actionview 5.2.4.4 → 6.0.0.beta1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 285d9a982fd985cc0c7b694548154f3e7b52dac3dfa42c9c7dbbd61d07f6ed81
-  data.tar.gz: e877ec1372d604047b00f5a665397a42952ca07f7ed470a7c64a7c8913630f1e
+  metadata.gz: 58d19af0e853c217ca89f2167775195c7a44ebba26e4d9a682aabeb6a25b6af4
+  data.tar.gz: 15d2c9faa90c17d33772df3ce0eacccecb090e7310af47ab1d82bca6448a2a11
 SHA512:
-  metadata.gz: 6293206a2f96b9a349fe3f40f1f42fa81727e38e8333149b60df3bfd56afb39fced4f23c2643eb6fd477bf5b8095e1b31b70cd8f5abbe9d7c577fab225fadfa5
-  data.tar.gz: b5bffb0c64df5ba0640b1fbc0d4b75ca3e672f3172a4cd9c97280a35681be4419e82ac93b4093c6b2889c05fb26dd02e651e14c75e0aed98006ddadda2ca181d
+  metadata.gz: dc169a10649b5f6cdfb8488bd16cbb7cab049081e7a6c53821cfab497e8035c7843c690e3bffcffc571bf2f610e5f2b7eee80283f622262d5ff9f1f20c8ef210
+  data.tar.gz: ed371d7bec363bafe775d5a1ed3d11a1002f96589c142c662afabc1862c71314427fc07004d0bfa4bc2ac5078f0c0b38410ccca1ee738594223a1a3a336ffa14

data/CHANGELOG.md

@@ -1,29 +1,18 @@
-## Rails 5.2.4.4 (September 09, 2020) ##
+## Rails 6.0.0.beta1 (January 18, 2019) ##
 
-*   [CVE-2020-15169] Fix potential XSS vulnerability in the `translate`/`t` helper
+*   Remove deprecated `image_alt` helper.
 
-    *Jonathan Hefner*
-
-
-## Rails 5.2.4.3 (May 18, 2020) ##
-
-*   [CVE-2020-8167] Check that request is same-origin prior to including CSRF token in XHRs
-
-
-## Rails 5.2.4.1 (December 18, 2019) ##
-
-*   No changes.
-
-
-## Rails 5.2.4 (November 27, 2019) ##
+    *Rafael Mendonça França*
 
-*   Allow programmatic click events to trigger Rails UJS click handlers.
-    Programmatic click events (eg. ones generated by `Rails.fire(link, "click")`) don't specify a button. These events were being incorrectly stopped by code meant to ignore scroll wheel and right clicks introduced in #34573.
+*   Fix the need of `#protect_against_forgery?` method defined in
+    `ActionView::Base` subclasses. This prevents the use of forms and buttons.
 
-    *Sudara Williams*
+    *Genadi Samokovarov*
 
+*   Fix UJS permanently showing disabled text in a[data-remote][data-disable-with] elements within forms.
+    Fixes #33889
 
-## Rails 5.2.3 (March 27, 2019) ##
+    *Wolfgang Hobmaier*
 
 *   Prevent non-primary mouse keys from triggering Rails UJS click handlers.
     Firefox fires click events even if the click was triggered by non-primary mouse keys such as right- or scroll-wheel-clicks.
@@ -37,37 +26,50 @@
 
     *Wolfgang Hobmaier*
 
+*   Prevent `ActionView::TextHelper#word_wrap` from unexpectedly stripping white space from the _left_ side of lines.
 
-## Rails 5.2.2.1 (March 11, 2019) ##
+    For example, given input like this:
 
-*   Only accept formats from registered mime types
+    ```
+        This is a paragraph with an initial indent,
+    followed by additional lines that are not indented,
+    and finally terminated with a blockquote:
+      "A pithy saying"
+    ```
+
+    Calling `word_wrap` should not trim the indents on the first and last lines.
 
