actionview 5.2.7.1 → 6.0.0.beta1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0b2a6c8b465b9914ab6831b8972018525cb2fc2a0c7f950a693ba7895ff52923
-  data.tar.gz: 1e9b4548ad481fed3e2b7dec7d256a611e858c8eee70e118d38daaa93f72f7b8
+  metadata.gz: 58d19af0e853c217ca89f2167775195c7a44ebba26e4d9a682aabeb6a25b6af4
+  data.tar.gz: 15d2c9faa90c17d33772df3ce0eacccecb090e7310af47ab1d82bca6448a2a11
 SHA512:
-  metadata.gz: a2e838a423037a30cf4e4e12e8aab64c8e8493f1a370f921be0f7cfbfa92669da4f13cf7cd3c03c42d2c3a2f516b661ba1ca7baa4cf409bf3709b12d3b9692af
-  data.tar.gz: a705450df376aa7abcdd1762ee4f5a9cfc3165bd5102c7c82a7209f8910bd8d46f52d014c3a3feb5f22bfac327414dfeacd75d948b0e2f0ae5d746f0aab71dc7
+  metadata.gz: dc169a10649b5f6cdfb8488bd16cbb7cab049081e7a6c53821cfab497e8035c7843c690e3bffcffc571bf2f610e5f2b7eee80283f622262d5ff9f1f20c8ef210
+  data.tar.gz: ed371d7bec363bafe775d5a1ed3d11a1002f96589c142c662afabc1862c71314427fc07004d0bfa4bc2ac5078f0c0b38410ccca1ee738594223a1a3a336ffa14

data/CHANGELOG.md

@@ -1,90 +1,18 @@
-## Rails 5.2.7.1 (April 26, 2022) ##
+## Rails 6.0.0.beta1 (January 18, 2019) ##
 
-*   Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
+*   Remove deprecated `image_alt` helper.
 
-    Escape dangerous characters in names of tags and names of attributes in the
-    tag helpers, following the XML specification. Rename the option
-    `:escape_attributes` to `:escape`, to simplify by applying the option to the
-    whole tag.
-
-    *Álvaro Martín Fraguas*
-
-
-## Rails 5.2.7 (March 10, 2022) ##
-
-*   No changes.
-
-
-## Rails 5.2.6.3 (March 08, 2022) ##
-
-*   No changes.
-
-
-## Rails 5.2.6.2 (February 11, 2022) ##
-
-*   No changes.
-
-
-## Rails 5.2.6.1 (February 11, 2022) ##
-
-*   No changes.
-
-
-## Rails 5.2.6 (May 05, 2021) ##
-
-*   No changes.
-
-
-## Rails 5.2.5 (March 26, 2021) ##
-
-*   No changes.
-
-
-## Rails 5.2.4.6 (May 05, 2021) ##
-
-*   No changes.
-
-
-## Rails 5.2.4.5 (February 10, 2021) ##
-
-*   No changes.
-
-
-## Rails 5.2.4.4 (September 09, 2020) ##
-
-*   [CVE-2020-15169] Fix potential XSS vulnerability in the `translate`/`t` helper
-
-    *Jonathan Hefner*
-
-
-## Rails 5.2.4.3 (May 18, 2020) ##
-
-*   [CVE-2020-8167] Check that request is same-origin prior to including CSRF token in XHRs
-
-
-## Rails 5.2.4.2 (March 19, 2020) ##
-
-*   Fix possible XSS vector in `escape_javascript` helper
-
-    CVE-2020-5267
-
-    *Aaron Patterson*
-
-
-## Rails 5.2.4.1 (December 18, 2019) ##
-
-*   No changes.
-
-
-## Rails 5.2.4 (November 27, 2019) ##
+    *Rafael Mendonça França*
 
-*   Allow programmatic click events to trigger Rails UJS click handlers.
-    Programmatic click events (eg. ones generated by `Rails.fire(link, "click")`) don't specify a button. These events were being incorrectly stopped by code meant to ignore scroll wheel and right clicks introduced in #34573.
+*   Fix the need of `#protect_against_forgery?` method defined in
+    `ActionView::Base` subclasses. This prevents the use of forms and buttons.
 
