actionview 7.0.7.2 → 7.1.1

data/lib/action_view/helpers/date_helper.rb

@@ -10,7 +10,7 @@ require "active_support/core_ext/object/with_options"
 
 module ActionView
   module Helpers # :nodoc:
-    # = Action View Date Helpers
+    # = Action View \Date \Helpers
     #
     # The Date Helper primarily creates select/option tags for different kinds of dates and times or date and time
     # elements. All of the select-type methods share a number of common options that are as follows:
@@ -72,7 +72,7 @@ module ActionView
       #   distance_of_time_in_words(to_time, from_time, include_seconds: true)                        # => about 6 years
       #   distance_of_time_in_words(Time.now, Time.now)                                               # => less than a minute
       #
-      # With the <tt>scope</tt> option, you can define a custom scope for Rails
+      # With the <tt>scope</tt> option, you can define a custom scope for \Rails
       # to look up the translation.
       #
       # For example you can define the following in your locale (e.g. en.yml).
@@ -217,7 +217,7 @@ module ActionView
       # * <tt>:order</tt>             - Set to an array containing <tt>:day</tt>, <tt>:month</tt> and <tt>:year</tt> to
       #   customize the order in which the select fields are shown. If you leave out any of the symbols, the respective
       #   select will not be shown (like when you set <tt>discard_xxx: true</tt>. Defaults to the order defined in
-      #   the respective locale (e.g. [:year, :month, :day] in the en locale that ships with Rails).
+      #   the respective locale (e.g. [:year, :month, :day] in the en locale that ships with \Rails).
       # * <tt>:include_blank</tt>     - Include a blank option in every select field so it's possible to set empty
       #   dates.
       # * <tt>:default</tt>           - Set a default date if the affected date isn't set or is +nil+.
@@ -320,6 +320,10 @@ module ActionView
       #   # You can set :ampm option to true which will show the hours as: 12 PM, 01 AM .. 11 PM.
       #   time_select 'game', 'game_time', { ampm: true }
       #
+      #   # You can set :ignore_date option to true which will remove the hidden inputs for day,
+      #   # month, and year that are set by default on this helper when you only want the time inputs
+      #   time_select 'game', 'game_time', { ignore_date: true }
+      #
       # The selects are prepared for multi-parameter assignment to an Active Record object.
       #
       # Note: If the day is not included as an option but the month is, the day will be set to the 1st to ensure that
@@ -844,14 +848,14 @@ module ActionView
         if @options[:use_hidden] || @options[:discard_year]
           build_hidden(:year, val)
         else
-          options                     = {}
-          options[:start]             = @options[:start_year] || middle_year - 5
-          options[:end]               = @options[:end_year] || middle_year + 5
-          options[:step]              = options[:start] < options[:end] ? 1 : -1
-          options[:leading_zeros]     = false
-          options[:max_years_allowed] = @options[:max_years_allowed] || 1000
-
-          if (options[:end] - options[:start]).abs > options[:max_years_allowed]
+          options         = {}
+          options[:start] = @options[:start_year] || middle_year - 5
+          options[:end]   = @options[:end_year] || middle_year + 5
+          options[:step]  = options[:start] < options[:end] ? 1 : -1
+
+          max_years_allowed = @options[:max_years_allowed] || 1000
+
+          if (options[:end] - options[:start]).abs > max_years_allowed
             raise ArgumentError, "There are too many years options to be built. Are you sure you haven't mistyped something? You can provide the :max_years_allowed parameter."
           end
 
@@ -936,7 +940,7 @@ module ActionView
         #
         #   month_name(1) # => 1
         #
-        # If the <tt>:use_two_month_numbers</tt> option is passed:
+        # If the <tt>:use_two_digit_numbers</tt> option is passed:
         #
         #   month_name(1) # => '01'
         #
@@ -1076,17 +1080,11 @@ module ActionView
         end
 
