actionview 7.0.4 → 7.1.5.1

data/CHANGELOG.md

@@ -1,405 +1,516 @@
-## Rails 7.0.4 (September 09, 2022) ##
+## Rails 7.1.5.1 (December 10, 2024) ##
 
-*   Guard against `ActionView::Helpers::FormTagHelper#field_name` calls with nil
-    `object_name` arguments. For example:
+*   No changes.
 
-    ```erb
-    <%= fields do |f| %>
-      <%= f.field_name :body %>
-    <% end %>
-    ```
 
-    *Sean Doyle*
+## Rails 7.1.5 (October 30, 2024) ##
 
-*   Strings returned from `strip_tags` are correctly tagged `html_safe?`
+*   No changes.
 
-    Because these strings contain no HTML elements and the basic entities are escaped, they are safe
-    to be included as-is as PCDATA in HTML content. Tagging them as html-safe avoids double-escaping
-    entities when being concatenated to a SafeBuffer during rendering.
 
-    Fixes [rails/rails-html-sanitizer#124](https://github.com/rails/rails-html-sanitizer/issues/124)
+## Rails 7.1.4.2 (October 23, 2024) ##
 
-    *Mike Dalessio*
+*   No changes.
 
-## Rails 7.0.3.1 (July 12, 2022) ##
+
+## Rails 7.1.4.1 (October 15, 2024) ##
 
 *   No changes.
 
 
-## Rails 7.0.3 (May 09, 2022) ##
+## Rails 7.1.4 (August 22, 2024) ##
 
-*   Ensure models passed to `form_for` attempt to call `to_model`.
+*   Action View Test Case `rendered` memoization.
 
     *Sean Doyle*
 
-## Rails 7.0.2.4 (April 26, 2022) ##
+*   Restore the ability for templates to return any kind of object and not just strings
 
-*   Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
+    *Jean Boussier*
 
-    Escape dangerous characters in names of tags and names of attributes in the
-    tag helpers, following the XML specification. Rename the option
-    `:escape_attributes` to `:escape`, to simplify by applying the option to the
-    whole tag.
+*   Fix threading issue with strict locals.
 
-    *Álvaro Martín Fraguas*
+    *Robert Fletcher*
 
-## Rails 7.0.2.3 (March 08, 2022) ##
+
+## Rails 7.1.3.4 (June 04, 2024) ##
 
 *   No changes.
 
 
-## Rails 7.0.2.2 (February 11, 2022) ##
+## Rails 7.1.3.3 (May 16, 2024) ##
 
 *   No changes.
 
 
-## Rails 7.0.2.1 (February 11, 2022) ##
+## Rails 7.1.3.2 (February 21, 2024) ##
 
 *   No changes.
 
 
-## Rails 7.0.2 (February 08, 2022) ##
+## Rails 7.1.3.1 (February 21, 2024) ##
 
-*   Ensure `preload_link_tag` preloads JavaScript modules correctly.
+*   No changes.
 
-    *Máximo Mussini*
 
-*   Fix `stylesheet_link_tag` and similar helpers are being used to work in objects with
-    a `response` method.
+## Rails 7.1.3 (January 16, 2024) ##
 
-    *dark-panda*
+*   Better handle SyntaxError in Action View.
 
+    *Mario Caropreso*
 
-## Rails 7.0.1 (January 06, 2022) ##
+*   Fix `word_wrap` with empty string.
 
-*   Fix `button_to` to work with a hash parameter as URL.
+    *Jonathan Hefner*
 
-    *MingyuanQin*
+*   Rename `ActionView::TestCase::Behavior::Content` to `ActionView::TestCase::Behavior::RenderedViewContent`.
 
-*   Fix `link_to` with a model passed as an argument twice.
+    Make `RenderedViewContent` inherit from `String`. Make private API with `:nodoc:`.
 
-    *Alex Ghiculescu*
+    *Sean Doyle*
 
+*   Fix detection of required strict locals.
 
