actionview 5.2.4.1 → 6.0.1

data/lib/action_view/helpers/javascript_helper.rb

@@ -15,8 +15,8 @@ module ActionView
         "'"     => "\\'"
       }
 
-      JS_ESCAPE_MAP["\342\200\250".dup.force_encoding(Encoding::UTF_8).encode!] = "
"
-      JS_ESCAPE_MAP["\342\200\251".dup.force_encoding(Encoding::UTF_8).encode!] = "
"
+      JS_ESCAPE_MAP[(+"\342\200\250").force_encoding(Encoding::UTF_8).encode!] = "
"
+      JS_ESCAPE_MAP[(+"\342\200\251").force_encoding(Encoding::UTF_8).encode!] = "
"
 
       # Escapes carriage returns and single and double quotes for JavaScript segments.
       #
@@ -25,12 +25,13 @@ module ActionView
       #
       #   $('some_element').replaceWith('<%= j render 'some/element_template' %>');
       def escape_javascript(javascript)
-        if javascript
-          result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'])/u) { |match| JS_ESCAPE_MAP[match] }
-          javascript.html_safe? ? result.html_safe : result
+        javascript = javascript.to_s
+        if javascript.empty?
+          result = ""
         else
-          ""
+          result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'])/u) { |match| JS_ESCAPE_MAP[match] }
         end
+        javascript.html_safe? ? result.html_safe : result
       end
 
       alias_method :j, :escape_javascript
@@ -65,7 +66,7 @@ module ActionView
       #   <% end -%>
       #
       # If you have a content security policy enabled then you can add an automatic
-      # nonce value by passing +nonce: true+ as part of +html_options+. Example:
+      # nonce value by passing <tt>nonce: true</tt> as part of +html_options+. Example:
       #
       #   <%= javascript_tag nonce: true do -%>
       #     alert('All is good')
@@ -83,7 +84,7 @@ module ActionView
           html_options[:nonce] = content_security_policy_nonce
         end
 
-        content_tag("script".freeze, javascript_cdata_section(content), html_options)
+        content_tag("script", javascript_cdata_section(content), html_options)
       end
 
       def javascript_cdata_section(content) #:nodoc:

data/lib/action_view/helpers/number_helper.rb

@@ -100,6 +100,9 @@ module ActionView
       #   absolute value of the number.
       # * <tt>:raise</tt> - If true, raises +InvalidNumberError+ when
       #   the argument is invalid.
+      # * <tt>:strip_insignificant_zeros</tt> - If +true+ removes
+      #   insignificant zeros after the decimal separator (defaults to
+      #   +false+).
       #
       # ==== Examples
       #
@@ -117,6 +120,8 @@ module ActionView
       #   # => R$1234567890,50
       #   number_to_currency(1234567890.50, unit: "R$", separator: ",", delimiter: "", format: "%n %u")
       #   # => 1234567890,50 R$
+      #   number_to_currency(1234567890.50, strip_insignificant_zeros: true)
+      #   # => "$1,234,567,890.5"
       def number_to_currency(number, options = {})
         delegate_number_helper_method(:number_to_currency, number, options)
       end

data/lib/action_view/helpers/output_safety_helper.rb

@@ -38,7 +38,7 @@ module ActionView #:nodoc:
 
       # Converts the array to a comma-separated sentence where the last element is
       # joined by the connector word. This is the html_safe-aware version of
-      # ActiveSupport's {Array#to_sentence}[http://api.rubyonrails.org/classes/Array.html#method-i-to_sentence].
+      # ActiveSupport's {Array#to_sentence}[https://api.rubyonrails.org/classes/Array.html#method-i-to_sentence].
       #
       def to_sentence(array, options = {})
         options.assert_valid_keys(:words_connector, :two_words_connector, :last_word_connector, :locale)

data/lib/action_view/helpers/rendering_helper.rb

@@ -27,10 +27,12 @@ module ActionView
       def render(options = {}, locals = {}, &block)
         case options
         when Hash
-          if block_given?
-            view_renderer.render_partial(self, options.merge(partial: options[:layout]), &block)
-          else
-            view_renderer.render(self, options)
+          in_rendering_context(options) do |renderer|
+            if block_given?
+              view_renderer.render_partial(self, options.merge(partial: options[:layout]), &block)
+            else
+              view_renderer.render(self, options)
+            end
           end
         else
           view_renderer.render_partial(self, partial: options, locals: locals, &block)