         # Build select option HTML for year.
-        # If <tt>year_format</tt> option is not passed
+        #
         #   build_year_options(1998, start: 1998, end: 2000)
         #   => "<option value="1998" selected="selected">1998</option>
         #       <option value="1999">1999</option>
         #       <option value="2000">2000</option>"
-        #
-        # If <tt>year_format</tt> option is passed
-        #   build_year_options(1998, start: 1998, end: 2000, year_format: ->year { "Heisei #{ year - 1988 }" })
-        #   => "<option value="1998" selected="selected">Heisei 10</option>
-        #       <option value="1999">Heisei 11</option>
-        #       <option value="2000">Heisei 12</option>"
         def build_year_options(selected, options = {})
           start = options.delete(:start)
           stop = options.delete(:end)

data/lib/action_view/helpers/debug_helper.rb

@@ -3,10 +3,10 @@
 require "action_view/helpers/tag_helper"
 
 module ActionView
-  # = Action View Debug Helper
-  #
-  # Provides a set of methods for making it easier to debug Rails objects.
   module Helpers # :nodoc:
+    # = Action View Debug \Helpers
+    #
+    # Provides a set of methods for making it easier to debug \Rails objects.
     module DebugHelper
       include TagHelper
 

data/lib/action_view/helpers/form_helper.rb

@@ -13,8 +13,9 @@ require "active_support/core_ext/string/output_safety"
 require "active_support/core_ext/string/inflections"
 
 module ActionView
-  # = Action View Form Helpers
   module Helpers # :nodoc:
+    # = Action View Form \Helpers
+    #
     # Form helpers are designed to make working with resources much easier
     # compared to using vanilla HTML.
     #
@@ -28,7 +29,7 @@ module ActionView
     # when the form is initially displayed, input fields corresponding to attributes
     # of the resource should show the current values of those attributes.
     #
-    # In Rails, this is usually achieved by creating the form using +form_for+ and
+    # In \Rails, this is usually achieved by creating the form using +form_for+ and
     # a number of related helper methods. +form_for+ generates an appropriate <tt>form</tt>
     # tag and yields a form builder object that knows the model the form is about.
     # Input fields are created by calling methods defined on the form builder, which
@@ -122,7 +123,7 @@ module ActionView
       # of a specific model object.
       #
       # The method can be used in several slightly different ways, depending on
-      # how much you wish to rely on Rails to infer automatically from the model
+      # how much you wish to rely on \Rails to infer automatically from the model
       # how the form should be constructed. For a generic model object, a form
       # can be created by passing +form_for+ a string or symbol representing
       # the object we are concerned with:
@@ -251,7 +252,7 @@ module ActionView
       # form is going to be sent. However, further simplification is possible
       # if the record passed to +form_for+ is a _resource_, i.e. it corresponds
       # to a set of RESTful routes, e.g. defined using the +resources+ method
-      # in <tt>config/routes.rb</tt>. In this case Rails will simply infer the
+      # in <tt>config/routes.rb</tt>. In this case \Rails will simply infer the
       # appropriate URL from the record itself. For example,
       #
       #   <%= form_for @post do |f| %>
@@ -438,7 +439,7 @@ module ActionView
           model       = nil
           object_name = record
         else
-          model       = convert_to_model(record)
+          model       = record
           object      = _object_for_form_builder(record)
           raise ArgumentError, "First argument in form cannot contain nil or be empty" unless object
           object_name = options[:as] || model_name_from_record_or_class(object).param_key
@@ -496,7 +497,7 @@ module ActionView
       #     <%= form.text_field :title %>
       #   <% end %>
       #   # =>
-      #   <form method="post" data-remote="true">
+      #   <form method="post">
       #     <input type="text" name="title">
       #   </form>
       #
@@ -555,7 +556,7 @@ module ActionView
       # is a _resource_. It corresponds to a set of RESTful routes, most likely
       # defined via +resources+ in <tt>config/routes.rb</tt>.
       #
-      # So when passing such a model record, Rails infers the URL and method.
+      # So when passing such a model record, \Rails infers the URL and method.
       #
       #   <%= form_with model: @post do |form| %>
       #     ...
@@ -618,12 +619,12 @@ module ActionView
       # * <tt>:local</tt> - Whether to use standard HTTP form submission.
       #   When set to <tt>true</tt>, the form is submitted via standard HTTP.
       #   When set to <tt>false</tt>, the form is submitted as a "remote form", which
-      #   is handled by Rails UJS as an XHR. When unspecified, the behavior is derived
+      #   is handled by \Rails UJS as an XHR. When unspecified, the behavior is derived
       #   from <tt>config.action_view.form_with_generates_remote_forms</tt> where the
       #   config's value is actually the inverse of what <tt>local</tt>'s value would be.
-      #   As of Rails 6.1, that configuration option defaults to <tt>false</tt>
+      #   As of \Rails 6.1, that configuration option defaults to <tt>false</tt>
       #   (which has the equivalent effect of passing <tt>local: true</tt>).
-      #   In previous versions of Rails, that configuration option defaults to
+      #   In previous versions of \Rails, that configuration option defaults to
       #   <tt>true</tt> (the equivalent of passing <tt>local: false</tt>).
       # * <tt>:skip_enforcing_utf8</tt> - If set to true, a hidden input with name
       #   utf8 is not output.
@@ -756,10 +757,14 @@ module ActionView
 