-## Rails 7.0.0 (December 15, 2021) ##
+    Further fix `render @collection` compatibility with strict locals
 
-*   Support `include_hidden:` option in calls to
-    `ActionView::Helper::FormBuilder#file_field` with `multiple: true` to
-    support submitting an empty collection of files.
+    *Jean Boussier*
 
-    ```ruby
-    form.file_field :attachments, multiple: true
-    # => <input type="hidden" autocomplete="off" name="post[attachments][]" value="">
-         <input type="file" multiple="multiple" id="post_attachments" name="post[attachments][]">
 
-    form.file_field :attachments, multiple: true, include_hidden: false
-    # => <input type="file" multiple="multiple" id="post_attachments" name="post[attachments][]">
-    ```
+## Rails 7.1.2 (November 10, 2023) ##
 
-    *Sean Doyle*
+*   Fix the `number_to_human_size` view helper to correctly work with negative numbers.
 
-*   Fix `number_with_precision(raise: true)` always raising even on valid numbers.
+    *Earlopain*
 
-    *Pedro Moreira*
+*   Automatically discard the implicit locals injected by collection rendering for template that can't accept them
 
+    When rendering a collection, two implicit variables are injected, which breaks templates with strict locals.
 
-## Rails 7.0.0.rc3 (December 14, 2021) ##
+    Now they are only passed if the template will actually accept them.
 
-*   No changes.
+    *Yasha Krasnou*, *Jean Boussier*
 
+*   Fix `@rails/ujs` calling `start()` an extra time when using bundlers
 
-## Rails 7.0.0.rc2 (December 14, 2021) ##
+    *Hartley McGuire*, *Ryunosuke Sato*
 
-*   No changes.
+*   Fix the `capture` view helper compatibility with HAML and Slim
 
-## Rails 7.0.0.rc1 (December 06, 2021) ##
+    When a blank string was captured in HAML or Slim (and possibly other template engines)
+    it would instead return the entire buffer.
 
-*   Support `fields model: [@nested, @model]` the same way as `form_with model:
-    [@nested, @model]`.
+    *Jean Boussier*
 
-    *Sean Doyle*
 
-*   Infer HTTP verb `[method]` from a model or Array with model as the first
-    argument to `button_to` when combined with a block:
+## Rails 7.1.1 (October 11, 2023) ##
 
-    ```ruby
-    button_to(Workshop.find(1)){ "Update" }
-    #=> <form method="post" action="/workshops/1" class="button_to">
-    #=>   <input type="hidden" name="_method" value="patch" autocomplete="off" />
-    #=>   <button type="submit">Update</button>
-    #=> </form>
+*   Updated `@rails/ujs` files to ignore certain data-* attributes when element is contenteditable.
 
-    button_to([ Workshop.find(1), Session.find(1) ]) { "Update" }
-    #=> <form method="post" action="/workshops/1/sessions/1" class="button_to">
-    #=>   <input type="hidden" name="_method" value="patch" autocomplete="off" />
-    #=>   <button type="submit">Update</button>
-    #=> </form>
-    ```
+    This fix was already landed in >= 7.0.4.3, < 7.1.0.
+    [[CVE-2023-23913](https://github.com/advisories/GHSA-xp5h-f8jf-rc8q)]
+
+    *Ryunosuke Sato*
+
+
+## Rails 7.1.0 (October 05, 2023) ##
+
+*   No changes.
 
-    *Sean Doyle*
 
-*   Support passing a Symbol as the first argument to `FormBuilder#button`:
+## Rails 7.1.0.rc2 (October 01, 2023) ##
+
+*   No changes.
+
+
+## Rails 7.1.0.rc1 (September 27, 2023) ##
+
+*   Introduce `ActionView::TestCase.register_parser`
 
     ```ruby
-    form.button(:draft, value: true)
-    # => <button name="post[draft]" value="true" type="submit">Create post</button>
+    register_parser :rss, -> rendered { RSS::Parser.parse(rendered) }
+
+    test "renders RSS" do
+      article = Article.create!(title: "Hello, world")
 
-    form.button(:draft, value: true) do
-      content_tag(:strong, "Save as draft")
+      render formats: :rss, partial: article
+
+      assert_equal "Hello, world", rendered.rss.items.last.title
     end
-    # =>  <button name="post[draft]" value="true" type="submit">
-    #       <strong>Save as draft</strong>
-    #     </button>
     ```
 