data/lib/action_view/helpers/sanitize_helper.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require "active_support/core_ext/object/try"
 require "rails-html-sanitizer"
 
 module ActionView
@@ -10,14 +9,14 @@ module ActionView
     # These helper methods extend Action View making them callable within your template files.
     module SanitizeHelper
       extend ActiveSupport::Concern
-      # Sanitizes HTML input, stripping all tags and attributes that aren't whitelisted.
+      # Sanitizes HTML input, stripping all but known-safe tags and attributes.
       #
       # It also strips href/src attributes with unsafe protocols like
       # <tt>javascript:</tt>, while also protecting against attempts to use Unicode,
       # ASCII, and hex character references to work around these protocol filters.
       # All special characters will be escaped.
       #
-      # The default sanitizer is Rails::Html::WhiteListSanitizer. See {Rails HTML
+      # The default sanitizer is Rails::Html::SafeListSanitizer. See {Rails HTML
       # Sanitizers}[https://github.com/rails/rails-html-sanitizer] for more information.
       #
       # Custom sanitization rules can also be provided.
@@ -40,7 +39,7 @@ module ActionView
       #
       #   <%= sanitize @comment.body %>
       #
-      # Providing custom whitelisted tags and attributes:
+      # Providing custom lists of permitted tags and attributes:
       #
       #   <%= sanitize @comment.body, tags: %w(strong em a), attributes: %w(href) %>
       #
@@ -80,12 +79,12 @@ module ActionView
       #   config.action_view.sanitized_allowed_tags = ['strong', 'em', 'a']
       #   config.action_view.sanitized_allowed_attributes = ['href', 'title']
       def sanitize(html, options = {})
-        self.class.white_list_sanitizer.sanitize(html, options).try(:html_safe)
+        self.class.safe_list_sanitizer.sanitize(html, options)&.html_safe
       end
 
       # Sanitizes a block of CSS code. Used by +sanitize+ when it comes across a style attribute.
       def sanitize_css(style)
-        self.class.white_list_sanitizer.sanitize_css(style)
+        self.class.safe_list_sanitizer.sanitize_css(style)
       end
 
       # Strips all HTML tags from +html+, including comments and special characters.
@@ -123,20 +122,18 @@ module ActionView
       end
 
       module ClassMethods #:nodoc:
-        attr_writer :full_sanitizer, :link_sanitizer, :white_list_sanitizer
+        attr_writer :full_sanitizer, :link_sanitizer, :safe_list_sanitizer
 
-        # Vendors the full, link and white list sanitizers.
-        # Provided strictly for compatibility and can be removed in Rails 5.1.
         def sanitizer_vendor
           Rails::Html::Sanitizer
         end
 
         def sanitized_allowed_tags
-          sanitizer_vendor.white_list_sanitizer.allowed_tags
+          safe_list_sanitizer.allowed_tags
         end
 
         def sanitized_allowed_attributes
-          sanitizer_vendor.white_list_sanitizer.allowed_attributes
+          safe_list_sanitizer.allowed_attributes
         end
 
         # Gets the Rails::Html::FullSanitizer instance used by +strip_tags+. Replace with
@@ -145,7 +142,6 @@ module ActionView
         #   class Application < Rails::Application
         #     config.action_view.full_sanitizer = MySpecialSanitizer.new
         #   end
-        #
         def full_sanitizer
           @full_sanitizer ||= sanitizer_vendor.full_sanitizer.new
         end
@@ -156,20 +152,18 @@ module ActionView
         #   class Application < Rails::Application
         #     config.action_view.link_sanitizer = MySpecialSanitizer.new
         #   end
-        #
         def link_sanitizer
           @link_sanitizer ||= sanitizer_vendor.link_sanitizer.new
         end
 
-        # Gets the Rails::Html::WhiteListSanitizer instance used by sanitize and +sanitize_css+.
+        # Gets the Rails::Html::SafeListSanitizer instance used by sanitize and +sanitize_css+.
         # Replace with any object that responds to +sanitize+.
         #
         #   class Application < Rails::Application
-        #     config.action_view.white_list_sanitizer = MySpecialSanitizer.new
+        #     config.action_view.safe_list_sanitizer = MySpecialSanitizer.new
         #   end
-        #
-        def white_list_sanitizer
-          @white_list_sanitizer ||= sanitizer_vendor.white_list_sanitizer.new
+        def safe_list_sanitizer
+          @safe_list_sanitizer ||= sanitizer_vendor.safe_list_sanitizer.new
         end
       end
     end

