actionview 6.0.0.rc1 → 6.0.3.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d46b0e667c524b53bbcfd7291119c3078c1bcef2f379077610f11efa75cb7bcd
-  data.tar.gz: 3952ce8b418d28245b3ba4a0126435958facc728363abd50deb0e6b110556b65
+  metadata.gz: 8eafe5ec8eee9ac7ae7c2a412a01e25ecf75d6895cb3a0719b00585e5d9415f3
+  data.tar.gz: c643fd1d07cea723cb3d19e999b27d5946ec4b4eb278f15e1b952b7de120453d
 SHA512:
-  metadata.gz: dfc23eddf6eeb31093fa017f53ebc46c5a115d1d0edbc3ab40747eb243d4516e99c74d5c6d497bcb9731a62ab224ecde5f62352b50f57ab384a9595ac6d2ae53
-  data.tar.gz: d8abfa6ea6c991820b67fb389c629f6b49d09610c1d0821e009084e475649b6aef7a861c620960ef58b9efa0d4a0709b9606690f6b19557910c0fd3946130f5f
+  metadata.gz: 642b3a371281cae6d3d1d88f1761cf74b9ad562d7a8bbe0764aa5b1dd2d4c367bfb229cbc6ee9ebb60d235e44670b68451a72fd8563efe9c640faced6f8d9f5d
+  data.tar.gz: 82f51fe028a6ab597daa5ba942efabc3d23690c5479740a72f7cc21167e11c4de5463450a9030897c0c743fc9d29feeae8b46c9b0a359d2686f59ff2c9fe7482

data/CHANGELOG.md

@@ -1,3 +1,55 @@
+## Rails 6.0.3.rc1 (April 30, 2020) ##
+
+*   annotated_source_code returns an empty array so TemplateErrors without a
+    template in the backtrace are surfaced properly by DebugExceptions.
+
+    *Guilherme Mansur*, *Kasper Timm Hansen*
+
+*   Add autoload for SyntaxErrorInTemplate so syntax errors are correctly raised by DebugExceptions.
+
+    *Guilherme Mansur*, *Gannon McGibbon*
+
+
+## Rails 6.0.2.2 (March 19, 2020) ##
+
+*   Fix possible XSS vector in escape_javascript helper
+
+    CVE-2020-5267
+
+    *Aaron Patterson*
+
+
+## Rails 6.0.2.1 (December 18, 2019) ##
+
+*   No changes.
+
+
+## Rails 6.0.2 (December 13, 2019) ##
+
+*   No changes.
+
+
+## Rails 6.0.1 (November 5, 2019) ##
+
+*   UJS avoids `Element.closest()` for IE 9 compatibility.
+
+    *George Claghorn*
+
+
+## Rails 6.0.0 (August 16, 2019) ##
+
+*   ActionView::Helpers::SanitizeHelper: support rails-html-sanitizer 1.1.0.
+
+    *Juanito Fatas*
+
+
+## Rails 6.0.0.rc2 (July 22, 2019) ##
+
+*   Fix `select_tag` so that it doesn't change `options` when `include_blank` is present.
+
+    *Younes SERRAJ*
+
+
 ## Rails 6.0.0.rc1 (April 24, 2019) ##
 
 *   Fix partial caching skips same item issue
@@ -23,6 +75,11 @@
 
     *Edward Rudd*
 
+*   `ActionView::TemplateRender.render(file: )` now renders the file directly,
+    without using any handlers, using the new `Template::RawFile` class.
+
+    *John Hawthorn*, *Cliff Pruitt*
+
 
 ## Rails 6.0.0.beta3 (March 11, 2019) ##
 
@@ -56,6 +113,11 @@
 
     *Mark Edmondson*
 
+*   Single arity template handlers are deprecated.  Template handlers must
+    now accept two parameters, the view object and the source for the view object.
+
+    *tenderlove*
+
 
 ## Rails 6.0.0.beta1 (January 18, 2019) ##
 

data/README.rdoc

@@ -37,4 +37,4 @@ Bug reports for the Ruby on Rails project can be filed here:
 
 Feature requests should be discussed on the rails-core mailing list here:
 
