actionview 5.1.4 → 6.1.1

data/lib/action_view/flows.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "active_support/core_ext/string/output_safety"
 
 module ActionView
@@ -66,7 +68,6 @@ module ActionView
     end
 
     private
-
       def inside_fiber?
         Fiber.current.object_id != @root
       end

data/lib/action_view/gem_version.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ActionView
   # Returns the version of the currently loaded Action View as a <tt>Gem::Version</tt>
   def self.gem_version
@@ -5,9 +7,9 @@ module ActionView
   end
 
   module VERSION
-    MAJOR = 5
+    MAJOR = 6
     MINOR = 1
-    TINY  = 4
+    TINY  = 1
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")

data/lib/action_view/helpers.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "active_support/benchmarkable"
 
 module ActionView #:nodoc:
@@ -11,6 +13,7 @@ module ActionView #:nodoc:
     autoload :CacheHelper
     autoload :CaptureHelper
     autoload :ControllerHelper
+    autoload :CspHelper
     autoload :CsrfHelper
     autoload :DateHelper
     autoload :DebugHelper
@@ -20,7 +23,6 @@ module ActionView #:nodoc:
     autoload :JavaScriptHelper, "action_view/helpers/javascript_helper"
     autoload :NumberHelper
     autoload :OutputSafetyHelper
-    autoload :RecordTagHelper
     autoload :RenderingHelper
     autoload :SanitizeHelper
     autoload :TagHelper
@@ -44,6 +46,7 @@ module ActionView #:nodoc:
     include CacheHelper
     include CaptureHelper
     include ControllerHelper
+    include CspHelper
     include CsrfHelper
     include DateHelper
     include DebugHelper
@@ -53,7 +56,6 @@ module ActionView #:nodoc:
     include JavaScriptHelper
     include NumberHelper
     include OutputSafetyHelper
-    include RecordTagHelper
     include RenderingHelper
     include SanitizeHelper
     include TagHelper

data/lib/action_view/helpers/active_model_helper.rb

@@ -1,9 +1,11 @@
+# frozen_string_literal: true
+
 require "active_support/core_ext/module/attribute_accessors"
 require "active_support/core_ext/enumerable"
 
 module ActionView
   # = Active Model Helpers
-  module Helpers
+  module Helpers #:nodoc:
     module ActiveModelHelper
     end
 
@@ -15,8 +17,8 @@ module ActionView
         end
       end
 
-      def content_tag(*)
-        error_wrapping(super)
+      def content_tag(type, options, *)
+        select_markup_helper?(type) ? super : error_wrapping(super)
       end
 
       def tag(type, options, *)
@@ -36,11 +38,14 @@ module ActionView
       end
 
       private
-
         def object_has_errors?
           object.respond_to?(:errors) && object.errors.respond_to?(:[]) && error_message.present?
         end
 
+        def select_markup_helper?(type)
+          ["optgroup", "option"].include?(type)
+        end
+
         def tag_generate_errors?(options)
           options["type"] != "hidden"
         end

data/lib/action_view/helpers/asset_tag_helper.rb

@@ -1,5 +1,8 @@
+# frozen_string_literal: true
+
 require "active_support/core_ext/array/extract_options"
 require "active_support/core_ext/hash/keys"
+require "active_support/core_ext/object/inclusion"
 require "action_view/helpers/asset_url_helper"
 require "action_view/helpers/tag_helper"
 
@@ -11,7 +14,7 @@ module ActionView
     # the assets exist before linking to them:
     #
     #   image_tag("rails.png")
-    #   # => <img alt="Rails" src="/assets/rails.png" />
+    #   # => <img src="/assets/rails.png" />
     #   stylesheet_link_tag("application")
     #   # => <link href="/assets/application.css?body=1" media="screen" rel="stylesheet" />
     module AssetTagHelper
@@ -20,13 +23,15 @@ module ActionView
       include AssetUrlHelper
       include TagHelper
 
