actionview 7.0.8.6 → 7.1.0.beta1

data/lib/action_view/helpers/form_tag_helper.rb

@@ -1,14 +1,16 @@
 # frozen_string_literal: true
 
 require "cgi"
+require "action_view/helpers/content_exfiltration_prevention_helper"
 require "action_view/helpers/url_helper"
 require "action_view/helpers/text_helper"
 require "active_support/core_ext/string/output_safety"
 require "active_support/core_ext/module/attribute_accessors"
 
 module ActionView
-  # = Action View Form Tag Helpers
   module Helpers # :nodoc:
+    # = Action View Form Tag \Helpers
+    #
     # Provides a number of methods for creating form tags that don't rely on an Active Record object assigned to the template like
     # FormHelper does. Instead, you provide the names and values manually.
     #
@@ -19,6 +21,7 @@ module ActionView
 
       include UrlHelper
       include TextHelper
+      include ContentExfiltrationPreventionHelper
 
       mattr_accessor :embed_authenticity_token_in_remote_forms
       self.embed_authenticity_token_in_remote_forms = nil
@@ -420,9 +423,17 @@ module ActionView
         content_tag :textarea, content.to_s.html_safe, { "name" => name, "id" => sanitize_to_id(name) }.update(options)
       end
 
+      ##
+      # :call-seq:
+      #   check_box_tag(name, options = {})
+      #   check_box_tag(name, value, options = {})
+      #   check_box_tag(name, value, checked, options = {})
+      #
       # Creates a check box form input tag.
       #
       # ==== Options
+      # * <tt>:value</tt> - The value of the input. Defaults to <tt>"1"</tt>.
+      # * <tt>:checked</tt> - If set to true, the checkbox will be checked by default.
       # * <tt>:disabled</tt> - If set to true, the user will not be able to use this input.
       # * Any other key creates standard HTML options for the tag.
       #
@@ -441,16 +452,27 @@ module ActionView
       #
       #   check_box_tag 'eula', 'accepted', false, disabled: true
       #   # => <input disabled="disabled" id="eula" name="eula" type="checkbox" value="accepted" />
-      def check_box_tag(name, value = "1", checked = false, options = {})
+      def check_box_tag(name, *args)
+        if args.length >= 4
+          raise ArgumentError, "wrong number of arguments (given #{args.length + 1}, expected 1..4)"
+        end
+        options = args.extract_options!
+        value, checked = args.empty? ? ["1", false] : [*args, false]
         html_options = { "type" => "checkbox", "name" => name, "id" => sanitize_to_id(name), "value" => value }.update(options.stringify_keys)
         html_options["checked"] = "checked" if checked
         tag :input, html_options
       end
 