         if model
           if url != false
-            url ||= polymorphic_path(model, format: format)
+            url ||= if format.nil?
+              polymorphic_path(model, {})
+            else
+              polymorphic_path(model, format: format)
+            end
           end
 
-          model   = _object_for_form_builder(model)
+          model   = convert_to_model(_object_for_form_builder(model))
           scope ||= model_name_from_record_or_class(model).param_key
         end
 
@@ -1311,7 +1316,7 @@ module ActionView
       #     ...
       #   <% end %>
       #
-      # because parameter name repetition is precisely what Rails seeks to distinguish
+      # because parameter name repetition is precisely what \Rails seeks to distinguish
       # the elements of the array. For each item with a checked check box you
       # get an extra ghost item with only that attribute, assigned to "0".
       #
@@ -1494,6 +1499,12 @@ module ActionView
       #   datetime_field("user", "born_on", min: "2014-05-20T00:00:00")
       #   # => <input id="user_born_on" name="user[born_on]" type="datetime-local" min="2014-05-20T00:00:00.000" />
       #
+      # By default, provided datetimes will be formatted including seconds. You can render just the date, hour,
+      # and minute by passing <tt>include_seconds: false</tt>.
+      #
+      #   @user.born_on = Time.current
+      #   datetime_field("user", "born_on", include_seconds: false)
+      #   # => <input id="user_born_on" name="user[born_on]" type="datetime-local" value="2014-05-20T14:35" />
       def datetime_field(object_name, method, options = {})
         Tags::DatetimeLocalField.new(object_name, method, self, options).render
       end
@@ -1610,6 +1621,8 @@ module ActionView
         end
     end
 