+      mattr_accessor :preload_links_header
+
       # Returns an HTML script tag for each of the +sources+ provided.
       #
       # Sources may be paths to JavaScript files. Relative paths are assumed to be relative
       # to <tt>assets/javascripts</tt>, full paths are assumed to be relative to the document
       # root. Relative paths are idiomatic, use absolute paths only when needed.
       #
-      # When passing paths, the ".js" extension is optional.  If you do not want ".js"
+      # When passing paths, the ".js" extension is optional. If you do not want ".js"
       # appended to the path <tt>extname: false</tt> can be set on the options.
       #
       # You can modify the HTML attributes of the script tag by passing a hash as the
@@ -35,19 +40,24 @@ module ActionView
       # When the Asset Pipeline is enabled, you can pass the name of your manifest as
       # source, and include other JavaScript or CoffeeScript files inside the manifest.
       #
+      # If the server supports Early Hints header links for these assets will be
+      # automatically pushed.
+      #
       # ==== Options
       #
       # When the last parameter is a hash you can add HTML attributes using that
       # parameter. The following options are supported:
       #
-      # * <tt>:extname</tt>  - Append an extension to the generated url unless the extension
-      #   already exists. This only applies for relative urls.
-      # * <tt>:protocol</tt>  - Sets the protocol of the generated url, this option only
-      #   applies when a relative url and +host+ options are provided.
-      # * <tt>:host</tt>  - When a relative url is provided the host is added to the
+      # * <tt>:extname</tt>  - Append an extension to the generated URL unless the extension
+      #   already exists. This only applies for relative URLs.
+      # * <tt>:protocol</tt>  - Sets the protocol of the generated URL. This option only
+      #   applies when a relative URL and +host+ options are provided.
+      # * <tt>:host</tt>  - When a relative URL is provided the host is added to the
       #   that path.
       # * <tt>:skip_pipeline</tt>  - This option is used to bypass the asset pipeline
       #   when it is set to true.
+      # * <tt>:nonce</tt>  - When set to true, adds an automatic nonce value if
+      #   you have Content Security Policy enabled.
       #
       # ==== Examples
       #
@@ -72,15 +82,42 @@ module ActionView
       #
       #   javascript_include_tag "http://www.example.com/xmlhr.js"
       #   # => <script src="http://www.example.com/xmlhr.js"></script>
+      #
+      #   javascript_include_tag "http://www.example.com/xmlhr.js", nonce: true
+      #   # => <script src="http://www.example.com/xmlhr.js" nonce="..."></script>
       def javascript_include_tag(*sources)
         options = sources.extract_options!.stringify_keys
         path_options = options.extract!("protocol", "extname", "host", "skip_pipeline").symbolize_keys
-        sources.uniq.map { |source|
+        preload_links = []
+        nopush = options["nopush"].nil? ? true : options.delete("nopush")
+        crossorigin = options.delete("crossorigin")
+        crossorigin = "anonymous" if crossorigin == true
+        integrity = options["integrity"]
+
+        sources_tags = sources.uniq.map { |source|
+          href = path_to_javascript(source, path_options)
+          if preload_links_header && !options["defer"]
+            preload_link = "<#{href}>; rel=preload; as=script"
+            preload_link += "; crossorigin=#{crossorigin}" unless crossorigin.nil?
+            preload_link += "; integrity=#{integrity}" unless integrity.nil?
+            preload_link += "; nopush" if nopush
+            preload_links << preload_link
+          end
           tag_options = {
-            "src" => path_to_javascript(source, path_options)
+            "src" => href,
+            "crossorigin" => crossorigin
           }.merge!(options)
-          content_tag("script".freeze, "", tag_options)
+          if tag_options["nonce"] == true
+            tag_options["nonce"] = content_security_policy_nonce
+          end
+          content_tag("script", "", tag_options)
         }.join("\n").html_safe
+
+        if preload_links_header
+          send_preload_links_header(preload_links)
+        end
+
+        sources_tags
       end
 
