actionview 5.2.4.4 → 6.1.1

data/lib/action_view/helpers/sanitize_helper.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require "active_support/core_ext/object/try"
 require "rails-html-sanitizer"
 
 module ActionView
@@ -10,14 +9,14 @@ module ActionView
     # These helper methods extend Action View making them callable within your template files.
     module SanitizeHelper
       extend ActiveSupport::Concern
-      # Sanitizes HTML input, stripping all tags and attributes that aren't whitelisted.
+      # Sanitizes HTML input, stripping all but known-safe tags and attributes.
       #
       # It also strips href/src attributes with unsafe protocols like
       # <tt>javascript:</tt>, while also protecting against attempts to use Unicode,
       # ASCII, and hex character references to work around these protocol filters.
       # All special characters will be escaped.
       #
-      # The default sanitizer is Rails::Html::WhiteListSanitizer. See {Rails HTML
+      # The default sanitizer is Rails::Html::SafeListSanitizer. See {Rails HTML
       # Sanitizers}[https://github.com/rails/rails-html-sanitizer] for more information.
       #
       # Custom sanitization rules can also be provided.
@@ -40,7 +39,7 @@ module ActionView
       #
       #   <%= sanitize @comment.body %>
       #
-      # Providing custom whitelisted tags and attributes:
+      # Providing custom lists of permitted tags and attributes:
       #
       #   <%= sanitize @comment.body, tags: %w(strong em a), attributes: %w(href) %>
       #
@@ -80,12 +79,12 @@ module ActionView
       #   config.action_view.sanitized_allowed_tags = ['strong', 'em', 'a']
       #   config.action_view.sanitized_allowed_attributes = ['href', 'title']
       def sanitize(html, options = {})
-        self.class.white_list_sanitizer.sanitize(html, options).try(:html_safe)
+        self.class.safe_list_sanitizer.sanitize(html, options)&.html_safe
       end
 
       # Sanitizes a block of CSS code. Used by +sanitize+ when it comes across a style attribute.
       def sanitize_css(style)
-        self.class.white_list_sanitizer.sanitize_css(style)
+        self.class.safe_list_sanitizer.sanitize_css(style)
       end
 
       # Strips all HTML tags from +html+, including comments and special characters.
@@ -123,20 +122,18 @@ module ActionView
       end
 
       module ClassMethods #:nodoc:
-        attr_writer :full_sanitizer, :link_sanitizer, :white_list_sanitizer
+        attr_writer :full_sanitizer, :link_sanitizer, :safe_list_sanitizer
 
-        # Vendors the full, link and white list sanitizers.
-        # Provided strictly for compatibility and can be removed in Rails 5.1.
         def sanitizer_vendor
           Rails::Html::Sanitizer
         end
 
         def sanitized_allowed_tags
-          sanitizer_vendor.white_list_sanitizer.allowed_tags
+          sanitizer_vendor.safe_list_sanitizer.allowed_tags
         end
 
         def sanitized_allowed_attributes
-          sanitizer_vendor.white_list_sanitizer.allowed_attributes
+          sanitizer_vendor.safe_list_sanitizer.allowed_attributes
         end
 
         # Gets the Rails::Html::FullSanitizer instance used by +strip_tags+. Replace with
@@ -145,7 +142,6 @@ module ActionView
         #   class Application < Rails::Application
         #     config.action_view.full_sanitizer = MySpecialSanitizer.new
         #   end
-        #
         def full_sanitizer
           @full_sanitizer ||= sanitizer_vendor.full_sanitizer.new
         end
@@ -156,20 +152,18 @@ module ActionView
         #   class Application < Rails::Application
         #     config.action_view.link_sanitizer = MySpecialSanitizer.new
         #   end
-        #
         def link_sanitizer
           @link_sanitizer ||= sanitizer_vendor.link_sanitizer.new
         end
 
-        # Gets the Rails::Html::WhiteListSanitizer instance used by sanitize and +sanitize_css+.
+        # Gets the Rails::Html::SafeListSanitizer instance used by sanitize and +sanitize_css+.
         # Replace with any object that responds to +sanitize+.
         #
         #   class Application < Rails::Application
-        #     config.action_view.white_list_sanitizer = MySpecialSanitizer.new
+        #     config.action_view.safe_list_sanitizer = MySpecialSanitizer.new
         #   end
-        #
-        def white_list_sanitizer
-          @white_list_sanitizer ||= sanitizer_vendor.white_list_sanitizer.new
+        def safe_list_sanitizer
+          @safe_list_sanitizer ||= sanitizer_vendor.safe_list_sanitizer.new
         end
       end
     end

data/lib/action_view/helpers/tag_helper.rb

@@ -13,19 +13,27 @@ module ActionView
       include CaptureHelper
       include OutputSafetyHelper
 
