actionview 5.2.8.1 → 6.0.0.beta2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4a732cbd8a2b766ebf37e375ffd2f97c71760de86cb46d9a70702896d07aeb73
-  data.tar.gz: d76fb4ed63f24c3e6b09b576fe3b945b7eb436059cb703e241da7d7d9343cf90
+  metadata.gz: ec7748334d455691ff0946d9ffffa3e6265a87b7fb0e9f070ed7b938f9764750
+  data.tar.gz: 73d7bdba0ec98f9dd8224c2887d603c8860667981d96b0ef054d66c136374bf1
 SHA512:
-  metadata.gz: 69feb0b2c271b42c17c0bc55d0cee3f857aa4a177fe9e27edaf9a5cc101b2a92b5eb0cb678d89c7ea1f40fa1a1c28a6288c2ee9e5dee16db0859777259fce137
-  data.tar.gz: a04fc509175c93512d6517742c283d617749b1498a422c05a6ab02da17ce0042e33011176c83b97e48638f7e2750921d04fd8855bbfb6fc29a1cb1bbbd63bf8b
+  metadata.gz: '0282f9151c08198bb8e1e3cf3d2e2d6eccf17813c4069c0468003e2abf417ebba04cc6a6fb94ddf490900663561759adbfb74b83a7144641a274caeec33e66ec'
+  data.tar.gz: 499a7436942dc63ad515def9e709524fd1d87b26d0e3078ec97abf625134ccd43466dbb22501b079d4383b94bdb1dd997301582e426d179cd872266cec5a2730

data/CHANGELOG.md

@@ -1,100 +1,43 @@
-## Rails 5.2.8.1 (July 12, 2022) ##
+## Rails 6.0.0.beta2 (February 25, 2019) ##
 
-*   No changes.
+*   ActionView::Template.finalize_compiled_template_methods is deprecated with
+    no replacement.
 
+    *tenderlove*
 
-## Rails 5.2.8 (May 09, 2022) ##
+*   config.action_view.finalize_compiled_template_methods is deprecated with
+    no replacement.
 
-*   No changes.
+    *tenderlove*
 
+*   Ensure unique DOM IDs for collection inputs with float values.
+    Fixes #34974
 
-## Rails 5.2.7.1 (April 26, 2022) ##
+    *Mark Edmondson*
 
-*   Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
 
-    Escape dangerous characters in names of tags and names of attributes in the
-    tag helpers, following the XML specification. Rename the option
-    `:escape_attributes` to `:escape`, to simplify by applying the option to the
-    whole tag.
+## Rails 6.0.0.beta1 (January 18, 2019) ##
 
-    *Álvaro Martín Fraguas*
+*   [Rename npm package](https://github.com/rails/rails/pull/34905) from
+    [`rails-ujs`](https://www.npmjs.com/package/rails-ujs) to
+    [`@rails/ujs`](https://www.npmjs.com/package/@rails/ujs).
 
+    *Javan Makhmali*
 
-## Rails 5.2.7 (March 10, 2022) ##
-
-*   No changes.
-
-
-## Rails 5.2.6.3 (March 08, 2022) ##
-
-*   No changes.
-
-
-## Rails 5.2.6.2 (February 11, 2022) ##
-
-*   No changes.
-
-
-## Rails 5.2.6.1 (February 11, 2022) ##
-
-*   No changes.
-
-
-## Rails 5.2.6 (May 05, 2021) ##
-
-*   No changes.
-
-
-## Rails 5.2.5 (March 26, 2021) ##
-
-*   No changes.
-
-
-## Rails 5.2.4.6 (May 05, 2021) ##
-
-*   No changes.
-
-
-## Rails 5.2.4.5 (February 10, 2021) ##
-
-*   No changes.
-
-
-## Rails 5.2.4.4 (September 09, 2020) ##
-
-*   [CVE-2020-15169] Fix potential XSS vulnerability in the `translate`/`t` helper
-
-    *Jonathan Hefner*
-
-
-## Rails 5.2.4.3 (May 18, 2020) ##
-
-*   [CVE-2020-8167] Check that request is same-origin prior to including CSRF token in XHRs
-
-
-## Rails 5.2.4.2 (March 19, 2020) ##
-
-*   Fix possible XSS vector in `escape_javascript` helper
-
-    CVE-2020-5267
-
-    *Aaron Patterson*
-
-
-## Rails 5.2.4.1 (December 18, 2019) ##
-
-*   No changes.
+*   Remove deprecated `image_alt` helper.
 