       # Returns a stylesheet link tag for the sources specified as arguments. If
@@ -90,6 +127,9 @@ module ActionView
       # to "screen", so you must explicitly set it to "all" for the stylesheet(s) to
       # apply to all media types.
       #
+      # If the server supports Early Hints header links for these assets will be
+      # automatically pushed.
+      #
       #   stylesheet_link_tag "style"
       #   # => <link href="/assets/style.css" media="screen" rel="stylesheet" />
       #
@@ -111,20 +151,41 @@ module ActionView
       def stylesheet_link_tag(*sources)
         options = sources.extract_options!.stringify_keys
         path_options = options.extract!("protocol", "host", "skip_pipeline").symbolize_keys
-        sources.uniq.map { |source|
+        preload_links = []
+        crossorigin = options.delete("crossorigin")
+        crossorigin = "anonymous" if crossorigin == true
+        nopush = options["nopush"].nil? ? true : options.delete("nopush")
+        integrity = options["integrity"]
+
+        sources_tags = sources.uniq.map { |source|
+          href = path_to_stylesheet(source, path_options)
+          if preload_links_header
+            preload_link = "<#{href}>; rel=preload; as=style"
+            preload_link += "; crossorigin=#{crossorigin}" unless crossorigin.nil?
+            preload_link += "; integrity=#{integrity}" unless integrity.nil?
+            preload_link += "; nopush" if nopush
+            preload_links << preload_link
+          end
           tag_options = {
             "rel" => "stylesheet",
             "media" => "screen",
-            "href" => path_to_stylesheet(source, path_options)
+            "crossorigin" => crossorigin,
+            "href" => href
           }.merge!(options)
           tag(:link, tag_options)
         }.join("\n").html_safe
+
+        if preload_links_header
+          send_preload_links_header(preload_links)
+        end
+
+        sources_tags
       end
 
       # Returns a link tag that browsers and feed readers can use to auto-detect
-      # an RSS or Atom feed. The +type+ can either be <tt>:rss</tt> (default) or
-      # <tt>:atom</tt>. Control the link options in url_for format using the
-      # +url_options+. You can modify the LINK tag itself in +tag_options+.
+      # an RSS, Atom, or JSON feed. The +type+ can be <tt>:rss</tt> (default),
+      # <tt>:atom</tt>, or <tt>:json</tt>. Control the link options in url_for format
+      # using the +url_options+. You can modify the LINK tag itself in +tag_options+.
       #
       # ==== Options
       #
@@ -138,6 +199,8 @@ module ActionView
       #   # => <link rel="alternate" type="application/rss+xml" title="RSS" href="http://www.currenthost.com/controller/action" />
       #   auto_discovery_link_tag(:atom)
       #   # => <link rel="alternate" type="application/atom+xml" title="ATOM" href="http://www.currenthost.com/controller/action" />
+      #   auto_discovery_link_tag(:json)
+      #   # => <link rel="alternate" type="application/json" title="JSON" href="http://www.currenthost.com/controller/action" />
       #   auto_discovery_link_tag(:rss, {action: "feed"})
       #   # => <link rel="alternate" type="application/rss+xml" title="RSS" href="http://www.currenthost.com/controller/feed" />
       #   auto_discovery_link_tag(:rss, {action: "feed"}, {title: "My RSS"})
@@ -147,8 +210,8 @@ module ActionView
       #   auto_discovery_link_tag(:rss, "http://www.example.com/feed.rss", {title: "Example RSS"})
       #   # => <link rel="alternate" type="application/rss+xml" title="Example RSS" href="http://www.example.com/feed.rss" />
       def auto_discovery_link_tag(type = :rss, url_options = {}, tag_options = {})
-        if !(type == :rss || type == :atom) && tag_options[:type].blank?
-          raise ArgumentError.new("You should pass :type tag_option key explicitly, because you have passed #{type} type other than :rss or :atom.")
+        if !(type == :rss || type == :atom || type == :json) && tag_options[:type].blank?
+          raise ArgumentError.new("You should pass :type tag_option key explicitly, because you have passed #{type} type other than :rss, :atom, or :json.")
         end
 
         tag(
@@ -195,80 +258,143 @@ module ActionView
         }.merge!(options.symbolize_keys))
       end
 
