actionview 7.0.10 → 7.1.0.beta1

data/lib/action_view/helpers/sanitize_helper.rb

@@ -3,20 +3,23 @@
 require "rails-html-sanitizer"
 
 module ActionView
-  # = Action View Sanitize Helpers
   module Helpers # :nodoc:
+    # = Action View Sanitize \Helpers
+    #
     # The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements.
     # These helper methods extend Action View making them callable within your template files.
     module SanitizeHelper
+      mattr_accessor :sanitizer_vendor, default: Rails::HTML4::Sanitizer
+
       extend ActiveSupport::Concern
+
       # Sanitizes HTML input, stripping all but known-safe tags and attributes.
       #
-      # It also strips +href+ / +src+ attributes with unsafe protocols like
-      # <tt>javascript:</tt>, while also protecting against attempts to use Unicode,
-      # ASCII, and hex character references to work around these protocol filters.
-      # All special characters will be escaped.
+      # It also strips href/src attributes with unsafe protocols like <tt>javascript:</tt>, while
+      # also protecting against attempts to use Unicode, ASCII, and hex character references to work
+      # around these protocol filters.
       #
-      # The default sanitizer is +Rails::Html::SafeListSanitizer+. See {Rails HTML
+      # The default sanitizer is Rails::HTML5::SafeListSanitizer. See {Rails HTML
       # Sanitizers}[https://github.com/rails/rails-html-sanitizer] for more information.
       #
       # Custom sanitization rules can also be provided.
@@ -26,31 +29,26 @@ module ActionView
       #
       # ==== Options
       #
-      # [+:tags+]
-      #   An array of allowed tags.
-      #
-      # [+:attributes+]
-      #   An array of allowed attributes.
-      #
-      # [+:scrubber+]
-      #   A {Rails::Html scrubber}[https://github.com/rails/rails-html-sanitizer]
+      # * <tt>:tags</tt> - An array of allowed tags.
+      # * <tt>:attributes</tt> - An array of allowed attributes.
+      # * <tt>:scrubber</tt> - A {Rails::HTML scrubber}[https://github.com/rails/rails-html-sanitizer]
       #   or {Loofah::Scrubber}[https://github.com/flavorjones/loofah] object that
       #   defines custom sanitization rules. A custom scrubber takes precedence over
       #   custom tags and attributes.
       #
       # ==== Examples
       #
-      # ===== Normal use
+      # Normal use:
       #
       #   <%= sanitize @comment.body %>
       #
-      # ===== Providing custom lists of permitted tags and attributes
+      # Providing custom lists of permitted tags and attributes:
       #
       #   <%= sanitize @comment.body, tags: %w(strong em a), attributes: %w(href) %>
       #
-      # ===== Providing a custom +Rails::Html+ scrubber
+      # Providing a custom Rails::HTML scrubber:
       #
-      #   class CommentScrubber < Rails::Html::PermitScrubber
+      #   class CommentScrubber < Rails::HTML::PermitScrubber
       #     def initialize
       #       super
       #       self.tags = %w( form script comment blockquote )
@@ -62,38 +60,48 @@ module ActionView
       #     end
       #   end
       #
-      # <code></code>
-      #
       #   <%= sanitize @comment.body, scrubber: CommentScrubber.new %>
       #
       # See {Rails HTML Sanitizer}[https://github.com/rails/rails-html-sanitizer] for
-      # documentation about +Rails::Html+ scrubbers.
+      # documentation about Rails::HTML scrubbers.
       #
-      # ===== Providing a custom +Loofah::Scrubber+
+      # Providing a custom Loofah::Scrubber:
       #
       #   scrubber = Loofah::Scrubber.new do |node|
       #     node.remove if node.name == 'script'
       #   end
       #
-      # <code></code>
-      #
       #   <%= sanitize @comment.body, scrubber: scrubber %>
       #
       # See {Loofah's documentation}[https://github.com/flavorjones/loofah] for more
-      # information about defining custom +Loofah::Scrubber+ objects.
-      #
-      # ==== Global Configuration
+      # information about defining custom Loofah::Scrubber objects.
       #
       # To set the default allowed tags or attributes across your application:
       #
       #   # In config/application.rb
       #   config.action_view.sanitized_allowed_tags = ['strong', 'em', 'a']
       #   config.action_view.sanitized_allowed_attributes = ['href', 'title']
+      #
+      # The default, starting in \Rails 7.1, is to use an HTML5 parser for sanitization (if it is
+      # available, see NOTE below). If you wish to revert back to the previous HTML4 behavior, you
+      # can do so by setting the following in your application configuration:
+      #
+      #   # In config/application.rb
+      #   config.action_view.sanitizer_vendor = Rails::HTML4::Sanitizer
+      #
+      # Or, if you're upgrading from a previous version of \Rails and wish to opt into the HTML5
+      # behavior:
+      #
+      #   # In config/application.rb
+      #   config.action_view.sanitizer_vendor = Rails::HTML5::Sanitizer
+      #
+      # NOTE: Rails::HTML5::Sanitizer is not supported on JRuby, so on JRuby platforms \Rails will
+      # fall back to use Rails::HTML4::Sanitizer.
       def sanitize(html, options = {})
         self.class.safe_list_sanitizer.sanitize(html, options)&.html_safe
       end
 
