actionview 6.0.6.1 → 6.1.7.6

data/CHANGELOG.md

@@ -1,24 +1,51 @@
-## Rails 6.0.6.1 (January 17, 2023) ##
+## Rails 6.1.7.6 (August 22, 2023) ##
 
 *   No changes.
 
 
-## Rails 6.0.6 (September 09, 2022) ##
+## Rails 6.1.7.5 (August 22, 2023) ##
 
 *   No changes.
 
 
-## Rails 6.0.5.1 (July 12, 2022) ##
+## Rails 6.1.7.4 (June 26, 2023) ##
 
 *   No changes.
 
 
-## Rails 6.0.5 (May 09, 2022) ##
+## Rails 6.1.7.3 (March 13, 2023) ##
+
+*   Ignore certain data-* attributes in rails-ujs when element is contenteditable
+
+    [CVE-2023-23913]
+
+
+## Rails 6.1.7.2 (January 24, 2023) ##
+
+*   No changes.
+
+
+## Rails 6.1.7.1 (January 17, 2023) ##
+
+*   No changes.
+
+
+## Rails 6.1.7 (September 09, 2022) ##
+
+*   No changes.
+
+
+## Rails 6.1.6.1 (July 12, 2022) ##
+
+*   No changes.
+
+
+## Rails 6.1.6 (May 09, 2022) ##
 
 *   No changes.
 
 
-## Rails 6.0.4.8 (April 26, 2022) ##
+## Rails 6.1.5.1 (April 26, 2022) ##
 
 *   Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
 
@@ -29,405 +56,406 @@
 
     *Álvaro Martín Fraguas*
 
+## Rails 6.1.5 (March 09, 2022) ##
 
-## Rails 6.0.4.7 (March 08, 2022) ##
+*   `preload_link_tag` properly inserts `as` attributes for files with `image` MIME
+    types, such as JPG or SVG.
 
-*   No changes.
+    *Nate Berkopec*
 
+*   Add `autocomplete="off"` to all generated hidden fields.
 
-## Rails 6.0.4.6 (February 11, 2022) ##
+    Fixes #42610.
 
-*   No changes.
+    *Ryan Baumann*
 
+*   Fix `current_page?` when URL has trailing slash.
 
-## Rails 6.0.4.5 (February 11, 2022) ##
+    This fixes the `current_page?` helper when the given URL has a trailing slash,
+    and is an absolute URL or also has query params.
 
-*   No changes.
+    Fixes #33956.
+
+    *Jonathan Hefner*
 
 
-## Rails 6.0.4.4 (December 15, 2021) ##
+## Rails 6.1.4.7 (March 08, 2022) ##
 
 *   No changes.
 
 
-## Rails 6.0.4.3 (December 14, 2021) ##
+## Rails 6.1.4.6 (February 11, 2022) ##
 
 *   No changes.
 
 
-## Rails 6.0.4.2 (December 14, 2021) ##
+## Rails 6.1.4.5 (February 11, 2022) ##
 
 *   No changes.
 
 
-## Rails 6.0.4.1 (August 19, 2021) ##
+## Rails 6.1.4.4 (December 15, 2021) ##
 
 *   No changes.
 
 
-## Rails 6.0.4 (June 15, 2021) ##
-
-*   SanitizeHelper.sanitized_allowed_attributes and SanitizeHelper.sanitized_allowed_tags
-    call safe_list_sanitizer's class method
-
-    Fixes #39586
+## Rails 6.1.4.3 (December 14, 2021) ##
 
-    *Taufiq Muhammadi*
+*   No changes.
 
 
-## Rails 6.0.3.7 (May 05, 2021) ##
+## Rails 6.1.4.2 (December 14, 2021) ##
 
 *   No changes.
 
 
-## Rails 6.0.3.6 (March 26, 2021) ##
+## Rails 6.1.4.1 (August 19, 2021) ##
 
 *   No changes.
 
 
-## Rails 6.0.3.5 (February 10, 2021) ##
+## Rails 6.1.4 (June 24, 2021) ##
 
-*   No changes.
+*   The `translate` helper now passes `default` values that aren't
+    translation keys through `I18n.translate` for interpolation.
 