+      # Returns a link tag that browsers can use to preload the +source+.
+      # The +source+ can be the path of a resource managed by asset pipeline,
+      # a full path, or an URI.
+      #
+      # ==== Options
+      #
+      # * <tt>:type</tt>  - Override the auto-generated mime type, defaults to the mime type for +source+ extension.
+      # * <tt>:as</tt>  - Override the auto-generated value for as attribute, calculated using +source+ extension and mime type.
+      # * <tt>:crossorigin</tt>  - Specify the crossorigin attribute, required to load cross-origin resources.
+      # * <tt>:nopush</tt>  - Specify if the use of server push is not desired for the resource. Defaults to +false+.
+      # * <tt>:integrity</tt> - Specify the integrity attribute.
+      #
+      # ==== Examples
+      #
+      #   preload_link_tag("custom_theme.css")
+      #   # => <link rel="preload" href="/assets/custom_theme.css" as="style" type="text/css" />
+      #
+      #   preload_link_tag("/videos/video.webm")
+      #   # => <link rel="preload" href="/videos/video.mp4" as="video" type="video/webm" />
+      #
+      #   preload_link_tag(post_path(format: :json), as: "fetch")
+      #   # => <link rel="preload" href="/posts.json" as="fetch" type="application/json" />
+      #
+      #   preload_link_tag("worker.js", as: "worker")
+      #   # => <link rel="preload" href="/assets/worker.js" as="worker" type="text/javascript" />
+      #
+      #   preload_link_tag("//example.com/font.woff2")
+      #   # => <link rel="preload" href="//example.com/font.woff2" as="font" type="font/woff2" crossorigin="anonymous"/>
+      #
+      #   preload_link_tag("//example.com/font.woff2", crossorigin: "use-credentials")
+      #   # => <link rel="preload" href="//example.com/font.woff2" as="font" type="font/woff2" crossorigin="use-credentials" />
+      #
+      #   preload_link_tag("/media/audio.ogg", nopush: true)
+      #   # => <link rel="preload" href="/media/audio.ogg" as="audio" type="audio/ogg" />
+      #
+      def preload_link_tag(source, options = {})
+        href = asset_path(source, skip_pipeline: options.delete(:skip_pipeline))
+        extname = File.extname(source).downcase.delete(".")
+        mime_type = options.delete(:type) || Template::Types[extname]&.to_s
+        as_type = options.delete(:as) || resolve_link_as(extname, mime_type)
+        crossorigin = options.delete(:crossorigin)
+        crossorigin = "anonymous" if crossorigin == true || (crossorigin.blank? && as_type == "font")
+        integrity = options[:integrity]
+        nopush = options.delete(:nopush) || false
+
+        link_tag = tag.link(**{
+          rel: "preload",
+          href: href,
+          as: as_type,
+          type: mime_type,
+          crossorigin: crossorigin
+        }.merge!(options.symbolize_keys))
+
+        preload_link = "<#{href}>; rel=preload; as=#{as_type}"
+        preload_link += "; type=#{mime_type}" if mime_type
+        preload_link += "; crossorigin=#{crossorigin}" if crossorigin
+        preload_link += "; integrity=#{integrity}" if integrity
+        preload_link += "; nopush" if nopush
+
+        send_preload_links_header([preload_link])
+
+        link_tag
+      end
+
       # Returns an HTML image tag for the +source+. The +source+ can be a full
-      # path or a file.
