actionview 5.1.7 → 5.2.8.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 653bc5c6f534a3b66e9bc0517e1dae96591c0afc046eb4af21c2bfde0aa5436d
-  data.tar.gz: 3f6ac20820ff6a4d61dcf499bff23acf931f3a6ea65822720f63e0e522f1b77d
+  metadata.gz: 4a732cbd8a2b766ebf37e375ffd2f97c71760de86cb46d9a70702896d07aeb73
+  data.tar.gz: d76fb4ed63f24c3e6b09b576fe3b945b7eb436059cb703e241da7d7d9343cf90
 SHA512:
-  metadata.gz: c21cc5b6ec4a492a753325d9c732c9c8900ef7e07134bc259becbd040df51afd0ff3bb27141bcd9ac87c02537eae789161e7e5241f4bfadd230a29aabc3a36fa
-  data.tar.gz: dcd3864b5a9216b19021272876564be5170b6d3e6af094a0a744517d01d89c58629156e6b4a87ebf593e37ae2478eb6687e9e923fe675d22d740e555ea91e64e
+  metadata.gz: 69feb0b2c271b42c17c0bc55d0cee3f857aa4a177fe9e27edaf9a5cc101b2a92b5eb0cb678d89c7ea1f40fa1a1c28a6288c2ee9e5dee16db0859777259fce137
+  data.tar.gz: a04fc509175c93512d6517742c283d617749b1498a422c05a6ab02da17ce0042e33011176c83b97e48638f7e2750921d04fd8855bbfb6fc29a1cb1bbbd63bf8b

data/CHANGELOG.md

@@ -1,306 +1,247 @@
-## Rails 5.1.7 (March 27, 2019) ##
+## Rails 5.2.8.1 (July 12, 2022) ##
 
-*   Fix issue with `button_to`'s `to_form_params`
+*   No changes.
 
-    `button_to` was throwing exception when invoked with `params` hash that
-    contains symbol and string keys. The reason for the exception was that
-    `to_form_params` was comparing the given symbol and string keys.
 
-    The issue is fixed by turning all keys to strings inside
-    `to_form_params` before comparing them.
+## Rails 5.2.8 (May 09, 2022) ##
 
-    *Georgi Georgiev*
+*   No changes.
 
-## Rails 5.1.6.2 (March 11, 2019) ##
 
-*   No changes.
+## Rails 5.2.7.1 (April 26, 2022) ##
 
+*   Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
 
-## Rails 5.1.6.1 (November 27, 2018) ##
+    Escape dangerous characters in names of tags and names of attributes in the
+    tag helpers, following the XML specification. Rename the option
+    `:escape_attributes` to `:escape`, to simplify by applying the option to the
+    whole tag.
 
-*   No changes.
+    *Álvaro Martín Fraguas*
 
 
-## Rails 5.1.6 (March 29, 2018) ##
+## Rails 5.2.7 (March 10, 2022) ##
 
 *   No changes.
 
 
-## Rails 5.1.5 (February 14, 2018) ##
+## Rails 5.2.6.3 (March 08, 2022) ##
 
 *   No changes.
 
 
-## Rails 5.1.4 (September 07, 2017) ##
+## Rails 5.2.6.2 (February 11, 2022) ##
 
 *   No changes.
 
 
-## Rails 5.1.4.rc1 (August 24, 2017) ##
+## Rails 5.2.6.1 (February 11, 2022) ##
 
 *   No changes.
 
 
-## Rails 5.1.3 (August 03, 2017) ##
+## Rails 5.2.6 (May 05, 2021) ##
 
 *   No changes.
 
 
-## Rails 5.1.3.rc3 (July 31, 2017) ##
+## Rails 5.2.5 (March 26, 2021) ##
 
 *   No changes.
 
 
-## Rails 5.1.3.rc2 (July 25, 2017) ##
+## Rails 5.2.4.6 (May 05, 2021) ##
 
 *   No changes.
 
 
-## Rails 5.1.3.rc1 (July 19, 2017) ##
+## Rails 5.2.4.5 (February 10, 2021) ##
 
 *   No changes.
 