+      ##
+      # :call-seq:
+      #   radio_button_tag(name, value, options = {})
+      #   radio_button_tag(name, value, checked, options = {})
+      #
       # Creates a radio button; use groups of radio buttons named the same to allow users to
       # select from a group of options.
       #
       # ==== Options
+      # * <tt>:checked</tt> - If set to true, the radio button will be selected by default.
       # * <tt>:disabled</tt> - If set to true, the user will not be able to use this input.
       # * Any other key creates standard HTML options for the tag.
       #
@@ -466,7 +488,12 @@ module ActionView
       #
       #   radio_button_tag 'color', "green", true, class: "color_input"
       #   # => <input checked="checked" class="color_input" id="color_green" name="color" type="radio" value="green" />
-      def radio_button_tag(name, value, checked = false, options = {})
+      def radio_button_tag(name, value, *args)
+        if args.length >= 3
+          raise ArgumentError, "wrong number of arguments (given #{args.length + 2}, expected 2..4)"
+        end
+        options = args.extract_options!
+        checked = args.empty? ? false : args.first
         html_options = { "type" => "radio", "name" => name, "id" => "#{sanitize_to_id(name)}_#{sanitize_to_id(value)}", "value" => value }.update(options.stringify_keys)
         html_options["checked"] = "checked" if checked
         tag :input, html_options
@@ -495,9 +522,9 @@ module ActionView
       #   submit_tag "Edit", class: "edit_button"
       #   # => <input class="edit_button" data-disable-with="Edit" name="commit" type="submit" value="Edit" />
       #
-      # ==== Deprecated: Rails UJS attributes
+      # ==== Deprecated: \Rails UJS attributes
       #
-      # Prior to Rails 7, Rails shipped with the JavaScript library called @rails/ujs on by default. Following Rails 7,
+      # Prior to \Rails 7, \Rails shipped with the JavaScript library called @rails/ujs on by default. Following \Rails 7,
       # this library is no longer on by default. This library integrated with the following options:
       #
       # * <tt>confirm: 'question?'</tt> - If present the unobtrusive JavaScript
@@ -555,9 +582,9 @@ module ActionView
       #   #     <strong>Ask me!</strong>
       #   #    </button>
       #
-      # ==== Deprecated: Rails UJS attributes
+      # ==== Deprecated: \Rails UJS attributes
       #
-      # Prior to Rails 7, Rails shipped with a JavaScript library called @rails/ujs on by default. Following Rails 7,
+      # Prior to \Rails 7, \Rails shipped with a JavaScript library called @rails/ujs on by default. Following \Rails 7,
       # this library is no longer on by default. This library integrated with the following options:
       #
       # * <tt>confirm: 'question?'</tt> - If present, the
@@ -770,6 +797,7 @@ module ActionView
       # * <tt>:min</tt> - The minimum acceptable value.
       # * <tt>:max</tt> - The maximum acceptable value.
       # * <tt>:step</tt> - The acceptable value granularity.
+      # * <tt>:include_seconds</tt> - Include seconds in the output timestamp format (true by default).
       def datetime_field_tag(name, value = nil, options = {})
         text_field_tag(name, value, options.merge(type: "datetime-local"))
       end
@@ -979,7 +1007,8 @@ module ActionView
 
         def form_tag_html(html_options)
           extra_tags = extra_tags_for_form(html_options)
-          tag(:form, html_options, true) + extra_tags
+          html = tag(:form, html_options, true) + extra_tags
+          prevent_content_exfiltration(html)
         end
 
         def form_tag_with_body(html_options, content)
@@ -1009,9 +1038,14 @@ module ActionView
         end
 
         def convert_direct_upload_option_to_url(options)
-          if options.delete(:direct_upload) && respond_to?(:rails_direct_uploads_url)
+          return options unless options.delete(:direct_upload)
+
+          if respond_to?(:rails_direct_uploads_url)
             options["data-direct-upload-url"] = rails_direct_uploads_url
+          elsif respond_to?(:main_app) && main_app.respond_to?(:rails_direct_uploads_url)
+            options["data-direct-upload-url"] = main_app.rails_direct_uploads_url
           end
+
           options
         end
     end

data/lib/action_view/helpers/javascript_helper.rb

@@ -2,6 +2,7 @@
 
 module ActionView
   module Helpers # :nodoc:
+    # = Action View JavaScript \Helpers
     module JavaScriptHelper
       JS_ESCAPE_MAP = {
         "\\"    => "\\\\",

data/lib/action_view/helpers/number_helper.rb

@@ -5,8 +5,9 @@ require "active_support/core_ext/string/output_safety"
 require "active_support/number_helper"
 
 module ActionView
-  # = Action View Number Helpers
   module Helpers # :nodoc:
+    # = Action View Number \Helpers
+    #
     # Provides methods for converting numbers into formatted strings.
     # Methods are provided for phone numbers, currency, percentage,
     # precision, positional notation, file size, and pretty printing.