+    # = Action View Form Builder
+    #
     # A +FormBuilder+ object is associated with a particular model object and
     # allows you to generate fields associated with the model object. The
     # +FormBuilder+ object is yielded when using +form_for+ or +fields_for+.
@@ -2074,6 +2087,18 @@ module ActionView
       # DateHelper that are designed to work with an object as base, like
       # FormOptionsHelper#collection_select and DateHelper#datetime_select.
       #
+      # +fields_for+ tries to be smart about parameters, but it can be confused if both
+      # name and value parameters are provided and the provided value has the shape of an
+      # option Hash. To remove the ambiguity, explicitly pass an option Hash, even if empty.
+      #
+      #   <%= form_for @person do |person_form| %>
+      #     ...
+      #     <%= fields_for :permission, @person.permission, {} do |permission_fields| %>
+      #       Admin?: <%= check_box_tag permission_fields.field_name(:admin), @person.permission[:admin] %>
+      #     <% end %>
+      #     ...
+      #   <% end %>
+      #
       # === Nested Attributes Examples
       #
       # When the object belonging to the current scope has a nested attribute
@@ -2254,8 +2279,9 @@ module ActionView
       # to store the ID of the record. There are circumstances where this
       # hidden field is not needed and you can pass <tt>include_id: false</tt>
       # to prevent fields_for from rendering it automatically.
-      def fields_for(record_name, record_object = nil, fields_options = {}, &block)
-        fields_options, record_object = record_object, nil if record_object.is_a?(Hash) && record_object.extractable_options?
+      def fields_for(record_name, record_object = nil, fields_options = nil, &block)
+        fields_options, record_object = record_object, nil if fields_options.nil? && record_object.is_a?(Hash) && record_object.extractable_options?
+        fields_options ||= {}
         fields_options[:builder] ||= options[:builder]
         fields_options[:namespace] = options[:namespace]
         fields_options[:parent_builder] = self
@@ -2412,7 +2438,7 @@ module ActionView
       #     ...
       #   <% end %>
       #
-      # because parameter name repetition is precisely what Rails seeks to distinguish
+      # because parameter name repetition is precisely what \Rails seeks to distinguish
       # the elements of the array. For each item with a checked check box you
       # get an extra ghost item with only that attribute, assigned to "0".
       #
@@ -2495,7 +2521,7 @@ module ActionView
       # * Creates standard HTML attributes for the tag.
       # * <tt>:disabled</tt> - If set to true, the user will not be able to use this input.
       # * <tt>:multiple</tt> - If set to true, *in most updated browsers* the user will be allowed to select multiple files.
-      # * <tt>:include_hidden</tt> - When <tt>multiple: true</tt> and <tt>include_hidden: true</tt>, the field will be prefixed with an <tt><input type="hidden"></tt> field with an empty value to support submitting an empty collection of files.
+      # * <tt>:include_hidden</tt> - When <tt>multiple: true</tt> and <tt>include_hidden: true</tt>, the field will be prefixed with an <tt><input type="hidden"></tt> field with an empty value to support submitting an empty collection of files. Since <tt>include_hidden</tt> will default to <tt>config.active_storage.multiple_file_field_include_hidden</tt> if you don't specify <tt>include_hidden</tt>, you will need to pass <tt>include_hidden: false</tt> to prevent submitting an empty collection of files when passing <tt>multiple: true</tt>.
       # * <tt>:accept</tt> - If set to one or multiple mime-types, the user will be suggested a filter when choosing a file. You still need to set up model validations.
       #
       # ==== Examples

data/lib/action_view/helpers/form_options_helper.rb

@@ -8,8 +8,9 @@ require "active_support/core_ext/array/wrap"
 require "action_view/helpers/text_helper"
 
 module ActionView
-  # = Action View Form Option Helpers
   module Helpers # :nodoc:
+    # = Action View Form Option \Helpers
+    #
     # Provides a number of methods for turning different kinds of containers into a set of option tags.
     #
     # The <tt>collection_select</tt>, <tt>select</tt> and <tt>time_zone_select</tt> methods take an <tt>options</tt> parameter, a hash:

data/lib/action_view/helpers/form_tag_helper.rb

@@ -1,14 +1,16 @@
 # frozen_string_literal: true
 
 require "cgi"
+require "action_view/helpers/content_exfiltration_prevention_helper"
 require "action_view/helpers/url_helper"
 require "action_view/helpers/text_helper"
 require "active_support/core_ext/string/output_safety"
 require "active_support/core_ext/module/attribute_accessors"
 
 module ActionView
-  # = Action View Form Tag Helpers
   module Helpers # :nodoc:
+    # = Action View Form Tag \Helpers
+    #
     # Provides a number of methods for creating form tags that don't rely on an Active Record object assigned to the template like
     # FormHelper does. Instead, you provide the names and values manually.
     #
@@ -19,6 +21,7 @@ module ActionView
 
       include UrlHelper
       include TextHelper
+      include ContentExfiltrationPreventionHelper
 
       mattr_accessor :embed_authenticity_token_in_remote_forms
       self.embed_authenticity_token_in_remote_forms = nil
@@ -420,9 +423,17 @@ module ActionView
         content_tag :textarea, content.to_s.html_safe, { "name" => name, "id" => sanitize_to_id(name) }.update(options)
       end
 