+    *Rafael Mendonça França*
 
-## Rails 5.2.4 (November 27, 2019) ##
+*   Fix the need of `#protect_against_forgery?` method defined in
+    `ActionView::Base` subclasses. This prevents the use of forms and buttons.
 
-*   Allow programmatic click events to trigger Rails UJS click handlers.
-    Programmatic click events (eg. ones generated by `Rails.fire(link, "click")`) don't specify a button. These events were being incorrectly stopped by code meant to ignore scroll wheel and right clicks introduced in #34573.
+    *Genadi Samokovarov*
 
-    *Sudara Williams*
+*   Fix UJS permanently showing disabled text in a[data-remote][data-disable-with] elements within forms.
 
+    Fixes #33889.
 
-## Rails 5.2.3 (March 27, 2019) ##
+    *Wolfgang Hobmaier*
 
 *   Prevent non-primary mouse keys from triggering Rails UJS click handlers.
     Firefox fires click events even if the click was triggered by non-primary mouse keys such as right- or scroll-wheel-clicks.
@@ -104,41 +47,54 @@
     <%= link_to 'Remote', remote_path, class: 'remote', remote: true, data: { type: :json } %>
     ```
 
-    Fixes #34541
+    Fixes #34541.
 
     *Wolfgang Hobmaier*
 
+*   Prevent `ActionView::TextHelper#word_wrap` from unexpectedly stripping white space from the _left_ side of lines.
 
-## Rails 5.2.2.1 (March 11, 2019) ##
+    For example, given input like this:
 
-*   Only accept formats from registered mime types
+    ```
+        This is a paragraph with an initial indent,
+    followed by additional lines that are not indented,
+    and finally terminated with a blockquote:
+      "A pithy saying"
+    ```
 
-    A lack of filtering on mime types could allow an attacker to read
-    arbitrary files on the target server or to perform a denial of service
-    attack.
+    Calling `word_wrap` should not trim the indents on the first and last lines.
 
-    Fixes CVE-2019-5418
-    Fixes CVE-2019-5419
+    Fixes #34487.
 
-    *John Hawthorn*, *Eileen M. Uchitelle*, *Aaron Patterson*
+    *Lyle Mullican*
 
+*   Add allocations to template rendering instrumentation.
 
-## Rails 5.2.2 (December 04, 2018) ##
+    Adds the allocations for template and partial rendering to the server output on render.
 
-*   No changes.
+    ```
+      Rendered posts/_form.html.erb (Duration: 7.1ms | Allocations: 6004)
+      Rendered posts/new.html.erb within layouts/application (Duration: 8.3ms | Allocations: 6654)
+    Completed 200 OK in 858ms (Views: 848.4ms | ActiveRecord: 0.4ms | Allocations: 1539564)
+    ```
 
+    *Eileen M. Uchitelle*, *Aaron Patterson*
 
-## Rails 5.2.1.1 (November 27, 2018) ##
+*   Respect the `only_path` option passed to `url_for` when the options are passed in as an array
 
-*   No changes.
+    Fixes #33237.
 
+    *Joel Ambass*
 
-## Rails 5.2.1 (August 07, 2018) ##
+*   Deprecate calling private model methods from view helpers.
 
-*   Fix leak of `skip_default_ids` and `allow_method_names_outside_object` options
-    to HTML attributes.
+    For example, in methods like `options_from_collection_for_select`
+    and `collection_select` it is possible to call private methods from
+    the objects used.
 