data/lib/action_view/helpers/output_safety_helper.rb

@@ -3,11 +3,11 @@
 require "active_support/core_ext/string/output_safety"
 
 module ActionView # :nodoc:
-  # = Action View Raw Output Helper
   module Helpers # :nodoc:
+    # = Action View Raw Output \Helpers
     module OutputSafetyHelper
       # This method outputs without escaping a string. Since escaping tags is
-      # now default, this can be used when you don't want Rails to automatically
+      # now default, this can be used when you don't want \Rails to automatically
       # escape tags. This is not recommended if the data is coming from the user's
       # input.
       #

data/lib/action_view/helpers/rendering_helper.rb

@@ -2,7 +2,7 @@
 
 module ActionView
   module Helpers # :nodoc:
-    # = Action View Rendering
+    # = Action View \Rendering \Helpers
     #
     # Implements methods that allow rendering from a view context.
     # In order to use this module, all you need is to implement

data/lib/action_view/helpers/sanitize_helper.rb

@@ -3,20 +3,23 @@
 require "rails-html-sanitizer"
 
 module ActionView
-  # = Action View Sanitize Helpers
   module Helpers # :nodoc:
+    # = Action View Sanitize \Helpers
+    #
     # The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements.
     # These helper methods extend Action View making them callable within your template files.
     module SanitizeHelper
+      mattr_accessor :sanitizer_vendor, default: Rails::HTML4::Sanitizer
+
       extend ActiveSupport::Concern
+
       # Sanitizes HTML input, stripping all but known-safe tags and attributes.
       #
-      # It also strips href/src attributes with unsafe protocols like
-      # <tt>javascript:</tt>, while also protecting against attempts to use Unicode,
-      # ASCII, and hex character references to work around these protocol filters.
-      # All special characters will be escaped.
+      # It also strips href/src attributes with unsafe protocols like <tt>javascript:</tt>, while
+      # also protecting against attempts to use Unicode, ASCII, and hex character references to work
+      # around these protocol filters.
       #
-      # The default sanitizer is Rails::Html::SafeListSanitizer. See {Rails HTML
+      # The default sanitizer is Rails::HTML5::SafeListSanitizer. See {Rails HTML
       # Sanitizers}[https://github.com/rails/rails-html-sanitizer] for more information.
       #
       # Custom sanitization rules can also be provided.
@@ -28,7 +31,7 @@ module ActionView
       #
       # * <tt>:tags</tt> - An array of allowed tags.
       # * <tt>:attributes</tt> - An array of allowed attributes.
-      # * <tt>:scrubber</tt> - A {Rails::Html scrubber}[https://github.com/rails/rails-html-sanitizer]
+      # * <tt>:scrubber</tt> - A {Rails::HTML scrubber}[https://github.com/rails/rails-html-sanitizer]
       #   or {Loofah::Scrubber}[https://github.com/flavorjones/loofah] object that
       #   defines custom sanitization rules. A custom scrubber takes precedence over
       #   custom tags and attributes.
@@ -43,9 +46,9 @@ module ActionView
       #
       #   <%= sanitize @comment.body, tags: %w(strong em a), attributes: %w(href) %>
       #
-      # Providing a custom Rails::Html scrubber:
+      # Providing a custom Rails::HTML scrubber:
       #
-      #   class CommentScrubber < Rails::Html::PermitScrubber
+      #   class CommentScrubber < Rails::HTML::PermitScrubber
       #     def initialize
       #       super
       #       self.tags = %w( form script comment blockquote )
@@ -60,7 +63,7 @@ module ActionView
       #   <%= sanitize @comment.body, scrubber: CommentScrubber.new %>
       #
       # See {Rails HTML Sanitizer}[https://github.com/rails/rails-html-sanitizer] for
-      # documentation about Rails::Html scrubbers.
+      # documentation about Rails::HTML scrubbers.
       #
       # Providing a custom Loofah::Scrubber:
       #
@@ -78,6 +81,22 @@ module ActionView
       #   # In config/application.rb
       #   config.action_view.sanitized_allowed_tags = ['strong', 'em', 'a']
       #   config.action_view.sanitized_allowed_attributes = ['href', 'title']
+      #
+      # The default, starting in \Rails 7.1, is to use an HTML5 parser for sanitization (if it is
+      # available, see NOTE below). If you wish to revert back to the previous HTML4 behavior, you
+      # can do so by setting the following in your application configuration:
+      #
+      #   # In config/application.rb
+      #   config.action_view.sanitizer_vendor = Rails::HTML4::Sanitizer
+      #
+      # Or, if you're upgrading from a previous version of \Rails and wish to opt into the HTML5
+      # behavior:
+      #
+      #   # In config/application.rb
+      #   config.action_view.sanitizer_vendor = Rails::HTML5::Sanitizer
+      #
+      # NOTE: Rails::HTML5::Sanitizer is not supported on JRuby, so on JRuby platforms \Rails will
+      # fall back to use Rails::HTML4::Sanitizer.
       def sanitize(html, options = {})
         self.class.safe_list_sanitizer.sanitize(html, options)&.html_safe
       end
@@ -125,7 +144,7 @@ module ActionView
         attr_writer :full_sanitizer, :link_sanitizer, :safe_list_sanitizer
 