+      ##
+      # :call-seq:
+      #   check_box_tag(name, options = {})
+      #   check_box_tag(name, value, options = {})
+      #   check_box_tag(name, value, checked, options = {})
+      #
       # Creates a check box form input tag.
       #
       # ==== Options
+      # * <tt>:value</tt> - The value of the input. Defaults to <tt>"1"</tt>.
+      # * <tt>:checked</tt> - If set to true, the checkbox will be checked by default.
       # * <tt>:disabled</tt> - If set to true, the user will not be able to use this input.
       # * Any other key creates standard HTML options for the tag.
       #
@@ -441,16 +452,27 @@ module ActionView
       #
       #   check_box_tag 'eula', 'accepted', false, disabled: true
       #   # => <input disabled="disabled" id="eula" name="eula" type="checkbox" value="accepted" />
-      def check_box_tag(name, value = "1", checked = false, options = {})
+      def check_box_tag(name, *args)
+        if args.length >= 4
+          raise ArgumentError, "wrong number of arguments (given #{args.length + 1}, expected 1..4)"
+        end
+        options = args.extract_options!
+        value, checked = args.empty? ? ["1", false] : [*args, false]
         html_options = { "type" => "checkbox", "name" => name, "id" => sanitize_to_id(name), "value" => value }.update(options.stringify_keys)
         html_options["checked"] = "checked" if checked
         tag :input, html_options
       end
 
+      ##
+      # :call-seq:
+      #   radio_button_tag(name, value, options = {})
+      #   radio_button_tag(name, value, checked, options = {})
+      #
       # Creates a radio button; use groups of radio buttons named the same to allow users to
       # select from a group of options.
       #
       # ==== Options
+      # * <tt>:checked</tt> - If set to true, the radio button will be selected by default.
       # * <tt>:disabled</tt> - If set to true, the user will not be able to use this input.
       # * Any other key creates standard HTML options for the tag.
       #
@@ -466,7 +488,12 @@ module ActionView
       #
       #   radio_button_tag 'color', "green", true, class: "color_input"
       #   # => <input checked="checked" class="color_input" id="color_green" name="color" type="radio" value="green" />
-      def radio_button_tag(name, value, checked = false, options = {})
+      def radio_button_tag(name, value, *args)
+        if args.length >= 3
+          raise ArgumentError, "wrong number of arguments (given #{args.length + 2}, expected 2..4)"
+        end
+        options = args.extract_options!
+        checked = args.empty? ? false : args.first
         html_options = { "type" => "radio", "name" => name, "id" => "#{sanitize_to_id(name)}_#{sanitize_to_id(value)}", "value" => value }.update(options.stringify_keys)
         html_options["checked"] = "checked" if checked
         tag :input, html_options
@@ -495,9 +522,9 @@ module ActionView
       #   submit_tag "Edit", class: "edit_button"
       #   # => <input class="edit_button" data-disable-with="Edit" name="commit" type="submit" value="Edit" />
       #
-      # ==== Deprecated: Rails UJS attributes
+      # ==== Deprecated: \Rails UJS attributes
       #
-      # Prior to Rails 7, Rails shipped with the JavaScript library called @rails/ujs on by default. Following Rails 7,
+      # Prior to \Rails 7, \Rails shipped with the JavaScript library called @rails/ujs on by default. Following \Rails 7,
       # this library is no longer on by default. This library integrated with the following options:
       #
       # * <tt>confirm: 'question?'</tt> - If present the unobtrusive JavaScript
@@ -555,9 +582,9 @@ module ActionView
       #   #     <strong>Ask me!</strong>
       #   #    </button>
       #
-      # ==== Deprecated: Rails UJS attributes
+      # ==== Deprecated: \Rails UJS attributes
       #
-      # Prior to Rails 7, Rails shipped with a JavaScript library called @rails/ujs on by default. Following Rails 7,
+      # Prior to \Rails 7, \Rails shipped with a JavaScript library called @rails/ujs on by default. Following \Rails 7,
       # this library is no longer on by default. This library integrated with the following options:
       #
       # * <tt>confirm: 'question?'</tt> - If present, the
@@ -770,6 +797,7 @@ module ActionView
       # * <tt>:min</tt> - The minimum acceptable value.
       # * <tt>:max</tt> - The maximum acceptable value.
       # * <tt>:step</tt> - The acceptable value granularity.
+      # * <tt>:include_seconds</tt> - Include seconds in the output timestamp format (true by default).
       def datetime_field_tag(name, value = nil, options = {})
         text_field_tag(name, value, options.merge(type: "datetime-local"))
       end
@@ -979,7 +1007,8 @@ module ActionView
 