+    *Jonathan Hefner*
 
-## Rails 6.0.3.4 (October 07, 2020) ##
+*   Don't attach UJS form submission handlers to Turbo forms.
 
-*   No changes.
+    *David Heinemeier Hansson*
 
+*   Allow both `current_page?(url_hash)` and `current_page?(**url_hash)` on Ruby 2.7.
 
-## Rails 6.0.3.3 (September 09, 2020) ##
+    *Ryuta Kamizono*
 
-*   [CVE-2020-8185] Fix potential XSS vulnerability in the `translate`/`t` helper.
 
-    *Jonathan Hefner*
+## Rails 6.1.3.2 (May 05, 2021) ##
+
+*   No changes.
 
 
-## Rails 6.0.3.2 (June 17, 2020) ##
+## Rails 6.1.3.1 (March 26, 2021) ##
 
 *   No changes.
 
 
-## Rails 6.0.3.1 (May 18, 2020) ##
+## Rails 6.1.3 (February 17, 2021) ##
 
-*   [CVE-2020-8167] Check that request is same-origin prior to including CSRF token in XHRs
+*   No changes.
 
 
-## Rails 6.0.3 (May 06, 2020) ##
+## Rails 6.1.2.1 (February 10, 2021) ##
 
-*   annotated_source_code returns an empty array so TemplateErrors without a
-    template in the backtrace are surfaced properly by DebugExceptions.
+*   No changes.
 
-    *Guilherme Mansur*, *Kasper Timm Hansen*
 
-*   Add autoload for SyntaxErrorInTemplate so syntax errors are correctly raised by DebugExceptions.
+## Rails 6.1.2 (February 09, 2021) ##
 
-    *Guilherme Mansur*, *Gannon McGibbon*
+*   No changes.
 
 
-## Rails 6.0.2.2 (March 19, 2020) ##
+## Rails 6.1.1 (January 07, 2021) ##
 
-*   Fix possible XSS vector in escape_javascript helper
+*   Fix lazy translation in partial with block.
 
-    CVE-2020-5267
+    *Marek Kasztelnik*
 
-    *Aaron Patterson*
+*   Avoid extra `SELECT COUNT` queries when rendering Active Record collections.
 
+    *aar0nr*
 
-## Rails 6.0.2.1 (December 18, 2019) ##
+*   Link preloading keep integrity hashes in the header.
 
-*   No changes.
+    *Étienne Barrié*
 
+*   Add `config.action_view.preload_links_header` to allow disabling of
+    the `Link` header being added by default when using `stylesheet_link_tag`
+    and `javascript_include_tag`.
 
-## Rails 6.0.2 (December 13, 2019) ##
+    *Andrew White*
 
-*   No changes.
+*   The `translate` helper now resolves `default` values when a `nil` key is
+    specified, instead of always returning `nil`.
 
+    *Jonathan Hefner*
 
-## Rails 6.0.1 (November 5, 2019) ##
 
-*   UJS avoids `Element.closest()` for IE 9 compatibility.
+## Rails 6.1.0 (December 09, 2020) ##
 
-    *George Claghorn*
+*   SanitizeHelper.sanitized_allowed_attributes and SanitizeHelper.sanitized_allowed_tags
+    call safe_list_sanitizer's class method
 
+    Fixes #39586
 
-## Rails 6.0.0 (August 16, 2019) ##
+    *Taufiq Muhammadi*
 
-*   ActionView::Helpers::SanitizeHelper: support rails-html-sanitizer 1.1.0.
+*   Change form_with to generate non-remote forms by default.
 
-    *Juanito Fatas*
+    `form_with` would generate a remote form by default. This would confuse
+    users because they were forced to handle remote requests.
 
+    All new 6.1 applications will generate non-remote forms by default.
+    When upgrading a 6.0 application you can enable remote forms by default by
+    setting `config.action_view.form_with_generates_remote_forms` to `true`.
 
-## Rails 6.0.0.rc2 (July 22, 2019) ##
+    *Petrik de Heus*
 
-*   Fix `select_tag` so that it doesn't change `options` when `include_blank` is present.
+*   Yield translated strings to calls of `ActionView::FormBuilder#button`
+    when a block is given.
 