 
-## Rails 5.1.2 (June 26, 2017) ##
+## Rails 5.2.4.4 (September 09, 2020) ##
 
-*   Fix issues with scopes and engine on `current_page?` method. 
-    
-    Fixes #29401.
-    
-    *Nikita Savrov*
-    
-*   Generate field ids in `collection_check_boxes` and `collection_radio_buttons`.
+*   [CVE-2020-15169] Fix potential XSS vulnerability in the `translate`/`t` helper
 
-    This makes sure that the labels are linked up with the fields.
+    *Jonathan Hefner*
 
-    Fixes #29014.
 
-    *Yuji Yaginuma*
+## Rails 5.2.4.3 (May 18, 2020) ##
 
-*   Update distance_of_time_in_words helper to display better error messages
-    for bad input.
+*   [CVE-2020-8167] Check that request is same-origin prior to including CSRF token in XHRs
 
-    *Jay Hayes*
 
+## Rails 5.2.4.2 (March 19, 2020) ##
 
-## Rails 5.1.1 (May 12, 2017) ##
+*   Fix possible XSS vector in `escape_javascript` helper
 
-*   No changes.
+    CVE-2020-5267
 
+    *Aaron Patterson*
 
-## Rails 5.1.0 (April 27, 2017) ##
 
-*   Remove the option `encode_special_chars` misnomer from `strip_tags`
+## Rails 5.2.4.1 (December 18, 2019) ##
 
-    As of rails-html-sanitizer v1.0.3, the sanitizer will ignore the
-    `encode_special_chars` option.
+*   No changes.
 
-    Fixes #28060.
 
-    *Andrew Hood*
+## Rails 5.2.4 (November 27, 2019) ##
 
-*   Change the ERB handler from Erubis to Erubi.
+*   Allow programmatic click events to trigger Rails UJS click handlers.
+    Programmatic click events (eg. ones generated by `Rails.fire(link, "click")`) don't specify a button. These events were being incorrectly stopped by code meant to ignore scroll wheel and right clicks introduced in #34573.
 
-    Erubi is an Erubis fork that's svelte, simple, and currently maintained.
-    Plus it supports `--enable-frozen-string-literal` in Ruby 2.3+.
+    *Sudara Williams*
 
-    Compatibility: Drops support for `<%===` tags for debug output.
-    These were an unused, undocumented side effect of the Erubis
-    implementation.
 
-    Deprecation: The Erubis handler will be removed in Rails 5.2, for the
-    handful of folks using it directly.
+## Rails 5.2.3 (March 27, 2019) ##
 
-    *Jeremy Evans*
+*   Prevent non-primary mouse keys from triggering Rails UJS click handlers.
+    Firefox fires click events even if the click was triggered by non-primary mouse keys such as right- or scroll-wheel-clicks.
+    For example, right-clicking a link such as the one described below (with an underlying ajax request registered on click) should not cause that request to occur.
 
-*   Allow render locals to be assigned to instance variables in a view.
+    ```
+    <%= link_to 'Remote', remote_path, class: 'remote', remote: true, data: { type: :json } %>
+    ```
 
-    Fixes #27480.
+    Fixes #34541
 
-    *Andrew White*
+    *Wolfgang Hobmaier*
 
-*   Add `check_parameters` option to `current_page?` which makes it more strict.
 
-    *Maksym Pugach*
+## Rails 5.2.2.1 (March 11, 2019) ##
 
-*   Return correct object name in form helper method after `fields_for`.
+*   Only accept formats from registered mime types
 
-    Fixes #26931.
+    A lack of filtering on mime types could allow an attacker to read
+    arbitrary files on the target server or to perform a denial of service
+    attack.
 
-    *Yuji Yaginuma*
+    Fixes CVE-2019-5418
+    Fixes CVE-2019-5419
 
-*   Use `ActionView::Resolver.caching?` (`config.action_view.cache_template_loading`)
-    to enable template recompilation.
+    *John Hawthorn*, *Eileen M. Uchitelle*, *Aaron Patterson*
 
-    Before it was enabled by `consider_all_requests_local`, which caused
-    recompilation in tests.
 