+    By default, register parsers for `:html` and `:json`.
+
     *Sean Doyle*
 
-*   Introduce the `field_name` view helper, along with the
-    `FormBuilder#field_name` counterpart:
+
+## Rails 7.1.0.beta1 (September 13, 2023) ##
+
+*   Fix `simple_format` with blank `wrapper_tag` option returns plain html tag
+
+    By default `simple_format` method returns the text wrapped with `<p>`. But if we explicitly specify
+    the `wrapper_tag: nil` in the options, it returns the text wrapped with `<></>` tag.
+
+    Before:
 
     ```ruby
-    form_for @post do |f|
-      f.field_tag :tag, name: f.field_name(:tag, multiple: true)
-      # => <input type="text" name="post[tag][]">
-    end
+    simple_format("Hello World", {},  { wrapper_tag: nil })
+    # <>Hello World</>
     ```
 
-    *Sean Doyle*
-
-*   Execute the `ActionView::Base.field_error_proc` within the context of the
-    `ActionView::Base` instance:
+    After:
 
     ```ruby
-    config.action_view.field_error_proc = proc { |html| content_tag(:div, html, class: "field_with_errors") }
+    simple_format("Hello World", {},  { wrapper_tag: nil })
+    # <p>Hello World</p>
     ```
 
+    *Akhil G Krishnan*, *Junichi Ito*
+
+*   Don't double-encode nested `field_id` and `field_name` index values
+
+    Pass `index: @options` as a default keyword argument to `field_id` and
+    `field_name` view helper methods.
+
     *Sean Doyle*
 
-*   Add support for `button_to ..., authenticity_token: false`
+*   Allow opting in/out of `Link preload` headers when calling `stylesheet_link_tag` or `javascript_include_tag`
 
     ```ruby
-    button_to "Create", Post.new, authenticity_token: false
-    # => <form class="button_to" method="post" action="/posts"><button type="submit">Create</button></form>
+    # will exclude header, even if setting is enabled:
+    javascript_include_tag("http://example.com/all.js", preload_links_header: false)
 
-    button_to "Create", Post.new, authenticity_token: true
-    # => <form class="button_to" method="post" action="/posts"><button type="submit">Create</button><input type="hidden" name="form_token" value="abc123..." autocomplete="off" /></form>
-
-    button_to "Create", Post.new, authenticity_token: "secret"
-    # => <form class="button_to" method="post" action="/posts"><button type="submit">Create</button><input type="hidden" name="form_token" value="secret" autocomplete="off" /></form>
+    # will include header, even if setting is disabled:
+    stylesheet_link_tag("http://example.com/all.js", preload_links_header: true)
     ```
 
-    *Sean Doyle*
+    *Alex Ghiculescu*
 
-*   Support rendering `<form>` elements _without_ `[action]` attributes by:
+*   Stop generating `Link preload` headers once it has reached 1KB.
 
-    * `form_with url: false` or `form_with ..., html: { action: false }`
-    * `form_for ..., url: false` or `form_for ..., html: { action: false }`
-    * `form_tag false` or `form_tag ..., action: false`
-    * `button_to "...", false` or `button_to(false) { ... }`
+    Some proxies have trouble handling large headers, but more importantly preload links
+    have diminishing returns so it's preferable not to go overboard with them.
 
-    *Sean Doyle*
+    If tighter control is needed, it's recommended to disable automatic generation of preloads
+    and to generate them manually from the controller or from a middleware.
 
-*   Add `:day_format` option to `date_select`
+    *Jean Boussier*
 
-        date_select("article", "written_on", day_format: ->(day) { day.ordinalize })
-        # generates day options like <option value="1">1st</option>\n<option value="2">2nd</option>...
+*   `simple_format` helper now handles a `:sanitize_options` - any extra options you want appending to the sanitize.
 