-      # Sanitizes a block of CSS code. Used by #sanitize when it comes across a style attribute.
+      # Sanitizes a block of CSS code. Used by +sanitize+ when it comes across a style attribute.
       def sanitize_css(style)
         self.class.safe_list_sanitizer.sanitize_css(style)
       end
@@ -136,7 +144,7 @@ module ActionView
         attr_writer :full_sanitizer, :link_sanitizer, :safe_list_sanitizer
 
         def sanitizer_vendor
-          Rails::Html::Sanitizer
+          ActionView::Helpers::SanitizeHelper.sanitizer_vendor
         end
 
         def sanitized_allowed_tags
@@ -147,7 +155,7 @@ module ActionView
           sanitizer_vendor.safe_list_sanitizer.allowed_attributes
         end
 
-        # Gets the Rails::Html::FullSanitizer instance used by +strip_tags+. Replace with
+        # Gets the Rails::HTML::FullSanitizer instance used by +strip_tags+. Replace with
         # any object that responds to +sanitize+.
         #
         #   class Application < Rails::Application
@@ -157,7 +165,7 @@ module ActionView
           @full_sanitizer ||= sanitizer_vendor.full_sanitizer.new
         end
 
-        # Gets the Rails::Html::LinkSanitizer instance used by +strip_links+.
+        # Gets the Rails::HTML::LinkSanitizer instance used by +strip_links+.
         # Replace with any object that responds to +sanitize+.
         #
         #   class Application < Rails::Application
@@ -167,7 +175,7 @@ module ActionView
           @link_sanitizer ||= sanitizer_vendor.link_sanitizer.new
         end
 
-        # Gets the Rails::Html::SafeListSanitizer instance used by sanitize and +sanitize_css+.
+        # Gets the Rails::HTML::SafeListSanitizer instance used by sanitize and +sanitize_css+.
         # Replace with any object that responds to +sanitize+.
         #
         #   class Application < Rails::Application

data/lib/action_view/helpers/tag_helper.rb

@@ -7,8 +7,9 @@ require "action_view/helpers/capture_helper"
 require "action_view/helpers/output_safety_helper"
 
 module ActionView
-  # = Action View Tag Helpers
   module Helpers # :nodoc:
+    # = Action View Tag \Helpers
+    #
     # Provides methods to generate HTML tags programmatically both as a modern
     # HTML5 compliant builder style and legacy XHTML compliant tags.
     module TagHelper
@@ -65,9 +66,7 @@ module ActionView
           tag_string(:p, *arguments, **options, &block)
         end
 
-        def tag_string(name, content = nil, **options, &block)
-          escape = handle_deprecated_escape_options(options)
-
+        def tag_string(name, content = nil, escape: true, **options, &block)
           content = @view_context.capture(self, &block) if block_given?
           self_closing = SVG_SELF_CLOSING_ELEMENTS.include?(name)
           if (HTML_VOID_ELEMENTS.include?(name) || self_closing) && content.nil?
@@ -164,27 +163,6 @@ module ActionView
             true
           end
 