-    *Max Melentiev*
+## Rails 5.2.2 (December 04, 2018) ##
 
-*   Add `form_with` to unify `form_tag` and `form_for` usage.
+*   No changes.
 
-    Used like `form_tag` (where just the open tag is output):
 
-    ```erb
-    <%= form_with scope: :post, url: super_special_posts_path %>
-    ```
+## Rails 5.2.1.1 (November 27, 2018) ##
 
-    Used like `form_for`:
+*   No changes.
 
-    ```erb
-    <%= form_with model: @post do |form| %>
-      <%= form.text_field :title %>
-    <% end %>
-    ```
 
-    *Kasper Timm Hansen*, *Marek Kirejczyk*
+## Rails 5.2.1 (August 07, 2018) ##
 
-*   Add `fields` form helper method.
+*   Fix leak of `skip_default_ids` and `allow_method_names_outside_object` options
+    to HTML attributes.
 
-    ```erb
-    <%= fields :comment, model: @comment do |fields| %>
-      <%= fields.text_field :title %>
-    <% end %>
-    ```
+    *Yurii Cherniavskyi*
 
-    Can also be used within form helpers such as `form_with`.
+*   Fix issue with `button_to`'s `to_form_params`
 
-    *Kasper Timm Hansen*
+    `button_to` was throwing exception when invoked with `params` hash that
+    contains symbol and string keys. The reason for the exception was that
+    `to_form_params` was comparing the given symbol and string keys.
 
-*   Removed deprecated `#original_exception` in `ActionView::Template::Error`.
+    The issue is fixed by turning all keys to strings inside
+    `to_form_params` before comparing them.
 
-    *Rafael Mendonça França*
+    *Georgi Georgiev*
 
-*   Render now accepts any keys for locals, including reserved keywords.
+*   Fix JavaScript views rendering does not work with Firefox when using
+    Content Security Policy.
 
-    Only locals with valid variable names get set directly. Others
-    will still be available in `local_assigns`.
+    Fixes #32577.
 
-    Example of render with reserved keywords:
+    *Yuji Yaginuma*
 
-    ```erb
-    <%= render "example", class: "text-center", message: "Hello world!" %>
+*   Add the `nonce: true` option for `javascript_include_tag` helper to
+    support automatic nonce generation for Content Security Policy.
+    Works the same way as `javascript_tag nonce: true` does.
 
-    <!-- _example.html.erb: -->
-    <%= tag.div class: local_assigns[:class] do %>
-      <p><%= message %></p>
-    <% end %>
-    ```
+    *Yaroslav Markin*
 
-    *Peter Schilling*, *Matthew Draper*
 
-*   Add `:skip_pipeline` option to several asset tag helpers
+## Rails 5.2.0 (April 09, 2018) ##
 
-    `javascript_include_tag`, `stylesheet_link_tag`, `favicon_link_tag`,
-    `image_tag` and `audio_tag` now accept a `:skip_pipeline` option which can
-    be set to true to bypass the asset pipeline and serve the assets from the
-    public folder.
+*   Pass the `:skip_pipeline` option in `image_submit_tag` when calling `path_to_image`.
 
-    *Richard Schneeman*
+    Fixes #32248.
 
-*   Add `:poster_skip_pipeline` option to the `video_tag` helper
+    *Andrew White*
 
-    `video_tag` now accepts a `:poster_skip_pipeline` option which can be used
-    in combination with the `:poster` option to bypass the asset pipeline and
-    serve the poster image for the video from the public folder.
+*   Allow the use of callable objects as group methods for grouped selects.
 
-    *Richard Schneeman*
+    Until now, the `option_groups_from_collection_for_select` method was only able to
+    handle method names as `group_method` and `group_label_method` parameters,
+    it is now able to receive procs and other callable objects too.
 