-    *Shunichi Ikegami*
+    Before:
+    ```ruby
+      simple_format("<a target=\"_blank\" href=\"http://example.com\">Continue</a>")
+      # => "<p><a href=\"http://example.com\">Continue</a></p>"
+    ```
 
-*   Allow `link_to` helper to infer link name from `Model#to_s` when it
-    is used with a single argument:
+    After:
+    ```ruby
+      simple_format("<a target=\"_blank\" href=\"http://example.com\">Continue</a>", {}, { sanitize_options: { attributes: %w[target href] } })
+      # => "<p><a target=\"_blank\" href=\"http://example.com\">Continue</a></p>"
+    ```
 
-        link_to @profile
-        #=> <a href="/profiles/1">Eileen</a>
+    *Andrei Andriichuk*
 
-    This assumes the model class implements a `to_s` method like this:
+*   Add support for HTML5 standards-compliant sanitizers, and default to `Rails::HTML5::Sanitizer`
+    in the Rails 7.1 configuration if it is supported.
 
-        class Profile < ApplicationRecord
-          # ...
-          def to_s
-            name
-          end
-        end
+    Action View's HTML sanitizers can be configured by setting
+    `config.action_view.sanitizer_vendor`. Supported values are `Rails::HTML4::Sanitizer` or
+    `Rails::HTML5::Sanitizer`.
 
-    Previously you had to supply a second argument even if the `Profile`
-    model implemented a `#to_s` method that called the `name` method.
+    The Rails 7.1 configuration will set this to `Rails::HTML5::Sanitizer` when it is supported, and
+    fall back to `Rails::HTML4::Sanitizer`. Previous configurations default to
+    `Rails::HTML4::Sanitizer`.
 
-        link_to @profile, @profile.name
-        #=> <a href="/profiles/1">Eileen</a>
+    *Mike Dalessio*
 
-    *Olivier Lacan*
+*   `config.dom_testing_default_html_version` controls the HTML parser used by
+    `ActionView::TestCase#document_root_element`, which creates the DOM used by the assertions in
+    Rails::Dom::Testing.
 
-*   Support svg unpaired tags for `tag` helper.
+    The Rails 7.1 default configuration opts into the HTML5 parser when it is supported, to better
+    represent what the DOM would be in a browser user agent. Previously this test helper always used
+    Nokogiri's HTML4 parser.
 
-        tag.svg { tag.use('href' => "#cool-icon") }
-        # => <svg><use href="#cool-icon"></svg>
+    *Mike Dalessio*
 
-    *Oleksii Vasyliev*
+*   Add support for the HTML picture tag. It supports passing a String, an Array or a Block.
+    Supports passing properties directly to the img tag via the `:image` key.
+    Since the picture tag requires an img tag, the last element you provide will be used for the img tag.
+    For complete control over the picture tag, a block can be passed, which will populate the contents of the tag accordingly.
 
+    Can be used like this for a single source:
+    ```erb
+    <%= picture_tag("picture.webp") %>
+    ```
+    which will generate the following:
+    ```html
+    <picture>
+        <img src="/images/picture.webp" />
+    </picture>
+    ```
 
-## Rails 7.0.0.alpha2 (September 15, 2021) ##
+    For multiple sources:
+    ```erb
+    <%= picture_tag("picture.webp", "picture.png", :class => "mt-2", :image => { alt: "Image", class: "responsive-img" }) %>
+    ```
+    will generate:
+    ```html
+    <picture class="mt-2">
+        <source srcset="/images/picture.webp" />
+        <source srcset="/images/picture.png" />
+        <img alt="Image" class="responsive-img" src="/images/picture.png" />
+    </picture>
+    ```
 
-*   No changes.
+    Full control via a block:
+    ```erb
+    <%= picture_tag(:class => "my-class") do %>
+        <%= tag(:source, :srcset => image_path("picture.webp")) %>
+        <%= tag(:source, :srcset => image_path("picture.png")) %>
+        <%= image_tag("picture.png", :alt => "Image") %>
+    <% end %>
+    ```
+    will generate:
+    ```html
+    <picture class="my-class">
+        <source srcset="/images/picture.webp" />
+        <source srcset="/images/picture.png" />
+        <img alt="Image" src="/images/picture.png" />
+    </picture>
+    ```
 
+    *Juan Pablo Balarini*
 
-## Rails 7.0.0.alpha1 (September 15, 2021) ##
+*   Remove deprecated support to passing instance variables as locals to partials.
 