-    *Yurii Cherniavskyi*
+    Fixes #33546.
+
+    *Ana María Martínez Gómez*
 
 *   Fix issue with `button_to`'s `to_form_params`
 
@@ -151,97 +107,110 @@
 
     *Georgi Georgiev*
 
-*   Fix JavaScript views rendering does not work with Firefox when using
-    Content Security Policy.
+*   Mark arrays of translations as trusted safe by using the `_html` suffix.
 
-    Fixes #32577.
+    Example:
 
-    *Yuji Yaginuma*
+        en:
+          foo_html:
+            - "One"
+            - "<strong>Two</strong>"
+            - "Three &#128075; &#128578;"
 
-*   Add the `nonce: true` option for `javascript_include_tag` helper to
-    support automatic nonce generation for Content Security Policy.
-    Works the same way as `javascript_tag nonce: true` does.
+    *Juan Broullon*
 
-    *Yaroslav Markin*
-
-
-## Rails 5.2.0 (April 09, 2018) ##
-
-*   Pass the `:skip_pipeline` option in `image_submit_tag` when calling `path_to_image`.
+*   Add `year_format` option to date_select tag. This option makes it possible to customize year
+    names. Lambda should be passed to use this option.
 
-    Fixes #32248.
+    Example:
 
-    *Andrew White*
+        date_select('user_birthday', '', start_year: 1998, end_year: 2000, year_format: ->year { "Heisei #{year - 1988}" })
 
-*   Allow the use of callable objects as group methods for grouped selects.
+    The HTML produced:
 
-    Until now, the `option_groups_from_collection_for_select` method was only able to
-    handle method names as `group_method` and `group_label_method` parameters,
-    it is now able to receive procs and other callable objects too.
+        <select id="user_birthday__1i" name="user_birthday[(1i)]">
+        <option value="1998">Heisei 10</option>
+        <option value="1999">Heisei 11</option>
+        <option value="2000">Heisei 12</option>
+        </select>
+        /* The rest is omitted */
 
-    *Jérémie Bonal*
+    *Koki Ryu*
 
-*   Add `preload_link_tag` helper.
+*   Fix JavaScript views rendering does not work with Firefox when using
+    Content Security Policy.
 
-    This helper that allows to the browser to initiate early fetch of resources
-    (different to the specified in `javascript_include_tag` and `stylesheet_link_tag`).
-    Additionally, this sends Early Hints if supported by browser.
+    Fixes #32577.
 
-    *Guillermo Iguaran*
+    *Yuji Yaginuma*
 
-*   Change `form_with` to generates ids by default.
+*   Add the `nonce: true` option for `javascript_include_tag` helper to
+    support automatic nonce generation for Content Security Policy.
+    Works the same way as `javascript_tag nonce: true` does.
 
-    When `form_with` was introduced we disabled the automatic generation of ids
-    that was enabled in `form_for`. This usually is not an good idea since labels don't work
-    when the input doesn't have an id and it made harder to test with Capybara.
+    *Yaroslav Markin*
 
-    You can still disable the automatic generation of ids setting `config.action_view.form_with_generates_ids`
-    to `false.`
+*   Remove `ActionView::Helpers::RecordTagHelper`.
 
-    *Nick Pezza*
+    *Yoshiyuki Hirano*
 
-*   Fix issues with `field_error_proc` wrapping `optgroup` and select divider `option`.
+*   Disable `ActionView::Template` finalizers in test environment.
 
-    Fixes #31088
+    Template finalization can be expensive in large view test suites.
+    Add a configuration option,
+    `action_view.finalize_compiled_template_methods`, and turn it off in
+    the test environment.
 
-    *Matthias Neumayr*
+    *Simon Coffey*
 
-*   Remove deprecated Erubis ERB handler.
+*   Extract the `confirm` call in its own, overridable method in `rails_ujs`.
 
