actionview 5.1.7 → 5.2.4.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 653bc5c6f534a3b66e9bc0517e1dae96591c0afc046eb4af21c2bfde0aa5436d
-  data.tar.gz: 3f6ac20820ff6a4d61dcf499bff23acf931f3a6ea65822720f63e0e522f1b77d
+  metadata.gz: 970fa5ee0784974b9e80c2704b8176f662061e74cb3130c239a17ceaf27039b2
+  data.tar.gz: 5e578501d9ec2274c1169fca0971b5fbb5aa7ac61a26feaa4583c7301ebdc4dc
 SHA512:
-  metadata.gz: c21cc5b6ec4a492a753325d9c732c9c8900ef7e07134bc259becbd040df51afd0ff3bb27141bcd9ac87c02537eae789161e7e5241f4bfadd230a29aabc3a36fa
-  data.tar.gz: dcd3864b5a9216b19021272876564be5170b6d3e6af094a0a744517d01d89c58629156e6b4a87ebf593e37ae2478eb6687e9e923fe675d22d740e555ea91e64e
+  metadata.gz: 711725496a5ac1db4cfd2dc2755b16d765db5a43a5c6876cacd36bf3ccc4e851ca5b8281729b5f4e3b958f1c692f5dd84fc065a78d49ab9df37abb5557bd7bb2
+  data.tar.gz: 2ca971038b23b0f5a82aff0912cd7ffd3f8f24033e14d23cbad00874f6ff216fd1b09768168464b207bc7a1192b782cc7cfc6a7bedb7fdfa032dbef368d7513f

data/CHANGELOG.md

@@ -1,306 +1,169 @@
-## Rails 5.1.7 (March 27, 2019) ##
+## Rails 5.2.4.3 (May 18, 2020) ##
 
-*   Fix issue with `button_to`'s `to_form_params`
+*   [CVE-2020-8167] Check that request is same-origin prior to including CSRF token in XHRs
 
-    `button_to` was throwing exception when invoked with `params` hash that
-    contains symbol and string keys. The reason for the exception was that
-    `to_form_params` was comparing the given symbol and string keys.
 
-    The issue is fixed by turning all keys to strings inside
-    `to_form_params` before comparing them.
-
-    *Georgi Georgiev*
-
-## Rails 5.1.6.2 (March 11, 2019) ##
+## Rails 5.2.4.1 (December 18, 2019) ##
 
 *   No changes.
 
 
-## Rails 5.1.6.1 (November 27, 2018) ##
-
-*   No changes.
+## Rails 5.2.4 (November 27, 2019) ##
 
+*   Allow programmatic click events to trigger Rails UJS click handlers.
+    Programmatic click events (eg. ones generated by `Rails.fire(link, "click")`) don't specify a button. These events were being incorrectly stopped by code meant to ignore scroll wheel and right clicks introduced in #34573.
 
-## Rails 5.1.6 (March 29, 2018) ##
+    *Sudara Williams*
 
-*   No changes.
 
+## Rails 5.2.3 (March 27, 2019) ##
 
-## Rails 5.1.5 (February 14, 2018) ##
-
-*   No changes.
+*   Prevent non-primary mouse keys from triggering Rails UJS click handlers.
+    Firefox fires click events even if the click was triggered by non-primary mouse keys such as right- or scroll-wheel-clicks.
+    For example, right-clicking a link such as the one described below (with an underlying ajax request registered on click) should not cause that request to occur.
 
+    ```
+    <%= link_to 'Remote', remote_path, class: 'remote', remote: true, data: { type: :json } %>
+    ```
 
-## Rails 5.1.4 (September 07, 2017) ##
+    Fixes #34541
 
-*   No changes.
+    *Wolfgang Hobmaier*
 
 
-## Rails 5.1.4.rc1 (August 24, 2017) ##
+## Rails 5.2.2.1 (March 11, 2019) ##
 
-*   No changes.
+*   Only accept formats from registered mime types
 
+    A lack of filtering on mime types could allow an attacker to read
+    arbitrary files on the target server or to perform a denial of service
+    attack.
 
-## Rails 5.1.3 (August 03, 2017) ##
+    Fixes CVE-2019-5418
+    Fixes CVE-2019-5419
 
-*   No changes.
+    *John Hawthorn*, *Eileen M. Uchitelle*, *Aaron Patterson*
 
 
-## Rails 5.1.3.rc3 (July 31, 2017) ##
+## Rails 5.2.2 (December 04, 2018) ##
 
 *   No changes.
 