-    *Sudara Williams*
+    *Genadi Samokovarov*
 
+*   Fix UJS permanently showing disabled text in a[data-remote][data-disable-with] elements within forms.
+    Fixes #33889
 
-## Rails 5.2.3 (March 27, 2019) ##
+    *Wolfgang Hobmaier*
 
 *   Prevent non-primary mouse keys from triggering Rails UJS click handlers.
     Firefox fires click events even if the click was triggered by non-primary mouse keys such as right- or scroll-wheel-clicks.
@@ -98,37 +26,50 @@
 
     *Wolfgang Hobmaier*
 
+*   Prevent `ActionView::TextHelper#word_wrap` from unexpectedly stripping white space from the _left_ side of lines.
+
+    For example, given input like this:
 
-## Rails 5.2.2.1 (March 11, 2019) ##
+    ```
+        This is a paragraph with an initial indent,
+    followed by additional lines that are not indented,
+    and finally terminated with a blockquote:
+      "A pithy saying"
+    ```
 
-*   Only accept formats from registered mime types
+    Calling `word_wrap` should not trim the indents on the first and last lines.
 
-    A lack of filtering on mime types could allow an attacker to read
-    arbitrary files on the target server or to perform a denial of service
-    attack.
+    Fixes #34487
 
-    Fixes CVE-2019-5418
-    Fixes CVE-2019-5419
+    *Lyle Mullican*
 
-    *John Hawthorn*, *Eileen M. Uchitelle*, *Aaron Patterson*
+*   Add allocations to template rendering instrumentation.
 
+    Adds the allocations for template and partial rendering to the server output on render.
 
-## Rails 5.2.2 (December 04, 2018) ##
+    ```
+      Rendered posts/_form.html.erb (Duration: 7.1ms | Allocations: 6004)
+      Rendered posts/new.html.erb within layouts/application (Duration: 8.3ms | Allocations: 6654)
+    Completed 200 OK in 858ms (Views: 848.4ms | ActiveRecord: 0.4ms | Allocations: 1539564)
+    ```
 
-*   No changes.
+    *Eileen M. Uchitelle*, *Aaron Patterson*
 
+*   Respect the `only_path` option passed to `url_for` when the options are passed in as an array
 
-## Rails 5.2.1.1 (November 27, 2018) ##
+    Fixes #33237.
 
-*   No changes.
+    *Joel Ambass*
 
+*   Deprecate calling private model methods from view helpers.
 
-## Rails 5.2.1 (August 07, 2018) ##
+    For example, in methods like `options_from_collection_for_select`
+    and `collection_select` it is possible to call private methods from
+    the objects used.
 
-*   Fix leak of `skip_default_ids` and `allow_method_names_outside_object` options
-    to HTML attributes.
+    Fixes #33546.
 
-    *Yurii Cherniavskyi*
+    *Ana María Martínez Gómez*
 
 *   Fix issue with `button_to`'s `to_form_params`
 
@@ -141,97 +82,110 @@
 
     *Georgi Georgiev*
 
-*   Fix JavaScript views rendering does not work with Firefox when using
-    Content Security Policy.
-
-    Fixes #32577.
-
-    *Yuji Yaginuma*
+*   Mark arrays of translations as trusted safe by using the `_html` suffix.
 
-*   Add the `nonce: true` option for `javascript_include_tag` helper to
-    support automatic nonce generation for Content Security Policy.
-    Works the same way as `javascript_tag nonce: true` does.
+    Example:
 
-    *Yaroslav Markin*
+        en:
+          foo_html:
+            - "One"
+            - "<strong>Two</strong>"
+            - "Three &#128075; &#128578;"
 
+    *Juan Broullon*
 
-## Rails 5.2.0 (April 09, 2018) ##
+*   Add `year_format` option to date_select tag. This option makes it possible to customize year
+    names. Lambda should be passed to use this option.
 