+      # path, a file, or an Active Storage attachment.
       #
       # ==== Options
       #
       # You can add HTML attributes using the +options+. The +options+ supports
-      # two additional keys for convenience and conformance:
+      # additional keys for convenience and conformance:
       #
-      # * <tt>:alt</tt>  - If no alt text is given, the file name part of the
-      #   +source+ is used (capitalized and without the extension)
       # * <tt>:size</tt> - Supplied as "{Width}x{Height}" or "{Number}", so "30x45" becomes
       #   width="30" and height="45", and "50" becomes width="50" and height="50".
       #   <tt>:size</tt> will be ignored if the value is not in the correct format.
+      # * <tt>:srcset</tt> - If supplied as a hash or array of <tt>[source, descriptor]</tt>
+      #   pairs, each image path will be expanded before the list is formatted as a string.
       #
       # ==== Examples
       #
+      # Assets (images that are part of your app):
+      #
       #   image_tag("icon")
-      #   # => <img alt="Icon" src="/assets/icon" />
+      #   # => <img src="/assets/icon" />
       #   image_tag("icon.png")
-      #   # => <img alt="Icon" src="/assets/icon.png" />
+      #   # => <img src="/assets/icon.png" />
       #   image_tag("icon.png", size: "16x10", alt: "Edit Entry")
       #   # => <img src="/assets/icon.png" width="16" height="10" alt="Edit Entry" />
       #   image_tag("/icons/icon.gif", size: "16")
-      #   # => <img src="/icons/icon.gif" width="16" height="16" alt="Icon" />
+      #   # => <img src="/icons/icon.gif" width="16" height="16" />
       #   image_tag("/icons/icon.gif", height: '32', width: '32')
-      #   # => <img alt="Icon" height="32" src="/icons/icon.gif" width="32" />
+      #   # => <img height="32" src="/icons/icon.gif" width="32" />
       #   image_tag("/icons/icon.gif", class: "menu_icon")
-      #   # => <img alt="Icon" class="menu_icon" src="/icons/icon.gif" />
+      #   # => <img class="menu_icon" src="/icons/icon.gif" />
       #   image_tag("/icons/icon.gif", data: { title: 'Rails Application' })
       #   # => <img data-title="Rails Application" src="/icons/icon.gif" />
+      #   image_tag("icon.png", srcset: { "icon_2x.png" => "2x", "icon_4x.png" => "4x" })
+      #   # => <img src="/assets/icon.png" srcset="/assets/icon_2x.png 2x, /assets/icon_4x.png 4x">
+      #   image_tag("pic.jpg", srcset: [["pic_1024.jpg", "1024w"], ["pic_1980.jpg", "1980w"]], sizes: "100vw")
+      #   # => <img src="/assets/pic.jpg" srcset="/assets/pic_1024.jpg 1024w, /assets/pic_1980.jpg 1980w" sizes="100vw">
+      #
+      # Active Storage blobs (images that are uploaded by the users of your app):
+      #
+      #   image_tag(user.avatar)
+      #   # => <img src="/rails/active_storage/blobs/.../tiger.jpg" />
+      #   image_tag(user.avatar.variant(resize_to_limit: [100, 100]))
+      #   # => <img src="/rails/active_storage/representations/.../tiger.jpg" />
+      #   image_tag(user.avatar.variant(resize_to_limit: [100, 100]), size: '100')
+      #   # => <img width="100" height="100" src="/rails/active_storage/representations/.../tiger.jpg" />
       def image_tag(source, options = {})
         options = options.symbolize_keys
         check_for_image_tag_errors(options)
+        skip_pipeline = options.delete(:skip_pipeline)
 