-*   Improves the performance of ActionView::Helpers::NumberHelper formatters by avoiding the use of
-    exceptions as flow control.
+    *Rafael Mendonça França*
 
-    *Mike Dalessio*
+*   Remove deprecated constant `ActionView::Path`.
 
-*   `preload_link_tag` properly inserts `as` attributes for files with `image` MIME types, such as JPG or SVG.
+    *Rafael Mendonça França*
 
-    *Nate Berkopec*
+*   Guard `token_list` calls from escaping HTML too often
 
-*   Add `weekday_options_for_select` and `weekday_select` helper methods. Also adds `weekday_select` to `FormBuilder`.
+    *Sean Doyle*
 
-    *Drew Bragg*, *Dana Kashubeck*, *Kasper Timm Hansen*
+*   `select` can now be called with a single hash containing options and some HTML options
 
-*   Add `caching?` helper that returns whether the current code path is being cached and `uncacheable!` to denote helper methods that can't participate in fragment caching.
+    Previously this would not work as expected:
 
-    *Ben Toews*, *John Hawthorn*, *Kasper Timm Hansen*, *Joel Hawksley*
+    ```erb
+    <%= select :post, :author, authors, required: true %>
+    ```
 
-*   Add `include_seconds` option for `time_field`.
+    Instead you needed to do this:
 
-        <%= form.time_field :foo, include_seconds: false %>
-        # => <input value="16:22" type="time" />
+    ```erb
+    <%= select :post, :author, authors, {}, required: true %>
+    ```
 
-    Default includes seconds:
+    Now, either form is accepted, for the following HTML attributes: `required`, `multiple`, `size`.
 
-        <%= form.time_field :foo %>
-        # => <input value="16:22:01.440" type="time" />
+    *Alex Ghiculescu*
 
-    This allows you to take advantage of [different rendering options](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/time#time_value_format) in some browsers.
+*   Datetime form helpers (`time_field`, `date_field`, `datetime_field`, `week_field`, `month_field`) now accept an instance of Time/Date/DateTime as `:value` option.
 
-    *Alex Ghiculescu*
+    Before:
+    ```erb
+    <%= form.datetime_field :written_at, value: Time.current.strftime("%Y-%m-%dT%T") %>
+    ```
+
+    After:
+    ```erb
+    <%= form.datetime_field :written_at, value: Time.current %>
+    ```
 
-*   Improve error messages when template file does not exist at absolute filepath.
+    *Andrey Samsonov*
 
-    *Ted Whang*
+*   Choices of `select` can optionally contain html attributes as the last element
+    of the child arrays when using grouped/nested collections
 
-*   Add `:country_code` option to `sms_to` for consistency with `phone_to`.
+    ```erb
+    <%= form.select :foo, [["North America", [["United States","US"],["Canada","CA"]], { disabled: "disabled" }]] %>
+    # => <select><optgroup label="North America" disabled="disabled"><option value="US">United States</option><option value="CA">Canada</option></optgroup></select>
+    ```
 
-    *Jonathan Hefner*
+    *Chris Gunther*
 
-*   OpenSSL constants are now used for Digest computations.
+*   `check_box_tag` and `radio_button_tag` now accept `checked` as a keyword argument
 
-    *Dirkjan Bussink*
+    This is to make the API more consistent with the `FormHelper` variants. You can now
+    provide `checked` as a positional or keyword argument:
 
-*   The `translate` helper now passes `default` values that aren't
-    translation keys through `I18n.translate` for interpolation.
+    ```erb
+    = check_box_tag "admin", "1", false
+    = check_box_tag "admin", "1", checked: false
 
-    *Jonathan Hefner*
+    = radio_button_tag 'favorite_color', 'maroon', false
+    = radio_button_tag 'favorite_color', 'maroon', checked: false
+    ```
 
-*   Adds option `extname` to `stylesheet_link_tag` to skip default
-    `.css` extension appended to the stylesheet path.
+    *Alex Ghiculescu*
 
-    Before:
+*   Allow passing a class to `dom_id`.
+    You no longer need to call `new` when passing a class to `dom_id`.
+    This makes `dom_id` behave like `dom_class` in this regard.
+    Apart from saving a few keystrokes, it prevents Ruby from needing
+    to instantiate a whole new object just to generate a string.
 