-*   Pass the `:skip_pipeline` option in `image_submit_tag` when calling `path_to_image`.
+    Example:
 
-    Fixes #32248.
+        date_select('user_birthday', '', start_year: 1998, end_year: 2000, year_format: ->year { "Heisei #{year - 1988}" })
 
-    *Andrew White*
-
-*   Allow the use of callable objects as group methods for grouped selects.
+    The HTML produced:
 
-    Until now, the `option_groups_from_collection_for_select` method was only able to
-    handle method names as `group_method` and `group_label_method` parameters,
-    it is now able to receive procs and other callable objects too.
+        <select id="user_birthday__1i" name="user_birthday[(1i)]">
+        <option value="1998">Heisei 10</option>
+        <option value="1999">Heisei 11</option>
+        <option value="2000">Heisei 12</option>
+        </select>
+        /* The rest is omitted */
 
-    *Jérémie Bonal*
+    *Koki Ryu*
 
-*   Add `preload_link_tag` helper.
+*   Fix JavaScript views rendering does not work with Firefox when using
+    Content Security Policy.
 
-    This helper that allows to the browser to initiate early fetch of resources
-    (different to the specified in `javascript_include_tag` and `stylesheet_link_tag`).
-    Additionally, this sends Early Hints if supported by browser.
+    Fixes #32577.
 
-    *Guillermo Iguaran*
+    *Yuji Yaginuma*
 
-*   Change `form_with` to generates ids by default.
+*   Add the `nonce: true` option for `javascript_include_tag` helper to
+    support automatic nonce generation for Content Security Policy.
+    Works the same way as `javascript_tag nonce: true` does.
 
-    When `form_with` was introduced we disabled the automatic generation of ids
-    that was enabled in `form_for`. This usually is not an good idea since labels don't work
-    when the input doesn't have an id and it made harder to test with Capybara.
+    *Yaroslav Markin*
 
-    You can still disable the automatic generation of ids setting `config.action_view.form_with_generates_ids`
-    to `false.`
+*   Remove `ActionView::Helpers::RecordTagHelper`.
 
-    *Nick Pezza*
+    *Yoshiyuki Hirano*
 
-*   Fix issues with `field_error_proc` wrapping `optgroup` and select divider `option`.
+*   Disable `ActionView::Template` finalizers in test environment.
 
-    Fixes #31088
+    Template finalization can be expensive in large view test suites.
+    Add a configuration option,
+    `action_view.finalize_compiled_template_methods`, and turn it off in
+    the test environment.
 
-    *Matthias Neumayr*
+    *Simon Coffey*
 
-*   Remove deprecated Erubis ERB handler.
+*   Extract the `confirm` call in its own, overridable method in `rails_ujs`.
 
-    *Rafael Mendonça França*
+    Example:
 
-*   Remove default `alt` text generation.
+        Rails.confirm = function(message, element) {
+          return (my_bootstrap_modal_confirm(message));
+        }
 
-    Fixes #30096
+    *Mathieu Mahé*
 
-    *Cameron Cundiff*
+*   Enable select tag helper to mark `prompt` option as `selected` and/or `disabled` for `required`
+    field.
 
-*   Add `srcset` option to `image_tag` helper.
+    Example:
 
-    *Roberto Miranda*
+        select :post,
+               :category,
+               ["lifestyle", "programming", "spiritual"],
+               { selected: "", disabled: "", prompt: "Choose one" },
+               { required: true }
 
-*   Fix issues with scopes and engine on `current_page?` method.
+    Placeholder option would be selected and disabled.
 
-    Fixes #29401.
+    The HTML produced:
 
-    *Nikita Savrov*
+        <select required="required" name="post[category]" id="post_category">
+        <option disabled="disabled" selected="selected" value="">Choose one</option>
+        <option value="lifestyle">lifestyle</option>
+        <option value="programming">programming</option>
+        <option value="spiritual">spiritual</option></select>
 
-*   Generate field ids in `collection_check_boxes` and `collection_radio_buttons`.
+    *Sergey Prikhodko*
 
-    This makes sure that the labels are linked up with the fields.
+*   Don't enforce UTF-8 by default.
 