-        src = options[:src] = path_to_image(source, skip_pipeline: options.delete(:skip_pipeline))
+        options[:src] = resolve_image_source(source, skip_pipeline)
 
-        unless src.start_with?("cid:") || src.start_with?("data:") || src.blank?
-          options[:alt] = options.fetch(:alt) { image_alt(src) }
+        if options[:srcset] && !options[:srcset].is_a?(String)
+          options[:srcset] = options[:srcset].map do |src_path, size|
+            src_path = path_to_image(src_path, skip_pipeline: skip_pipeline)
+            "#{src_path} #{size}"
+          end.join(", ")
         end
 
         options[:width], options[:height] = extract_dimensions(options.delete(:size)) if options[:size]
         tag("img", options)
       end
 
-      # Returns a string suitable for an HTML image tag alt attribute.
-      # The +src+ argument is meant to be an image file path.
-      # The method removes the basename of the file path and the digest,
-      # if any. It also removes hyphens and underscores from file names and
-      # replaces them with spaces, returning a space-separated, titleized
-      # string.
-      #
-      # ==== Examples
-      #
-      #   image_alt('rails.png')
-      #   # => Rails
-      #
-      #   image_alt('hyphenated-file-name.png')
-      #   # => Hyphenated file name
-      #
-      #   image_alt('underscored_file_name.png')
-      #   # => Underscored file name
-      def image_alt(src)
-        File.basename(src, ".*".freeze).sub(/-[[:xdigit:]]{32,64}\z/, "".freeze).tr("-_".freeze, " ".freeze).capitalize
-      end
-
       # Returns an HTML video tag for the +sources+. If +sources+ is a string,
       # a single video tag will be returned. If +sources+ is an array, a video
       # tag with nested source tags for each source will be returned. The
-      # +sources+ can be full paths or files that exists in your public videos
+      # +sources+ can be full paths or files that exist in your public videos
       # directory.
       #
       # ==== Options
-      # You can add HTML attributes using the +options+. The +options+ supports
-      # two additional keys for convenience and conformance:
+      #
+      # When the last parameter is a hash you can add HTML attributes using that
+      # parameter. The following options are supported:
       #
       # * <tt>:poster</tt> - Set an image (like a screenshot) to be shown
       #   before the video loads. The path is calculated like the +src+ of +image_tag+.
@@ -285,7 +411,7 @@ module ActionView
       #   video_tag("trailer.ogg")
       #   # => <video src="/videos/trailer.ogg"></video>
       #   video_tag("trailer.ogg", controls: true, preload: 'none')
-      #   # => <video preload="none" controls="controls" src="/videos/trailer.ogg" ></video>
+      #   # => <video preload="none" controls="controls" src="/videos/trailer.ogg"></video>
       #   video_tag("trailer.m4v", size: "16x10", poster: "screenshot.png")
       #   # => <video src="/videos/trailer.m4v" width="16" height="10" poster="/assets/screenshot.png"></video>
       #   video_tag("trailer.m4v", size: "16x10", poster: "screenshot.png", poster_skip_pipeline: true)
@@ -312,9 +438,14 @@ module ActionView
         end
       end
 
-      # Returns an HTML audio tag for the +source+.
-      # The +source+ can be full path or file that exists in
-      # your public audios directory.
+      # Returns an HTML audio tag for the +sources+. If +sources+ is a string,
+      # a single audio tag will be returned. If +sources+ is an array, an audio
+      # tag with nested source tags for each source will be returned. The
+      # +sources+ can be full paths or files that exist in your public audios
+      # directory.
+      #
+      # When the last parameter is a hash you can add HTML attributes using that
+      # parameter.
       #
       #   audio_tag("sound")
       #   # => <audio src="/audios/sound"></audio>
@@ -346,6 +477,16 @@ module ActionView
           end
         end
 
+        def resolve_image_source(source, skip_pipeline)
+          if source.is_a?(Symbol) || source.is_a?(String)
+            path_to_image(source, skip_pipeline: skip_pipeline)
+          else
+            polymorphic_url(source)
+          end
+        rescue NoMethodError => e
+          raise ArgumentError, "Can't resolve image into URL: #{e}"
+        end
+
         def extract_dimensions(size)
           size = size.to_s
           if /\A\d+x\d+\z/.match?(size)
@@ -360,6 +501,28 @@ module ActionView
             raise ArgumentError, "Cannot pass a :size option with a :height or :width option"
           end
         end
+
+        def resolve_link_as(extname, mime_type)
+          if extname == "js"
+            "script"
+          elsif extname == "css"
+            "style"
+          elsif extname == "vtt"
+            "track"
+          elsif (type = mime_type.to_s.split("/")[0]) && type.in?(%w(audio video font))
+            type
+          end
+        end
+
+        def send_preload_links_header(preload_links)
+          if respond_to?(:request) && request
+            request.send_early_hints("Link" => preload_links.join("\n"))
+          end
+
+          if respond_to?(:response) && response
+            response.headers["Link"] = [response.headers["Link"].presence, *preload_links].compact.join(",")
+          end
+        end
     end
   end
 end