-    *Younes SERRAJ*
+    *Sean Doyle*
 
+*   Alias `ActionView::Helpers::Tags::Label::LabelBuilder#translation` to
+    `#to_s` so that `form.label` calls can yield that value to their blocks.
 
-## Rails 6.0.0.rc1 (April 24, 2019) ##
+    *Sean Doyle*
 
-*   Fix partial caching skips same item issue
+*   Rename the new `TagHelper#class_names` method to `TagHelper#token_list`,
+    and make the original available as an alias.
 
-    If we render cached collection partials with repeated items, those repeated items
-    will get skipped. For example, if you have 5 identical items in your collection, Rails
-    only renders the first one when `cached` is set to true. But it should render all
-    5 items instead.
+        token_list("foo", "foo bar")
+        # => "foo bar"
 
-    Fixes #35114.
+    *Sean Doyle*
 
-    *Stan Lo*
+*   ARIA Array and Hash attributes are treated as space separated `DOMTokenList`
+    values. This is useful when declaring lists of label text identifiers in
+    `aria-labelledby` or `aria-describedby`.
 
-*   Only clear ActionView cache in development on file changes
+        tag.input type: 'checkbox', name: 'published', aria: {
+          invalid: @post.errors[:published].any?,
+          labelledby: ['published_context', 'published_label'],
+          describedby: { published_errors: @post.errors[:published].any? }
+        }
+        #=> <input
+              type="checkbox" name="published" aria-invalid="true"
+              aria-labelledby="published_context published_label"
+              aria-describedby="published_errors"
+            >
 
-    To speed up development mode, view caches are only cleared when files in
-    the view paths have changed. Applications which have implemented custom
-    `ActionView::Resolver` subclasses may need to add their own cache clearing.
+    *Sean Doyle*
 
-    *John Hawthorn*
+*   Remove deprecated `escape_whitelist` from `ActionView::Template::Handlers::ERB`.
 
-*   Fix `ActionView::FixtureResolver` so that it handles template variants correctly.
+    *Rafael Mendonça França*
 
-    *Edward Rudd*
+*   Remove deprecated `find_all_anywhere` from `ActionView::Resolver`.
 
-*   `ActionView::TemplateRender.render(file: )` now renders the file directly,
-    without using any handlers, using the new `Template::RawFile` class.
+    *Rafael Mendonça França*
 
-    *John Hawthorn*, *Cliff Pruitt*
+*   Remove deprecated `formats` from `ActionView::Template::HTML`.
 
+    *Rafael Mendonça França*
 
-## Rails 6.0.0.beta3 (March 11, 2019) ##
+*   Remove deprecated `formats` from `ActionView::Template::RawFile`.
 
-*   Only accept formats from registered mime types
+    *Rafael Mendonça França*
 
-    A lack of filtering on mime types could allow an attacker to read
-    arbitrary files on the target server or to perform a denial of service
-    attack.
+*   Remove deprecated `formats` from `ActionView::Template::Text`.
 
-    Fixes CVE-2019-5418
-    Fixes CVE-2019-5419
+    *Rafael Mendonça França*
 
-    *John Hawthorn*, *Eileen M. Uchitelle*, *Aaron Patterson*
+*   Remove deprecated `find_file` from `ActionView::PathSet`.
 
+    *Rafael Mendonça França*
 
-## Rails 6.0.0.beta2 (February 25, 2019) ##
+*   Remove deprecated `rendered_format` from `ActionView::LookupContext`.
 
-*   `ActionView::Template.finalize_compiled_template_methods` is deprecated with
-    no replacement.
+    *Rafael Mendonça França*
 
-    *tenderlove*
+*   Remove deprecated `find_file` from `ActionView::ViewPaths`.
 
-*   `config.action_view.finalize_compiled_template_methods` is deprecated with
-    no replacement.
+    *Rafael Mendonça França*
 
-    *tenderlove*
+*   Require that `ActionView::Base` subclasses implement `#compiled_method_container`.
 
-*   Ensure unique DOM IDs for collection inputs with float values.
+    *Rafael Mendonça França*
 
-    Fixes #34974.
+*   Remove deprecated support to pass an object that is not a `ActionView::LookupContext` as the first argument
+    in `ActionView::Base#initialize`.
 