-    Fixes #29014.
+    With the disabling of TLS 1.0 by most major websites, continuing to run
+    IE8 or lower becomes increasingly difficult so default to not enforcing
+    UTF-8 encoding as it's not relevant to other browsers.
 
-    *Yuji Yaginuma*
+    *Andrew White*
 
-*   Add `:json` type to `auto_discovery_link_tag` to support [JSON Feeds](https://jsonfeed.org/version/1).
+*   Change translation key of `submit_tag` from `module_name_class_name` to `module_name/class_name`.
 
-    *Mike Gunderloy*
+    *Rui Onodera*
 
-*   Update `distance_of_time_in_words` helper to display better error messages
-    for bad input.
+*   Rails 6 requires Ruby 2.5.0 or newer.
 
-    *Jay Hayes*
+    *Jeremy Daer*, *Kasper Timm Hansen*
 
 
-Please check [5-1-stable](https://github.com/rails/rails/blob/5-1-stable/actionview/CHANGELOG.md) for previous changes.
+Please check [5-2-stable](https://github.com/rails/rails/blob/5-2-stable/actionview/CHANGELOG.md) for previous changes.

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2004-2018 David Heinemeier Hansson
+Copyright (c) 2004-2019 David Heinemeier Hansson
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.rdoc

@@ -13,7 +13,7 @@ The latest version of Action View can be installed with RubyGems:
 
 Source code can be downloaded as part of the Rails project on GitHub:
 
-* https://github.com/rails/rails/tree/5-2-stable/actionview
+* https://github.com/rails/rails/tree/master/actionview
 
 
 == License

data/lib/action_view/buffers.rb

@@ -3,6 +3,21 @@
 require "active_support/core_ext/string/output_safety"
 
 module ActionView
+  # Used as a buffer for views
+  #
+  # The main difference between this and ActiveSupport::SafeBuffer
+  # is for the methods `<<` and `safe_expr_append=` the inputs are
+  # checked for nil before they are assigned and `to_s` is called on
+  # the input. For example:
+  #
+  #   obuf = ActionView::OutputBuffer.new "hello"
+  #   obuf << 5
+  #   puts obuf # => "hello5"
+  #
+  #   sbuf = ActiveSupport::SafeBuffer.new "hello"
+  #   sbuf << 5
+  #   puts sbuf # => "hello\u0005"
+  #
   class OutputBuffer < ActiveSupport::SafeBuffer #:nodoc:
     def initialize(*)
       super

data/lib/action_view/context.rb

@@ -10,10 +10,11 @@ module ActionView
   # Action View contexts are supplied to Action Controller to render a template.
   # The default Action View context is ActionView::Base.
   #
-  # In order to work with ActionController, a Context must just include this module.
-  # The initialization of the variables used by the context (@output_buffer, @view_flow,
-  # and @virtual_path) is responsibility of the object that includes this module
-  # (although you can call _prepare_context defined below).
+  # In order to work with Action Controller, a Context must just include this
+  # module. The initialization of the variables used by the context
+  # (@output_buffer, @view_flow, and @virtual_path) is responsibility of the
+  # object that includes this module (although you can call _prepare_context
+  # defined below).
   module Context
     include CompiledTemplates
     attr_accessor :output_buffer, :view_flow

data/lib/action_view/digestor.rb

@@ -1,8 +1,6 @@
 # frozen_string_literal: true
 
-require "concurrent/map"
 require "action_view/dependency_tracker"
-require "monitor"
 
 module ActionView
   class Digestor
@@ -20,9 +18,12 @@ module ActionView
       # * <tt>name</tt>   - Template name
       # * <tt>finder</tt>  - An instance of <tt>ActionView::LookupContext</tt>
       # * <tt>dependencies</tt>  - An array of dependent views
-      def digest(name:, finder:, dependencies: [])
-        dependencies ||= []
-        cache_key = [ name, finder.rendered_format, dependencies ].flatten.compact.join(".")
+      def digest(name:, finder:, dependencies: nil)
+        if dependencies.nil? || dependencies.empty?
+          cache_key = "#{name}.#{finder.rendered_format}"
+        else
+          cache_key = [ name, finder.rendered_format, dependencies ].flatten.compact.join(".")
+        end
 
