actionview 5.0.7.2 → 5.1.7

data/lib/action_view/helpers/form_tag_helper.rb

@@ -1,7 +1,7 @@
-require 'cgi'
-require 'action_view/helpers/tag_helper'
-require 'active_support/core_ext/string/output_safety'
-require 'active_support/core_ext/module/attribute_accessors'
+require "cgi"
+require "action_view/helpers/tag_helper"
+require "active_support/core_ext/string/output_safety"
+require "active_support/core_ext/module/attribute_accessors"
 
 module ActionView
   # = Action View Form Tag Helpers
@@ -18,7 +18,7 @@ module ActionView
       include TextHelper
 
       mattr_accessor :embed_authenticity_token_in_remote_forms
-      self.embed_authenticity_token_in_remote_forms = false
+      self.embed_authenticity_token_in_remote_forms = nil
 
       # Starts a form tag that points the action to a url configured with <tt>url_for_options</tt> just like
       # ActionController::Base#url_for. The method for the form defaults to POST.
@@ -134,11 +134,11 @@ module ActionView
 
         if options.include?(:include_blank)
           include_blank = options.delete(:include_blank)
-          options_for_blank_options_tag = { value: '' }
+          options_for_blank_options_tag = { value: "" }
 
           if include_blank == true
-            include_blank = ''
-            options_for_blank_options_tag[:label] = ' '
+            include_blank = ""
+            options_for_blank_options_tag[:label] = " "
           end
 
           if include_blank
@@ -147,7 +147,7 @@ module ActionView
         end
 
         if prompt = options.delete(:prompt)
-          option_tags = content_tag("option".freeze, prompt, value: '').safe_concat(option_tags)
+          option_tags = content_tag("option".freeze, prompt, value: "").safe_concat(option_tags)
         end
 
         content_tag "select".freeze, option_tags, { "name" => html_name, "id" => sanitize_to_id(name) }.update(options.stringify_keys)
@@ -449,7 +449,7 @@ module ActionView
       end
 
       # Creates a button element that defines a <tt>submit</tt> button,
-      # <tt>reset</tt>button or a generic button which can be used in
+      # <tt>reset</tt> button or a generic button which can be used in
       # JavaScript, for example. You can use the button tag as a regular
       # submit tag but it isn't supported in legacy browsers. However,
       # the button tag does allow for richer labels such as images and emphasis,
@@ -506,12 +506,12 @@ module ActionView
           options ||= {}
         end
 
-        options = { 'name' => 'button', 'type' => 'submit' }.merge!(options.stringify_keys)
+        options = { "name" => "button", "type" => "submit" }.merge!(options.stringify_keys)
 
         if block_given?
           content_tag :button, options, &block
         else
-          content_tag :button, content_or_options || 'Button', options
+          content_tag :button, content_or_options || "Button", options
         end
       end
 
@@ -681,7 +681,7 @@ module ActionView
       # * <tt>:step</tt> - The acceptable value granularity.
       # * Otherwise accepts the same options as text_field_tag.
       def datetime_field_tag(name, value = nil, options = {})
-        text_field_tag(name, value, options.merge(type: 'datetime-local'))
+        text_field_tag(name, value, options.merge(type: "datetime-local"))
       end
 
       alias datetime_local_field_tag datetime_field_tag
@@ -845,11 +845,12 @@ module ActionView
           authenticity_token = html_options.delete("authenticity_token")
           method = html_options.delete("method").to_s.downcase
 
-          method_tag = case method
-            when 'get'
+          method_tag = \
+            case method
+            when "get"
               html_options["method"] = "get"
-              ''
-            when 'post', ''
+              ""
+            when "post", ""
               html_options["method"] = "post"
               token_tag(authenticity_token, form_options: {
                 action: html_options["action"],
@@ -861,7 +862,7 @@ module ActionView
                 action: html_options["action"],
                 method: method
               })
-          end
+            end
 
           if html_options.delete("enforce_utf8") { true }
             utf8_enforcer_tag + method_tag
@@ -883,7 +884,7 @@ module ActionView
 