 
-## Rails 5.1.3.rc2 (July 25, 2017) ##
+## Rails 5.2.1.1 (November 27, 2018) ##
 
 *   No changes.
 
 
-## Rails 5.1.3.rc1 (July 19, 2017) ##
+## Rails 5.2.1 (August 07, 2018) ##
 
-*   No changes.
-
-
-## Rails 5.1.2 (June 26, 2017) ##
+*   Fix leak of `skip_default_ids` and `allow_method_names_outside_object` options
+    to HTML attributes.
 
-*   Fix issues with scopes and engine on `current_page?` method. 
-    
-    Fixes #29401.
-    
-    *Nikita Savrov*
-    
-*   Generate field ids in `collection_check_boxes` and `collection_radio_buttons`.
-
-    This makes sure that the labels are linked up with the fields.
-
-    Fixes #29014.
-
-    *Yuji Yaginuma*
-
-*   Update distance_of_time_in_words helper to display better error messages
-    for bad input.
-
-    *Jay Hayes*
-
-
-## Rails 5.1.1 (May 12, 2017) ##
-
-*   No changes.
+    *Yurii Cherniavskyi*
 
+*   Fix issue with `button_to`'s `to_form_params`
 
-## Rails 5.1.0 (April 27, 2017) ##
+    `button_to` was throwing exception when invoked with `params` hash that
+    contains symbol and string keys. The reason for the exception was that
+    `to_form_params` was comparing the given symbol and string keys.
 
-*   Remove the option `encode_special_chars` misnomer from `strip_tags`
+    The issue is fixed by turning all keys to strings inside
+    `to_form_params` before comparing them.
 
-    As of rails-html-sanitizer v1.0.3, the sanitizer will ignore the
-    `encode_special_chars` option.
+    *Georgi Georgiev*
 
-    Fixes #28060.
+*   Fix JavaScript views rendering does not work with Firefox when using
+    Content Security Policy.
 
-    *Andrew Hood*
+    Fixes #32577.
 
-*   Change the ERB handler from Erubis to Erubi.
+    *Yuji Yaginuma*
 
-    Erubi is an Erubis fork that's svelte, simple, and currently maintained.
-    Plus it supports `--enable-frozen-string-literal` in Ruby 2.3+.
+*   Add the `nonce: true` option for `javascript_include_tag` helper to
+    support automatic nonce generation for Content Security Policy.
+    Works the same way as `javascript_tag nonce: true` does.
 
-    Compatibility: Drops support for `<%===` tags for debug output.
-    These were an unused, undocumented side effect of the Erubis
-    implementation.
+    *Yaroslav Markin*
 
-    Deprecation: The Erubis handler will be removed in Rails 5.2, for the
-    handful of folks using it directly.
 
-    *Jeremy Evans*
+## Rails 5.2.0 (April 09, 2018) ##
 
-*   Allow render locals to be assigned to instance variables in a view.
+*   Pass the `:skip_pipeline` option in `image_submit_tag` when calling `path_to_image`.
 
-    Fixes #27480.
+    Fixes #32248.
 
     *Andrew White*
 
-*   Add `check_parameters` option to `current_page?` which makes it more strict.
+*   Allow the use of callable objects as group methods for grouped selects.
 
-    *Maksym Pugach*
+    Until now, the `option_groups_from_collection_for_select` method was only able to
+    handle method names as `group_method` and `group_label_method` parameters,
+    it is now able to receive procs and other callable objects too.
 
-*   Return correct object name in form helper method after `fields_for`.
+    *Jérémie Bonal*
 
-    Fixes #26931.
+*   Add `preload_link_tag` helper.
 
-    *Yuji Yaginuma*
+    This helper that allows to the browser to initiate early fetch of resources
+    (different to the specified in `javascript_include_tag` and `stylesheet_link_tag`).
+    Additionally, this sends Early Hints if supported by browser.
 
-*   Use `ActionView::Resolver.caching?` (`config.action_view.cache_template_loading`)
-    to enable template recompilation.
+    *Guillermo Iguaran*
 
-    Before it was enabled by `consider_all_requests_local`, which caused
-    recompilation in tests.
+*   Change `form_with` to generates ids by default.
 
-    *Max Melentiev*
+    When `form_with` was introduced we disabled the automatic generation of ids
+    that was enabled in `form_for`. This usually is not an good idea since labels don't work
+    when the input doesn't have an id and it made harder to test with Capybara.
 