         # this is a correctly done double-checked locking idiom
         # (Concurrent::Map's lookups have volatile semantics)
@@ -32,7 +33,7 @@ module ActionView
             root = tree(name, finder, partial)
             dependencies.each do |injected_dep|
               root.children << Injected.new(injected_dep, nil, nil)
-            end
+            end if dependencies
             finder.digest_cache[cache_key] = root.digest(finder)
           end
         end

data/lib/action_view/gem_version.rb

@@ -7,10 +7,10 @@ module ActionView
   end
 
   module VERSION
-    MAJOR = 5
-    MINOR = 2
-    TINY  = 7
-    PRE   = "1"
+    MAJOR = 6
+    MINOR = 0
+    TINY  = 0
+    PRE   = "beta1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

data/lib/action_view/helpers/asset_tag_helper.rb

@@ -55,7 +55,7 @@ module ActionView
       #   that path.
       # * <tt>:skip_pipeline</tt>  - This option is used to bypass the asset pipeline
       #   when it is set to true.
-      # * <tt>:nonce<tt>  - When set to true, adds an automatic nonce value if
+      # * <tt>:nonce</tt>  - When set to true, adds an automatic nonce value if
       #   you have Content Security Policy enabled.
       #
       # ==== Examples
@@ -98,7 +98,7 @@ module ActionView
           if tag_options["nonce"] == true
             tag_options["nonce"] = content_security_policy_nonce
           end
-          content_tag("script".freeze, "", tag_options)
+          content_tag("script", "", tag_options)
         }.join("\n").html_safe
 
         request.send_early_hints("Link" => early_hints_links.join("\n")) if respond_to?(:request) && request
@@ -333,9 +333,9 @@ module ActionView
       #
       #   image_tag(user.avatar)
       #   # => <img src="/rails/active_storage/blobs/.../tiger.jpg" />
-      #   image_tag(user.avatar.variant(resize: "100x100"))
+      #   image_tag(user.avatar.variant(resize_to_fit: [100, 100]))
       #   # => <img src="/rails/active_storage/variants/.../tiger.jpg" />
-      #   image_tag(user.avatar.variant(resize: "100x100"), size: '100')
+      #   image_tag(user.avatar.variant(resize_to_fit: [100, 100]), size: '100')
       #   # => <img width="100" height="100" src="/rails/active_storage/variants/.../tiger.jpg" />
       def image_tag(source, options = {})
         options = options.symbolize_keys
@@ -355,29 +355,6 @@ module ActionView
         tag("img", options)
       end
 
-      # Returns a string suitable for an HTML image tag alt attribute.
-      # The +src+ argument is meant to be an image file path.
-      # The method removes the basename of the file path and the digest,
-      # if any. It also removes hyphens and underscores from file names and
-      # replaces them with spaces, returning a space-separated, titleized
-      # string.
-      #
-      # ==== Examples
-      #
-      #   image_alt('rails.png')
-      #   # => Rails
-      #
-      #   image_alt('hyphenated-file-name.png')
-      #   # => Hyphenated file name
-      #
-      #   image_alt('underscored_file_name.png')
-      #   # => Underscored file name
-      def image_alt(src)
-        ActiveSupport::Deprecation.warn("image_alt is deprecated and will be removed from Rails 6.0. You must explicitly set alt text on images.")
-
-        File.basename(src, ".*".freeze).sub(/-[[:xdigit:]]{32,64}\z/, "".freeze).tr("-_".freeze, " ".freeze).capitalize
-      end
-
       # Returns an HTML video tag for the +sources+. If +sources+ is a string,
       # a single video tag will be returned. If +sources+ is an array, a video
       # tag with nested source tags for each source will be returned. The

