<#{name}#{tag_options}>#{PRE_CONTENT_STRINGS[name.to_sym]}#{content}</#{name}>".html_safe
-        end
-
-        def tag_options(options, escape = true)
-          return if options.blank?
-          attrs = []
-          options.each_pair do |key, value|
-            if TAG_PREFIXES.include?(key) && value.is_a?(Hash)
-              value.each_pair do |k, v|
-                attrs << prefix_tag_option(key, k, v, escape)
-              end
-            elsif BOOLEAN_ATTRIBUTES.include?(key)
-              attrs << boolean_tag_option(key) if value
-            elsif !value.nil?
-              attrs << tag_option(key, value, escape)
-            end
-          end
-          " #{attrs * ' '}" unless attrs.empty?
-        end
-
-        def prefix_tag_option(prefix, key, value, escape)
-          key = "#{prefix}-#{key.to_s.dasherize}"
-          unless value.is_a?(String) || value.is_a?(Symbol) || value.is_a?(BigDecimal)
-            value = value.to_json
-          end
-          tag_option(key, value, escape)
-        end
-
-        def boolean_tag_option(key)
-          %(#{key}="#{key}")
-        end
-
-        def tag_option(key, value, escape)
-          if value.is_a?(Array)
-            value = escape ? safe_join(value, " ") : value.join(" ")
-          else
-            value = escape ? ERB::Util.unwrapped_html_escape(value) : value.to_s
-          end
-          %(#{key}="#{value.gsub('"'.freeze, '&quot;'.freeze)}")
+        def tag_builder
+          @tag_builder ||= TagBuilder.new(self)
         end
     end
   end

data/lib/action_view/helpers/tags/base.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ActionView
   module Helpers
     module Tags # :nodoc:
@@ -11,10 +13,19 @@ module ActionView
           @object_name, @method_name = object_name.to_s.dup, method_name.to_s.dup
           @template_object = template_object
 
-          @object_name.sub!(/\[\]$/,"") || @object_name.sub!(/\[\]\]$/,"]")
+          @object_name.sub!(/\[\]$/, "") || @object_name.sub!(/\[\]\]$/, "]")
           @object = retrieve_object(options.delete(:object))
+          @skip_default_ids = options.delete(:skip_default_ids)
+          @allow_method_names_outside_object = options.delete(:allow_method_names_outside_object)
           @options = options
-          @auto_index = retrieve_autoindex(Regexp.last_match.pre_match) if Regexp.last_match
+
+          if Regexp.last_match
+            @generate_indexed_names = true
+            @auto_index = retrieve_autoindex(Regexp.last_match.pre_match)
+          else
+            @generate_indexed_names = false
+            @auto_index = nil
+          end
         end
 
         # This is what child classes implement.
@@ -24,131 +35,157 @@ module ActionView
 
         private
 
-        def value(object)
-          object.public_send @method_name if object
-        end
+          def value
+            if @allow_method_names_outside_object
+              object.public_send @method_name if object && object.respond_to?(@method_name)
+            else
+              object.public_send @method_name if object
+            end
+          end
 
-        def value_before_type_cast(object)
-          unless object.nil?
-            method_before_type_cast = @method_name + "_before_type_cast"
+          def value_before_type_cast
+            unless object.nil?
+              method_before_type_cast = @method_name + "_before_type_cast"
 
-            if value_came_from_user?(object) && object.respond_to?(method_before_type_cast)
-              object.public_send(method_before_type_cast)
-            else
-              value(object)
+              if value_came_from_user? && object.respond_to?(method_before_type_cast)
+                object.public_send(method_before_type_cast)
+              else
+                value
+              end
             end
           end
-        end
 
-        def value_came_from_user?(object)
-          method_name = "#{@method_name}_came_from_user?"
-          !object.respond_to?(method_name) || object.public_send(method_name)
-        end
+          def value_came_from_user?
+            method_name = "#{@method_name}_came_from_user?"
+            !object.respond_to?(method_name) || object.public_send(method_name)
+          end
 