         def sanitizer_vendor
-          Rails::Html::Sanitizer
+          ActionView::Helpers::SanitizeHelper.sanitizer_vendor
         end
 
         def sanitized_allowed_tags
@@ -136,7 +155,7 @@ module ActionView
           sanitizer_vendor.safe_list_sanitizer.allowed_attributes
         end
 
-        # Gets the Rails::Html::FullSanitizer instance used by +strip_tags+. Replace with
+        # Gets the Rails::HTML::FullSanitizer instance used by +strip_tags+. Replace with
         # any object that responds to +sanitize+.
         #
         #   class Application < Rails::Application
@@ -146,7 +165,7 @@ module ActionView
           @full_sanitizer ||= sanitizer_vendor.full_sanitizer.new
         end
 
-        # Gets the Rails::Html::LinkSanitizer instance used by +strip_links+.
+        # Gets the Rails::HTML::LinkSanitizer instance used by +strip_links+.
         # Replace with any object that responds to +sanitize+.
         #
         #   class Application < Rails::Application
@@ -156,7 +175,7 @@ module ActionView
           @link_sanitizer ||= sanitizer_vendor.link_sanitizer.new
         end
 
-        # Gets the Rails::Html::SafeListSanitizer instance used by sanitize and +sanitize_css+.
+        # Gets the Rails::HTML::SafeListSanitizer instance used by sanitize and +sanitize_css+.
         # Replace with any object that responds to +sanitize+.
         #
         #   class Application < Rails::Application

data/lib/action_view/helpers/tag_helper.rb

@@ -7,8 +7,9 @@ require "action_view/helpers/capture_helper"
 require "action_view/helpers/output_safety_helper"
 
 module ActionView
-  # = Action View Tag Helpers
   module Helpers # :nodoc:
+    # = Action View Tag \Helpers
+    #
     # Provides methods to generate HTML tags programmatically both as a modern
     # HTML5 compliant builder style and legacy XHTML compliant tags.
     module TagHelper
@@ -65,9 +66,7 @@ module ActionView
           tag_string(:p, *arguments, **options, &block)
         end
 
-        def tag_string(name, content = nil, **options, &block)
-          escape = handle_deprecated_escape_options(options)
-
+        def tag_string(name, content = nil, escape: true, **options, &block)
           content = @view_context.capture(self, &block) if block_given?
           self_closing = SVG_SELF_CLOSING_ELEMENTS.include?(name)
           if (HTML_VOID_ELEMENTS.include?(name) || self_closing) && content.nil?
@@ -164,27 +163,6 @@ module ActionView
             true
           end
 