         # see http://www.w3.org/TR/html4/types.html#type-name
         def sanitize_to_id(name)
-          name.to_s.delete(']').tr('^-a-zA-Z0-9:.', "_")
+          name.to_s.delete("]").tr("^-a-zA-Z0-9:.", "_")
         end
 
         def set_default_disable_with(value, tag_options)

data/lib/action_view/helpers/javascript_helper.rb

@@ -1,11 +1,11 @@
-require 'action_view/helpers/tag_helper'
+require "action_view/helpers/tag_helper"
 
 module ActionView
   module Helpers
     module JavaScriptHelper
       JS_ESCAPE_MAP = {
         '\\'    => '\\\\',
-        '</'    => '<\/',
+        "</"    => '<\/',
         "\r\n"  => '\n',
         "\n"    => '\n',
         "\r"    => '\n',
@@ -13,8 +13,8 @@ module ActionView
         "'"     => "\\'"
       }
 
-      JS_ESCAPE_MAP["\342\200\250".force_encoding(Encoding::UTF_8).encode!] = '&#x2028;'
-      JS_ESCAPE_MAP["\342\200\251".force_encoding(Encoding::UTF_8).encode!] = '&#x2029;'
+      JS_ESCAPE_MAP["\342\200\250".force_encoding(Encoding::UTF_8).encode!] = "&#x2028;"
+      JS_ESCAPE_MAP["\342\200\251".force_encoding(Encoding::UTF_8).encode!] = "&#x2029;"
 
       # Escapes carriage returns and single and double quotes for JavaScript segments.
       #
@@ -24,10 +24,10 @@ module ActionView
       #   $('some_element').replaceWith('<%= j render 'some/element_template' %>');
       def escape_javascript(javascript)
         if javascript
-          result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'])/u) {|match| JS_ESCAPE_MAP[match] }
+          result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'])/u) { |match| JS_ESCAPE_MAP[match] }
           javascript.html_safe? ? result.html_safe : result
         else
-          ''
+          ""
         end
       end
 

data/lib/action_view/helpers/number_helper.rb

@@ -1,11 +1,10 @@
-require 'active_support/core_ext/hash/keys'
-require 'active_support/core_ext/string/output_safety'
-require 'active_support/number_helper'
+require "active_support/core_ext/hash/keys"
+require "active_support/core_ext/string/output_safety"
+require "active_support/number_helper"
 
 module ActionView
   # = Action View Number Helpers
   module Helpers #:nodoc:
-
     # Provides methods for converting numbers into formatted strings.
     # Methods are provided for phone numbers, currency, percentage,
     # precision, positional notation, file size and pretty printing.
@@ -13,7 +12,6 @@ module ActionView
     # Most methods expect a +number+ argument, and will return it
     # unchanged if can't be converted into a valid number.
     module NumberHelper
-
       # Raised when argument +number+ param given to the helpers is invalid and
       # the option :raise is set to  +true+.
       class InvalidNumberError < StandardError
@@ -94,7 +92,7 @@ module ActionView
       #   (defaults to "%u%n").  Fields are <tt>%u</tt> for the
       #   currency, and <tt>%n</tt> for the number.
       # * <tt>:negative_format</tt> - Sets the format for negative
-      #   numbers (defaults to prepending an hyphen to the formatted
+      #   numbers (defaults to prepending a hyphen to the formatted
       #   number given by <tt>:format</tt>).  Accepts the same fields
       #   than <tt>:format</tt>, except <tt>%n</tt> is here the
       #   absolute value of the number.
@@ -173,6 +171,9 @@ module ActionView
       #   to ",").
       # * <tt>:separator</tt> - Sets the separator between the
       #   fractional and integer digits (defaults to ".").
+      # * <tt>:delimiter_pattern</tt> - Sets a custom regular expression used for
+      #   deriving the placement of delimiter. Helpful when using currency formats
+      #   like INR.
       # * <tt>:raise</tt> - If true, raises +InvalidNumberError+ when
       #   the argument is invalid.
       #
@@ -189,6 +190,9 @@ module ActionView
       #   number_with_delimiter(98765432.98, delimiter: " ", separator: ",")
       #   # => 98 765 432,98
       #
+      #   number_with_delimiter("123456.78",
+      #     delimiter_pattern: /(\d+?)(?=(\d\d)+(\d)(?!\d))/)    # => "1,23,456.78"
+      #
       #  number_with_delimiter("112a", raise: true)              # => raise InvalidNumberError
       def number_with_delimiter(number, options = {})
         delegate_number_helper_method(:number_to_delimited, number, options)
@@ -263,8 +267,6 @@ module ActionView
       # * <tt>:strip_insignificant_zeros</tt> - If +true+ removes
       #   insignificant zeros after the decimal separator (defaults to
       #   +true+)
-      # * <tt>:prefix</tt> - If +:si+ formats the number using the SI
-      #   prefix (defaults to :binary)
       # * <tt>:raise</tt> - If true, raises +InvalidNumberError+ when
       #   the argument is invalid.
       #
@@ -395,53 +397,53 @@ module ActionView
 