data/lib/action_view/helpers/tag_helper.rb

@@ -58,7 +58,7 @@ module ActionView
 
         def tag_options(options, escape = true)
           return if options.blank?
-          output = "".dup
+          output = +""
           sep    = " "
           options.each_pair do |key, value|
             if TAG_PREFIXES.include?(key) && value.is_a?(Hash)
@@ -86,11 +86,12 @@ module ActionView
 
         def tag_option(key, value, escape)
           if value.is_a?(Array)
-            value = escape ? safe_join(value, " ".freeze) : value.join(" ".freeze)
+            value = escape ? safe_join(value, " ") : value.join(" ")
           else
-            value = escape ? ERB::Util.unwrapped_html_escape(value) : value.to_s
+            value = escape ? ERB::Util.unwrapped_html_escape(value).dup : value.to_s.dup
           end
-          %(#{key}="#{value.gsub('"'.freeze, '"'.freeze)}")
+          value.gsub!('"', """)
+          %(#{key}="#{value}")
         end
 
         private
@@ -227,10 +228,10 @@ module ActionView
       #   tag("img", src: "open & shut.png")
       #   # => <img src="open &amp; shut.png" />
       #
-      #   tag("img", {src: "open &amp; shut.png"}, false, false)
+      #   tag("img", { src: "open &amp; shut.png" }, false, false)
       #   # => <img src="open &amp; shut.png" />
       #
-      #   tag("div", data: {name: 'Stephen', city_state: %w(Chicago IL)})
+      #   tag("div", data: { name: 'Stephen', city_state: %w(Chicago IL) })
       #   # => <div data-name="Stephen" data-city-state="[&quot;Chicago&quot;,&quot;IL&quot;]" />
       def tag(name = nil, options = nil, open = false, escape = true)
         if name.nil?

data/lib/action_view/helpers/tags/base.rb

@@ -109,11 +109,11 @@ module ActionView
             # a little duplication to construct less strings
             case
             when @object_name.empty?
-              "#{sanitized_method_name}#{"[]" if multiple}"
+              "#{sanitized_method_name}#{multiple ? "[]" : ""}"
             when index
-              "#{@object_name}[#{index}][#{sanitized_method_name}]#{"[]" if multiple}"
+              "#{@object_name}[#{index}][#{sanitized_method_name}]#{multiple ? "[]" : ""}"
             else
-              "#{@object_name}[#{sanitized_method_name}]#{"[]" if multiple}"
+              "#{@object_name}[#{sanitized_method_name}]#{multiple ? "[]" : ""}"
             end
           end
 
@@ -138,7 +138,7 @@ module ActionView
           end
 
           def sanitized_value(value)
-            value.to_s.gsub(/\s/, "_").gsub(/[^-[[:word:]]]/, "").mb_chars.downcase.to_s
+            value.to_s.gsub(/[\s\.]/, "_").gsub(/[^-[[:word:]]]/, "").downcase
           end
 
           def select_content_tag(option_tags, options, html_options)
@@ -170,7 +170,11 @@ module ActionView
               option_tags = tag_builder.content_tag_string("option", options[:include_blank].kind_of?(String) ? options[:include_blank] : nil, value: "") + "\n" + option_tags
             end
             if value.blank? && options[:prompt]
-              option_tags = tag_builder.content_tag_string("option", prompt_text(options[:prompt]), value: "") + "\n" + option_tags
+              tag_options = { value: "" }.tap do |prompt_opts|
+                prompt_opts[:disabled] = true if options[:disabled] == ""
+                prompt_opts[:selected] = true if options[:selected] == ""
+              end
+              option_tags = tag_builder.content_tag_string("option", prompt_text(options[:prompt]), tag_options) + "\n" + option_tags
             end
             option_tags
           end

data/lib/action_view/helpers/tags/color_field.rb

@@ -15,7 +15,7 @@ module ActionView
 
           def validate_color_string(string)
             regex = /#[0-9a-fA-F]{6}/
-            if regex.match(string)
+            if regex.match?(string)
               string.downcase
             else
               "#000000"

data/lib/action_view/helpers/tags/translator.rb

@@ -16,13 +16,8 @@ module ActionView
           translated_attribute || human_attribute_name
         end
 