-* https://groups.google.com/forum/?fromgroups#!forum/rubyonrails-core
+* https://discuss.rubyonrails.org/c/rubyonrails-core

data/lib/action_view.rb

@@ -77,6 +77,7 @@ module ActionView
       autoload :ActionViewError
       autoload :EncodingError
       autoload :TemplateError
+      autoload :SyntaxErrorInTemplate
       autoload :WrongEncodingError
     end
   end

data/lib/action_view/base.rb

@@ -281,7 +281,7 @@ module ActionView #:nodoc:
         ActiveSupport::Deprecation.warn <<~eowarn.squish
           ActionView::Base instances must implement `compiled_method_container`
           or use the class method `with_empty_template_cache` for constructing
-          an ActionView::Base instances that has an empty cache.
+          an ActionView::Base instance that has an empty cache.
         eowarn
       end
 

data/lib/action_view/cache_expiry.rb

@@ -16,18 +16,23 @@ module ActionView
       @watched_dirs = nil
       @watcher_class = watcher
       @watcher = nil
+      @mutex = Mutex.new
     end
 
     def clear_cache_if_necessary
-      watched_dirs = dirs_to_watch
-      if watched_dirs != @watched_dirs
-        @watched_dirs = watched_dirs
-        @watcher = @watcher_class.new([], watched_dirs) do
-          clear_cache
+      @mutex.synchronize do
+        watched_dirs = dirs_to_watch
+        return if watched_dirs.empty?
+
+        if watched_dirs != @watched_dirs
+          @watched_dirs = watched_dirs
+          @watcher = @watcher_class.new([], watched_dirs) do
+            clear_cache
+          end
+          @watcher.execute
+        else
+          @watcher.execute_if_updated
         end
-        @watcher.execute
-      else
-        @watcher.execute_if_updated
       end
     end
 
@@ -36,7 +41,6 @@ module ActionView
     end
 
     private
-
       def dirs_to_watch
         fs_paths = all_view_paths.grep(FileSystemResolver)
         fs_paths.map(&:path).sort.uniq

data/lib/action_view/digestor.rb

@@ -9,10 +9,11 @@ module ActionView
     class << self
       # Supported options:
       #
-      # * <tt>name</tt>   - Template name
-      # * <tt>finder</tt>  - An instance of <tt>ActionView::LookupContext</tt>
-      # * <tt>dependencies</tt>  - An array of dependent views
-      def digest(name:, format:, finder:, dependencies: nil)
+      # * <tt>name</tt>         - Template name
+      # * <tt>format</tt>       - Template format
+      # * <tt>finder</tt>       - An instance of <tt>ActionView::LookupContext</tt>
+      # * <tt>dependencies</tt> - An array of dependent views
+      def digest(name:, format: nil, finder:, dependencies: nil)
         if dependencies.nil? || dependencies.empty?
           cache_key = "#{name}.#{format}"
         else

data/lib/action_view/flows.rb

@@ -68,7 +68,6 @@ module ActionView
     end
 
     private
-
       def inside_fiber?
         Fiber.current.object_id != @root
       end

data/lib/action_view/gem_version.rb

@@ -9,7 +9,7 @@ module ActionView
   module VERSION
     MAJOR = 6
     MINOR = 0
-    TINY  = 0
+    TINY  = 3
     PRE   = "rc1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")

data/lib/action_view/helpers/active_model_helper.rb

@@ -38,7 +38,6 @@ module ActionView
       end
 
       private
-
         def object_has_errors?
           object.respond_to?(:errors) && object.errors.respond_to?(:[]) && error_message.present?
         end

data/lib/action_view/helpers/asset_tag_helper.rb

@@ -274,7 +274,7 @@ module ActionView
         crossorigin = "anonymous" if crossorigin == true || (crossorigin.blank? && as_type == "font")
         nopush = options.delete(:nopush) || false
 
-        link_tag = tag.link({
+        link_tag = tag.link(**{
           rel: "preload",
           href: href,
           as: as_type,

data/lib/action_view/helpers/cache_helper.rb

@@ -166,7 +166,7 @@ module ActionView
       def cache(name = {}, options = {}, &block)
         if controller.respond_to?(:perform_caching) && controller.perform_caching
           name_options = options.slice(:skip_digest, :virtual_path)
-          safe_concat(fragment_for(cache_fragment_name(name, name_options), options, &block))
+          safe_concat(fragment_for(cache_fragment_name(name, **name_options), options, &block))
         else
           yield
         end
@@ -227,7 +227,6 @@ module ActionView
       end
 
     private
-
       def fragment_name_with_digest(name, virtual_path, digest_path)
         virtual_path ||= @virtual_path
 

data/lib/action_view/helpers/date_helper.rb

@@ -688,7 +688,6 @@ module ActionView
       end
 
       private
-
         def normalize_distance_of_time_argument_to_time(value)
           if value.is_a?(Numeric)
             Time.at(value)
@@ -831,7 +830,7 @@ module ActionView
       end
 
       def select_year
-        if !@datetime || @datetime == 0
+        if !year || @datetime == 0
           val = "1"
           middle_year = Date.today.year
         else

data/lib/action_view/helpers/form_helper.rb

@@ -755,10 +755,10 @@ module ActionView
           output  = capture(builder, &block)
           options[:multipart] ||= builder.multipart?
 