-      BOOLEAN_ATTRIBUTES = %w(allowfullscreen async autofocus autoplay checked
-                              compact controls declare default defaultchecked
-                              defaultmuted defaultselected defer disabled
-                              enabled formnovalidate hidden indeterminate inert
-                              ismap itemscope loop multiple muted nohref
-                              noresize noshade novalidate nowrap open
-                              pauseonexit readonly required reversed scoped
-                              seamless selected sortable truespeed typemustmatch
-                              visible).to_set
+      BOOLEAN_ATTRIBUTES = %w(allowfullscreen allowpaymentrequest async autofocus
+                              autoplay checked compact controls declare default
+                              defaultchecked defaultmuted defaultselected defer
+                              disabled enabled formnovalidate hidden indeterminate
+                              inert ismap itemscope loop multiple muted nohref
+                              nomodule noresize noshade novalidate nowrap open
+                              pauseonexit playsinline readonly required reversed
+                              scoped seamless selected sortable truespeed
+                              typemustmatch visible).to_set
 
       BOOLEAN_ATTRIBUTES.merge(BOOLEAN_ATTRIBUTES.map(&:to_sym))
+      BOOLEAN_ATTRIBUTES.freeze
 
-      TAG_PREFIXES = ["aria", "data", :aria, :data].to_set
+      ARIA_PREFIXES = ["aria", :aria].to_set.freeze
+      DATA_PREFIXES = ["data", :data].to_set.freeze
+
+      TAG_TYPES = {}
+      TAG_TYPES.merge! BOOLEAN_ATTRIBUTES.index_with(:boolean)
+      TAG_TYPES.merge! DATA_PREFIXES.index_with(:data)
+      TAG_TYPES.merge! ARIA_PREFIXES.index_with(:aria)
+      TAG_TYPES.freeze
 
       PRE_CONTENT_STRINGS             = Hash.new { "" }
       PRE_CONTENT_STRINGS[:textarea]  = "\n"
@@ -41,6 +49,10 @@ module ActionView
           @view_context = view_context
         end
 
+        def p(*arguments, **options, &block)
+          tag_string(:p, *arguments, **options, &block)
+        end
+
         def tag_string(name, content = nil, escape_attributes: true, **options, &block)
           content = @view_context.capture(self, &block) if block_given?
           if VOID_ELEMENTS.include?(name) && content.nil?
@@ -58,16 +70,34 @@ module ActionView
 
         def tag_options(options, escape = true)
           return if options.blank?
-          output = "".dup
+          output = +""
           sep    = " "
           options.each_pair do |key, value|
-            if TAG_PREFIXES.include?(key) && value.is_a?(Hash)
+            type = TAG_TYPES[key]
+            if type == :data && value.is_a?(Hash)
+              value.each_pair do |k, v|
+                next if v.nil?
+                output << sep
+                output << prefix_tag_option(key, k, v, escape)
+              end
+            elsif type == :aria && value.is_a?(Hash)
               value.each_pair do |k, v|
                 next if v.nil?
+
+                case v
+                when Array, Hash
+                  tokens = TagHelper.build_tag_values(v)
+                  next if tokens.none?
+
+                  v = safe_join(tokens, " ")
+                else
+                  v = v.to_s
+                end
+
                 output << sep
                 output << prefix_tag_option(key, k, v, escape)
               end
-            elsif BOOLEAN_ATTRIBUTES.include?(key)
+            elsif type == :boolean
               if value
                 output << sep
                 output << boolean_tag_option(key)
@@ -85,12 +115,15 @@ module ActionView
         end
 
         def tag_option(key, value, escape)
-          if value.is_a?(Array)
-            value = escape ? safe_join(value, " ".freeze) : value.join(" ".freeze)
+          case value
+          when Array, Hash
+            value = TagHelper.build_tag_values(value) if key.to_s == "class"
+            value = escape ? safe_join(value, " ") : value.join(" ")
           else
             value = escape ? ERB::Util.unwrapped_html_escape(value) : value.to_s
           end
-          %(#{key}="#{value.gsub('"'.freeze, '&quot;'.freeze)}")
+          value = value.gsub('"', "&quot;") if value.include?('"')
+          %(#{key}="#{value}")
         end
 
         private
@@ -106,8 +139,8 @@ module ActionView
             true
           end
 
-          def method_missing(called, *args, &block)
-            tag_string(called, *args, &block)
+          def method_missing(called, *args, **options, &block)
+            tag_string(called, *args, **options, &block)
           end
       end
 