-*   Show cache hits and misses when rendering partials.
+    *Jérémie Bonal*
 
-    Partials using the `cache` helper will show whether a render hit or missed
-    the cache:
+*   Add `preload_link_tag` helper.
 
-    ```
-    Rendered messages/_message.html.erb in 1.2 ms [cache hit]
-    Rendered recordings/threads/_thread.html.erb in 1.5 ms [cache miss]
-    ```
+    This helper that allows to the browser to initiate early fetch of resources
+    (different to the specified in `javascript_include_tag` and `stylesheet_link_tag`).
+    Additionally, this sends Early Hints if supported by browser.
 
-    This removes the need for the old fragment cache logging:
+    *Guillermo Iguaran*
 
-    ```
-    Read fragment views/v1/2914079/v1/2914079/recordings/70182313-20160225015037000000/d0bdf2974e1ef6d31685c3b392ad0b74 (0.6ms)
-    Rendered messages/_message.html.erb in 1.2 ms [cache hit]
-    Write fragment views/v1/2914079/v1/2914079/recordings/70182313-20160225015037000000/3b4e249ac9d168c617e32e84b99218b5 (1.1ms)
-    Rendered recordings/threads/_thread.html.erb in 1.5 ms [cache miss]
-    ```
+*   Change `form_with` to generates ids by default.
 
-    Though that full output can be reenabled with
-    `config.action_controller.enable_fragment_cache_logging = true`.
+    When `form_with` was introduced we disabled the automatic generation of ids
+    that was enabled in `form_for`. This usually is not an good idea since labels don't work
+    when the input doesn't have an id and it made harder to test with Capybara.
 
-    *Stan Lo*
+    You can still disable the automatic generation of ids setting `config.action_view.form_with_generates_ids`
+    to `false.`
 
-*   Changed partial rendering with a collection to allow collections which
-    implement `to_a`.
+    *Nick Pezza*
 
-    Extracting the collection option had an optimization to avoid unnecessary
-    queries of ActiveRecord Relations by calling `#to_ary` on the given
-    collection. Instances of `Enumerator` or `Enumerable` are valid
-    collections, but they do not implement `#to_ary`. By changing this to
-    `#to_a`, they will now be extracted and rendered as expected.
+*   Fix issues with `field_error_proc` wrapping `optgroup` and select divider `option`.
 
-    *Steven Harman*
+    Fixes #31088
 
-*   New syntax for tag helpers. Avoid positional parameters and support HTML5 by default.
-    Example usage of tag helpers before:
+    *Matthias Neumayr*
 
-    ```ruby
-    tag(:br, nil, true)
-    content_tag(:div, content_tag(:p, "Hello world!"), class: "strong")
+*   Remove deprecated Erubis ERB handler.
 
-    <%= content_tag :div, class: "strong" do -%>
-      Hello world!
-    <% end -%>
-    ```
+    *Rafael Mendonça França*
 
-    Example usage of tag helpers after:
+*   Remove default `alt` text generation.
 
-    ```ruby
-    tag.br
-    tag.div tag.p("Hello world!"), class: "strong"
+    Fixes #30096
 
-    <%= tag.div class: "strong" do %>
-      Hello world!
-    <% end %>
-    ```
+    *Cameron Cundiff*
 
-    *Marek Kirejczyk*, *Kasper Timm Hansen*
+*   Add `srcset` option to `image_tag` helper.
 
-*   Change `datetime_field` and `datetime_field_tag` to generate `datetime-local` fields.
+    *Roberto Miranda*
 
-    As a new specification of the HTML 5 the text field type `datetime` will no longer exist
-    and it is recommended to use `datetime-local`.
-    Ref: https://html.spec.whatwg.org/multipage/forms.html#local-date-and-time-state-(type=datetime-local)
+*   Fix issues with scopes and engine on `current_page?` method.
 
-    *Herminio Torres*
+    Fixes #29401.
 
-*   Raw template handler (which is also the default template handler in Rails 5) now outputs
-    HTML-safe strings.
+    *Nikita Savrov*
+
+*   Generate field ids in `collection_check_boxes` and `collection_radio_buttons`.
 
-    In Rails 5 the default template handler was changed to the raw template handler. Because
-    the ERB template handler escaped strings by default this broke some applications that
-    expected plain JS or HTML files to be rendered unescaped. This fixes the issue caused
-    by changing the default handler by changing the Raw template handler to output HTML-safe
-    strings.
+    This makes sure that the labels are linked up with the fields.
 
