actionview 5.0.7.2 → 5.1.7
- checksums.yaml +4 -4
- data/CHANGELOG.md +169 -345
- data/MIT-LICENSE +1 -1
- data/README.rdoc +1 -1
- data/lib/action_view/base.rb +19 -19
- data/lib/action_view/buffers.rb +1 -1
- data/lib/action_view/context.rb +1 -1
- data/lib/action_view/dependency_tracker.rb +4 -5
- data/lib/action_view/digestor.rb +22 -13
- data/lib/action_view/flows.rb +5 -6
- data/lib/action_view/gem_version.rb +2 -2
- data/lib/action_view/helpers/active_model_helper.rb +8 -8
- data/lib/action_view/helpers/asset_tag_helper.rb +62 -36
- data/lib/action_view/helpers/asset_url_helper.rb +111 -49
- data/lib/action_view/helpers/atom_feed_helper.rb +12 -13
- data/lib/action_view/helpers/cache_helper.rb +32 -20
- data/lib/action_view/helpers/capture_helper.rb +2 -2
- data/lib/action_view/helpers/controller_helper.rb +2 -2
- data/lib/action_view/helpers/csrf_helper.rb +3 -3
- data/lib/action_view/helpers/date_helper.rb +119 -109
- data/lib/action_view/helpers/debug_helper.rb +2 -3
- data/lib/action_view/helpers/form_helper.rb +440 -31
- data/lib/action_view/helpers/form_options_helper.rb +12 -12
- data/lib/action_view/helpers/form_tag_helper.rb +20 -19
- data/lib/action_view/helpers/javascript_helper.rb +6 -6
- data/lib/action_view/helpers/number_helper.rb +48 -46
- data/lib/action_view/helpers/output_safety_helper.rb +8 -8
- data/lib/action_view/helpers/record_tag_helper.rb +2 -2
- data/lib/action_view/helpers/rendering_helper.rb +2 -3
- data/lib/action_view/helpers/sanitize_helper.rb +16 -12
- data/lib/action_view/helpers/tag_helper.rb +194 -77
- data/lib/action_view/helpers/tags/base.rb +121 -102
- data/lib/action_view/helpers/tags/check_box.rb +17 -17
- data/lib/action_view/helpers/tags/collection_check_boxes.rb +9 -8
- data/lib/action_view/helpers/tags/collection_helpers.rb +60 -60
- data/lib/action_view/helpers/tags/collection_radio_buttons.rb +3 -2
- data/lib/action_view/helpers/tags/collection_select.rb +2 -2
- data/lib/action_view/helpers/tags/date_select.rb +36 -36
- data/lib/action_view/helpers/tags/grouped_collection_select.rb +2 -2
- data/lib/action_view/helpers/tags/label.rb +4 -0
- data/lib/action_view/helpers/tags/password_field.rb +1 -1
- data/lib/action_view/helpers/tags/radio_button.rb +4 -4
- data/lib/action_view/helpers/tags/select.rb +9 -9
- data/lib/action_view/helpers/tags/text_area.rb +1 -1
- data/lib/action_view/helpers/tags/text_field.rb +5 -5
- data/lib/action_view/helpers/tags/translator.rb +14 -12
- data/lib/action_view/helpers/text_helper.rb +20 -19
- data/lib/action_view/helpers/translation_helper.rb +6 -6
- data/lib/action_view/helpers/url_helper.rb +48 -46
- data/lib/action_view/helpers.rb +1 -1
- data/lib/action_view/layouts.rb +51 -47
- data/lib/action_view/log_subscriber.rb +25 -9
- data/lib/action_view/lookup_context.rb +19 -25
- data/lib/action_view/path_set.rb +19 -19
- data/lib/action_view/railtie.rb +13 -4
- data/lib/action_view/record_identifier.rb +6 -6
- data/lib/action_view/renderer/abstract_renderer.rb +17 -17
- data/lib/action_view/renderer/partial_renderer/collection_caching.rb +7 -1
- data/lib/action_view/renderer/partial_renderer.rb +188 -187
- data/lib/action_view/renderer/renderer.rb +4 -0
- data/lib/action_view/renderer/streaming_template_renderer.rb +45 -47
- data/lib/action_view/renderer/template_renderer.rb +64 -66
- data/lib/action_view/rendering.rb +4 -5
- data/lib/action_view/routing_url_for.rb +9 -13
- data/lib/action_view/tasks/cache_digests.rake +7 -7
- data/lib/action_view/template/error.rb +5 -15
- data/lib/action_view/template/handlers/builder.rb +7 -7
- data/lib/action_view/template/handlers/erb/deprecated_erubis.rb +9 -0
- data/lib/action_view/template/handlers/erb/erubi.rb +81 -0
- data/lib/action_view/template/handlers/erb/erubis.rb +81 -0
- data/lib/action_view/template/handlers/erb.rb +9 -76
- data/lib/action_view/template/handlers.rb +4 -4
- data/lib/action_view/template/html.rb +2 -4
- data/lib/action_view/template/resolver.rb +107 -90
- data/lib/action_view/template/text.rb +5 -8
- data/lib/action_view/template/types.rb +1 -1
- data/lib/action_view/template.rb +26 -27
- data/lib/action_view/test_case.rb +20 -21
- data/lib/action_view/testing/resolvers.rb +29 -30
- data/lib/action_view/version.rb +1 -1
- data/lib/action_view/view_paths.rb +20 -8
- data/lib/action_view.rb +5 -5
- data/lib/assets/compiled/rails-ujs.js +683 -0
- metadata +18 -12
@@ -1,7 +1,7 @@
|
|
1
|
-
require
|
2
|
-
require
|
3
|
-
require
|
4
|
-
require
|
1
|
+
require "cgi"
|
2
|
+
require "action_view/helpers/tag_helper"
|
3
|
+
require "active_support/core_ext/string/output_safety"
|
4
|
+
require "active_support/core_ext/module/attribute_accessors"
|
5
5
|
|
6
6
|
module ActionView
|
7
7
|
# = Action View Form Tag Helpers
|
@@ -18,7 +18,7 @@ module ActionView
|
|
18
18
|
include TextHelper
|
19
19
|
|
20
20
|
mattr_accessor :embed_authenticity_token_in_remote_forms
|
21
|
-
self.embed_authenticity_token_in_remote_forms =
|
21
|
+
self.embed_authenticity_token_in_remote_forms = nil
|
22
22
|
|
23
23
|
# Starts a form tag that points the action to a url configured with <tt>url_for_options</tt> just like
|
24
24
|
# ActionController::Base#url_for. The method for the form defaults to POST.
|
@@ -134,11 +134,11 @@ module ActionView
|
|
134
134
|
|
135
135
|
if options.include?(:include_blank)
|
136
136
|
include_blank = options.delete(:include_blank)
|
137
|
-
options_for_blank_options_tag = { value:
|
137
|
+
options_for_blank_options_tag = { value: "" }
|
138
138
|
|
139
139
|
if include_blank == true
|
140
|
-
include_blank =
|
141
|
-
options_for_blank_options_tag[:label] =
|
140
|
+
include_blank = ""
|
141
|
+
options_for_blank_options_tag[:label] = " "
|
142
142
|
end
|
143
143
|
|
144
144
|
if include_blank
|
@@ -147,7 +147,7 @@ module ActionView
|
|
147
147
|
end
|
148
148
|
|
149
149
|
if prompt = options.delete(:prompt)
|
150
|
-
option_tags = content_tag("option".freeze, prompt, value:
|
150
|
+
option_tags = content_tag("option".freeze, prompt, value: "").safe_concat(option_tags)
|
151
151
|
end
|
152
152
|
|
153
153
|
content_tag "select".freeze, option_tags, { "name" => html_name, "id" => sanitize_to_id(name) }.update(options.stringify_keys)
|
@@ -449,7 +449,7 @@ module ActionView
|
|
449
449
|
end
|
450
450
|
|
451
451
|
# Creates a button element that defines a <tt>submit</tt> button,
|
452
|
-
# <tt>reset</tt>button or a generic button which can be used in
|
452
|
+
# <tt>reset</tt> button or a generic button which can be used in
|
453
453
|
# JavaScript, for example. You can use the button tag as a regular
|
454
454
|
# submit tag but it isn't supported in legacy browsers. However,
|
455
455
|
# the button tag does allow for richer labels such as images and emphasis,
|
@@ -506,12 +506,12 @@ module ActionView
|
|
506
506
|
options ||= {}
|
507
507
|
end
|
508
508
|
|
509
|
-
options = {
|
509
|
+
options = { "name" => "button", "type" => "submit" }.merge!(options.stringify_keys)
|
510
510
|
|
511
511
|
if block_given?
|
512
512
|
content_tag :button, options, &block
|
513
513
|
else
|
514
|
-
content_tag :button, content_or_options ||
|
514
|
+
content_tag :button, content_or_options || "Button", options
|
515
515
|
end
|
516
516
|
end
|
517
517
|
|
@@ -681,7 +681,7 @@ module ActionView
|
|
681
681
|
# * <tt>:step</tt> - The acceptable value granularity.
|
682
682
|
# * Otherwise accepts the same options as text_field_tag.
|
683
683
|
def datetime_field_tag(name, value = nil, options = {})
|
684
|
-
text_field_tag(name, value, options.merge(type:
|
684
|
+
text_field_tag(name, value, options.merge(type: "datetime-local"))
|
685
685
|
end
|
686
686
|
|
687
687
|
alias datetime_local_field_tag datetime_field_tag
|
@@ -845,11 +845,12 @@ module ActionView
|
|
845
845
|
authenticity_token = html_options.delete("authenticity_token")
|
846
846
|
method = html_options.delete("method").to_s.downcase
|
847
847
|
|
848
|
-
method_tag =
|
849
|
-
|
848
|
+
method_tag = \
|
849
|
+
case method
|
850
|
+
when "get"
|
850
851
|
html_options["method"] = "get"
|
851
|
-
|
852
|
-
when
|
852
|
+
""
|
853
|
+
when "post", ""
|
853
854
|
html_options["method"] = "post"
|
854
855
|
token_tag(authenticity_token, form_options: {
|
855
856
|
action: html_options["action"],
|
@@ -861,7 +862,7 @@ module ActionView
|
|
861
862
|
action: html_options["action"],
|
862
863
|
method: method
|
863
864
|
})
|
864
|
-
|
865
|
+
end
|
865
866
|
|
866
867
|
if html_options.delete("enforce_utf8") { true }
|
867
868
|
utf8_enforcer_tag + method_tag
|
@@ -883,7 +884,7 @@ module ActionView
|
|
883
884
|
|
884
885
|
# see http://www.w3.org/TR/html4/types.html#type-name
|
885
886
|
def sanitize_to_id(name)
|
886
|
-
name.to_s.delete(
|
887
|
+
name.to_s.delete("]").tr("^-a-zA-Z0-9:.", "_")
|
887
888
|
end
|
888
889
|
|
889
890
|
def set_default_disable_with(value, tag_options)
|
@@ -1,11 +1,11 @@
|
|
1
|
-
require
|
1
|
+
require "action_view/helpers/tag_helper"
|
2
2
|
|
3
3
|
module ActionView
|
4
4
|
module Helpers
|
5
5
|
module JavaScriptHelper
|
6
6
|
JS_ESCAPE_MAP = {
|
7
7
|
'\\' => '\\\\',
|
8
|
-
|
8
|
+
"</" => '<\/',
|
9
9
|
"\r\n" => '\n',
|
10
10
|
"\n" => '\n',
|
11
11
|
"\r" => '\n',
|
@@ -13,8 +13,8 @@ module ActionView
|
|
13
13
|
"'" => "\\'"
|
14
14
|
}
|
15
15
|
|
16
|
-
JS_ESCAPE_MAP["\342\200\250".force_encoding(Encoding::UTF_8).encode!] =
|
17
|
-
JS_ESCAPE_MAP["\342\200\251".force_encoding(Encoding::UTF_8).encode!] =
|
16
|
+
JS_ESCAPE_MAP["\342\200\250".force_encoding(Encoding::UTF_8).encode!] = "
"
|
17
|
+
JS_ESCAPE_MAP["\342\200\251".force_encoding(Encoding::UTF_8).encode!] = "
"
|
18
18
|
|
19
19
|
# Escapes carriage returns and single and double quotes for JavaScript segments.
|
20
20
|
#
|
@@ -24,10 +24,10 @@ module ActionView
|
|
24
24
|
# $('some_element').replaceWith('<%= j render 'some/element_template' %>');
|
25
25
|
def escape_javascript(javascript)
|
26
26
|
if javascript
|
27
|
-
result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'])/u) {|match| JS_ESCAPE_MAP[match] }
|
27
|
+
result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'])/u) { |match| JS_ESCAPE_MAP[match] }
|
28
28
|
javascript.html_safe? ? result.html_safe : result
|
29
29
|
else
|
30
|
-
|
30
|
+
""
|
31
31
|
end
|
32
32
|
end
|
33
33
|
|
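Review bot: The doc comment on `escape_javascript` (hunk `@@ -13,8 +13,8 @@`, line 19) still says it escapes only carriage returns and quotes, while `JS_ESCAPE_MAP` also rewrites backslashes, `</` (so a value cannot close the surrounding `<script>` element) and U+2028/U+2029, and the result is only safe inside a quoted JS string literal — not as bare JS and not inside an HTML attribute. Suggest: `# Escapes backslashes, quotes, newlines, the "</" sequence and the U+2028/U+2029 line terminators so the value can be embedded inside a quoted JavaScript string literal; it is not sufficient for unquoted JS or for HTML attributes such as onclick.` Also, on this page the values assigned for U+2028/U+2029 on lines 16-17 render as raw line-separator characters, which would make that mapping a no-op; presumably the source holds the literal entity text `&#x2028;`/`&#x2029;` and the page renderer decoded it, but that is worth confirming against the file.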
@@ -1,11 +1,10 @@
|
|
1
|
-
require
|
2
|
-
require
|
3
|
-
require
|
1
|
+
require "active_support/core_ext/hash/keys"
|
2
|
+
require "active_support/core_ext/string/output_safety"
|
3
|
+
require "active_support/number_helper"
|
4
4
|
|
5
5
|
module ActionView
|
6
6
|
# = Action View Number Helpers
|
7
7
|
module Helpers #:nodoc:
|
8
|
-
|
9
8
|
# Provides methods for converting numbers into formatted strings.
|
10
9
|
# Methods are provided for phone numbers, currency, percentage,
|
11
10
|
# precision, positional notation, file size and pretty printing.
|
@@ -13,7 +12,6 @@ module ActionView
|
|
13
12
|
# Most methods expect a +number+ argument, and will return it
|
14
13
|
# unchanged if can't be converted into a valid number.
|
15
14
|
module NumberHelper
|
16
|
-
|
17
15
|
# Raised when argument +number+ param given to the helpers is invalid and
|
18
16
|
# the option :raise is set to +true+.
|
19
17
|
class InvalidNumberError < StandardError
|
@@ -94,7 +92,7 @@ module ActionView
|
|
94
92
|
# (defaults to "%u%n"). Fields are <tt>%u</tt> for the
|
95
93
|
# currency, and <tt>%n</tt> for the number.
|
96
94
|
# * <tt>:negative_format</tt> - Sets the format for negative
|
97
|
-
# numbers (defaults to prepending
|
95
|
+
# numbers (defaults to prepending a hyphen to the formatted
|
98
96
|
# number given by <tt>:format</tt>). Accepts the same fields
|
99
97
|
# than <tt>:format</tt>, except <tt>%n</tt> is here the
|
100
98
|
# absolute value of the number.
|
@@ -173,6 +171,9 @@ module ActionView
|
|
173
171
|
# to ",").
|
174
172
|
# * <tt>:separator</tt> - Sets the separator between the
|
175
173
|
# fractional and integer digits (defaults to ".").
|
174
|
+
# * <tt>:delimiter_pattern</tt> - Sets a custom regular expression used for
|
175
|
+
# deriving the placement of delimiter. Helpful when using currency formats
|
176
|
+
# like INR.
|
176
177
|
# * <tt>:raise</tt> - If true, raises +InvalidNumberError+ when
|
177
178
|
# the argument is invalid.
|
178
179
|
#
|
@@ -189,6 +190,9 @@ module ActionView
|
|
189
190
|
# number_with_delimiter(98765432.98, delimiter: " ", separator: ",")
|
190
191
|
# # => 98 765 432,98
|
191
192
|
#
|
193
|
+
# number_with_delimiter("123456.78",
|
194
|
+
# delimiter_pattern: /(\d+?)(?=(\d\d)+(\d)(?!\d))/) # => "1,23,456.78"
|
195
|
+
#
|
192
196
|
# number_with_delimiter("112a", raise: true) # => raise InvalidNumberError
|
193
197
|
def number_with_delimiter(number, options = {})
|
194
198
|
delegate_number_helper_method(:number_to_delimited, number, options)
|
@@ -263,8 +267,6 @@ module ActionView
|
|
263
267
|
# * <tt>:strip_insignificant_zeros</tt> - If +true+ removes
|
264
268
|
# insignificant zeros after the decimal separator (defaults to
|
265
269
|
# +true+)
|
266
|
-
# * <tt>:prefix</tt> - If +:si+ formats the number using the SI
|
267
|
-
# prefix (defaults to :binary)
|
268
270
|
# * <tt>:raise</tt> - If true, raises +InvalidNumberError+ when
|
269
271
|
# the argument is invalid.
|
270
272
|
#
|
@@ -395,53 +397,53 @@ module ActionView
|
|
395
397
|
|
396
398
|
private
|
397
399
|
|
398
|
-
|
399
|
-
|
400
|
-
|
400
|
+
def delegate_number_helper_method(method, number, options)
|
401
|
+
return unless number
|
402
|
+
options = escape_unsafe_options(options.symbolize_keys)
|
401
403
|
|
402
|
-
|
403
|
-
|
404
|
-
|
405
|
-
|
404
|
+
wrap_with_output_safety_handling(number, options.delete(:raise)) {
|
405
|
+
ActiveSupport::NumberHelper.public_send(method, number, options)
|
406
|
+
}
|
407
|
+
end
|
406
408
|
|
407
|
-
|
408
|
-
|
409
|
-
|
410
|
-
|
411
|
-
|
412
|
-
|
413
|
-
|
414
|
-
|
415
|
-
|
409
|
+
def escape_unsafe_options(options)
|
410
|
+
options[:format] = ERB::Util.html_escape(options[:format]) if options[:format]
|
411
|
+
options[:negative_format] = ERB::Util.html_escape(options[:negative_format]) if options[:negative_format]
|
412
|
+
options[:separator] = ERB::Util.html_escape(options[:separator]) if options[:separator]
|
413
|
+
options[:delimiter] = ERB::Util.html_escape(options[:delimiter]) if options[:delimiter]
|
414
|
+
options[:unit] = ERB::Util.html_escape(options[:unit]) if options[:unit] && !options[:unit].html_safe?
|
415
|
+
options[:units] = escape_units(options[:units]) if options[:units] && Hash === options[:units]
|
416
|
+
options
|
417
|
+
end
|
416
418
|
|
417
|
-
|
418
|
-
|
419
|
-
|
420
|
-
|
421
|
-
|
419
|
+
def escape_units(units)
|
420
|
+
Hash[units.map do |k, v|
|
421
|
+
[k, ERB::Util.html_escape(v)]
|
422
|
+
end]
|
423
|
+
end
|
422
424
|
|
423
|
-
|
424
|
-
|
425
|
-
|
425
|
+
def wrap_with_output_safety_handling(number, raise_on_invalid, &block)
|
426
|
+
valid_float = valid_float?(number)
|
427
|
+
raise InvalidNumberError, number if raise_on_invalid && !valid_float
|
426
428
|
|
427
|
-
|
429
|
+
formatted_number = yield
|
428
430
|
|
429
|
-
|
430
|
-
|
431
|
-
|
432
|
-
|
431
|
+
if valid_float || number.html_safe?
|
432
|
+
formatted_number.html_safe
|
433
|
+
else
|
434
|
+
formatted_number
|
435
|
+
end
|
433
436
|
end
|
434
|
-
end
|
435
437
|
|
436
|
-
|
437
|
-
|
438
|
-
|
438
|
+
def valid_float?(number)
|
439
|
+
!parse_float(number, false).nil?
|
440
|
+
end
|
439
441
|
|
440
|
-
|
441
|
-
|
442
|
-
|
443
|
-
|
444
|
-
|
442
|
+
def parse_float(number, raise_error)
|
443
|
+
Float(number)
|
444
|
+
rescue ArgumentError, TypeError
|
445
|
+
raise InvalidNumberError, number if raise_error
|
446
|
+
end
|
445
447
|
end
|
446
448
|
end
|
447
449
|
end
|
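Review bot: `wrap_with_output_safety_handling` (hunk `@@ -395,53 +397,53 @@`, new lines 425-436) marks the formatted string html_safe whenever the number parsed as a Float, which is only sound because `escape_unsafe_options` has escaped every string option that can reach the output; that coupling is undocumented, and the list (`:format`, `:negative_format`, `:separator`, `:delimiter`, `:unit`, `:units`) is an allow-list that silently misses any string option added later. Add above `escape_unsafe_options`: `# Every string option that ActiveSupport::NumberHelper copies into its output must be escaped here, because the result is later marked html_safe; an unlisted string option is emitted unescaped.` and above `wrap_with_output_safety_handling`: `# html_safe is justified only because a value accepted by Kernel#Float can contain no markup and all string options were escaped above.` The `:delimiter_pattern` Regexp documented in this same diff is passed through unescaped, which is fine for a Regexp but it must never be built from request input (regex denial of service); note too that `Kernel#Float` accepts forms such as `"0x1A"` or `"1_000"`, so "valid" here is broader than decimal notation, although none of those forms can carry markup. The removed old implementation is not visible on this page.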
@@ -1,4 +1,4 @@
|
|
1
|
-
require
|
1
|
+
require "active_support/core_ext/string/output_safety"
|
2
2
|
|
3
3
|
module ActionView #:nodoc:
|
4
4
|
# = Action View Raw Output Helper
|
@@ -25,10 +25,10 @@ module ActionView #:nodoc:
|
|
25
25
|
# safe_join([raw("<p>foo</p>"), "<p>bar</p>"], "<br />")
|
26
26
|
# # => "<p>foo</p><br /><p>bar</p>"
|
27
27
|
#
|
28
|
-
# safe_join([raw("<p>foo</p>"), raw("<p>bar</p>")], raw("<br />")
|
28
|
+
# safe_join([raw("<p>foo</p>"), raw("<p>bar</p>")], raw("<br />"))
|
29
29
|
# # => "<p>foo</p><br /><p>bar</p>"
|
30
30
|
#
|
31
|
-
def safe_join(array, sep
|
31
|
+
def safe_join(array, sep = $,)
|
32
32
|
sep = ERB::Util.unwrapped_html_escape(sep)
|
33
33
|
|
34
34
|
array.flatten.map! { |i| ERB::Util.unwrapped_html_escape(i) }.join(sep).html_safe
|
@@ -42,9 +42,9 @@ module ActionView #:nodoc:
|
|
42
42
|
options.assert_valid_keys(:words_connector, :two_words_connector, :last_word_connector, :locale)
|
43
43
|
|
44
44
|
default_connectors = {
|
45
|
-
:
|
46
|
-
:
|
47
|
-
:
|
45
|
+
words_connector: ", ",
|
46
|
+
two_words_connector: " and ",
|
47
|
+
last_word_connector: ", and "
|
48
48
|
}
|
49
49
|
if defined?(I18n)
|
50
50
|
i18n_connectors = I18n.translate(:'support.array', locale: options[:locale], default: {})
|
@@ -54,13 +54,13 @@ module ActionView #:nodoc:
|
|
54
54
|
|
55
55
|
case array.length
|
56
56
|
when 0
|
57
|
-
|
57
|
+
"".html_safe
|
58
58
|
when 1
|
59
59
|
ERB::Util.html_escape(array[0])
|
60
60
|
when 2
|
61
61
|
safe_join([array[0], array[1]], options[:two_words_connector])
|
62
62
|
else
|
63
|
-
safe_join([safe_join(array[0...-1], options[:words_connector]), options[:last_word_connector], array[-1]])
|
63
|
+
safe_join([safe_join(array[0...-1], options[:words_connector]), options[:last_word_connector], array[-1]], nil)
|
64
64
|
end
|
65
65
|
end
|
66
66
|
end
|
@@ -1,7 +1,7 @@
|
|
1
1
|
module ActionView
|
2
2
|
module Helpers
|
3
3
|
module RecordTagHelper
|
4
|
-
def div_for(*)
|
4
|
+
def div_for(*) # :nodoc:
|
5
5
|
raise NoMethodError, "The `div_for` method has been removed from " \
|
6
6
|
"Rails. To continue using it, add the `record_tag_helper` gem to " \
|
7
7
|
"your Gemfile:\n" \
|
@@ -9,7 +9,7 @@ module ActionView
|
|
9
9
|
"Consult the Rails upgrade guide for details."
|
10
10
|
end
|
11
11
|
|
12
|
-
def content_tag_for(*)
|
12
|
+
def content_tag_for(*) # :nodoc:
|
13
13
|
raise NoMethodError, "The `content_tag_for` method has been removed from " \
|
14
14
|
"Rails. To continue using it, add the `record_tag_helper` gem to " \
|
15
15
|
"your Gemfile:\n" \
|
@@ -11,7 +11,6 @@ module ActionView
|
|
11
11
|
# * <tt>:partial</tt> - See <tt>ActionView::PartialRenderer</tt>.
|
12
12
|
# * <tt>:file</tt> - Renders an explicit template file (this used to be the old default), add :locals to pass in those.
|
13
13
|
# * <tt>:inline</tt> - Renders an inline template similar to how it's done in the controller.
|
14
|
-
# * <tt>:text</tt> - Renders the text passed in out.
|
15
14
|
# * <tt>:plain</tt> - Renders the text passed in out. Setting the content
|
16
15
|
# type as <tt>text/plain</tt>.
|
17
16
|
# * <tt>:html</tt> - Renders the HTML safe string passed in out, otherwise
|
@@ -27,12 +26,12 @@ module ActionView
|
|
27
26
|
case options
|
28
27
|
when Hash
|
29
28
|
if block_given?
|
30
|
-
view_renderer.render_partial(self, options.merge(:
|
29
|
+
view_renderer.render_partial(self, options.merge(partial: options[:layout]), &block)
|
31
30
|
else
|
32
31
|
view_renderer.render(self, options)
|
33
32
|
end
|
34
33
|
else
|
35
|
-
view_renderer.render_partial(self, :
|
34
|
+
view_renderer.render_partial(self, partial: options, locals: locals, &block)
|
36
35
|
end
|
37
36
|
end
|
38
37
|
|
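Review bot: In hunk `@@ -27,12 +26,12 @@` the `else` branch forwards any non-Hash `options` straight to `render_partial` as `partial:` (new line 34), and nothing warns that this value selects which template file is rendered; a request-derived string passed there lets a client choose the template (the classic dynamic-render-path problem). Add above the `case`: `# A non-Hash +options+ is taken as the partial name; never build it from request parameters, since it selects the template that is rendered.` The `render` method's signature lies above the hunk and its closing lines below it, so the comment placement is inferred from the visible body.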
@@ -1,5 +1,5 @@
|
|
1
|
-
require
|
2
|
-
require
|
1
|
+
require "active_support/core_ext/object/try"
|
2
|
+
require "rails-html-sanitizer"
|
3
3
|
|
4
4
|
module ActionView
|
5
5
|
# = Action View Sanitize Helpers
|
@@ -13,6 +13,7 @@ module ActionView
|
|
13
13
|
# It also strips href/src attributes with unsafe protocols like
|
14
14
|
# <tt>javascript:</tt>, while also protecting against attempts to use Unicode,
|
15
15
|
# ASCII, and hex character references to work around these protocol filters.
|
16
|
+
# All special characters will be escaped.
|
16
17
|
#
|
17
18
|
# The default sanitizer is Rails::Html::WhiteListSanitizer. See {Rails HTML
|
18
19
|
# Sanitizers}[https://github.com/rails/rails-html-sanitizer] for more information.
|
@@ -20,8 +21,7 @@ module ActionView
|
|
20
21
|
# Custom sanitization rules can also be provided.
|
21
22
|
#
|
22
23
|
# Please note that sanitizing user-provided text does not guarantee that the
|
23
|
-
# resulting markup is valid or even well-formed.
|
24
|
-
# contain unescaped characters like <tt><</tt>, <tt>></tt>, or <tt>&</tt>.
|
24
|
+
# resulting markup is valid or even well-formed.
|
25
25
|
#
|
26
26
|
# ==== Options
|
27
27
|
#
|
@@ -45,17 +45,15 @@ module ActionView
|
|
45
45
|
# Providing a custom Rails::Html scrubber:
|
46
46
|
#
|
47
47
|
# class CommentScrubber < Rails::Html::PermitScrubber
|
48
|
-
# def
|
49
|
-
#
|
48
|
+
# def initialize
|
49
|
+
# super
|
50
|
+
# self.tags = %w( form script comment blockquote )
|
51
|
+
# self.attributes = %w( style )
|
50
52
|
# end
|
51
53
|
#
|
52
54
|
# def skip_node?(node)
|
53
55
|
# node.text?
|
54
56
|
# end
|
55
|
-
#
|
56
|
-
# def scrub_attribute?(name)
|
57
|
-
# name == 'style'
|
58
|
-
# end
|
59
57
|
# end
|
60
58
|
#
|
61
59
|
# <%= sanitize @comment.body, scrubber: CommentScrubber.new %>
|
@@ -88,7 +86,7 @@ module ActionView
|
|
88
86
|
self.class.white_list_sanitizer.sanitize_css(style)
|
89
87
|
end
|
90
88
|
|
91
|
-
# Strips all HTML tags from +html+, including comments.
|
89
|
+
# Strips all HTML tags from +html+, including comments and special characters.
|
92
90
|
#
|
93
91
|
# strip_tags("Strip <i>these</i> tags!")
|
94
92
|
# # => Strip these tags!
|
@@ -98,8 +96,11 @@ module ActionView
|
|
98
96
|
#
|
99
97
|
# strip_tags("<div id='top-bar'>Welcome to my website!</div>")
|
100
98
|
# # => Welcome to my website!
|
99
|
+
#
|
100
|
+
# strip_tags("> A quote from Smith & Wesson")
|
101
|
+
# # => > A quote from Smith & Wesson
|
101
102
|
def strip_tags(html)
|
102
|
-
self.class.full_sanitizer.sanitize(html
|
103
|
+
self.class.full_sanitizer.sanitize(html)
|
103
104
|
end
|
104
105
|
|
105
106
|
# Strips all link tags from +html+ leaving just the link text.
|
@@ -112,6 +113,9 @@ module ActionView
|
|
112
113
|
#
|
113
114
|
# strip_links('Blog: <a href="http://www.myblog.com/" class="nav" target=\"_blank\">Visit</a>.')
|
114
115
|
# # => Blog: Visit.
|
116
|
+
#
|
117
|
+
# strip_links('<<a href="https://example.org">malformed & link</a>')
|
118
|
+
# # => <malformed & link
|
115
119
|
def strip_links(html)
|
116
120
|
self.class.link_sanitizer.sanitize(html)
|
117
121
|
end
|