@@ -151,8 +184,8 @@ module ActionView
       #   tag.input type: 'text', disabled: true
       #   # => <input type="text" disabled="disabled">
       #
-      # HTML5 <tt>data-*</tt> attributes can be set with a single +data+ key
-      # pointing to a hash of sub-attributes.
+      # HTML5 <tt>data-*</tt> and <tt>aria-*</tt> attributes can be set with a
+      # single +data+ or +aria+ key pointing to a hash of sub-attributes.
       #
       # To play nicely with JavaScript conventions, sub-attributes are dasherized.
       #
@@ -227,11 +260,14 @@ module ActionView
       #   tag("img", src: "open & shut.png")
       #   # => <img src="open &amp; shut.png" />
       #
-      #   tag("img", {src: "open &amp; shut.png"}, false, false)
+      #   tag("img", { src: "open &amp; shut.png" }, false, false)
       #   # => <img src="open &amp; shut.png" />
       #
-      #   tag("div", data: {name: 'Stephen', city_state: %w(Chicago IL)})
+      #   tag("div", data: { name: 'Stephen', city_state: %w(Chicago IL) })
       #   # => <div data-name="Stephen" data-city-state="[&quot;Chicago&quot;,&quot;IL&quot;]" />
+      #
+      #   tag("div", class: { highlight: current_user.admin? })
+      #   # => <div class="highlight" />
       def tag(name = nil, options = nil, open = false, escape = true)
         if name.nil?
           tag_builder
@@ -259,6 +295,8 @@ module ActionView
       #    # => <div class="strong"><p>Hello world!</p></div>
       #   content_tag(:div, "Hello world!", class: ["strong", "highlight"])
       #    # => <div class="strong highlight">Hello world!</div>
+      #   content_tag(:div, "Hello world!", class: ["strong", { highlight: current_user.admin? }])
+      #    # => <div class="strong highlight">Hello world!</div>
       #   content_tag("select", options, multiple: true)
       #    # => <select multiple="multiple">...options...</select>
       #
@@ -275,6 +313,24 @@ module ActionView
         end
       end
 
+      # Returns a string of tokens built from +args+.
+      #
+      # ==== Examples
+      #   token_list("foo", "bar")
+      #    # => "foo bar"
+      #   token_list("foo", "foo bar")
+      #    # => "foo bar"
+      #   token_list({ foo: true, bar: false })
+      #    # => "foo"
+      #   token_list(nil, false, 123, "", "foo", { bar: true })
+      #    # => "123 foo bar"
+      def token_list(*args)
+        tokens = build_tag_values(*args).flat_map { |value| value.to_s.split(/\s+/) }.uniq
+
+        safe_join(tokens, " ")
+      end
+      alias_method :class_names, :token_list
+
       # Returns a CDATA section with the given +content+. CDATA sections
       # are used to escape blocks of text containing characters which would
       # otherwise be recognized as markup. CDATA sections begin with the string
@@ -305,6 +361,26 @@ module ActionView
       end
 
       private
+        def build_tag_values(*args)
+          tag_values = []
+
+          args.each do |tag_value|
+            case tag_value
+            when Hash
+              tag_value.each do |key, val|
+                tag_values << key.to_s if val && key.present?
+              end
+            when Array
+              tag_values.concat build_tag_values(*tag_value)
+            else
+              tag_values << tag_value.to_s if tag_value.present?
+            end
+          end
+
+          tag_values
+        end
+        module_function :build_tag_values
+
         def tag_builder
           @tag_builder ||= TagBuilder.new(self)
         end

data/lib/action_view/helpers/tags/base.rb

@@ -34,7 +34,6 @@ module ActionView
         end
 
         private
-
           def value
             if @allow_method_names_outside_object
               object.public_send @method_name if object && object.respond_to?(@method_name)
@@ -106,19 +105,19 @@ module ActionView
           end
 
           def tag_name(multiple = false, index = nil)
-            # a little duplication to construct less strings
+            # a little duplication to construct fewer strings
             case
             when @object_name.empty?
-              "#{sanitized_method_name}#{"[]" if multiple}"
+              "#{sanitized_method_name}#{multiple ? "[]" : ""}"
             when index
-              "#{@object_name}[#{index}][#{sanitized_method_name}]#{"[]" if multiple}"
+              "#{@object_name}[#{index}][#{sanitized_method_name}]#{multiple ? "[]" : ""}"
             else
-              "#{@object_name}[#{sanitized_method_name}]#{"[]" if multiple}"
+              "#{@object_name}[#{sanitized_method_name}]#{multiple ? "[]" : ""}"
             end
           end
 