-    *Rafael Mendonça França*
+    Example:
 
-*   Remove default `alt` text generation.
+        Rails.confirm = function(message, element) {
+          return (my_bootstrap_modal_confirm(message));
+        }
 
-    Fixes #30096
+    *Mathieu Mahé*
 
-    *Cameron Cundiff*
+*   Enable select tag helper to mark `prompt` option as `selected` and/or `disabled` for `required`
+    field.
 
-*   Add `srcset` option to `image_tag` helper.
+    Example:
 
-    *Roberto Miranda*
+        select :post,
+               :category,
+               ["lifestyle", "programming", "spiritual"],
+               { selected: "", disabled: "", prompt: "Choose one" },
+               { required: true }
 
-*   Fix issues with scopes and engine on `current_page?` method.
+    Placeholder option would be selected and disabled.
 
-    Fixes #29401.
+    The HTML produced:
 
-    *Nikita Savrov*
+        <select required="required" name="post[category]" id="post_category">
+        <option disabled="disabled" selected="selected" value="">Choose one</option>
+        <option value="lifestyle">lifestyle</option>
+        <option value="programming">programming</option>
+        <option value="spiritual">spiritual</option></select>
 
-*   Generate field ids in `collection_check_boxes` and `collection_radio_buttons`.
+    *Sergey Prikhodko*
 
-    This makes sure that the labels are linked up with the fields.
+*   Don't enforce UTF-8 by default.
 
-    Fixes #29014.
+    With the disabling of TLS 1.0 by most major websites, continuing to run
+    IE8 or lower becomes increasingly difficult so default to not enforcing
+    UTF-8 encoding as it's not relevant to other browsers.
 
-    *Yuji Yaginuma*
+    *Andrew White*
 
-*   Add `:json` type to `auto_discovery_link_tag` to support [JSON Feeds](https://jsonfeed.org/version/1).
+*   Change translation key of `submit_tag` from `module_name_class_name` to `module_name/class_name`.
 
-    *Mike Gunderloy*
+    *Rui Onodera*
 
-*   Update `distance_of_time_in_words` helper to display better error messages
-    for bad input.
+*   Rails 6 requires Ruby 2.5.0 or newer.
 
-    *Jay Hayes*
+    *Jeremy Daer*, *Kasper Timm Hansen*
 
 
-Please check [5-1-stable](https://github.com/rails/rails/blob/5-1-stable/actionview/CHANGELOG.md) for previous changes.
+Please check [5-2-stable](https://github.com/rails/rails/blob/5-2-stable/actionview/CHANGELOG.md) for previous changes.

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2004-2018 David Heinemeier Hansson
+Copyright (c) 2004-2019 David Heinemeier Hansson
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.rdoc

@@ -13,7 +13,7 @@ The latest version of Action View can be installed with RubyGems:
 
 Source code can be downloaded as part of the Rails project on GitHub:
 
-* https://github.com/rails/rails/tree/5-2-stable/actionview
+* https://github.com/rails/rails/tree/master/actionview
 
 
 == License

data/lib/action_view/base.rb

@@ -3,6 +3,7 @@
 require "active_support/core_ext/module/attr_internal"
 require "active_support/core_ext/module/attribute_accessors"
 require "active_support/ordered_options"
+require "active_support/deprecation"
 require "action_view/log_subscriber"
 require "action_view/helpers"
 require "action_view/context"
@@ -179,37 +180,133 @@ module ActionView #:nodoc:
       def xss_safe? #:nodoc:
         true
       end
+
+      def with_empty_template_cache # :nodoc:
+        subclass = Class.new(self) {
+          # We can't implement these as self.class because subclasses will
+          # share the same template cache as superclasses, so "changed?" won't work
+          # correctly.
+          define_method(:compiled_method_container)           { subclass }
+          define_singleton_method(:compiled_method_container) { subclass }
+        }
+      end
+
+      def changed?(other) # :nodoc:
+        compiled_method_container != other.compiled_method_container
+      end
     end
 
-    attr_accessor :view_renderer
+    attr_reader :view_renderer, :lookup_context
     attr_internal :config, :assigns
 