-          def handle_deprecated_escape_options(options)
-            # The option :escape_attributes has been merged into the options hash to be
-            # able to warn when it is used, so we need to handle default values here.
-            escape_option_provided = options.has_key?(:escape)
-            escape_attributes_option_provided = options.has_key?(:escape_attributes)
-
-            if escape_attributes_option_provided
-              ActiveSupport::Deprecation.warn(<<~MSG)
-                Use of the option :escape_attributes is deprecated. It currently \
-                escapes both names and values of tags and attributes and it is \
-                equivalent to :escape. If any of them are enabled, the escaping \
-                is fully enabled.
-              MSG
-            end
-
-            return true unless escape_option_provided || escape_attributes_option_provided
-            escape_option = options.delete(:escape)
-            escape_attributes_option = options.delete(:escape_attributes)
-            escape_option || escape_attributes_option
-          end
-
           def method_missing(called, *args, **options, &block)
             tag_string(called, *args, **options, &block)
           end
@@ -283,7 +261,7 @@ module ActionView
       #
       # === Legacy syntax
       #
-      # The following format is for legacy syntax support. It will be deprecated in future versions of Rails.
+      # The following format is for legacy syntax support. It will be deprecated in future versions of \Rails.
       #
       #   tag(name, options = nil, open = false, escape = true)
       #
@@ -386,7 +364,7 @@ module ActionView
       #   token_list(nil, false, 123, "", "foo", { bar: true })
       #    # => "123 foo bar"
       def token_list(*args)
-        tokens = build_tag_values(*args).flat_map { |value| value.to_s.split(/\s+/) }.uniq
+        tokens = build_tag_values(*args).flat_map { |value| CGI.unescape_html(value.to_s).split(/\s+/) }.uniq
 
         safe_join(tokens, " ")
       end

data/lib/action_view/helpers/tags/base.rb

@@ -5,7 +5,6 @@ module ActionView
     module Tags # :nodoc:
       class Base # :nodoc:
         include Helpers::ActiveModelInstanceTag, Helpers::TagHelper, Helpers::FormTagHelper
-        include FormOptionsHelper
 
         attr_reader :object
 
@@ -35,22 +34,24 @@ module ActionView
 
         private
           def value
+            return unless object
+
             if @allow_method_names_outside_object
-              object.public_send @method_name if object && object.respond_to?(@method_name)
+              object.public_send @method_name if object.respond_to?(@method_name)
             else
-              object.public_send @method_name if object
+              object.public_send @method_name
             end
           end
 
           def value_before_type_cast
-            unless object.nil?
-              method_before_type_cast = @method_name + "_before_type_cast"
+            return unless object
 
-              if value_came_from_user? && object.respond_to?(method_before_type_cast)
-                object.public_send(method_before_type_cast)
-              else
-                value
-              end
+            method_before_type_cast = @method_name + "_before_type_cast"
+
+            if value_came_from_user? && object.respond_to?(method_before_type_cast)
+              object.public_send(method_before_type_cast)
+            else
+              value
             end
           end
 
@@ -120,48 +121,6 @@ module ActionView
             value.to_s.gsub(/[\s.]/, "_").gsub(/[^-[[:word:]]]/, "").downcase
           end
 
-          def select_content_tag(option_tags, options, html_options)
-            html_options = html_options.stringify_keys
-            add_default_name_and_id(html_options)
-
-            if placeholder_required?(html_options)
-              raise ArgumentError, "include_blank cannot be false for a required field." if options[:include_blank] == false
-              options[:include_blank] ||= true unless options[:prompt]
-            end
-
-            value = options.fetch(:selected) { value() }
-            select = content_tag("select", add_options(option_tags, options, value), html_options)
-
-            if html_options["multiple"] && options.fetch(:include_hidden, true)
-              tag("input", disabled: html_options["disabled"], name: html_options["name"], type: "hidden", value: "", autocomplete: "off") + select
-            else
-              select
-            end
-          end
-
-          def placeholder_required?(html_options)
-            # See https://html.spec.whatwg.org/multipage/forms.html#attr-select-required
-            html_options["required"] && !html_options["multiple"] && html_options.fetch("size", 1).to_i == 1
-          end
-
-          def add_options(option_tags, options, value = nil)
-            if options[:include_blank]
-              content = (options[:include_blank] if options[:include_blank].is_a?(String))
-              label = (" " unless content)
-              option_tags = tag_builder.content_tag_string("option", content, value: "", label: label) + "\n" + option_tags
-            end
-
-            if value.blank? && options[:prompt]
-              tag_options = { value: "" }.tap do |prompt_opts|
-                prompt_opts[:disabled] = true if options[:disabled] == ""
-                prompt_opts[:selected] = true if options[:selected] == ""
-              end
-              option_tags = tag_builder.content_tag_string("option", prompt_text(options[:prompt]), tag_options) + "\n" + option_tags
-            end
-
-            option_tags
-          end
-
           def name_and_id_index(options)
             if options.key?("index")
               options.delete("index") || ""