-        # TODO Change this to private once we've dropped Ruby 2.2 support.
-        # Workaround for Ruby 2.2 "private attribute?" warning.
-        protected
-
-          attr_reader :object_name, :method_and_value, :scope, :model
-
         private
+          attr_reader :object_name, :method_and_value, :scope, :model
 
           def i18n_default
             if model

data/lib/action_view/helpers/text_helper.rb

@@ -188,7 +188,7 @@ module ActionView
 
         unless separator.empty?
           text.split(separator).each do |value|
-            if value.match(regex)
+            if value.match?(regex)
               phrase = value
               break
             end
@@ -228,7 +228,7 @@ module ActionView
       #   pluralize(2, 'Person', locale: :de)
       #   # => 2 Personen
       def pluralize(count, singular, plural_arg = nil, plural: plural_arg, locale: I18n.locale)
-        word = if (count == 1 || count.to_s =~ /^1(\.0+)?$/)
+        word = if count == 1 || count.to_s =~ /^1(\.0+)?$/
           singular
         else
           plural || singular.pluralize(locale)
@@ -259,7 +259,7 @@ module ActionView
       #   # => Once\r\nupon\r\na\r\ntime
       def word_wrap(text, line_width: 80, break_sequence: "\n")
         text.split("\n").collect! do |line|
-          line.length > line_width ? line.gsub(/(.{1,#{line_width}})(\s+|$)/, "\\1#{break_sequence}").strip : line
+          line.length > line_width ? line.gsub(/(.{1,#{line_width}})(\s+|$)/, "\\1#{break_sequence}").rstrip : line
         end * break_sequence
       end
 

data/lib/action_view/helpers/translation_helper.rb

@@ -59,11 +59,9 @@ module ActionView
       # they can provide HTML values for.
       def translate(key, options = {})
         options = options.dup
-        has_default = options.has_key?(:default)
-        remaining_defaults = Array(options.delete(:default)).compact
-
-        if has_default && !remaining_defaults.first.kind_of?(Symbol)
-          options[:default] = remaining_defaults
+        if options.has_key?(:default)
+          remaining_defaults = Array.wrap(options.delete(:default)).compact
+          options[:default] = remaining_defaults unless remaining_defaults.first.kind_of?(Symbol)
         end
 
         # If the user has explicitly decided to NOT raise errors, pass that option to I18n.
@@ -85,8 +83,11 @@ module ActionView
             end
           end
           translation = I18n.translate(scope_key_by_partial(key), html_safe_options.merge(raise: i18n_raise))
-
-          translation.respond_to?(:html_safe) ? translation.html_safe : translation
+          if translation.respond_to?(:map)
+            translation.map { |element| element.respond_to?(:html_safe) ? element.html_safe : element }
+          else
+            translation.respond_to?(:html_safe) ? translation.html_safe : translation
+          end
         else
           I18n.translate(scope_key_by_partial(key), options.merge(raise: i18n_raise))
         end
@@ -97,7 +98,7 @@ module ActionView
           raise e if raise_error
 
           keys = I18n.normalize_keys(e.locale, e.key, e.options[:scope])
-          title = "translation missing: #{keys.join('.')}".dup
+          title = +"translation missing: #{keys.join('.')}"
 
           interpolations = options.except(:default, :scope)
           if interpolations.any?
@@ -113,7 +114,7 @@ module ActionView
 
       # Delegates to <tt>I18n.localize</tt> with no additional functionality.
       #
-      # See http://rubydoc.info/github/svenfuchs/i18n/master/I18n/Backend/Base:localize
+      # See https://www.rubydoc.info/github/svenfuchs/i18n/master/I18n/Backend/Base:localize
       # for more information.
       def localize(*args)
         I18n.localize(*args)
@@ -122,9 +123,12 @@ module ActionView
 
       private
         def scope_key_by_partial(key)
-          if key.to_s.first == "."
+          stringified_key = key.to_s
+          if stringified_key.first == "."
             if @virtual_path
-              @virtual_path.gsub(%r{/_?}, ".") + key.to_s
+              @_scope_key_by_partial_cache ||= {}
+              @_scope_key_by_partial_cache[@virtual_path] ||= @virtual_path.gsub(%r{/_?}, ".")
+              "#{@_scope_key_by_partial_cache[@virtual_path]}#{stringified_key}"
             else
               raise "Cannot use t(#{key.inspect}) shortcut because path is not available"
             end
@@ -134,7 +138,7 @@ module ActionView
         end
 
         def html_safe_translation_key?(key)
-          /(\b|_|\.)html$/.match?(key.to_s)
+          /(?:_|\b)html\z/.match?(key.to_s)
         end
     end
   end

data/lib/action_view/helpers/url_helper.rb

@@ -200,9 +200,9 @@ module ActionView
         html_options = convert_options_to_data_attributes(options, html_options)
 
         url = url_for(options)
-        html_options["href".freeze] ||= url
+        html_options["href"] ||= url
 