           def tag_id(index = nil)
-            # a little duplication to construct less strings
+            # a little duplication to construct fewer strings
             case
             when @object_name.empty?
               sanitized_method_name.dup
@@ -130,15 +129,15 @@ module ActionView
           end
 
           def sanitized_object_name
-            @sanitized_object_name ||= @object_name.gsub(/\]\[|[^-a-zA-Z0-9:.]/, "_").sub(/_$/, "")
+            @sanitized_object_name ||= @object_name.gsub(/\]\[|[^-a-zA-Z0-9:.]/, "_").delete_suffix("_")
           end
 
           def sanitized_method_name
-            @sanitized_method_name ||= @method_name.sub(/\?$/, "")
+            @sanitized_method_name ||= @method_name.delete_suffix("?")
           end
 
           def sanitized_value(value)
-            value.to_s.gsub(/\s/, "_").gsub(/[^-[[:word:]]]/, "").mb_chars.downcase.to_s
+            value.to_s.gsub(/[\s\.]/, "_").gsub(/[^-[[:word:]]]/, "").downcase
           end
 
           def select_content_tag(option_tags, options, html_options)
@@ -167,11 +166,19 @@ module ActionView
 
           def add_options(option_tags, options, value = nil)
             if options[:include_blank]
-              option_tags = tag_builder.content_tag_string("option", options[:include_blank].kind_of?(String) ? options[:include_blank] : nil, value: "") + "\n" + option_tags
+              content = (options[:include_blank] if options[:include_blank].is_a?(String))
+              label = (" " unless content)
+              option_tags = tag_builder.content_tag_string("option", content, value: "", label: label) + "\n" + option_tags
             end
+
             if value.blank? && options[:prompt]
-              option_tags = tag_builder.content_tag_string("option", prompt_text(options[:prompt]), value: "") + "\n" + option_tags
+              tag_options = { value: "" }.tap do |prompt_opts|
+                prompt_opts[:disabled] = true if options[:disabled] == ""
+                prompt_opts[:selected] = true if options[:selected] == ""
+              end
+              option_tags = tag_builder.content_tag_string("option", prompt_text(options[:prompt]), tag_options) + "\n" + option_tags
             end
+
             option_tags
           end
 

data/lib/action_view/helpers/tags/check_box.rb

@@ -39,7 +39,6 @@ module ActionView
         end
 
         private
-
           def checked?(value)
             case value
             when TrueClass, FalseClass

data/lib/action_view/helpers/tags/collection_check_boxes.rb

@@ -22,7 +22,6 @@ module ActionView
         end
 
         private
-
           def render_component(builder)
             builder.check_box + builder.label
           end

data/lib/action_view/helpers/tags/collection_helpers.rb

@@ -37,7 +37,6 @@ module ActionView
         end
 
         private
-
           def instantiate_builder(builder_class, item, value, text, html_options)
             builder_class.new(@template_object, @object_name, @method_name, item,
                               sanitize_attribute_name(value), text, value, html_options)

data/lib/action_view/helpers/tags/collection_radio_buttons.rb

@@ -21,7 +21,6 @@ module ActionView
         end
 
         private
-
           def render_component(builder)
             builder.radio_button + builder.label
           end

data/lib/action_view/helpers/tags/color_field.rb

@@ -12,10 +12,9 @@ module ActionView
         end
 
         private
-
           def validate_color_string(string)
             regex = /#[0-9a-fA-F]{6}/
-            if regex.match(string)
+            if regex.match?(string)
               string.downcase
             else
               "#000000"

data/lib/action_view/helpers/tags/date_field.rb

@@ -5,9 +5,8 @@ module ActionView
     module Tags # :nodoc:
       class DateField < DatetimeField # :nodoc:
         private
-
           def format_date(value)
-            value.try(:strftime, "%Y-%m-%d")
+            value&.strftime("%Y-%m-%d")
           end
       end
     end

data/lib/action_view/helpers/tags/date_select.rb

@@ -13,7 +13,7 @@ module ActionView
         end
 
         def render
-          error_wrapping(datetime_selector(@options, @html_options).send("select_#{select_type}").html_safe)
+          error_wrapping(datetime_selector(@options, @html_options).public_send("select_#{select_type}").html_safe)
         end
 
         class << self
@@ -23,7 +23,6 @@ module ActionView
         end
 
         private
-
           def select_type
             self.class.select_type
           end
@@ -59,7 +58,7 @@ module ActionView
               time = Time.current
 
               [:year, :month, :day, :hour, :min, :sec].each do |key|
-                default[key] ||= time.send(key)
+                default[key] ||= time.public_send(key)
               end
 
               Time.utc(