-    *Eileen M. Uchitelle*
+    Fixes #29014.
 
-*   `select_tag`'s `include_blank` option for generation for blank option tag, now adds an empty space label,
-     when the value as well as content for option tag are empty, so that we conform with html specification.
-     Ref: https://www.w3.org/TR/html5/forms.html#the-option-element.
+    *Yuji Yaginuma*
 
-    Generation of option before:
+*   Add `:json` type to `auto_discovery_link_tag` to support [JSON Feeds](https://jsonfeed.org/version/1).
 
-    ```html
-    <option value=""></option>
-    ```
+    *Mike Gunderloy*
 
-    Generation of option after:
+*   Update `distance_of_time_in_words` helper to display better error messages
+    for bad input.
 
-    ```html
-    <option value="" label=" "></option>
-    ```
+    *Jay Hayes*
 
-    *Vipul A M*
 
-Please check [5-0-stable](https://github.com/rails/rails/blob/5-0-stable/actionview/CHANGELOG.md) for previous changes.
+Please check [5-1-stable](https://github.com/rails/rails/blob/5-1-stable/actionview/CHANGELOG.md) for previous changes.

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2004-2017 David Heinemeier Hansson
+Copyright (c) 2004-2018 David Heinemeier Hansson
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.rdoc

@@ -11,16 +11,16 @@ The latest version of Action View can be installed with RubyGems:
 
   $ gem install actionview
 
-Source code can be downloaded as part of the Rails project on GitHub
+Source code can be downloaded as part of the Rails project on GitHub:
 
-* https://github.com/rails/rails/tree/master/actionview
+* https://github.com/rails/rails/tree/5-2-stable/actionview
 
 
 == License
 
 Action View is released under the MIT license:
 
-* http://www.opensource.org/licenses/MIT
+* https://opensource.org/licenses/MIT
 
 
 == Support
@@ -29,7 +29,7 @@ API documentation is at
 
 * http://api.rubyonrails.org
 
-Bug reports can be filed for the Ruby on Rails project here:
+Bug reports for the Ruby on Rails project can be filed here:
 
 * https://github.com/rails/rails/issues
 

data/lib/action_view/base.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "active_support/core_ext/module/attr_internal"
 require "active_support/core_ext/module/attribute_accessors"
 require "active_support/ordered_options"
@@ -140,30 +142,25 @@ module ActionView #:nodoc:
     include Helpers, ::ERB::Util, Context
 
     # Specify the proc used to decorate input tags that refer to attributes with errors.
-    cattr_accessor :field_error_proc
-    @@field_error_proc = Proc.new { |html_tag, instance| "<div class=\"field_with_errors\">#{html_tag}</div>".html_safe }
+    cattr_accessor :field_error_proc, default: Proc.new { |html_tag, instance| "<div class=\"field_with_errors\">#{html_tag}</div>".html_safe }
 
     # How to complete the streaming when an exception occurs.
     # This is our best guess: first try to close the attribute, then the tag.
-    cattr_accessor :streaming_completion_on_exception
-    @@streaming_completion_on_exception = %("><script>window.location = "/500.html"</script></html>)
+    cattr_accessor :streaming_completion_on_exception, default: %("><script>window.location = "/500.html"</script></html>)
 
     # Specify whether rendering within namespaced controllers should prefix
     # the partial paths for ActiveModel objects with the namespace.
     # (e.g., an Admin::PostsController would render @post using /admin/posts/_post.erb)
-    cattr_accessor :prefix_partial_path_with_controller_namespace
-    @@prefix_partial_path_with_controller_namespace = true
+    cattr_accessor :prefix_partial_path_with_controller_namespace, default: true
 
     # Specify default_formats that can be rendered.
     cattr_accessor :default_formats
 
     # Specify whether an error should be raised for missing translations
-    cattr_accessor :raise_on_missing_translations
-    @@raise_on_missing_translations = false
+    cattr_accessor :raise_on_missing_translations, default: false
 