-*   Add `form_with` to unify `form_tag` and `form_for` usage.
+    You can still disable the automatic generation of ids setting `config.action_view.form_with_generates_ids`
+    to `false.`
 
-    Used like `form_tag` (where just the open tag is output):
+    *Nick Pezza*
 
-    ```erb
-    <%= form_with scope: :post, url: super_special_posts_path %>
-    ```
+*   Fix issues with `field_error_proc` wrapping `optgroup` and select divider `option`.
 
-    Used like `form_for`:
+    Fixes #31088
 
-    ```erb
-    <%= form_with model: @post do |form| %>
-      <%= form.text_field :title %>
-    <% end %>
-    ```
-
-    *Kasper Timm Hansen*, *Marek Kirejczyk*
-
-*   Add `fields` form helper method.
-
-    ```erb
-    <%= fields :comment, model: @comment do |fields| %>
-      <%= fields.text_field :title %>
-    <% end %>
-    ```
-
-    Can also be used within form helpers such as `form_with`.
+    *Matthias Neumayr*
 
-    *Kasper Timm Hansen*
-
-*   Removed deprecated `#original_exception` in `ActionView::Template::Error`.
+*   Remove deprecated Erubis ERB handler.
 
     *Rafael Mendonça França*
 
-*   Render now accepts any keys for locals, including reserved keywords.
-
-    Only locals with valid variable names get set directly. Others
-    will still be available in `local_assigns`.
-
-    Example of render with reserved keywords:
-
-    ```erb
-    <%= render "example", class: "text-center", message: "Hello world!" %>
-
-    <!-- _example.html.erb: -->
-    <%= tag.div class: local_assigns[:class] do %>
-      <p><%= message %></p>
-    <% end %>
-    ```
-
-    *Peter Schilling*, *Matthew Draper*
-
-*   Add `:skip_pipeline` option to several asset tag helpers
-
-    `javascript_include_tag`, `stylesheet_link_tag`, `favicon_link_tag`,
-    `image_tag` and `audio_tag` now accept a `:skip_pipeline` option which can
-    be set to true to bypass the asset pipeline and serve the assets from the
-    public folder.
-
-    *Richard Schneeman*
-
-*   Add `:poster_skip_pipeline` option to the `video_tag` helper
-
-    `video_tag` now accepts a `:poster_skip_pipeline` option which can be used
-    in combination with the `:poster` option to bypass the asset pipeline and
-    serve the poster image for the video from the public folder.
-
-    *Richard Schneeman*
-
-*   Show cache hits and misses when rendering partials.
-
-    Partials using the `cache` helper will show whether a render hit or missed
-    the cache:
-
-    ```
-    Rendered messages/_message.html.erb in 1.2 ms [cache hit]
-    Rendered recordings/threads/_thread.html.erb in 1.5 ms [cache miss]
-    ```
-
-    This removes the need for the old fragment cache logging:
-
-    ```
-    Read fragment views/v1/2914079/v1/2914079/recordings/70182313-20160225015037000000/d0bdf2974e1ef6d31685c3b392ad0b74 (0.6ms)
-    Rendered messages/_message.html.erb in 1.2 ms [cache hit]
-    Write fragment views/v1/2914079/v1/2914079/recordings/70182313-20160225015037000000/3b4e249ac9d168c617e32e84b99218b5 (1.1ms)
-    Rendered recordings/threads/_thread.html.erb in 1.5 ms [cache miss]
-    ```
-
-    Though that full output can be reenabled with
-    `config.action_controller.enable_fragment_cache_logging = true`.
-
-    *Stan Lo*
-
-*   Changed partial rendering with a collection to allow collections which
-    implement `to_a`.
-
-    Extracting the collection option had an optimization to avoid unnecessary
-    queries of ActiveRecord Relations by calling `#to_ary` on the given
-    collection. Instances of `Enumerator` or `Enumerable` are valid
-    collections, but they do not implement `#to_ary`. By changing this to
-    `#to_a`, they will now be extracted and rendered as expected.
-
-    *Steven Harman*
-
-*   New syntax for tag helpers. Avoid positional parameters and support HTML5 by default.
-    Example usage of tag helpers before:
-
-    ```ruby
-    tag(:br, nil, true)
-    content_tag(:div, content_tag(:p, "Hello world!"), class: "strong")
-
-    <%= content_tag :div, class: "strong" do -%>
-      Hello world!
-    <% end -%>
-    ```
+*   Remove default `alt` text generation.
 