-    A lack of filtering on mime types could allow an attacker to read
-    arbitrary files on the target server or to perform a denial of service
-    attack.
+    Fixes #34487
 
-    Fixes CVE-2019-5418
-    Fixes CVE-2019-5419
+    *Lyle Mullican*
 
-    *John Hawthorn*, *Eileen M. Uchitelle*, *Aaron Patterson*
+*   Add allocations to template rendering instrumentation.
 
+    Adds the allocations for template and partial rendering to the server output on render.
 
-## Rails 5.2.2 (December 04, 2018) ##
+    ```
+      Rendered posts/_form.html.erb (Duration: 7.1ms | Allocations: 6004)
+      Rendered posts/new.html.erb within layouts/application (Duration: 8.3ms | Allocations: 6654)
+    Completed 200 OK in 858ms (Views: 848.4ms | ActiveRecord: 0.4ms | Allocations: 1539564)
+    ```
 
-*   No changes.
+    *Eileen M. Uchitelle*, *Aaron Patterson*
 
+*   Respect the `only_path` option passed to `url_for` when the options are passed in as an array
 
-## Rails 5.2.1.1 (November 27, 2018) ##
+    Fixes #33237.
 
-*   No changes.
+    *Joel Ambass*
 
+*   Deprecate calling private model methods from view helpers.
 
-## Rails 5.2.1 (August 07, 2018) ##
+    For example, in methods like `options_from_collection_for_select`
+    and `collection_select` it is possible to call private methods from
+    the objects used.
 
-*   Fix leak of `skip_default_ids` and `allow_method_names_outside_object` options
-    to HTML attributes.
+    Fixes #33546.
 
-    *Yurii Cherniavskyi*
+    *Ana María Martínez Gómez*
 
 *   Fix issue with `button_to`'s `to_form_params`
 
@@ -80,97 +82,110 @@
 
     *Georgi Georgiev*
 
-*   Fix JavaScript views rendering does not work with Firefox when using
-    Content Security Policy.
-
-    Fixes #32577.
-
-    *Yuji Yaginuma*
-
-*   Add the `nonce: true` option for `javascript_include_tag` helper to
-    support automatic nonce generation for Content Security Policy.
-    Works the same way as `javascript_tag nonce: true` does.
+*   Mark arrays of translations as trusted safe by using the `_html` suffix.
 
-    *Yaroslav Markin*
+    Example:
 
+        en:
+          foo_html:
+            - "One"
+            - "<strong>Two</strong>"
+            - "Three &#128075; &#128578;"
 
-## Rails 5.2.0 (April 09, 2018) ##
+    *Juan Broullon*
 
-*   Pass the `:skip_pipeline` option in `image_submit_tag` when calling `path_to_image`.
+*   Add `year_format` option to date_select tag. This option makes it possible to customize year
+    names. Lambda should be passed to use this option.
 
-    Fixes #32248.
+    Example:
 
-    *Andrew White*
+        date_select('user_birthday', '', start_year: 1998, end_year: 2000, year_format: ->year { "Heisei #{year - 1988}" })
 
-*   Allow the use of callable objects as group methods for grouped selects.
+    The HTML produced:
 
-    Until now, the `option_groups_from_collection_for_select` method was only able to
-    handle method names as `group_method` and `group_label_method` parameters,
-    it is now able to receive procs and other callable objects too.
+        <select id="user_birthday__1i" name="user_birthday[(1i)]">
+        <option value="1998">Heisei 10</option>
+        <option value="1999">Heisei 11</option>
+        <option value="2000">Heisei 12</option>
+        </select>
+        /* The rest is omitted */
 
-    *Jérémie Bonal*
+    *Koki Ryu*
 
-*   Add `preload_link_tag` helper.
+*   Fix JavaScript views rendering does not work with Firefox when using
+    Content Security Policy.
 
