actionview 5.2.3 → 6.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: afb542680a6bdea85297d58343a24da1754f7893189439ead02c8b566de24d27
-  data.tar.gz: 53438d080b42df0f88a29b45f9f2a4dfb2afa1129dbe366a612bf47c25645fea
+  metadata.gz: '09307c25b4aca33f07c78f0eb2b2e1dcb83316272272340495d9bdb71200b66c'
+  data.tar.gz: c721b0700848cd657d418b9369ce575abfc12205e764cbdd04aa4f23320b80be
 SHA512:
-  metadata.gz: 985967fad7c02691fca261d82a25bf1b409071c5ee422127bec7bde426b03a8bac3024736861149c8aa4a80de0240e393c4e98b18f52c2041bbe16223d409f59
-  data.tar.gz: b5965f912d6ef4a64764370c17adc1f24bdc960fb8a4e549930d54f2d708dde433a1e9495f35d5fbbc66c3e5bee57d66a3b42107fada1bd708d1201cb657d04e
+  metadata.gz: acd68ab05735381289baf92c2895b30dc73b8e25e36ea9b5496104e66d46d630e352785750518404da5c71cade47b8987effe98fcc7e35d6d108dfba51bb2b4f
+  data.tar.gz: d6e8f0d10ff2d4048c7ad3469584153f6faf284853b7f1afd191dbd3b3b469295855655c5ac59b986c52a894a7c774d11f0a09e747a492ad6d3b0e5edfb0bf27

data/CHANGELOG.md

@@ -1,4 +1,98 @@
-## Rails 5.2.3 (March 27, 2019) ##
+## Rails 6.0.0 (August 16, 2019) ##
+
+*   ActionView::Helpers::SanitizeHelper: support rails-html-sanitizer 1.1.0.
+
+    *Juanito Fatas*
+
+
+## Rails 6.0.0.rc2 (July 22, 2019) ##
+
+*   Fix `select_tag` so that it doesn't change `options` when `include_blank` is present.
+
+    *Younes SERRAJ*
+
+
+## Rails 6.0.0.rc1 (April 24, 2019) ##
+
+*   Fix partial caching skips same item issue
+
+    If we render cached collection partials with repeated items, those repeated items
+    will get skipped. For example, if you have 5 identical items in your collection, Rails
+    only renders the first one when `cached` is set to true. But it should render all
+    5 items instead.
+
+    Fixes #35114.
+
+    *Stan Lo*
+
+*   Only clear ActionView cache in development on file changes
+
+    To speed up development mode, view caches are only cleared when files in
+    the view paths have changed. Applications which have implemented custom
+    `ActionView::Resolver` subclasses may need to add their own cache clearing.
+
+    *John Hawthorn*
+
+*   Fix `ActionView::FixtureResolver` so that it handles template variants correctly.
+
+    *Edward Rudd*
+
+
+## Rails 6.0.0.beta3 (March 11, 2019) ##
+
+*   Only accept formats from registered mime types
+
+    A lack of filtering on mime types could allow an attacker to read
+    arbitrary files on the target server or to perform a denial of service
+    attack.
+
+    Fixes CVE-2019-5418
+    Fixes CVE-2019-5419
+
+    *John Hawthorn*, *Eileen M. Uchitelle*, *Aaron Patterson*
+
+
+## Rails 6.0.0.beta2 (February 25, 2019) ##
+
+*   `ActionView::Template.finalize_compiled_template_methods` is deprecated with
+    no replacement.
+
+    *tenderlove*
+
+*   `config.action_view.finalize_compiled_template_methods` is deprecated with
+    no replacement.
+
+    *tenderlove*
+
+*   Ensure unique DOM IDs for collection inputs with float values.
+
+    Fixes #34974.
+
+    *Mark Edmondson*
+
+
+## Rails 6.0.0.beta1 (January 18, 2019) ##
+
+*   [Rename npm package](https://github.com/rails/rails/pull/34905) from
+    [`rails-ujs`](https://www.npmjs.com/package/rails-ujs) to
+    [`@rails/ujs`](https://www.npmjs.com/package/@rails/ujs).
+
+    *Javan Makhmali*
+
+*   Remove deprecated `image_alt` helper.
+
+    *Rafael Mendonça França*
+
+*   Fix the need of `#protect_against_forgery?` method defined in
+    `ActionView::Base` subclasses. This prevents the use of forms and buttons.
+
+    *Genadi Samokovarov*
+
+*   Fix UJS permanently showing disabled text in a[data-remote][data-disable-with] elements within forms.
+
+    Fixes #33889.
+
+    *Wolfgang Hobmaier*
 