data/lib/action_view/helpers/tags/collection_check_boxes.rb

@@ -7,6 +7,7 @@ module ActionView
     module Tags # :nodoc:
       class CollectionCheckBoxes < Base # :nodoc:
         include CollectionHelpers
+        include FormOptionsHelper
 
         class CheckBoxBuilder < Builder # :nodoc:
           def check_box(extra_html_options = {})

data/lib/action_view/helpers/tags/collection_radio_buttons.rb

@@ -7,6 +7,7 @@ module ActionView
     module Tags # :nodoc:
       class CollectionRadioButtons < Base # :nodoc:
         include CollectionHelpers
+        include FormOptionsHelper
 
         class RadioButtonBuilder < Builder # :nodoc:
           def radio_button(extra_html_options = {})

data/lib/action_view/helpers/tags/collection_select.rb

@@ -4,6 +4,9 @@ module ActionView
   module Helpers
     module Tags # :nodoc:
       class CollectionSelect < Base # :nodoc:
+        include SelectRenderer
+        include FormOptionsHelper
+
         def initialize(object_name, method_name, template_object, collection, value_method, text_method, options, html_options)
           @collection   = collection
           @value_method = value_method

data/lib/action_view/helpers/tags/date_field.rb

@@ -5,7 +5,7 @@ module ActionView
     module Tags # :nodoc:
       class DateField < DatetimeField # :nodoc:
         private
-          def format_date(value)
+          def format_datetime(value)
             value&.strftime("%Y-%m-%d")
           end
       end

data/lib/action_view/helpers/tags/date_select.rb

@@ -6,6 +6,8 @@ module ActionView
   module Helpers
     module Tags # :nodoc:
       class DateSelect < Base # :nodoc:
+        include SelectRenderer
+
         def initialize(object_name, method_name, template_object, options, html_options)
           @html_options = html_options
 

data/lib/action_view/helpers/tags/datetime_field.rb

@@ -6,20 +6,28 @@ module ActionView
       class DatetimeField < TextField # :nodoc:
         def render
           options = @options.stringify_keys
-          options["value"] ||= format_date(value)
-          options["min"] = format_date(datetime_value(options["min"]))
-          options["max"] = format_date(datetime_value(options["max"]))
+          options["value"] = datetime_value(options["value"] || value)
+          options["min"] = format_datetime(parse_datetime(options["min"]))
+          options["max"] = format_datetime(parse_datetime(options["max"]))
           @options = options
           super
         end
 
         private
-          def format_date(value)
+          def datetime_value(value)
+            if value.is_a?(String)
+              value
+            else
+              format_datetime(value)
+            end
+          end
+
+          def format_datetime(value)
             raise NotImplementedError
           end
 
-          def datetime_value(value)
-            if value.is_a? String
+          def parse_datetime(value)
+            if value.is_a?(String)
               DateTime.parse(value) rescue nil
             else
               value

data/lib/action_view/helpers/tags/datetime_local_field.rb

@@ -4,6 +4,11 @@ module ActionView
   module Helpers
     module Tags # :nodoc:
       class DatetimeLocalField < DatetimeField # :nodoc:
+        def initialize(object_name, method_name, template_object, options = {})
+          @include_seconds = options.delete(:include_seconds) { true }
+          super
+        end
+
         class << self
           def field_type
             @field_type ||= "datetime-local"
@@ -11,8 +16,12 @@ module ActionView
         end
 
         private
-          def format_date(value)
-            value&.strftime("%Y-%m-%dT%T")
+          def format_datetime(value)
+            if @include_seconds
+              value&.strftime("%Y-%m-%dT%T")
+            else
+              value&.strftime("%Y-%m-%dT%H:%M")
+            end
           end
       end
     end

data/lib/action_view/helpers/tags/grouped_collection_select.rb

@@ -4,6 +4,9 @@ module ActionView
   module Helpers
     module Tags # :nodoc:
       class GroupedCollectionSelect < Base # :nodoc:
+        include SelectRenderer
+        include FormOptionsHelper
+
         def initialize(object_name, method_name, template_object, collection, group_method, group_label_method, option_key_method, option_value_method, options, html_options)
           @collection          = collection
           @group_method        = group_method