-    This helper that allows to the browser to initiate early fetch of resources
-    (different to the specified in `javascript_include_tag` and `stylesheet_link_tag`).
-    Additionally, this sends Early Hints if supported by browser.
+    Fixes #32577.
 
-    *Guillermo Iguaran*
+    *Yuji Yaginuma*
 
-*   Change `form_with` to generates ids by default.
+*   Add the `nonce: true` option for `javascript_include_tag` helper to
+    support automatic nonce generation for Content Security Policy.
+    Works the same way as `javascript_tag nonce: true` does.
 
-    When `form_with` was introduced we disabled the automatic generation of ids
-    that was enabled in `form_for`. This usually is not an good idea since labels don't work
-    when the input doesn't have an id and it made harder to test with Capybara.
+    *Yaroslav Markin*
 
-    You can still disable the automatic generation of ids setting `config.action_view.form_with_generates_ids`
-    to `false.`
+*   Remove `ActionView::Helpers::RecordTagHelper`.
 
-    *Nick Pezza*
+    *Yoshiyuki Hirano*
 
-*   Fix issues with `field_error_proc` wrapping `optgroup` and select divider `option`.
+*   Disable `ActionView::Template` finalizers in test environment.
 
-    Fixes #31088
+    Template finalization can be expensive in large view test suites.
+    Add a configuration option,
+    `action_view.finalize_compiled_template_methods`, and turn it off in
+    the test environment.
 
-    *Matthias Neumayr*
+    *Simon Coffey*
 
-*   Remove deprecated Erubis ERB handler.
+*   Extract the `confirm` call in its own, overridable method in `rails_ujs`.
 
-    *Rafael Mendonça França*
+    Example:
 
-*   Remove default `alt` text generation.
+        Rails.confirm = function(message, element) {
+          return (my_bootstrap_modal_confirm(message));
+        }
 
-    Fixes #30096
+    *Mathieu Mahé*
 
-    *Cameron Cundiff*
+*   Enable select tag helper to mark `prompt` option as `selected` and/or `disabled` for `required`
+    field.
 
-*   Add `srcset` option to `image_tag` helper.
+    Example:
 
-    *Roberto Miranda*
+        select :post,
+               :category,
+               ["lifestyle", "programming", "spiritual"],
+               { selected: "", disabled: "", prompt: "Choose one" },
+               { required: true }
 
-*   Fix issues with scopes and engine on `current_page?` method.
+    Placeholder option would be selected and disabled.
 
-    Fixes #29401.
+    The HTML produced:
 
-    *Nikita Savrov*
+        <select required="required" name="post[category]" id="post_category">
+        <option disabled="disabled" selected="selected" value="">Choose one</option>
+        <option value="lifestyle">lifestyle</option>
+        <option value="programming">programming</option>
+        <option value="spiritual">spiritual</option></select>
 
-*   Generate field ids in `collection_check_boxes` and `collection_radio_buttons`.
+    *Sergey Prikhodko*
 
-    This makes sure that the labels are linked up with the fields.
+*   Don't enforce UTF-8 by default.
 
-    Fixes #29014.
+    With the disabling of TLS 1.0 by most major websites, continuing to run
+    IE8 or lower becomes increasingly difficult so default to not enforcing
+    UTF-8 encoding as it's not relevant to other browsers.
 
-    *Yuji Yaginuma*
+    *Andrew White*
 
-*   Add `:json` type to `auto_discovery_link_tag` to support [JSON Feeds](https://jsonfeed.org/version/1).
+*   Change translation key of `submit_tag` from `module_name_class_name` to `module_name/class_name`.
 
-    *Mike Gunderloy*
+    *Rui Onodera*
 
-*   Update `distance_of_time_in_words` helper to display better error messages
-    for bad input.
+*   Rails 6 requires Ruby 2.5.0 or newer.
 