       private
 
-      def delegate_number_helper_method(method, number, options)
-        return unless number
-        options = escape_unsafe_options(options.symbolize_keys)
+        def delegate_number_helper_method(method, number, options)
+          return unless number
+          options = escape_unsafe_options(options.symbolize_keys)
 
-        wrap_with_output_safety_handling(number, options.delete(:raise)) {
-          ActiveSupport::NumberHelper.public_send(method, number, options)
-        }
-      end
+          wrap_with_output_safety_handling(number, options.delete(:raise)) {
+            ActiveSupport::NumberHelper.public_send(method, number, options)
+          }
+        end
 
-      def escape_unsafe_options(options)
-        options[:format]          = ERB::Util.html_escape(options[:format]) if options[:format]
-        options[:negative_format] = ERB::Util.html_escape(options[:negative_format]) if options[:negative_format]
-        options[:separator]       = ERB::Util.html_escape(options[:separator]) if options[:separator]
-        options[:delimiter]       = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter]
-        options[:unit]            = ERB::Util.html_escape(options[:unit]) if options[:unit] && !options[:unit].html_safe?
-        options[:units]           = escape_units(options[:units]) if options[:units] && Hash === options[:units]
-        options
-      end
+        def escape_unsafe_options(options)
+          options[:format]          = ERB::Util.html_escape(options[:format]) if options[:format]
+          options[:negative_format] = ERB::Util.html_escape(options[:negative_format]) if options[:negative_format]
+          options[:separator]       = ERB::Util.html_escape(options[:separator]) if options[:separator]
+          options[:delimiter]       = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter]
+          options[:unit]            = ERB::Util.html_escape(options[:unit]) if options[:unit] && !options[:unit].html_safe?
+          options[:units]           = escape_units(options[:units]) if options[:units] && Hash === options[:units]
+          options
+        end
 
-      def escape_units(units)
-        Hash[units.map do |k, v|
-          [k, ERB::Util.html_escape(v)]
-        end]
-      end
+        def escape_units(units)
+          Hash[units.map do |k, v|
+            [k, ERB::Util.html_escape(v)]
+          end]
+        end
 
-      def wrap_with_output_safety_handling(number, raise_on_invalid, &block)
-        valid_float = valid_float?(number)
-        raise InvalidNumberError, number if raise_on_invalid && !valid_float
+        def wrap_with_output_safety_handling(number, raise_on_invalid, &block)
+          valid_float = valid_float?(number)
+          raise InvalidNumberError, number if raise_on_invalid && !valid_float
 
-        formatted_number = yield
+          formatted_number = yield
 
-        if valid_float || number.html_safe?
-          formatted_number.html_safe
-        else
-          formatted_number
+          if valid_float || number.html_safe?
+            formatted_number.html_safe
+          else
+            formatted_number
+          end
         end
-      end
 