-          html_options = html_options_for_form_with(url, model, options)
+          html_options = html_options_for_form_with(url, model, **options)
           form_tag_with_body(html_options, output)
         else
-          html_options = html_options_for_form_with(url, model, options)
+          html_options = html_options_for_form_with(url, model, **options)
           form_tag_html(html_options)
         end
       end

data/lib/action_view/helpers/form_options_helper.rb

@@ -566,9 +566,10 @@ module ActionView
       # an ActiveSupport::TimeZone.
       #
       # By default, +model+ is the ActiveSupport::TimeZone constant (which can
-      # be obtained in Active Record as a value object). The only requirement
-      # is that the +model+ parameter be an object that responds to +all+, and
-      # returns an array of objects that represent time zones.
+      # be obtained in Active Record as a value object). The +model+ parameter
+      # must respond to +all+ and return an array of objects that represent time
+      # zones; each object must respond to +name+. If a Regexp is given it will
+      # attempt to match the zones using the <code>=~<code> operator.
       #
       # NOTE: Only the option tags are returned, you have to wrap this call in
       # a regular HTML select tag.

data/lib/action_view/helpers/form_tag_helper.rb

@@ -137,7 +137,8 @@ module ActionView
         html_name = (options[:multiple] == true && !name.to_s.ends_with?("[]")) ? "#{name}[]" : name
 
         if options.include?(:include_blank)
-          include_blank = options.delete(:include_blank)
+          include_blank = options[:include_blank]
+          options = options.except(:include_blank)
           options_for_blank_options_tag = { value: "" }
 
           if include_blank == true
@@ -165,6 +166,8 @@ module ActionView
       # * <tt>:size</tt> - The number of visible characters that will fit in the input.
       # * <tt>:maxlength</tt> - The maximum number of characters that the browser will allow the user to enter.
       # * <tt>:placeholder</tt> - The text contained in the field by default which is removed when the field receives focus.
+      #   If set to true, use a translation is found in the current I18n locale
+      #   (through helpers.placeholders.<modelname>.<attribute>).
       # * Any other key creates standard HTML attributes for the tag.
       #
       # ==== Examples

data/lib/action_view/helpers/javascript_helper.rb

@@ -12,7 +12,9 @@ module ActionView
         "\n"    => '\n',
         "\r"    => '\n',
         '"'     => '\\"',
-        "'"     => "\\'"
+        "'"     => "\\'",
+        "`"     => "\\`",
+        "$"     => "\\$"
       }
 
       JS_ESCAPE_MAP[(+"\342\200\250").force_encoding(Encoding::UTF_8).encode!] = "
"
@@ -29,7 +31,7 @@ module ActionView
         if javascript.empty?
           result = ""
         else
-          result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"'])/u) { |match| JS_ESCAPE_MAP[match] }
+          result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP)
         end
         javascript.html_safe? ? result.html_safe : result
       end

data/lib/action_view/helpers/number_helper.rb

@@ -57,7 +57,7 @@ module ActionView
       #
       #   number_to_phone(75561234567, pattern: /(\d{1,4})(\d{4})(\d{4})$/, area_code: true)
       #   # => "(755) 6123-4567"
-      #   number_to_phone(13312345678, pattern: /(\d{3})(\d{4})(\d{4})$/))
+      #   number_to_phone(13312345678, pattern: /(\d{3})(\d{4})(\d{4})$/)
       #   # => "133-1234-5678"
       def number_to_phone(number, options = {})
         return unless number
@@ -114,6 +114,8 @@ module ActionView
       #
       #   number_to_currency("123a456", raise: true)           # => InvalidNumberError
       #
+      #   number_to_currency(-0.456789, precision: 0)
+      #   # => "$0"
       #   number_to_currency(-1234567890.50, negative_format: "(%u%n)")
       #   # => ($1,234,567,890.50)
       #   number_to_currency(1234567890.50, unit: "R$", separator: ",", delimiter: "")
@@ -403,7 +405,6 @@ module ActionView
       end
 
       private
-
         def delegate_number_helper_method(method, number, options)
           return unless number
           options = escape_unsafe_options(options.symbolize_keys)

data/lib/action_view/helpers/sanitize_helper.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require "active_support/core_ext/object/try"
 require "rails-html-sanitizer"
 