 *   Prevent non-primary mouse keys from triggering Rails UJS click handlers.
     Firefox fires click events even if the click was triggered by non-primary mouse keys such as right- or scroll-wheel-clicks.
@@ -8,32 +102,54 @@
     <%= link_to 'Remote', remote_path, class: 'remote', remote: true, data: { type: :json } %>
     ```
 
-    Fixes #34541
+    Fixes #34541.
 
     *Wolfgang Hobmaier*
 
+*   Prevent `ActionView::TextHelper#word_wrap` from unexpectedly stripping white space from the _left_ side of lines.
 
-## Rails 5.2.2.1 (March 11, 2019) ##
+    For example, given input like this:
 
-*   No changes.
+    ```
+        This is a paragraph with an initial indent,
+    followed by additional lines that are not indented,
+    and finally terminated with a blockquote:
+      "A pithy saying"
+    ```
 
+    Calling `word_wrap` should not trim the indents on the first and last lines.
 
-## Rails 5.2.2 (December 04, 2018) ##
+    Fixes #34487.
 
-*   No changes.
+    *Lyle Mullican*
 
+*   Add allocations to template rendering instrumentation.
 
-## Rails 5.2.1.1 (November 27, 2018) ##
+    Adds the allocations for template and partial rendering to the server output on render.
 
-*   No changes.
+    ```
+      Rendered posts/_form.html.erb (Duration: 7.1ms | Allocations: 6004)
+      Rendered posts/new.html.erb within layouts/application (Duration: 8.3ms | Allocations: 6654)
+    Completed 200 OK in 858ms (Views: 848.4ms | ActiveRecord: 0.4ms | Allocations: 1539564)
+    ```
+
+    *Eileen M. Uchitelle*, *Aaron Patterson*
+
+*   Respect the `only_path` option passed to `url_for` when the options are passed in as an array
+
+    Fixes #33237.
+
+    *Joel Ambass*
 
+*   Deprecate calling private model methods from view helpers.
 
-## Rails 5.2.1 (August 07, 2018) ##
+    For example, in methods like `options_from_collection_for_select`
+    and `collection_select` it is possible to call private methods from
+    the objects used.
 
-*   Fix leak of `skip_default_ids` and `allow_method_names_outside_object` options
-    to HTML attributes.
+    Fixes #33546.
 
-    *Yurii Cherniavskyi*
+    *Ana María Martínez Gómez*
 
 *   Fix issue with `button_to`'s `to_form_params`
 
@@ -46,97 +162,110 @@
 
     *Georgi Georgiev*
 
-*   Fix JavaScript views rendering does not work with Firefox when using
-    Content Security Policy.
-
-    Fixes #32577.
-
-    *Yuji Yaginuma*
-
-*   Add the `nonce: true` option for `javascript_include_tag` helper to
-    support automatic nonce generation for Content Security Policy.
-    Works the same way as `javascript_tag nonce: true` does.
+*   Mark arrays of translations as trusted safe by using the `_html` suffix.
 
-    *Yaroslav Markin*
+    Example:
 
+        en:
+          foo_html:
+            - "One"
+            - "<strong>Two</strong>"
+            - "Three &#128075; &#128578;"
 
-## Rails 5.2.0 (April 09, 2018) ##
+    *Juan Broullon*
 
-*   Pass the `:skip_pipeline` option in `image_submit_tag` when calling `path_to_image`.
+*   Add `year_format` option to date_select tag. This option makes it possible to customize year
+    names. Lambda should be passed to use this option.
 