+    Before:
     ```ruby
-    stylesheet_link_tag "style.less"
-    # <link href="/stylesheets/style.less.scss" rel="stylesheet">
+    dom_id(Post) # => NoMethodError: undefined method `to_key' for Post:Class
     ```
 
     After:
+    ```ruby
+    dom_id(Post) # => "new_post"
+    ```
 
+    *Goulven Champenois*
+
+*   Report `:locals` as part of the data returned by ActionView render instrumentation.
+
+    Before:
     ```ruby
-    stylesheet_link_tag "style.less", extname: false, skip_pipeline: true, rel: "stylesheet/less"
-    # <link href="/stylesheets/style.less" rel="stylesheet/less">
+    {
+    identifier: "/Users/adam/projects/notifications/app/views/posts/index.html.erb",
+    layout: "layouts/application"
+    }
     ```
 
-    *Abhay Nikam*
+    After:
+    ```ruby
+    {
+    identifier: "/Users/adam/projects/notifications/app/views/posts/index.html.erb",
+    layout: "layouts/application",
+    locals: {foo: "bar"}
+    }
+    ```
 
-*   Deprecate `render` locals to be assigned to instance variables.
+    *Aaron Gough*
 
-    *Petrik de Heus*
+*   Strip `break_sequence` at the end of `word_wrap`.
 
-*   Remove legacy default `media=screen` from `stylesheet_link_tag`.
+    This fixes a bug where `word_wrap` didn't properly strip off break sequences that had printable characters.
 
-    *André Luis Leal Cardoso Junior*
+    For example, compare the outputs of this template:
 
-*   Change `ActionView::Helpers::FormBuilder#button` to transform `formmethod`
-    attributes into `_method="$VERB"` Form Data to enable varied same-form actions:
+    ```erb
+    # <%= word_wrap("11 22\n33 44", line_width: 2, break_sequence: "\n# ") %>
+    ```
 
-        <%= form_with model: post, method: :put do %>
-          <%= form.button "Update" %>
-          <%= form.button "Delete", formmethod: :delete %>
-        <% end %>
-        <%# => <form action="posts/1">
-            =>   <input type="hidden" name="_method" value="put">
-            =>   <button type="submit">Update</button>
-            =>   <button type="submit" formmethod="post" name="_method" value="delete">Delete</button>
-            => </form>
-        %>
+    Before:
 
-    *Sean Doyle*
+    ```
+    # 11
+    # 22
+    #
+    # 33
+    # 44
+    #
+    ```
 
-*   Change `ActionView::Helpers::UrlHelper#button_to` to *always* render a
-    `<button>` element, regardless of whether or not the content is passed as
-    the first argument or as a block.
+    After:
 
-        <%= button_to "Delete", post_path(@post), method: :delete %>
-        # => <form action="/posts/1"><input type="hidden" name="_method" value="delete"><button type="submit">Delete</button></form>
+    ```
+    # 11
+    # 22
+    # 33
+    # 44
+    ```
 
-        <%= button_to post_path(@post), method: :delete do %>
-          Delete
-        <% end %>
-        # => <form action="/posts/1"><input type="hidden" name="_method" value="delete"><button type="submit">Delete</button></form>
+    *Max Chernyak*
 
-    *Sean Doyle*, *Dusan Orlovic*
+*   Allow templates to set strict `locals`.
 