         def form_tag_html(html_options)
           extra_tags = extra_tags_for_form(html_options)
-          tag(:form, html_options, true) + extra_tags
+          html = tag(:form, html_options, true) + extra_tags
+          prevent_content_exfiltration(html)
         end
 
         def form_tag_with_body(html_options, content)
@@ -1009,9 +1038,14 @@ module ActionView
         end
 
         def convert_direct_upload_option_to_url(options)
-          if options.delete(:direct_upload) && respond_to?(:rails_direct_uploads_url)
+          return options unless options.delete(:direct_upload)
+
+          if respond_to?(:rails_direct_uploads_url)
             options["data-direct-upload-url"] = rails_direct_uploads_url
+          elsif respond_to?(:main_app) && main_app.respond_to?(:rails_direct_uploads_url)
+            options["data-direct-upload-url"] = main_app.rails_direct_uploads_url
           end
+
           options
         end
     end

data/lib/action_view/helpers/javascript_helper.rb

@@ -2,6 +2,7 @@
 
 module ActionView
   module Helpers # :nodoc:
+    # = Action View JavaScript \Helpers
     module JavaScriptHelper
       JS_ESCAPE_MAP = {
         "\\"    => "\\\\",

data/lib/action_view/helpers/number_helper.rb

@@ -5,8 +5,9 @@ require "active_support/core_ext/string/output_safety"
 require "active_support/number_helper"
 
 module ActionView
-  # = Action View Number Helpers
   module Helpers # :nodoc:
+    # = Action View Number \Helpers
+    #
     # Provides methods for converting numbers into formatted strings.
     # Methods are provided for phone numbers, currency, percentage,
     # precision, positional notation, file size, and pretty printing.

data/lib/action_view/helpers/output_safety_helper.rb

@@ -3,11 +3,11 @@
 require "active_support/core_ext/string/output_safety"
 
 module ActionView # :nodoc:
-  # = Action View Raw Output Helper
   module Helpers # :nodoc:
+    # = Action View Raw Output \Helpers
     module OutputSafetyHelper
       # This method outputs without escaping a string. Since escaping tags is
-      # now default, this can be used when you don't want Rails to automatically
+      # now default, this can be used when you don't want \Rails to automatically
       # escape tags. This is not recommended if the data is coming from the user's
       # input.
       #

data/lib/action_view/helpers/rendering_helper.rb

@@ -2,7 +2,7 @@
 
 module ActionView
   module Helpers # :nodoc:
-    # = Action View Rendering
+    # = Action View \Rendering \Helpers
     #
     # Implements methods that allow rendering from a view context.
     # In order to use this module, all you need is to implement

data/lib/action_view/helpers/sanitize_helper.rb

@@ -3,20 +3,23 @@
 require "rails-html-sanitizer"
 