-    Fixes #32248.
+    Example:
 
-    *Andrew White*
+        date_select('user_birthday', '', start_year: 1998, end_year: 2000, year_format: ->year { "Heisei #{year - 1988}" })
 
-*   Allow the use of callable objects as group methods for grouped selects.
+    The HTML produced:
 
-    Until now, the `option_groups_from_collection_for_select` method was only able to
-    handle method names as `group_method` and `group_label_method` parameters,
-    it is now able to receive procs and other callable objects too.
+        <select id="user_birthday__1i" name="user_birthday[(1i)]">
+        <option value="1998">Heisei 10</option>
+        <option value="1999">Heisei 11</option>
+        <option value="2000">Heisei 12</option>
+        </select>
+        /* The rest is omitted */
 
-    *Jérémie Bonal*
+    *Koki Ryu*
 
-*   Add `preload_link_tag` helper.
+*   Fix JavaScript views rendering does not work with Firefox when using
+    Content Security Policy.
 
-    This helper that allows to the browser to initiate early fetch of resources
-    (different to the specified in `javascript_include_tag` and `stylesheet_link_tag`).
-    Additionally, this sends Early Hints if supported by browser.
+    Fixes #32577.
 
-    *Guillermo Iguaran*
+    *Yuji Yaginuma*
 
-*   Change `form_with` to generates ids by default.
+*   Add the `nonce: true` option for `javascript_include_tag` helper to
+    support automatic nonce generation for Content Security Policy.
+    Works the same way as `javascript_tag nonce: true` does.
 
-    When `form_with` was introduced we disabled the automatic generation of ids
-    that was enabled in `form_for`. This usually is not an good idea since labels don't work
-    when the input doesn't have an id and it made harder to test with Capybara.
+    *Yaroslav Markin*
 
-    You can still disable the automatic generation of ids setting `config.action_view.form_with_generates_ids`
-    to `false.`
+*   Remove `ActionView::Helpers::RecordTagHelper`.
 
-    *Nick Pezza*
+    *Yoshiyuki Hirano*
 
-*   Fix issues with `field_error_proc` wrapping `optgroup` and select divider `option`.
+*   Disable `ActionView::Template` finalizers in test environment.
 
-    Fixes #31088
+    Template finalization can be expensive in large view test suites.
+    Add a configuration option,
+    `action_view.finalize_compiled_template_methods`, and turn it off in
+    the test environment.
 
-    *Matthias Neumayr*
+    *Simon Coffey*
 
-*   Remove deprecated Erubis ERB handler.
+*   Extract the `confirm` call in its own, overridable method in `rails_ujs`.
 
-    *Rafael Mendonça França*
+    Example:
 
-*   Remove default `alt` text generation.
+        Rails.confirm = function(message, element) {
+          return (my_bootstrap_modal_confirm(message));
+        }
 
-    Fixes #30096
+    *Mathieu Mahé*
 
-    *Cameron Cundiff*
+*   Enable select tag helper to mark `prompt` option as `selected` and/or `disabled` for `required`
+    field.
 
-*   Add `srcset` option to `image_tag` helper.
+    Example:
 
-    *Roberto Miranda*
+        select :post,
+               :category,
+               ["lifestyle", "programming", "spiritual"],
+               { selected: "", disabled: "", prompt: "Choose one" },
+               { required: true }
 
-*   Fix issues with scopes and engine on `current_page?` method.
+    Placeholder option would be selected and disabled.
 
-    Fixes #29401.
+    The HTML produced:
 
-    *Nikita Savrov*
+        <select required="required" name="post[category]" id="post_category">
+        <option disabled="disabled" selected="selected" value="">Choose one</option>
+        <option value="lifestyle">lifestyle</option>
+        <option value="programming">programming</option>
+        <option value="spiritual">spiritual</option></select>
 
-*   Generate field ids in `collection_check_boxes` and `collection_radio_buttons`.
+    *Sergey Prikhodko*
 
-    This makes sure that the labels are linked up with the fields.
+*   Don't enforce UTF-8 by default.
 