-    Example usage of tag helpers after:
+    Fixes #30096
 
-    ```ruby
-    tag.br
-    tag.div tag.p("Hello world!"), class: "strong"
+    *Cameron Cundiff*
 
-    <%= tag.div class: "strong" do %>
-      Hello world!
-    <% end %>
-    ```
+*   Add `srcset` option to `image_tag` helper.
 
-    *Marek Kirejczyk*, *Kasper Timm Hansen*
+    *Roberto Miranda*
 
-*   Change `datetime_field` and `datetime_field_tag` to generate `datetime-local` fields.
+*   Fix issues with scopes and engine on `current_page?` method.
 
-    As a new specification of the HTML 5 the text field type `datetime` will no longer exist
-    and it is recommended to use `datetime-local`.
-    Ref: https://html.spec.whatwg.org/multipage/forms.html#local-date-and-time-state-(type=datetime-local)
+    Fixes #29401.
 
-    *Herminio Torres*
+    *Nikita Savrov*
 
-*   Raw template handler (which is also the default template handler in Rails 5) now outputs
-    HTML-safe strings.
+*   Generate field ids in `collection_check_boxes` and `collection_radio_buttons`.
 
-    In Rails 5 the default template handler was changed to the raw template handler. Because
-    the ERB template handler escaped strings by default this broke some applications that
-    expected plain JS or HTML files to be rendered unescaped. This fixes the issue caused
-    by changing the default handler by changing the Raw template handler to output HTML-safe
-    strings.
+    This makes sure that the labels are linked up with the fields.
 
-    *Eileen M. Uchitelle*
+    Fixes #29014.
 
-*   `select_tag`'s `include_blank` option for generation for blank option tag, now adds an empty space label,
-     when the value as well as content for option tag are empty, so that we conform with html specification.
-     Ref: https://www.w3.org/TR/html5/forms.html#the-option-element.
+    *Yuji Yaginuma*
 
-    Generation of option before:
+*   Add `:json` type to `auto_discovery_link_tag` to support [JSON Feeds](https://jsonfeed.org/version/1).
 
-    ```html
-    <option value=""></option>
-    ```
+    *Mike Gunderloy*
 
-    Generation of option after:
+*   Update `distance_of_time_in_words` helper to display better error messages
+    for bad input.
 
-    ```html
-    <option value="" label=" "></option>
-    ```
+    *Jay Hayes*
 
-    *Vipul A M*
 
-Please check [5-0-stable](https://github.com/rails/rails/blob/5-0-stable/actionview/CHANGELOG.md) for previous changes.
+Please check [5-1-stable](https://github.com/rails/rails/blob/5-1-stable/actionview/CHANGELOG.md) for previous changes.

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2004-2017 David Heinemeier Hansson
+Copyright (c) 2004-2018 David Heinemeier Hansson
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.rdoc

@@ -11,16 +11,16 @@ The latest version of Action View can be installed with RubyGems:
 
   $ gem install actionview
 
-Source code can be downloaded as part of the Rails project on GitHub
+Source code can be downloaded as part of the Rails project on GitHub:
 
-* https://github.com/rails/rails/tree/master/actionview
+* https://github.com/rails/rails/tree/5-2-stable/actionview
 
 
 == License
 
 Action View is released under the MIT license:
 
-* http://www.opensource.org/licenses/MIT
+* https://opensource.org/licenses/MIT
 
 
 == Support
@@ -29,7 +29,7 @@ API documentation is at
 
 * http://api.rubyonrails.org
 
-Bug reports can be filed for the Ruby on Rails project here:
+Bug reports for the Ruby on Rails project can be filed here:
 
 * https://github.com/rails/rails/issues
 

data/lib/action_view.rb

@@ -1,5 +1,7 @@
+# frozen_string_literal: true
+
 #--
-# Copyright (c) 2004-2017 David Heinemeier Hansson
+# Copyright (c) 2004-2018 David Heinemeier Hansson
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the
@@ -74,7 +76,6 @@ module ActionView
       autoload :MissingTemplate
       autoload :ActionViewError
       autoload :EncodingError
-      autoload :MissingRequestError
       autoload :TemplateError
       autoload :WrongEncodingError
     end
@@ -92,5 +93,5 @@ end
 require "active_support/core_ext/string/output_safety"
 
 ActiveSupport.on_load(:i18n) do
-  I18n.load_path << "#{File.dirname(__FILE__)}/action_view/locale/en.yml"
+  I18n.load_path << File.expand_path("action_view/locale/en.yml", __dir__)
 end