-        content_tag("a".freeze, name || url, html_options, &block)
+        content_tag("a", name || url, html_options, &block)
       end
 
       # Generates a form containing a single button that submits to the URL created
@@ -308,7 +308,7 @@ module ActionView
         params = html_options.delete("params")
 
         method     = html_options.delete("method").to_s
-        method_tag = BUTTON_TAG_METHOD_VERBS.include?(method) ? method_tag(method) : "".freeze.html_safe
+        method_tag = BUTTON_TAG_METHOD_VERBS.include?(method) ? method_tag(method) : "".html_safe
 
         form_method  = method == "get" ? "get" : "post"
         form_options = html_options.delete("form") || {}
@@ -321,7 +321,7 @@ module ActionView
           request_method = method.empty? ? "post" : method
           token_tag(nil, form_options: { action: url, method: request_method })
         else
-          "".freeze
+          ""
         end
 
         html_options = convert_options_to_data_attributes(options, html_options)
@@ -487,12 +487,12 @@ module ActionView
           option = html_options.delete(item).presence || next
           "#{item.dasherize}=#{ERB::Util.url_encode(option)}"
         }.compact
-        extras = extras.empty? ? "".freeze : "?" + extras.join("&")
+        extras = extras.empty? ? "" : "?" + extras.join("&")
 
         encoded_email_address = ERB::Util.url_encode(email_address).gsub("%40", "@")
         html_options["href"] = "mailto:#{encoded_email_address}#{extras}"
 
-        content_tag("a".freeze, name || email_address, html_options, &block)
+        content_tag("a", name || email_address, html_options, &block)
       end
 
       # True if the current request URI was generated by the given +options+.
@@ -553,7 +553,7 @@ module ActionView
         url_string = URI.parser.unescape(url_for(options)).force_encoding(Encoding::BINARY)
 
         # We ignore any extra parameters in the request_uri if the
-        # submitted url doesn't have any either. This lets the function
+        # submitted URL doesn't have any either. This lets the function
         # work with things like ?order=asc
         # the behaviour can be disabled with check_parameters: true
         request_uri = url_string.index("?") || check_parameters ? request.fullpath : request.path
@@ -575,21 +575,21 @@ module ActionView
         def convert_options_to_data_attributes(options, html_options)
           if html_options
             html_options = html_options.stringify_keys
-            html_options["data-remote"] = "true".freeze if link_to_remote_options?(options) || link_to_remote_options?(html_options)
+            html_options["data-remote"] = "true" if link_to_remote_options?(options) || link_to_remote_options?(html_options)
 
-            method = html_options.delete("method".freeze)
+            method = html_options.delete("method")
 
             add_method_to_attributes!(html_options, method) if method
 
             html_options
           else
-            link_to_remote_options?(options) ? { "data-remote" => "true".freeze } : {}
+            link_to_remote_options?(options) ? { "data-remote" => "true" } : {}
           end
         end
 
         def link_to_remote_options?(options)
           if options.is_a?(Hash)
-            options.delete("remote".freeze) || options.delete(:remote)
+            options.delete("remote") || options.delete(:remote)
           end
         end
 
@@ -618,11 +618,11 @@ module ActionView
         end
 
         def token_tag(token = nil, form_options: {})
-          if token != false && protect_against_forgery?
+          if token != false && defined?(protect_against_forgery?) && protect_against_forgery?
             token ||= form_authenticity_token(form_options: form_options)
             tag(:input, type: "hidden", name: request_forgery_protection_token.to_s, value: token)
           else
-            "".freeze
+            ""
           end
         end
 
@@ -636,7 +636,7 @@ module ActionView
         #   to_form_params(name: 'David', nationality: 'Danish')
         #   # => [{name: 'name', value: 'David'}, {name: 'nationality', value: 'Danish'}]
         #
-        #   to_form_params(country: {name: 'Denmark'})
+        #   to_form_params(country: { name: 'Denmark' })
         #   # => [{name: 'country[name]', value: 'Denmark'}]
         #
         #   to_form_params(countries: ['Denmark', 'Sweden']})