-    Fixes #29014.
+    With the disabling of TLS 1.0 by most major websites, continuing to run
+    IE8 or lower becomes increasingly difficult so default to not enforcing
+    UTF-8 encoding as it's not relevant to other browsers.
 
-    *Yuji Yaginuma*
+    *Andrew White*
 
-*   Add `:json` type to `auto_discovery_link_tag` to support [JSON Feeds](https://jsonfeed.org/version/1).
+*   Change translation key of `submit_tag` from `module_name_class_name` to `module_name/class_name`.
 
-    *Mike Gunderloy*
+    *Rui Onodera*
 
-*   Update `distance_of_time_in_words` helper to display better error messages
-    for bad input.
+*   Rails 6 requires Ruby 2.5.0 or newer.
 
-    *Jay Hayes*
+    *Jeremy Daer*, *Kasper Timm Hansen*
 
 
-Please check [5-1-stable](https://github.com/rails/rails/blob/5-1-stable/actionview/CHANGELOG.md) for previous changes.
+Please check [5-2-stable](https://github.com/rails/rails/blob/5-2-stable/actionview/CHANGELOG.md) for previous changes.

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2004-2018 David Heinemeier Hansson
+Copyright (c) 2004-2019 David Heinemeier Hansson
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.rdoc

@@ -5,6 +5,8 @@ view helpers that assist when building HTML forms, Atom feeds and more.
 Template formats that Action View handles are ERB (embedded Ruby, typically
 used to inline short Ruby snippets inside HTML), and XML Builder.
 
+You can read more about Action View in the {Action View Overview}[https://edgeguides.rubyonrails.org/action_view_overview.html] guide.
+
 == Download and installation
 
 The latest version of Action View can be installed with RubyGems:
@@ -13,7 +15,7 @@ The latest version of Action View can be installed with RubyGems:
 
 Source code can be downloaded as part of the Rails project on GitHub:
 
-* https://github.com/rails/rails/tree/5-2-stable/actionview
+* https://github.com/rails/rails/tree/master/actionview
 
 
 == License
@@ -27,7 +29,7 @@ Action View is released under the MIT license:
 
 API documentation is at
 
-* http://api.rubyonrails.org
+* https://api.rubyonrails.org
 
 Bug reports for the Ruby on Rails project can be filed here:
 

data/lib/action_view.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 #--
-# Copyright (c) 2004-2018 David Heinemeier Hansson
+# Copyright (c) 2004-2019 David Heinemeier Hansson
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the
@@ -35,7 +35,6 @@ module ActionView
   eager_autoload do
     autoload :Base
     autoload :Context
-    autoload :CompiledTemplates, "action_view/context"
     autoload :Digestor
     autoload :Helpers
     autoload :LookupContext
@@ -45,6 +44,7 @@ module ActionView
     autoload :Rendering
     autoload :RoutingUrlFor
     autoload :Template
+    autoload :UnboundTemplate
     autoload :ViewPaths
 
     autoload_under "renderer" do
@@ -81,6 +81,7 @@ module ActionView
     end
   end
 
+  autoload :CacheExpiry
   autoload :TestCase
 
   def self.eager_load!

data/lib/action_view/base.rb

@@ -3,6 +3,7 @@
 require "active_support/core_ext/module/attr_internal"
 require "active_support/core_ext/module/attribute_accessors"
 require "active_support/ordered_options"
+require "active_support/deprecation"
 require "action_view/log_subscriber"
 require "action_view/helpers"
 require "action_view/context"
@@ -179,37 +180,133 @@ module ActionView #:nodoc:
       def xss_safe? #:nodoc:
         true
       end
+
+      def with_empty_template_cache # :nodoc:
+        subclass = Class.new(self) {
+          # We can't implement these as self.class because subclasses will
+          # share the same template cache as superclasses, so "changed?" won't work
+          # correctly.
+          define_method(:compiled_method_container)           { subclass }
+          define_singleton_method(:compiled_method_container) { subclass }
+        }
+      end
+
+      def changed?(other) # :nodoc:
+        compiled_method_container != other.compiled_method_container
+      end
     end
 