 module ActionView
@@ -17,7 +16,7 @@ module ActionView
       # ASCII, and hex character references to work around these protocol filters.
       # All special characters will be escaped.
       #
-      # The default sanitizer is Rails::Html::WhiteListSanitizer. See {Rails HTML
+      # The default sanitizer is Rails::Html::SafeListSanitizer. See {Rails HTML
       # Sanitizers}[https://github.com/rails/rails-html-sanitizer] for more information.
       #
       # Custom sanitization rules can also be provided.
@@ -80,12 +79,12 @@ module ActionView
       #   config.action_view.sanitized_allowed_tags = ['strong', 'em', 'a']
       #   config.action_view.sanitized_allowed_attributes = ['href', 'title']
       def sanitize(html, options = {})
-        self.class.white_list_sanitizer.sanitize(html, options).try(:html_safe)
+        self.class.safe_list_sanitizer.sanitize(html, options)&.html_safe
       end
 
       # Sanitizes a block of CSS code. Used by +sanitize+ when it comes across a style attribute.
       def sanitize_css(style)
-        self.class.white_list_sanitizer.sanitize_css(style)
+        self.class.safe_list_sanitizer.sanitize_css(style)
       end
 
       # Strips all HTML tags from +html+, including comments and special characters.
@@ -123,20 +122,18 @@ module ActionView
       end
 
       module ClassMethods #:nodoc:
-        attr_writer :full_sanitizer, :link_sanitizer, :white_list_sanitizer
+        attr_writer :full_sanitizer, :link_sanitizer, :safe_list_sanitizer
 
-        # Vendors the full, link and white list sanitizers.
-        # Provided strictly for compatibility and can be removed in Rails 6.
         def sanitizer_vendor
           Rails::Html::Sanitizer
         end
 
         def sanitized_allowed_tags
-          sanitizer_vendor.white_list_sanitizer.allowed_tags
+          safe_list_sanitizer.allowed_tags
         end
 
         def sanitized_allowed_attributes
-          sanitizer_vendor.white_list_sanitizer.allowed_attributes
+          safe_list_sanitizer.allowed_attributes
         end
 
         # Gets the Rails::Html::FullSanitizer instance used by +strip_tags+. Replace with
@@ -145,7 +142,6 @@ module ActionView
         #   class Application < Rails::Application
         #     config.action_view.full_sanitizer = MySpecialSanitizer.new
         #   end
-        #
         def full_sanitizer
           @full_sanitizer ||= sanitizer_vendor.full_sanitizer.new
         end
@@ -156,20 +152,18 @@ module ActionView
         #   class Application < Rails::Application
         #     config.action_view.link_sanitizer = MySpecialSanitizer.new
         #   end
-        #
         def link_sanitizer
           @link_sanitizer ||= sanitizer_vendor.link_sanitizer.new
         end
 
-        # Gets the Rails::Html::WhiteListSanitizer instance used by sanitize and +sanitize_css+.
+        # Gets the Rails::Html::SafeListSanitizer instance used by sanitize and +sanitize_css+.
         # Replace with any object that responds to +sanitize+.
         #
         #   class Application < Rails::Application
-        #     config.action_view.white_list_sanitizer = MySpecialSanitizer.new
+        #     config.action_view.safe_list_sanitizer = MySpecialSanitizer.new
         #   end
-        #
-        def white_list_sanitizer
-          @white_list_sanitizer ||= sanitizer_vendor.white_list_sanitizer.new
+        def safe_list_sanitizer
+          @safe_list_sanitizer ||= sanitizer_vendor.safe_list_sanitizer.new
         end
       end
     end

data/lib/action_view/helpers/tag_helper.rb

@@ -88,7 +88,7 @@ module ActionView
           if value.is_a?(Array)
             value = escape ? safe_join(value, " ") : value.join(" ")
           else
-            value = escape ? ERB::Util.unwrapped_html_escape(value) : value.to_s.dup
+            value = escape ? ERB::Util.unwrapped_html_escape(value).dup : value.to_s.dup
           end
           value.gsub!('"', """)
           %(#{key}="#{value}")
@@ -107,8 +107,8 @@ module ActionView
             true
           end
 
-          def method_missing(called, *args, &block)
-            tag_string(called, *args, &block)
+          def method_missing(called, *args, **options, &block)
+            tag_string(called, *args, **options, &block)
           end
       end
 

data/lib/action_view/helpers/tags/base.rb

@@ -34,7 +34,6 @@ module ActionView
         end
 
         private
-
           def value
             if @allow_method_names_outside_object
               object.public_send @method_name if object && object.respond_to?(@method_name)