-    delegate :lookup_context, to: :view_renderer
     delegate :formats, :formats=, :locale, :locale=, :view_paths, :view_paths=, to: :lookup_context
 
     def assign(new_assigns) # :nodoc:
       @_assigns = new_assigns.each { |key, value| instance_variable_set("@#{key}", value) }
     end
 
-    def initialize(context = nil, assigns = {}, controller = nil, formats = nil) #:nodoc:
+    # :stopdoc:
+
+    def self.build_lookup_context(context)
+      case context
+      when ActionView::Renderer
+        context.lookup_context
+      when Array
+        ActionView::LookupContext.new(context)
+      when ActionView::PathSet
+        ActionView::LookupContext.new(context)
+      when nil
+        ActionView::LookupContext.new([])
+      else
+        raise NotImplementedError, context.class.name
+      end
+    end
+
+    def self.empty
+      with_view_paths([])
+    end
+
+    def self.with_view_paths(view_paths, assigns = {}, controller = nil)
+      with_context ActionView::LookupContext.new(view_paths), assigns, controller
+    end
+
+    def self.with_context(context, assigns = {}, controller = nil)
+      new context, assigns, controller
+    end
+
+    NULL = Object.new
+
+    # :startdoc:
+
+    def initialize(lookup_context = nil, assigns = {}, controller = nil, formats = NULL) #:nodoc:
       @_config = ActiveSupport::InheritableOptions.new
 
-      if context.is_a?(ActionView::Renderer)
-        @view_renderer = context
+      unless formats == NULL
+        ActiveSupport::Deprecation.warn <<~eowarn
+        Passing formats to ActionView::Base.new is deprecated
+        eowarn
+      end
+
+      case lookup_context
+      when ActionView::LookupContext
+        @lookup_context = lookup_context
       else
-        lookup_context = context.is_a?(ActionView::LookupContext) ?
-          context : ActionView::LookupContext.new(context)
-        lookup_context.formats  = formats if formats
-        lookup_context.prefixes = controller._prefixes if controller
-        @view_renderer = ActionView::Renderer.new(lookup_context)
+        ActiveSupport::Deprecation.warn <<~eowarn
+        ActionView::Base instances should be constructed with a lookup context,
+        assignments, and a controller.
+        eowarn
+        @lookup_context = self.class.build_lookup_context(lookup_context)
       end
 
+      @view_renderer = ActionView::Renderer.new @lookup_context
+      @current_template = nil
+
       @cache_hit = {}
       assign(assigns)
       assign_controller(controller)
       _prepare_context
     end
 
+    def run(method, template, locals, buffer, &block)
+      _old_output_buffer, _old_virtual_path, _old_template = @output_buffer, @virtual_path, @current_template
+      @current_template = template
+      @output_buffer = buffer
+      send(method, locals, buffer, &block)
+    ensure
+      @output_buffer, @virtual_path, @current_template = _old_output_buffer, _old_virtual_path, _old_template
+    end
+
+    def compiled_method_container
+      if self.class == ActionView::Base
+        ActiveSupport::Deprecation.warn <<~eowarn
+          ActionView::Base instances must implement `compiled_method_container`
+          or use the class method `with_empty_template_cache` for constructing
+          an ActionView::Base instances that has an empty cache.
+        eowarn
+      end
+
+      self.class
+    end
+
+    def in_rendering_context(options)
+      old_view_renderer  = @view_renderer
+      old_lookup_context = @lookup_context
+
+      if !lookup_context.html_fallback_for_js && options[:formats]
+        formats = Array(options[:formats])
+        if formats == [:js]
+          formats << :html
+        end
+        @lookup_context = lookup_context.with_prepended_formats(formats)
+        @view_renderer = ActionView::Renderer.new @lookup_context
+      end
+
+      yield @view_renderer
+    ensure
+      @view_renderer = old_view_renderer
+      @lookup_context = old_lookup_context
+    end
+
     ActiveSupport.run_load_hooks(:action_view, self)
   end
 end