-        def retrieve_object(object)
-          if object
-            object
-          elsif @template_object.instance_variable_defined?("@#{@object_name}")
-            @template_object.instance_variable_get("@#{@object_name}")
+          def retrieve_object(object)
+            if object
+              object
+            elsif @template_object.instance_variable_defined?("@#{@object_name}")
+              @template_object.instance_variable_get("@#{@object_name}")
+            end
+          rescue NameError
+            # As @object_name may contain the nested syntax (item[subobject]) we need to fallback to nil.
+            nil
           end
-        rescue NameError
-          # As @object_name may contain the nested syntax (item[subobject]) we need to fallback to nil.
-          nil
-        end
 
-        def retrieve_autoindex(pre_match)
-          object = self.object || @template_object.instance_variable_get("@#{pre_match}")
-          if object && object.respond_to?(:to_param)
-            object.to_param
-          else
-            raise ArgumentError, "object[] naming but object param and @object var don't exist or don't respond to to_param: #{object.inspect}"
+          def retrieve_autoindex(pre_match)
+            object = self.object || @template_object.instance_variable_get("@#{pre_match}")
+            if object && object.respond_to?(:to_param)
+              object.to_param
+            else
+              raise ArgumentError, "object[] naming but object param and @object var don't exist or don't respond to to_param: #{object.inspect}"
+            end
           end
-        end
 
-        def add_default_name_and_id_for_value(tag_value, options)
-          if tag_value.nil?
-            add_default_name_and_id(options)
-          else
-            specified_id = options["id"]
-            add_default_name_and_id(options)
+          def add_default_name_and_id_for_value(tag_value, options)
+            if tag_value.nil?
+              add_default_name_and_id(options)
+            else
+              specified_id = options["id"]
+              add_default_name_and_id(options)
 
-            if specified_id.blank? && options["id"].present?
-              options["id"] += "_#{sanitized_value(tag_value)}"
+              if specified_id.blank? && options["id"].present?
+                options["id"] += "_#{sanitized_value(tag_value)}"
+              end
             end
           end
-        end
 
-        def add_default_name_and_id(options)
-          if options.has_key?("index")
-            options["name"] ||= options.fetch("name"){ tag_name_with_index(options["index"], options["multiple"]) }
-            options["id"] = options.fetch("id"){ tag_id_with_index(options["index"]) }
-            options.delete("index")
-          elsif defined?(@auto_index)
-            options["name"] ||= options.fetch("name"){ tag_name_with_index(@auto_index, options["multiple"]) }
-            options["id"] = options.fetch("id"){ tag_id_with_index(@auto_index) }
-          else
-            options["name"] ||= options.fetch("name"){ tag_name(options["multiple"]) }
-            options["id"] = options.fetch("id"){ tag_id }
+          def add_default_name_and_id(options)
+            index = name_and_id_index(options)
+            options["name"] = options.fetch("name") { tag_name(options["multiple"], index) }
+
+            if generate_ids?
+              options["id"] = options.fetch("id") { tag_id(index) }
+              if namespace = options.delete("namespace")
+                options["id"] = options["id"] ? "#{namespace}_#{options['id']}" : namespace
+              end
+            end
           end
 
-          options["id"] = [options.delete('namespace'), options["id"]].compact.join("_").presence
-        end
+          def tag_name(multiple = false, index = nil)
+            # a little duplication to construct less strings
+            case
+            when @object_name.empty?
+              "#{sanitized_method_name}#{"[]" if multiple}"
+            when index
+              "#{@object_name}[#{index}][#{sanitized_method_name}]#{"[]" if multiple}"
+            else
+              "#{@object_name}[#{sanitized_method_name}]#{"[]" if multiple}"
+            end
+          end
 
-        def tag_name(multiple = false)
-          "#{@object_name}[#{sanitized_method_name}]#{"[]" if multiple}"
-        end
+          def tag_id(index = nil)
+            # a little duplication to construct less strings
+            case
+            when @object_name.empty?
+              sanitized_method_name.dup
+            when index
+              "#{sanitized_object_name}_#{index}_#{sanitized_method_name}"
+            else
+              "#{sanitized_object_name}_#{sanitized_method_name}"
+            end
+          end
 