     # Specify whether submit_tag should automatically disable on click
-    cattr_accessor :automatically_disable_submit_tag
-    @@automatically_disable_submit_tag = true
+    cattr_accessor :automatically_disable_submit_tag, default: true
 
     class_attribute :_routes
     class_attribute :logger
@@ -207,6 +204,7 @@ module ActionView #:nodoc:
         @view_renderer = ActionView::Renderer.new(lookup_context)
       end
 
+      @cache_hit = {}
       assign(assigns)
       assign_controller(controller)
       _prepare_context

data/lib/action_view/buffers.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "active_support/core_ext/string/output_safety"
 
 module ActionView

data/lib/action_view/context.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ActionView
   module CompiledTemplates #:nodoc:
     # holds compiled template code
@@ -17,7 +19,6 @@ module ActionView
     attr_accessor :output_buffer, :view_flow
 
     # Prepares the context by setting the appropriate instance variables.
-    # :api: plugin
     def _prepare_context
       @view_flow     = OutputFlow.new
       @output_buffer = nil
@@ -27,7 +28,6 @@ module ActionView
     # Encapsulates the interaction with the view flow so it
     # returns the correct buffer on +yield+. This is usually
     # overwritten by helpers to add more behavior.
-    # :api: plugin
     def _layout_for(name = nil)
       name ||= :layout
       view_flow.get(name).html_safe

data/lib/action_view/dependency_tracker.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "concurrent/map"
 require "action_view/path_set"
 

data/lib/action_view/digestor.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "concurrent/map"
 require "action_view/dependency_tracker"
 require "monitor"
@@ -68,13 +70,11 @@ module ActionView
       end
 
       private
-        def find_template(finder, *args)
+        def find_template(finder, name, prefixes, partial, keys)
           finder.disable_cache do
-            if format = finder.rendered_format
-              finder.find_all(*args, formats: [format]).first || finder.find_all(*args).first
-            else
-              finder.find_all(*args).first
-            end
+            format = finder.rendered_format
+            result = finder.find_all(name, prefixes, partial, keys, formats: [format]).first if format
+            result || finder.find_all(name, prefixes, partial, keys).first
           end
         end
     end
@@ -95,7 +95,7 @@ module ActionView
       end
 
       def digest(finder, stack = [])
-        Digest::MD5.hexdigest("#{template.source}-#{dependency_digest(finder, stack)}")
+        ActiveSupport::Digest.hexdigest("#{template.source}-#{dependency_digest(finder, stack)}")
       end
 
       def dependency_digest(finder, stack)

data/lib/action_view/flows.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "active_support/core_ext/string/output_safety"
 
 module ActionView

data/lib/action_view/gem_version.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ActionView
   # Returns the version of the currently loaded Action View as a <tt>Gem::Version</tt>
   def self.gem_version
@@ -6,9 +8,9 @@ module ActionView
 
   module VERSION
     MAJOR = 5
-    MINOR = 1
-    TINY  = 7
-    PRE   = nil
+    MINOR = 2
+    TINY  = 8
+    PRE   = "1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

data/lib/action_view/helpers/active_model_helper.rb

@@ -1,9 +1,11 @@
+# frozen_string_literal: true
+
 require "active_support/core_ext/module/attribute_accessors"
 require "active_support/core_ext/enumerable"
 
 module ActionView
   # = Active Model Helpers
-  module Helpers
+  module Helpers #:nodoc:
     module ActiveModelHelper
     end
 
@@ -15,8 +17,8 @@ module ActionView
         end
       end
 
-      def content_tag(*)
-        error_wrapping(super)
+      def content_tag(type, options, *)
+        select_markup_helper?(type) ? super : error_wrapping(super)
       end
 
       def tag(type, options, *)
@@ -41,6 +43,10 @@ module ActionView
           object.respond_to?(:errors) && object.errors.respond_to?(:[]) && error_message.present?
         end
 
+        def select_markup_helper?(type)
+          ["optgroup", "option"].include?(type)
+        end
+
         def tag_generate_errors?(options)
           options["type"] != "hidden"
         end