-      def valid_float?(number)
-        !parse_float(number, false).nil?
-      end
+        def valid_float?(number)
+          !parse_float(number, false).nil?
+        end
 
-      def parse_float(number, raise_error)
-        Float(number)
-      rescue ArgumentError, TypeError
-        raise InvalidNumberError, number if raise_error
-      end
+        def parse_float(number, raise_error)
+          Float(number)
+        rescue ArgumentError, TypeError
+          raise InvalidNumberError, number if raise_error
+        end
     end
   end
 end

data/lib/action_view/helpers/output_safety_helper.rb

@@ -1,4 +1,4 @@
-require 'active_support/core_ext/string/output_safety'
+require "active_support/core_ext/string/output_safety"
 
 module ActionView #:nodoc:
   # = Action View Raw Output Helper
@@ -25,10 +25,10 @@ module ActionView #:nodoc:
       #   safe_join([raw("<p>foo</p>"), "<p>bar</p>"], "<br />")
       #   # => "<p>foo</p>&lt;br /&gt;&lt;p&gt;bar&lt;/p&gt;"
       #
-      #   safe_join([raw("<p>foo</p>"), raw("<p>bar</p>")], raw("<br />")
+      #   safe_join([raw("<p>foo</p>"), raw("<p>bar</p>")], raw("<br />"))
       #   # => "<p>foo</p><br /><p>bar</p>"
       #
-      def safe_join(array, sep=$,)
+      def safe_join(array, sep = $,)
         sep = ERB::Util.unwrapped_html_escape(sep)
 
         array.flatten.map! { |i| ERB::Util.unwrapped_html_escape(i) }.join(sep).html_safe
@@ -42,9 +42,9 @@ module ActionView #:nodoc:
         options.assert_valid_keys(:words_connector, :two_words_connector, :last_word_connector, :locale)
 
         default_connectors = {
-          :words_connector     => ', ',
-          :two_words_connector => ' and ',
-          :last_word_connector => ', and '
+          words_connector: ", ",
+          two_words_connector: " and ",
+          last_word_connector: ", and "
         }
         if defined?(I18n)
           i18n_connectors = I18n.translate(:'support.array', locale: options[:locale], default: {})
@@ -54,13 +54,13 @@ module ActionView #:nodoc:
 
         case array.length
         when 0
-          ''.html_safe
+          "".html_safe
         when 1
           ERB::Util.html_escape(array[0])
         when 2
           safe_join([array[0], array[1]], options[:two_words_connector])
         else
-          safe_join([safe_join(array[0...-1], options[:words_connector]), options[:last_word_connector], array[-1]])
+          safe_join([safe_join(array[0...-1], options[:words_connector]), options[:last_word_connector], array[-1]], nil)
         end
       end
     end

data/lib/action_view/helpers/record_tag_helper.rb

@@ -1,7 +1,7 @@
 module ActionView
   module Helpers
     module RecordTagHelper
-      def div_for(*)
+      def div_for(*) # :nodoc:
         raise NoMethodError, "The `div_for` method has been removed from " \
           "Rails. To continue using it, add the `record_tag_helper` gem to " \
           "your Gemfile:\n" \
@@ -9,7 +9,7 @@ module ActionView
           "Consult the Rails upgrade guide for details."
       end
 
-      def content_tag_for(*)
+      def content_tag_for(*) # :nodoc:
         raise NoMethodError, "The `content_tag_for` method has been removed from " \
           "Rails. To continue using it, add the `record_tag_helper` gem to " \
           "your Gemfile:\n" \