-        def tag_name_with_index(index, multiple = false)
-          "#{@object_name}[#{index}][#{sanitized_method_name}]#{"[]" if multiple}"
-        end
+          def sanitized_object_name
+            @sanitized_object_name ||= @object_name.gsub(/\]\[|[^-a-zA-Z0-9:.]/, "_").sub(/_$/, "")
+          end
 
-        def tag_id
-          "#{sanitized_object_name}_#{sanitized_method_name}"
-        end
+          def sanitized_method_name
+            @sanitized_method_name ||= @method_name.sub(/\?$/, "")
+          end
 
-        def tag_id_with_index(index)
-          "#{sanitized_object_name}_#{index}_#{sanitized_method_name}"
-        end
+          def sanitized_value(value)
+            value.to_s.gsub(/\s/, "_").gsub(/[^-[[:word:]]]/, "").mb_chars.downcase.to_s
+          end
 
-        def sanitized_object_name
-          @sanitized_object_name ||= @object_name.gsub(/\]\[|[^-a-zA-Z0-9:.]/, "_").sub(/_$/, "")
-        end
+          def select_content_tag(option_tags, options, html_options)
+            html_options = html_options.stringify_keys
+            add_default_name_and_id(html_options)
 
-        def sanitized_method_name
-          @sanitized_method_name ||= @method_name.sub(/\?$/,"")
-        end
+            if placeholder_required?(html_options)
+              raise ArgumentError, "include_blank cannot be false for a required field." if options[:include_blank] == false
+              options[:include_blank] ||= true unless options[:prompt]
+            end
 
-        def sanitized_value(value)
-          value.to_s.gsub(/\s/, "_").gsub(/[^-\w]/, "").downcase
-        end
+            value = options.fetch(:selected) { value() }
+            select = content_tag("select", add_options(option_tags, options, value), html_options)
 
-        def select_content_tag(option_tags, options, html_options)
-          html_options = html_options.stringify_keys
-          add_default_name_and_id(html_options)
-          options[:include_blank] ||= true unless options[:prompt] || select_not_required?(html_options)
-          value = options.fetch(:selected) { value(object) }
-          select = content_tag("select", add_options(option_tags, options, value), html_options)
+            if html_options["multiple"] && options.fetch(:include_hidden, true)
+              tag("input", disabled: html_options["disabled"], name: html_options["name"], type: "hidden", value: "") + select
+            else
+              select
+            end
+          end
 
-          if html_options["multiple"] && options.fetch(:include_hidden, true)
-            tag("input", :disabled => html_options["disabled"], :name => html_options["name"], :type => "hidden", :value => "") + select
-          else
-            select
+          def placeholder_required?(html_options)
+            # See https://html.spec.whatwg.org/multipage/forms.html#attr-select-required
+            html_options["required"] && !html_options["multiple"] && html_options.fetch("size", 1).to_i == 1
           end
-        end
 
-        def select_not_required?(html_options)
-          !html_options["required"] || html_options["multiple"] || html_options["size"].to_i > 1
-        end
+          def add_options(option_tags, options, value = nil)
+            if options[:include_blank]
+              option_tags = tag_builder.content_tag_string("option", options[:include_blank].kind_of?(String) ? options[:include_blank] : nil, value: "") + "\n" + option_tags
+            end
+            if value.blank? && options[:prompt]
+              option_tags = tag_builder.content_tag_string("option", prompt_text(options[:prompt]), value: "") + "\n" + option_tags
+            end
+            option_tags
+          end
 
-        def add_options(option_tags, options, value = nil)
-          if options[:include_blank]
-            option_tags = content_tag_string('option', options[:include_blank].kind_of?(String) ? options[:include_blank] : nil, :value => '') + "\n" + option_tags
+          def name_and_id_index(options)
+            if options.key?("index")
+              options.delete("index") || ""
+            elsif @generate_indexed_names
+              @auto_index || ""
+            end
           end
-          if value.blank? && options[:prompt]
-            option_tags = content_tag_string('option', prompt_text(options[:prompt]), :value => '') + "\n" + option_tags
+
+          def generate_ids?
+            !@skip_default_ids
           end
-          option_tags
-        end
       end
     end
   end