data/lib/action_view/buffers.rb

@@ -3,6 +3,21 @@
 require "active_support/core_ext/string/output_safety"
 
 module ActionView
+  # Used as a buffer for views
+  #
+  # The main difference between this and ActiveSupport::SafeBuffer
+  # is for the methods `<<` and `safe_expr_append=` the inputs are
+  # checked for nil before they are assigned and `to_s` is called on
+  # the input. For example:
+  #
+  #   obuf = ActionView::OutputBuffer.new "hello"
+  #   obuf << 5
+  #   puts obuf # => "hello5"
+  #
+  #   sbuf = ActiveSupport::SafeBuffer.new "hello"
+  #   sbuf << 5
+  #   puts sbuf # => "hello\u0005"
+  #
   class OutputBuffer < ActiveSupport::SafeBuffer #:nodoc:
     def initialize(*)
       super

data/lib/action_view/context.rb

@@ -1,21 +1,17 @@
 # frozen_string_literal: true
 
 module ActionView
-  module CompiledTemplates #:nodoc:
-    # holds compiled template code
-  end
-
   # = Action View Context
   #
   # Action View contexts are supplied to Action Controller to render a template.
   # The default Action View context is ActionView::Base.
   #
-  # In order to work with ActionController, a Context must just include this module.
-  # The initialization of the variables used by the context (@output_buffer, @view_flow,
-  # and @virtual_path) is responsibility of the object that includes this module
-  # (although you can call _prepare_context defined below).
+  # In order to work with Action Controller, a Context must just include this
+  # module. The initialization of the variables used by the context
+  # (@output_buffer, @view_flow, and @virtual_path) is responsibility of the
+  # object that includes this module (although you can call _prepare_context
+  # defined below).
   module Context
-    include CompiledTemplates
     attr_accessor :output_buffer, :view_flow
 
     # Prepares the context by setting the appropriate instance variables.

data/lib/action_view/digestor.rb

@@ -1,8 +1,6 @@
 # frozen_string_literal: true
 
-require "concurrent/map"
 require "action_view/dependency_tracker"
-require "monitor"
 
 module ActionView
   class Digestor
@@ -20,9 +18,12 @@ module ActionView
       # * <tt>name</tt>   - Template name
       # * <tt>finder</tt>  - An instance of <tt>ActionView::LookupContext</tt>
       # * <tt>dependencies</tt>  - An array of dependent views
-      def digest(name:, finder:, dependencies: [])
-        dependencies ||= []
-        cache_key = [ name, finder.rendered_format, dependencies ].flatten.compact.join(".")
+      def digest(name:, format:, finder:, dependencies: nil)
+        if dependencies.nil? || dependencies.empty?
+          cache_key = "#{name}.#{format}"
+        else
+          cache_key = [ name, format, dependencies ].flatten.compact.join(".")
+        end
 
         # this is a correctly done double-checked locking idiom
         # (Concurrent::Map's lookups have volatile semantics)
@@ -32,7 +33,7 @@ module ActionView
             root = tree(name, finder, partial)
             dependencies.each do |injected_dep|
               root.children << Injected.new(injected_dep, nil, nil)
-            end
+            end if dependencies
             finder.digest_cache[cache_key] = root.digest(finder)
           end
         end
@@ -47,8 +48,6 @@ module ActionView
         logical_name = name.gsub(%r|/_|, "/")
 
         if template = find_template(finder, logical_name, [], partial, [])
-          finder.rendered_format ||= template.formats.first
-
           if node = seen[template.identifier] # handle cycles in the tree
             node
           else
@@ -72,9 +71,7 @@ module ActionView
       private
         def find_template(finder, name, prefixes, partial, keys)
           finder.disable_cache do
-            format = finder.rendered_format
-            result = finder.find_all(name, prefixes, partial, keys, formats: [format]).first if format
-            result || finder.find_all(name, prefixes, partial, keys).first
+            finder.find_all(name, prefixes, partial, keys).first
           end
         end
     end