-    attr_accessor :view_renderer
+    attr_reader :view_renderer, :lookup_context
     attr_internal :config, :assigns
 
-    delegate :lookup_context, to: :view_renderer
     delegate :formats, :formats=, :locale, :locale=, :view_paths, :view_paths=, to: :lookup_context
 
     def assign(new_assigns) # :nodoc:
       @_assigns = new_assigns.each { |key, value| instance_variable_set("@#{key}", value) }
     end
 
-    def initialize(context = nil, assigns = {}, controller = nil, formats = nil) #:nodoc:
+    # :stopdoc:
+
+    def self.build_lookup_context(context)
+      case context
+      when ActionView::Renderer
+        context.lookup_context
+      when Array
+        ActionView::LookupContext.new(context)
+      when ActionView::PathSet
+        ActionView::LookupContext.new(context)
+      when nil
+        ActionView::LookupContext.new([])
+      else
+        raise NotImplementedError, context.class.name
+      end
+    end
+
+    def self.empty
+      with_view_paths([])
+    end
+
+    def self.with_view_paths(view_paths, assigns = {}, controller = nil)
+      with_context ActionView::LookupContext.new(view_paths), assigns, controller
+    end
+
+    def self.with_context(context, assigns = {}, controller = nil)
+      new context, assigns, controller
+    end
+
+    NULL = Object.new
+
+    # :startdoc:
+
+    def initialize(lookup_context = nil, assigns = {}, controller = nil, formats = NULL) #:nodoc:
       @_config = ActiveSupport::InheritableOptions.new
 
-      if context.is_a?(ActionView::Renderer)
-        @view_renderer = context
+      unless formats == NULL
+        ActiveSupport::Deprecation.warn <<~eowarn.squish
+        Passing formats to ActionView::Base.new is deprecated
+        eowarn
+      end
+
+      case lookup_context
+      when ActionView::LookupContext
+        @lookup_context = lookup_context
       else
-        lookup_context = context.is_a?(ActionView::LookupContext) ?
-          context : ActionView::LookupContext.new(context)
-        lookup_context.formats  = formats if formats
-        lookup_context.prefixes = controller._prefixes if controller
-        @view_renderer = ActionView::Renderer.new(lookup_context)
+        ActiveSupport::Deprecation.warn <<~eowarn.squish
+        ActionView::Base instances should be constructed with a lookup context,
+        assignments, and a controller.
+        eowarn
+        @lookup_context = self.class.build_lookup_context(lookup_context)
       end
 
+      @view_renderer = ActionView::Renderer.new @lookup_context
+      @current_template = nil
+
       @cache_hit = {}
       assign(assigns)
       assign_controller(controller)
       _prepare_context
     end
 
+    def _run(method, template, locals, buffer, &block)
+      _old_output_buffer, _old_virtual_path, _old_template = @output_buffer, @virtual_path, @current_template
+      @current_template = template
+      @output_buffer = buffer
+      send(method, locals, buffer, &block)
+    ensure
+      @output_buffer, @virtual_path, @current_template = _old_output_buffer, _old_virtual_path, _old_template
+    end
+
+    def compiled_method_container
+      if self.class == ActionView::Base
+        ActiveSupport::Deprecation.warn <<~eowarn.squish
+          ActionView::Base instances must implement `compiled_method_container`
+          or use the class method `with_empty_template_cache` for constructing
+          an ActionView::Base instances that has an empty cache.
+        eowarn
+      end
+
+      self.class
+    end
+
+    def in_rendering_context(options)
+      old_view_renderer  = @view_renderer
+      old_lookup_context = @lookup_context
+
+      if !lookup_context.html_fallback_for_js && options[:formats]
+        formats = Array(options[:formats])
+        if formats == [:js]
+          formats << :html
+        end
+        @lookup_context = lookup_context.with_prepended_formats(formats)
+        @view_renderer = ActionView::Renderer.new @lookup_context
+      end
+
+      yield @view_renderer
+    ensure
+      @view_renderer = old_view_renderer
+      @lookup_context = old_lookup_context
+    end
+
     ActiveSupport.run_load_hooks(:action_view, self)
   end
 end