data/lib/action_view/helpers/rendering_helper.rb

@@ -11,7 +11,6 @@ module ActionView
       # * <tt>:partial</tt> - See <tt>ActionView::PartialRenderer</tt>.
       # * <tt>:file</tt> - Renders an explicit template file (this used to be the old default), add :locals to pass in those.
       # * <tt>:inline</tt> - Renders an inline template similar to how it's done in the controller.
-      # * <tt>:text</tt> - Renders the text passed in out.
       # * <tt>:plain</tt> - Renders the text passed in out. Setting the content
       #   type as <tt>text/plain</tt>.
       # * <tt>:html</tt> - Renders the HTML safe string passed in out, otherwise
@@ -27,12 +26,12 @@ module ActionView
         case options
         when Hash
           if block_given?
-            view_renderer.render_partial(self, options.merge(:partial => options[:layout]), &block)
+            view_renderer.render_partial(self, options.merge(partial: options[:layout]), &block)
           else
             view_renderer.render(self, options)
           end
         else
-          view_renderer.render_partial(self, :partial => options, :locals => locals, &block)
+          view_renderer.render_partial(self, partial: options, locals: locals, &block)
         end
       end
 

data/lib/action_view/helpers/sanitize_helper.rb

@@ -1,5 +1,5 @@
-require 'active_support/core_ext/object/try'
-require 'rails-html-sanitizer'
+require "active_support/core_ext/object/try"
+require "rails-html-sanitizer"
 
 module ActionView
   # = Action View Sanitize Helpers
@@ -13,6 +13,7 @@ module ActionView
       # It also strips href/src attributes with unsafe protocols like
       # <tt>javascript:</tt>, while also protecting against attempts to use Unicode,
       # ASCII, and hex character references to work around these protocol filters.
+      # All special characters will be escaped.
       #
       # The default sanitizer is Rails::Html::WhiteListSanitizer. See {Rails HTML
       # Sanitizers}[https://github.com/rails/rails-html-sanitizer] for more information.
@@ -20,8 +21,7 @@ module ActionView
       # Custom sanitization rules can also be provided.
       #
       # Please note that sanitizing user-provided text does not guarantee that the
-      # resulting markup is valid or even well-formed. For example, the output may still
-      # contain unescaped characters like <tt><</tt>, <tt>></tt>, or <tt>&</tt>.
+      # resulting markup is valid or even well-formed.
       #
       # ==== Options
       #
@@ -45,17 +45,15 @@ module ActionView
       # Providing a custom Rails::Html scrubber:
       #
       #   class CommentScrubber < Rails::Html::PermitScrubber
-      #     def allowed_node?(node)
-      #       !%w(form script comment blockquote).include?(node.name)
+      #     def initialize
+      #       super
+      #       self.tags = %w( form script comment blockquote )
+      #       self.attributes = %w( style )
       #     end
       #
       #     def skip_node?(node)
       #       node.text?
       #     end
-      #
-      #     def scrub_attribute?(name)
-      #       name == 'style'
-      #     end
       #   end
       #
       #   <%= sanitize @comment.body, scrubber: CommentScrubber.new %>
@@ -88,7 +86,7 @@ module ActionView
         self.class.white_list_sanitizer.sanitize_css(style)
       end
 
-      # Strips all HTML tags from +html+, including comments.
+      # Strips all HTML tags from +html+, including comments and special characters.
       #
       #   strip_tags("Strip <i>these</i> tags!")
       #   # => Strip these tags!
@@ -98,8 +96,11 @@ module ActionView
       #
       #   strip_tags("<div id='top-bar'>Welcome to my website!</div>")
       #   # => Welcome to my website!
+      #
+      #   strip_tags("> A quote from Smith & Wesson")
+      #   # => &gt; A quote from Smith &amp; Wesson
       def strip_tags(html)
-        self.class.full_sanitizer.sanitize(html, encode_special_chars: false)
+        self.class.full_sanitizer.sanitize(html)
       end
 
       # Strips all link tags from +html+ leaving just the link text.
@@ -112,6 +113,9 @@ module ActionView
       #
       #   strip_links('Blog: <a href="http://www.myblog.com/" class="nav" target=\"_blank\">Visit</a>.')
       #   # => Blog: Visit.
+      #
+      #   strip_links('<<a href="https://example.org">malformed & link</a>')
+      #   # => &lt;malformed &amp; link
       def strip_links(html)
         self.class.link_sanitizer.sanitize(html)
       end