-    *Mark Edmondson*
+    *Rafael Mendonça França*
 
-*   Single arity template handlers are deprecated.  Template handlers must
-    now accept two parameters, the view object and the source for the view object.
+*   Remove deprecated `format` argument `ActionView::Base#initialize`.
 
-    *tenderlove*
+    *Rafael Mendonça França*
 
+*   Remove deprecated `ActionView::Template#refresh`.
 
-## Rails 6.0.0.beta1 (January 18, 2019) ##
+    *Rafael Mendonça França*
 
-*   [Rename npm package](https://github.com/rails/rails/pull/34905) from
-    [`rails-ujs`](https://www.npmjs.com/package/rails-ujs) to
-    [`@rails/ujs`](https://www.npmjs.com/package/@rails/ujs).
+*   Remove deprecated `ActionView::Template#original_encoding`.
 
-    *Javan Makhmali*
+    *Rafael Mendonça França*
 
-*   Remove deprecated `image_alt` helper.
+*   Remove deprecated `ActionView::Template#variants`.
 
     *Rafael Mendonça França*
 
-*   Fix the need of `#protect_against_forgery?` method defined in
-    `ActionView::Base` subclasses. This prevents the use of forms and buttons.
+*   Remove deprecated `ActionView::Template#formats`.
 
-    *Genadi Samokovarov*
-
-*   Fix UJS permanently showing disabled text in a[data-remote][data-disable-with] elements within forms.
+    *Rafael Mendonça França*
 
-    Fixes #33889.
+*   Remove deprecated `ActionView::Template#virtual_path=`.
 
-    *Wolfgang Hobmaier*
+    *Rafael Mendonça França*
 
-*   Prevent non-primary mouse keys from triggering Rails UJS click handlers.
-    Firefox fires click events even if the click was triggered by non-primary mouse keys such as right- or scroll-wheel-clicks.
-    For example, right-clicking a link such as the one described below (with an underlying ajax request registered on click) should not cause that request to occur.
+*   Remove deprecated `ActionView::Template#updated_at`.
 
-    ```
-    <%= link_to 'Remote', remote_path, class: 'remote', remote: true, data: { type: :json } %>
-    ```
+    *Rafael Mendonça França*
 
-    Fixes #34541.
+*   Remove deprecated `updated_at` argument required on `ActionView::Template#initialize`.
 
-    *Wolfgang Hobmaier*
+    *Rafael Mendonça França*
 
-*   Prevent `ActionView::TextHelper#word_wrap` from unexpectedly stripping white space from the _left_ side of lines.
+*   Make `locals` argument required on `ActionView::Template#initialize`.
 
-    For example, given input like this:
+    *Rafael Mendonça França*
 
-    ```
-        This is a paragraph with an initial indent,
-    followed by additional lines that are not indented,
-    and finally terminated with a blockquote:
-      "A pithy saying"
-    ```
+*   Remove deprecated `ActionView::Template.finalize_compiled_template_methods`.
 
-    Calling `word_wrap` should not trim the indents on the first and last lines.
+    *Rafael Mendonça França*
 
-    Fixes #34487.
+*   Remove deprecated `config.action_view.finalize_compiled_template_methods`
 
-    *Lyle Mullican*
+    *Rafael Mendonça França*
 
-*   Add allocations to template rendering instrumentation.
+*   Remove deprecated support to calling `ActionView::ViewPaths#with_fallback` with a block.
 
-    Adds the allocations for template and partial rendering to the server output on render.
+    *Rafael Mendonça França*
 
-    ```
-      Rendered posts/_form.html.erb (Duration: 7.1ms | Allocations: 6004)
-      Rendered posts/new.html.erb within layouts/application (Duration: 8.3ms | Allocations: 6654)
-    Completed 200 OK in 858ms (Views: 848.4ms | ActiveRecord: 0.4ms | Allocations: 1539564)
-    ```
+*   Remove deprecated support to passing absolute paths to `render template:`.
 
-    *Eileen M. Uchitelle*, *Aaron Patterson*
+    *Rafael Mendonça França*
 
-*   Respect the `only_path` option passed to `url_for` when the options are passed in as an array
+*   Remove deprecated support to passing relative paths to `render file:`.
 