-    *Jay Hayes*
+    *Jeremy Daer*, *Kasper Timm Hansen*
 
 
-Please check [5-1-stable](https://github.com/rails/rails/blob/5-1-stable/actionview/CHANGELOG.md) for previous changes.
+Please check [5-2-stable](https://github.com/rails/rails/blob/5-2-stable/actionview/CHANGELOG.md) for previous changes.

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2004-2018 David Heinemeier Hansson
+Copyright (c) 2004-2019 David Heinemeier Hansson
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.rdoc

@@ -13,7 +13,7 @@ The latest version of Action View can be installed with RubyGems:
 
 Source code can be downloaded as part of the Rails project on GitHub:
 
-* https://github.com/rails/rails/tree/5-2-stable/actionview
+* https://github.com/rails/rails/tree/master/actionview
 
 
 == License

data/lib/action_view.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 #--
-# Copyright (c) 2004-2018 David Heinemeier Hansson
+# Copyright (c) 2004-2019 David Heinemeier Hansson
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the

data/lib/action_view/buffers.rb

@@ -3,6 +3,21 @@
 require "active_support/core_ext/string/output_safety"
 
 module ActionView
+  # Used as a buffer for views
+  #
+  # The main difference between this and ActiveSupport::SafeBuffer
+  # is for the methods `<<` and `safe_expr_append=` the inputs are
+  # checked for nil before they are assigned and `to_s` is called on
+  # the input. For example:
+  #
+  #   obuf = ActionView::OutputBuffer.new "hello"
+  #   obuf << 5
+  #   puts obuf # => "hello5"
+  #
+  #   sbuf = ActiveSupport::SafeBuffer.new "hello"
+  #   sbuf << 5
+  #   puts sbuf # => "hello\u0005"
+  #
   class OutputBuffer < ActiveSupport::SafeBuffer #:nodoc:
     def initialize(*)
       super

data/lib/action_view/context.rb

@@ -10,10 +10,11 @@ module ActionView
   # Action View contexts are supplied to Action Controller to render a template.
   # The default Action View context is ActionView::Base.
   #
-  # In order to work with ActionController, a Context must just include this module.
-  # The initialization of the variables used by the context (@output_buffer, @view_flow,
-  # and @virtual_path) is responsibility of the object that includes this module
-  # (although you can call _prepare_context defined below).
+  # In order to work with Action Controller, a Context must just include this
+  # module. The initialization of the variables used by the context
+  # (@output_buffer, @view_flow, and @virtual_path) is responsibility of the
+  # object that includes this module (although you can call _prepare_context
+  # defined below).
   module Context
     include CompiledTemplates
     attr_accessor :output_buffer, :view_flow

data/lib/action_view/digestor.rb

@@ -1,8 +1,6 @@
 # frozen_string_literal: true
 
-require "concurrent/map"
 require "action_view/dependency_tracker"
-require "monitor"
 
 module ActionView
   class Digestor
@@ -20,9 +18,12 @@ module ActionView
       # * <tt>name</tt>   - Template name
       # * <tt>finder</tt>  - An instance of <tt>ActionView::LookupContext</tt>
       # * <tt>dependencies</tt>  - An array of dependent views
-      def digest(name:, finder:, dependencies: [])
-        dependencies ||= []
-        cache_key = [ name, finder.rendered_format, dependencies ].flatten.compact.join(".")
+      def digest(name:, finder:, dependencies: nil)
+        if dependencies.nil? || dependencies.empty?
+          cache_key = "#{name}.#{finder.rendered_format}"
+        else
+          cache_key = [ name, finder.rendered_format, dependencies ].flatten.compact.join(".")
+        end
 