-*   Add `config.action_view.preload_links_header` to allow disabling of
-    the `Link` header being added by default when using `stylesheet_link_tag`
-    and `javascript_include_tag`.
+    By default, templates will accept any `locals` as keyword arguments. To define what `locals` a template accepts, add a `locals` magic comment:
 
-    *Andrew White*
+    ```erb
+    <%# locals: (message:) -%>
+    <%= message %>
+    ```
 
-*   The `translate` helper now resolves `default` values when a `nil` key is
-    specified, instead of always returning `nil`.
+    Default values can also be provided:
 
-    *Jonathan Hefner*
+    ```erb
+    <%# locals: (message: "Hello, world!") -%>
+    <%= message %>
+    ```
+
+    Or `locals` can be disabled entirely:
 
-*   Add `config.action_view.image_loading` to configure the default value of
-    the `image_tag` `:loading` option.
+    ```erb
+    <%# locals: () %>
+    ```
 
-    By setting `config.action_view.image_loading = "lazy"`, an application can opt in to
-    lazy loading images sitewide, without changing view code.
+    *Joel Hawksley*
 
-    *Jonathan Hefner*
+*   Add `include_seconds` option for `datetime_local_field`
 
-*   `ActionView::Helpers::FormBuilder#id` returns the value
-    of the `<form>` element's `id` attribute. With a `method` argument, returns
-    the `id` attribute for a form field with that name.
+    This allows to omit seconds part in the input field, by passing `include_seconds: false`
 
-        <%= form_for @post do |f| %>
-          <%# ... %>
+    *Wojciech Wnętrzak*
 
-          <% content_for :sticky_footer do %>
-            <%= form.button(form: f.id) %>
-          <% end %>
-        <% end %>
+*   Guard against `ActionView::Helpers::FormTagHelper#field_name` calls with nil
+    `object_name` arguments. For example:
+
+    ```erb
+    <%= fields do |f| %>
+      <%= f.field_name :body %>
+    <% end %>
+    ```
 
     *Sean Doyle*
 
-*   `ActionView::Helpers::FormBuilder#field_id` returns the value generated by
-    the FormBuilder for the given attribute name.
+*   Strings returned from `strip_tags` are correctly tagged `html_safe?`
 
-        <%= form_for @post do |f| %>
-          <%= f.label :title %>
-          <%= f.text_field :title, aria: { describedby: f.field_id(:title, :error) } %>
-          <%= tag.span("is blank", id: f.field_id(:title, :error) %>
-        <% end %>
+    Because these strings contain no HTML elements and the basic entities are escaped, they are safe
+    to be included as-is as PCDATA in HTML content. Tagging them as html-safe avoids double-escaping
+    entities when being concatenated to a SafeBuffer during rendering.
 
-    *Sean Doyle*
+    Fixes [rails/rails-html-sanitizer#124](https://github.com/rails/rails-html-sanitizer/issues/124)
 
-*   Add `tag.attributes` to transform a Hash into HTML Attributes, ready to be
-    interpolated into ERB.
+    *Mike Dalessio*
 
-        <input <%= tag.attributes(type: :text, aria: { label: "Search" }) %> >
-        # => <input type="text" aria-label="Search">
+*   Move `convert_to_model` call from `form_for` into `form_with`
+
+    Now that `form_for` is implemented in terms of `form_with`, remove the
+    `convert_to_model` call from `form_for`.
 
     *Sean Doyle*
 
+*   Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
+
+    Escape dangerous characters in names of tags and names of attributes in the
+    tag helpers, following the XML specification. Rename the option
+    `:escape_attributes` to `:escape`, to simplify by applying the option to the
+    whole tag.
+
+    *Álvaro Martín Fraguas*
+
+*   Extend audio_tag and video_tag to accept Active Storage attachments.
+
+    Now it's possible to write
+
+    ```ruby
+    audio_tag(user.audio_file)
+    video_tag(user.video_file)
+    ```
+
+    Instead of
+
+    ```ruby
+    audio_tag(polymorphic_path(user.audio_file))
+    video_tag(polymorphic_path(user.video_file))
+    ```
+
+    `image_tag` already supported that, so this follows the same pattern.
+
+    *Matheus Richard*
+
+*   Ensure models passed to `form_for` attempt to call `to_model`.
+
+    *Sean Doyle*
 
-Please check [6-1-stable](https://github.com/rails/rails/blob/6-1-stable/actionview/CHANGELOG.md) for previous changes.
+Please check [7-0-stable](https://github.com/rails/rails/blob/7-0-stable/actionview/CHANGELOG.md) for previous changes.