-    Fixes #33237.
+    *Rafael Mendonça França*
 
-    *Joel Ambass*
+*   Remove support to template handlers that don't accept two arguments.
 
-*   Deprecate calling private model methods from view helpers.
+    *Rafael Mendonça França*
 
-    For example, in methods like `options_from_collection_for_select`
-    and `collection_select` it is possible to call private methods from
-    the objects used.
+*   Remove deprecated pattern argument in `ActionView::Template::PathResolver`.
 
-    Fixes #33546.
+    *Rafael Mendonça França*
 
-    *Ana María Martínez Gómez*
+*   Remove deprecated support to call private methods from object in some view helpers.
 
-*   Fix issue with `button_to`'s `to_form_params`
+    *Rafael Mendonça França*
 
-    `button_to` was throwing exception when invoked with `params` hash that
-    contains symbol and string keys. The reason for the exception was that
-    `to_form_params` was comparing the given symbol and string keys.
+*   `ActionView::Helpers::TranslationHelper#translate` accepts a block, yielding
+    the translated text and the fully resolved translation key:
 
-    The issue is fixed by turning all keys to strings inside
-    `to_form_params` before comparing them.
+        <%= translate(".relative_key") do |translation, resolved_key| %>
+          <span title="<%= resolved_key %>"><%= translation %></span>
+        <% end %>
 
-    *Georgi Georgiev*
+    *Sean Doyle*
 
-*   Mark arrays of translations as trusted safe by using the `_html` suffix.
+*   Ensure cache fragment digests include all relevant template dependencies when
+    fragments are contained in a block passed to the render helper. Remove the
+    virtual_path keyword arguments found in CacheHelper as they no longer possess
+    any function following 1581cab.
 
-    Example:
+    Fixes #38984.
 
-        en:
-          foo_html:
-            - "One"
-            - "<strong>Two</strong>"
-            - "Three &#128075; &#128578;"
+    *Aaron Lipman*
 
-    *Juan Broullon*
+*   Deprecate `config.action_view.raise_on_missing_translations` in favor of
+    `config.i18n.raise_on_missing_translations`.
 
-*   Add `year_format` option to date_select tag. This option makes it possible to customize year
-    names. Lambda should be passed to use this option.
+    New generalized configuration option now determines whether an error should be raised
+    for missing translations in controllers and views.
 
-    Example:
+    *fatkodima*
 
-        date_select('user_birthday', '', start_year: 1998, end_year: 2000, year_format: ->year { "Heisei #{year - 1988}" })
+*   Instrument layout rendering in `TemplateRenderer#render_with_layout` as `render_layout.action_view`,
+    and include (when necessary) the layout's virtual path in notification payloads for collection and partial renders.
 
-    The HTML produced:
+    *Zach Kemp*
 
-        <select id="user_birthday__1i" name="user_birthday[(1i)]">
-        <option value="1998">Heisei 10</option>
-        <option value="1999">Heisei 11</option>
-        <option value="2000">Heisei 12</option>
-        </select>
-        /* The rest is omitted */
+*   `ActionView::Base.annotate_rendered_view_with_filenames` annotates HTML output with template file names.
 
-    *Koki Ryu*
+    *Joel Hawksley*, *Aaron Patterson*
 
-*   Fix JavaScript views rendering does not work with Firefox when using
-    Content Security Policy.
+*   `ActionView::Helpers::TranslationHelper#translate` returns nil when
+    passed `default: nil` without a translation matching `I18n#translate`.
 
-    Fixes #32577.
+    *Stefan Wrobel*
 
-    *Yuji Yaginuma*
+*   `OptimizedFileSystemResolver` prefers template details in order of locale,
+    formats, variants, handlers.
 
-*   Add the `nonce: true` option for `javascript_include_tag` helper to
-    support automatic nonce generation for Content Security Policy.
-    Works the same way as `javascript_tag nonce: true` does.
+    *Iago Pimenta*
 
-    *Yaroslav Markin*
+*   Added `class_names` helper to create a CSS class value with conditional classes.
 
-*   Remove `ActionView::Helpers::RecordTagHelper`.
+    *Joel Hawksley*, *Aaron Patterson*
 
-    *Yoshiyuki Hirano*
+*   Add support for conditional values to TagBuilder.
 