         # this is a correctly done double-checked locking idiom
         # (Concurrent::Map's lookups have volatile semantics)
@@ -32,7 +33,7 @@ module ActionView
             root = tree(name, finder, partial)
             dependencies.each do |injected_dep|
               root.children << Injected.new(injected_dep, nil, nil)
-            end
+            end if dependencies
             finder.digest_cache[cache_key] = root.digest(finder)
           end
         end

data/lib/action_view/gem_version.rb

@@ -7,10 +7,10 @@ module ActionView
   end
 
   module VERSION
-    MAJOR = 5
-    MINOR = 2
-    TINY  = 4
-    PRE   = "4"
+    MAJOR = 6
+    MINOR = 0
+    TINY  = 0
+    PRE   = "beta1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

data/lib/action_view/helpers.rb

@@ -23,7 +23,6 @@ module ActionView #:nodoc:
     autoload :JavaScriptHelper, "action_view/helpers/javascript_helper"
     autoload :NumberHelper
     autoload :OutputSafetyHelper
-    autoload :RecordTagHelper
     autoload :RenderingHelper
     autoload :SanitizeHelper
     autoload :TagHelper
@@ -57,7 +56,6 @@ module ActionView #:nodoc:
     include JavaScriptHelper
     include NumberHelper
     include OutputSafetyHelper
-    include RecordTagHelper
     include RenderingHelper
     include SanitizeHelper
     include TagHelper

data/lib/action_view/helpers/asset_tag_helper.rb

@@ -55,7 +55,7 @@ module ActionView
       #   that path.
       # * <tt>:skip_pipeline</tt>  - This option is used to bypass the asset pipeline
       #   when it is set to true.
-      # * <tt>:nonce<tt>  - When set to true, adds an automatic nonce value if
+      # * <tt>:nonce</tt>  - When set to true, adds an automatic nonce value if
       #   you have Content Security Policy enabled.
       #
       # ==== Examples
@@ -98,7 +98,7 @@ module ActionView
           if tag_options["nonce"] == true
             tag_options["nonce"] = content_security_policy_nonce
           end
-          content_tag("script".freeze, "", tag_options)
+          content_tag("script", "", tag_options)
         }.join("\n").html_safe
 
         request.send_early_hints("Link" => early_hints_links.join("\n")) if respond_to?(:request) && request
@@ -333,9 +333,9 @@ module ActionView
       #
       #   image_tag(user.avatar)
       #   # => <img src="/rails/active_storage/blobs/.../tiger.jpg" />
-      #   image_tag(user.avatar.variant(resize: "100x100"))
+      #   image_tag(user.avatar.variant(resize_to_fit: [100, 100]))
       #   # => <img src="/rails/active_storage/variants/.../tiger.jpg" />
-      #   image_tag(user.avatar.variant(resize: "100x100"), size: '100')
+      #   image_tag(user.avatar.variant(resize_to_fit: [100, 100]), size: '100')
       #   # => <img width="100" height="100" src="/rails/active_storage/variants/.../tiger.jpg" />
       def image_tag(source, options = {})
         options = options.symbolize_keys
@@ -355,29 +355,6 @@ module ActionView
         tag("img", options)
       end
 
-      # Returns a string suitable for an HTML image tag alt attribute.
-      # The +src+ argument is meant to be an image file path.
-      # The method removes the basename of the file path and the digest,
-      # if any. It also removes hyphens and underscores from file names and
-      # replaces them with spaces, returning a space-separated, titleized
-      # string.
-      #
-      # ==== Examples
-      #
-      #   image_alt('rails.png')
-      #   # => Rails
-      #
-      #   image_alt('hyphenated-file-name.png')
-      #   # => Hyphenated file name
-      #
-      #   image_alt('underscored_file_name.png')
-      #   # => Underscored file name
-      def image_alt(src)
-        ActiveSupport::Deprecation.warn("image_alt is deprecated and will be removed from Rails 6.0. You must explicitly set alt text on images.")
-
-        File.basename(src, ".*".freeze).sub(/-[[:xdigit:]]{32,64}\z/, "".freeze).tr("-_".freeze, " ".freeze).capitalize
-      end
-
       # Returns an HTML video tag for the +sources+. If +sources+ is a string,
       # a single video tag will be returned. If +sources+ is an array, a video
       # tag with nested source tags for each source will be returned. The