data/lib/action_view/helpers/asset_url_helper.rb

@@ -98,8 +98,9 @@ module ActionView
     # have SSL certificates for each of the asset hosts this technique allows you
     # to avoid warnings in the client about mixed media.
     # Note that the +request+ parameter might not be supplied, e.g. when the assets
-    # are precompiled via a Rake task. Make sure to use a +Proc+ instead of a lambda,
-    # since a +Proc+ allows missing parameters and sets them to +nil+.
+    # are precompiled with the command `rails assets:precompile`. Make sure to use a
+    # +Proc+ instead of a lambda, since a +Proc+ allows missing parameters and sets them
+    # to +nil+.
     #
     #   config.action_controller.asset_host = Proc.new { |source, request|
     #     if request && request.ssl?
@@ -187,7 +188,7 @@ module ActionView
         return "" if source.blank?
         return source if URI_REGEXP.match?(source)
 
-        tail, source = source[/([\?#].+)$/], source.sub(/([\?#].+)$/, "".freeze)
+        tail, source = source[/([\?#].+)$/], source.sub(/([\?#].+)$/, "")
 
         if extname = compute_asset_extname(source, options)
           source = "#{source}#{extname}"

data/lib/action_view/helpers/cache_helper.rb

@@ -201,34 +201,42 @@ module ActionView
       end
 
       # This helper returns the name of a cache key for a given fragment cache
-      # call. By supplying +skip_digest:+ true to cache, the digestion of cache
+      # call. By supplying <tt>skip_digest: true</tt> to cache, the digestion of cache
       # fragments can be manually bypassed. This is useful when cache fragments
       # cannot be manually expired unless you know the exact key which is the
       # case when using memcached.
       #
       # The digest will be generated using +virtual_path:+ if it is provided.
       #
-      def cache_fragment_name(name = {}, skip_digest: nil, virtual_path: nil)
+      def cache_fragment_name(name = {}, skip_digest: nil, virtual_path: nil, digest_path: nil)
         if skip_digest
           name
         else
-          fragment_name_with_digest(name, virtual_path)
+          fragment_name_with_digest(name, virtual_path, digest_path)
+        end
+      end
+
+      def digest_path_from_virtual(virtual_path) # :nodoc:
+        digest = Digestor.digest(name: virtual_path, finder: lookup_context, dependencies: view_cache_dependencies)
+
+        if digest.present?
+          "#{virtual_path}:#{digest}"
+        else
+          virtual_path
         end
       end
 
     private
 
-      def fragment_name_with_digest(name, virtual_path)
+      def fragment_name_with_digest(name, virtual_path, digest_path)
         virtual_path ||= @virtual_path
 
-        if virtual_path
+        if virtual_path || digest_path
           name = controller.url_for(name).split("://").last if name.is_a?(Hash)
 
-          if digest = Digestor.digest(name: virtual_path, finder: lookup_context, dependencies: view_cache_dependencies).presence
-            [ "#{virtual_path}:#{digest}", name ]
-          else
-            [ virtual_path, name ]
-          end
+          digest_path ||= digest_path_from_virtual(virtual_path)
+
+          [ digest_path, name ]
         else
           name
         end

data/lib/action_view/helpers/capture_helper.rb

@@ -36,6 +36,10 @@ module ActionView
       #   </body>
       #   </html>
       #
+      # The return of capture is the string generated by the block. For Example:
+      #
+      #   @greeting # => "Welcome to my shiny new web page! The date and time is 2018-09-06 11:09:16 -0500"
+      #
       def capture(*args)
         value = nil
         buffer = with_output_buffer { value = yield(*args) }

data/lib/action_view/helpers/csrf_helper.rb

@@ -20,7 +20,7 @@ module ActionView
       # "X-CSRF-Token" HTTP header. If you are using rails-ujs this happens automatically.
       #
       def csrf_meta_tags
-        if protect_against_forgery?
+        if defined?(protect_against_forgery?) && protect_against_forgery?
           [
             tag("meta", name: "csrf-param", content: request_forgery_protection_token),
             tag("meta", name: "csrf-token", content: form_authenticity_token)