 module ActionView
-  # = Action View Sanitize Helpers
   module Helpers # :nodoc:
+    # = Action View Sanitize \Helpers
+    #
     # The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements.
     # These helper methods extend Action View making them callable within your template files.
     module SanitizeHelper
+      mattr_accessor :sanitizer_vendor, default: Rails::HTML4::Sanitizer
+
       extend ActiveSupport::Concern
+
       # Sanitizes HTML input, stripping all but known-safe tags and attributes.
       #
-      # It also strips href/src attributes with unsafe protocols like
-      # <tt>javascript:</tt>, while also protecting against attempts to use Unicode,
-      # ASCII, and hex character references to work around these protocol filters.
-      # All special characters will be escaped.
+      # It also strips href/src attributes with unsafe protocols like <tt>javascript:</tt>, while
+      # also protecting against attempts to use Unicode, ASCII, and hex character references to work
+      # around these protocol filters.
       #
-      # The default sanitizer is Rails::Html::SafeListSanitizer. See {Rails HTML
+      # The default sanitizer is Rails::HTML5::SafeListSanitizer. See {Rails HTML
       # Sanitizers}[https://github.com/rails/rails-html-sanitizer] for more information.
       #
       # Custom sanitization rules can also be provided.
@@ -28,7 +31,7 @@ module ActionView
       #
       # * <tt>:tags</tt> - An array of allowed tags.
       # * <tt>:attributes</tt> - An array of allowed attributes.
-      # * <tt>:scrubber</tt> - A {Rails::Html scrubber}[https://github.com/rails/rails-html-sanitizer]
+      # * <tt>:scrubber</tt> - A {Rails::HTML scrubber}[https://github.com/rails/rails-html-sanitizer]
       #   or {Loofah::Scrubber}[https://github.com/flavorjones/loofah] object that
       #   defines custom sanitization rules. A custom scrubber takes precedence over
       #   custom tags and attributes.
@@ -43,9 +46,9 @@ module ActionView
       #
       #   <%= sanitize @comment.body, tags: %w(strong em a), attributes: %w(href) %>
       #
-      # Providing a custom Rails::Html scrubber:
+      # Providing a custom Rails::HTML scrubber:
       #
-      #   class CommentScrubber < Rails::Html::PermitScrubber
+      #   class CommentScrubber < Rails::HTML::PermitScrubber
       #     def initialize
       #       super
       #       self.tags = %w( form script comment blockquote )
@@ -60,7 +63,7 @@ module ActionView
       #   <%= sanitize @comment.body, scrubber: CommentScrubber.new %>
       #
       # See {Rails HTML Sanitizer}[https://github.com/rails/rails-html-sanitizer] for
-      # documentation about Rails::Html scrubbers.
+      # documentation about Rails::HTML scrubbers.
       #
       # Providing a custom Loofah::Scrubber:
       #
@@ -78,6 +81,22 @@ module ActionView
       #   # In config/application.rb
       #   config.action_view.sanitized_allowed_tags = ['strong', 'em', 'a']
       #   config.action_view.sanitized_allowed_attributes = ['href', 'title']
+      #
+      # The default, starting in \Rails 7.1, is to use an HTML5 parser for sanitization (if it is
+      # available, see NOTE below). If you wish to revert back to the previous HTML4 behavior, you
+      # can do so by setting the following in your application configuration:
+      #
+      #   # In config/application.rb
+      #   config.action_view.sanitizer_vendor = Rails::HTML4::Sanitizer
+      #
+      # Or, if you're upgrading from a previous version of \Rails and wish to opt into the HTML5
+      # behavior:
+      #
+      #   # In config/application.rb
+      #   config.action_view.sanitizer_vendor = Rails::HTML5::Sanitizer
+      #
+      # NOTE: Rails::HTML5::Sanitizer is not supported on JRuby, so on JRuby platforms \Rails will
+      # fall back to use Rails::HTML4::Sanitizer.
       def sanitize(html, options = {})
         self.class.safe_list_sanitizer.sanitize(html, options)&.html_safe
       end
@@ -125,7 +144,7 @@ module ActionView
         attr_writer :full_sanitizer, :link_sanitizer, :safe_list_sanitizer
 
         def sanitizer_vendor
-          Rails::Html::Sanitizer
+          ActionView::Helpers::SanitizeHelper.sanitizer_vendor
         end
 
         def sanitized_allowed_tags
@@ -136,7 +155,7 @@ module ActionView
           sanitizer_vendor.safe_list_sanitizer.allowed_attributes
         end
 