data/lib/action_view/helpers/tags/month_field.rb

@@ -5,7 +5,7 @@ module ActionView
     module Tags # :nodoc:
       class MonthField < DatetimeField # :nodoc:
         private
-          def format_date(value)
+          def format_datetime(value)
             value&.strftime("%Y-%m")
           end
       end

data/lib/action_view/helpers/tags/select.rb

@@ -4,6 +4,9 @@ module ActionView
   module Helpers
     module Tags # :nodoc:
       class Select < Base # :nodoc:
+        include SelectRenderer
+        include FormOptionsHelper
+
         def initialize(object_name, method_name, template_object, choices, options, html_options)
           @choices = block_given? ? template_object.capture { yield || "" } : choices
           @choices = @choices.to_a if @choices.is_a?(Range)

data/lib/action_view/helpers/tags/select_renderer.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+module ActionView
+  module Helpers
+    module Tags # :nodoc:
+      module SelectRenderer # :nodoc:
+        private
+          def select_content_tag(option_tags, options, html_options)
+            html_options = html_options.stringify_keys
+            [:required, :multiple, :size].each do |prop|
+              html_options[prop.to_s] = options.delete(prop) if options.key?(prop) && !html_options.key?(prop.to_s)
+            end
+
+            add_default_name_and_id(html_options)
+
+            if placeholder_required?(html_options)
+              raise ArgumentError, "include_blank cannot be false for a required field." if options[:include_blank] == false
+              options[:include_blank] ||= true unless options[:prompt]
+            end
+
+            value = options.fetch(:selected) { value() }
+            select = content_tag("select", add_options(option_tags, options, value), html_options)
+
+            if html_options["multiple"] && options.fetch(:include_hidden, true)
+              tag("input", disabled: html_options["disabled"], name: html_options["name"], type: "hidden", value: "", autocomplete: "off") + select
+            else
+              select
+            end
+          end
+
+          def placeholder_required?(html_options)
+            # See https://html.spec.whatwg.org/multipage/forms.html#attr-select-required
+            html_options["required"] && !html_options["multiple"] && html_options.fetch("size", 1).to_i == 1
+          end
+
+          def add_options(option_tags, options, value = nil)
+            if options[:include_blank]
+              content = (options[:include_blank] if options[:include_blank].is_a?(String))
+              label = (" " unless content)
+              option_tags = tag_builder.content_tag_string("option", content, value: "", label: label) + "\n" + option_tags
+            end
+
+            if value.blank? && options[:prompt]
+              tag_options = { value: "" }.tap do |prompt_opts|
+                prompt_opts[:disabled] = true if options[:disabled] == ""
+                prompt_opts[:selected] = true if options[:selected] == ""
+              end
+              option_tags = tag_builder.content_tag_string("option", prompt_text(options[:prompt]), tag_options) + "\n" + option_tags
+            end
+
+            option_tags
+          end
+      end
+    end
+  end
+end

data/lib/action_view/helpers/tags/time_field.rb

@@ -10,7 +10,7 @@ module ActionView
         end
 
         private
-          def format_date(value)
+          def format_datetime(value)
             if @include_seconds
               value&.strftime("%T.%L")
             else

data/lib/action_view/helpers/tags/time_zone_select.rb

@@ -4,6 +4,9 @@ module ActionView
   module Helpers
     module Tags # :nodoc:
       class TimeZoneSelect < Base # :nodoc:
+        include SelectRenderer
+        include FormOptionsHelper
+
         def initialize(object_name, method_name, template_object, priority_zones, options, html_options)
           @priority_zones = priority_zones
           @html_options   = html_options

data/lib/action_view/helpers/tags/week_field.rb

@@ -5,7 +5,7 @@ module ActionView
     module Tags # :nodoc:
       class WeekField < DatetimeField # :nodoc:
         private
-          def format_date(value)
+          def format_datetime(value)
             value&.strftime("%Y-W%V")
           end
       end

data/lib/action_view/helpers/tags/weekday_select.rb

@@ -4,6 +4,9 @@ module ActionView
   module Helpers
     module Tags # :nodoc:
       class WeekdaySelect < Base # :nodoc:
+        include SelectRenderer
+        include FormOptionsHelper
+
         def initialize(object_name, method_name, template_object, options, html_options)
           @html_options = html_options
 

data/lib/action_view/helpers/tags.rb

@@ -5,6 +5,8 @@ module ActionView
     module Tags # :nodoc:
       extend ActiveSupport::Autoload
 
+      autoload :SelectRenderer
+
       eager_autoload do
         autoload :Base
         autoload :Translator