-*   Disable `ActionView::Template` finalizers in test environment.
+    *Joel Hawksley*
 
-    Template finalization can be expensive in large view test suites.
-    Add a configuration option,
-    `action_view.finalize_compiled_template_methods`, and turn it off in
-    the test environment.
+*   `ActionView::Helpers::FormOptionsHelper#select` should mark option for `nil` as selected.
 
-    *Simon Coffey*
+    ```ruby
+    @post = Post.new
+    @post.category = nil
 
-*   Extract the `confirm` call in its own, overridable method in `rails_ujs`.
+    # Before
+    select("post", "category", none: nil, programming: 1, economics: 2)
+    # =>
+    # <select name="post[category]" id="post_category">
+    #   <option value="">none</option>
+    #  <option value="1">programming</option>
+    #  <option value="2">economics</option>
+    # </select>
 
-    Example:
+    # After
+    select("post", "category", none: nil, programming: 1, economics: 2)
+    # =>
+    # <select name="post[category]" id="post_category">
+    #   <option selected="selected" value="">none</option>
+    #  <option value="1">programming</option>
+    #  <option value="2">economics</option>
+    # </select>
+    ```
 
-        Rails.confirm = function(message, element) {
-          return (my_bootstrap_modal_confirm(message));
-        }
+    *bogdanvlviv*
 
-    *Mathieu Mahé*
+*   Log lines for partial renders and started template renders are now
+    emitted at the `DEBUG` level instead of `INFO`.
 
-*   Enable select tag helper to mark `prompt` option as `selected` and/or `disabled` for `required`
-    field.
+    Completed template renders are still logged at the `INFO` level.
 
-    Example:
+    *DHH*
 
-        select :post,
-               :category,
-               ["lifestyle", "programming", "spiritual"],
-               { selected: "", disabled: "", prompt: "Choose one" },
-               { required: true }
+*   ActionView::Helpers::SanitizeHelper: support rails-html-sanitizer 1.1.0.
 
-    Placeholder option would be selected and disabled.
+    *Juanito Fatas*
 
-    The HTML produced:
+*   Added `phone_to` helper method to create a link from mobile numbers.
 
-        <select required="required" name="post[category]" id="post_category">
-        <option disabled="disabled" selected="selected" value="">Choose one</option>
-        <option value="lifestyle">lifestyle</option>
-        <option value="programming">programming</option>
-        <option value="spiritual">spiritual</option></select>
+    *Pietro Moro*
 
-    *Sergey Prikhodko*
+*   annotated_source_code returns an empty array so TemplateErrors without a
+    template in the backtrace are surfaced properly by DebugExceptions.
 
-*   Don't enforce UTF-8 by default.
+    *Guilherme Mansur*, *Kasper Timm Hansen*
 
-    With the disabling of TLS 1.0 by most major websites, continuing to run
-    IE8 or lower becomes increasingly difficult so default to not enforcing
-    UTF-8 encoding as it's not relevant to other browsers.
+*   Add autoload for SyntaxErrorInTemplate so syntax errors are correctly raised by DebugExceptions.
 
-    *Andrew White*
+    *Guilherme Mansur*, *Gannon McGibbon*
 
-*   Change translation key of `submit_tag` from `module_name_class_name` to `module_name/class_name`.
+*   `RenderingHelper` supports rendering objects that `respond_to?` `:render_in`.
 
-    *Rui Onodera*
+    *Joel Hawksley*, *Natasha Umer*, *Aaron Patterson*, *Shawn Allen*, *Emily Plummer*, *Diana Mounter*, *John Hawthorn*, *Nathan Herald*, *Zaid Zawaideh*, *Zach Ahn*
 
-*   Rails 6 requires Ruby 2.5.0 or newer.
+*   Fix `select_tag` so that it doesn't change `options` when `include_blank` is present.
 
-    *Jeremy Daer*, *Kasper Timm Hansen*
+    *Younes SERRAJ*
 
 
-Please check [5-2-stable](https://github.com/rails/rails/blob/5-2-stable/actionview/CHANGELOG.md) for previous changes.
+Please check [6-0-stable](https://github.com/rails/rails/blob/6-0-stable/actionview/CHANGELOG.md) for previous changes.