-        # Gets the Rails::Html::FullSanitizer instance used by +strip_tags+. Replace with
+        # Gets the Rails::HTML::FullSanitizer instance used by +strip_tags+. Replace with
         # any object that responds to +sanitize+.
         #
         #   class Application < Rails::Application
@@ -146,7 +165,7 @@ module ActionView
           @full_sanitizer ||= sanitizer_vendor.full_sanitizer.new
         end
 
-        # Gets the Rails::Html::LinkSanitizer instance used by +strip_links+.
+        # Gets the Rails::HTML::LinkSanitizer instance used by +strip_links+.
         # Replace with any object that responds to +sanitize+.
         #
         #   class Application < Rails::Application
@@ -156,7 +175,7 @@ module ActionView
           @link_sanitizer ||= sanitizer_vendor.link_sanitizer.new
         end
 
-        # Gets the Rails::Html::SafeListSanitizer instance used by sanitize and +sanitize_css+.
+        # Gets the Rails::HTML::SafeListSanitizer instance used by sanitize and +sanitize_css+.
         # Replace with any object that responds to +sanitize+.
         #
         #   class Application < Rails::Application

data/lib/action_view/helpers/tag_helper.rb

@@ -7,8 +7,9 @@ require "action_view/helpers/capture_helper"
 require "action_view/helpers/output_safety_helper"
 
 module ActionView
-  # = Action View Tag Helpers
   module Helpers # :nodoc:
+    # = Action View Tag \Helpers
+    #
     # Provides methods to generate HTML tags programmatically both as a modern
     # HTML5 compliant builder style and legacy XHTML compliant tags.
     module TagHelper
@@ -65,9 +66,7 @@ module ActionView
           tag_string(:p, *arguments, **options, &block)
         end
 
-        def tag_string(name, content = nil, **options, &block)
-          escape = handle_deprecated_escape_options(options)
-
+        def tag_string(name, content = nil, escape: true, **options, &block)
           content = @view_context.capture(self, &block) if block_given?
           self_closing = SVG_SELF_CLOSING_ELEMENTS.include?(name)
           if (HTML_VOID_ELEMENTS.include?(name) || self_closing) && content.nil?
@@ -164,27 +163,6 @@ module ActionView
             true
           end
 
-          def handle_deprecated_escape_options(options)
-            # The option :escape_attributes has been merged into the options hash to be
-            # able to warn when it is used, so we need to handle default values here.
-            escape_option_provided = options.has_key?(:escape)
-            escape_attributes_option_provided = options.has_key?(:escape_attributes)
-
-            if escape_attributes_option_provided
-              ActiveSupport::Deprecation.warn(<<~MSG)
-                Use of the option :escape_attributes is deprecated. It currently \
-                escapes both names and values of tags and attributes and it is \
-                equivalent to :escape. If any of them are enabled, the escaping \
-                is fully enabled.
-              MSG
-            end
-
-            return true unless escape_option_provided || escape_attributes_option_provided
-            escape_option = options.delete(:escape)
-            escape_attributes_option = options.delete(:escape_attributes)
-            escape_option || escape_attributes_option
-          end
-
           def method_missing(called, *args, **options, &block)
             tag_string(called, *args, **options, &block)
           end
@@ -283,7 +261,7 @@ module ActionView
       #
       # === Legacy syntax
       #
-      # The following format is for legacy syntax support. It will be deprecated in future versions of Rails.
+      # The following format is for legacy syntax support. It will be deprecated in future versions of \Rails.
       #
       #   tag(name, options = nil, open = false, escape = true)
       #
@@ -386,7 +364,7 @@ module ActionView
       #   token_list(nil, false, 123, "", "foo", { bar: true })
       #    # => "123 foo bar"
       def token_list(*args)
-        tokens = build_tag_values(*args).flat_map { |value| value.to_s.split(/\s+/) }.uniq
+        tokens = build_tag_values(*args).flat_map { |value| CGI.unescape_html(value.to_s).split(/\s+/) }.uniq
 
         safe_join(tokens, " ")
       end