-          def handle_deprecated_escape_options(options)
-            # The option :escape_attributes has been merged into the options hash to be
-            # able to warn when it is used, so we need to handle default values here.
-            escape_option_provided = options.has_key?(:escape)
-            escape_attributes_option_provided = options.has_key?(:escape_attributes)
-
-            if escape_attributes_option_provided
-              ActiveSupport::Deprecation.warn(<<~MSG)
-                Use of the option :escape_attributes is deprecated. It currently \
-                escapes both names and values of tags and attributes and it is \
-                equivalent to :escape. If any of them are enabled, the escaping \
-                is fully enabled.
-              MSG
-            end
-
-            return true unless escape_option_provided || escape_attributes_option_provided
-            escape_option = options.delete(:escape)
-            escape_attributes_option = options.delete(:escape_attributes)
-            escape_option || escape_attributes_option
-          end
-
           def method_missing(called, *args, **options, &block)
             tag_string(called, *args, **options, &block)
           end
@@ -283,7 +261,7 @@ module ActionView
       #
       # === Legacy syntax
       #
-      # The following format is for legacy syntax support. It will be deprecated in future versions of Rails.
+      # The following format is for legacy syntax support. It will be deprecated in future versions of \Rails.
       #
       #   tag(name, options = nil, open = false, escape = true)
       #
@@ -386,7 +364,7 @@ module ActionView
       #   token_list(nil, false, 123, "", "foo", { bar: true })
       #    # => "123 foo bar"
       def token_list(*args)
-        tokens = build_tag_values(*args).flat_map { |value| value.to_s.split(/\s+/) }.uniq
+        tokens = build_tag_values(*args).flat_map { |value| CGI.unescape_html(value.to_s).split(/\s+/) }.uniq
 
         safe_join(tokens, " ")
       end

data/lib/action_view/helpers/tags/base.rb

@@ -5,7 +5,6 @@ module ActionView
     module Tags # :nodoc:
       class Base # :nodoc:
         include Helpers::ActiveModelInstanceTag, Helpers::TagHelper, Helpers::FormTagHelper
-        include FormOptionsHelper
 
         attr_reader :object
 
@@ -35,22 +34,24 @@ module ActionView
 
         private
           def value
+            return unless object
+
             if @allow_method_names_outside_object
-              object.public_send @method_name if object && object.respond_to?(@method_name)
+              object.public_send @method_name if object.respond_to?(@method_name)
             else
-              object.public_send @method_name if object
+              object.public_send @method_name
             end
           end
 
           def value_before_type_cast
-            unless object.nil?
-              method_before_type_cast = @method_name + "_before_type_cast"
+            return unless object
 
-              if value_came_from_user? && object.respond_to?(method_before_type_cast)
-                object.public_send(method_before_type_cast)
-              else
-                value
-              end
+            method_before_type_cast = @method_name + "_before_type_cast"
+
+            if value_came_from_user? && object.respond_to?(method_before_type_cast)
+              object.public_send(method_before_type_cast)
+            else
+              value
             end
           end
 
@@ -120,48 +121,6 @@ module ActionView
             value.to_s.gsub(/[\s.]/, "_").gsub(/[^-[[:word:]]]/, "").downcase
           end
 
-          def select_content_tag(option_tags, options, html_options)
-            html_options = html_options.stringify_keys
-            add_default_name_and_id(html_options)
-
-            if placeholder_required?(html_options)
-              raise ArgumentError, "include_blank cannot be false for a required field." if options[:include_blank] == false
-              options[:include_blank] ||= true unless options[:prompt]
-            end
-
-            value = options.fetch(:selected) { value() }
-            select = content_tag("select", add_options(option_tags, options, value), html_options)
-
-            if html_options["multiple"] && options.fetch(:include_hidden, true)
-              tag("input", disabled: html_options["disabled"], name: html_options["name"], type: "hidden", value: "", autocomplete: "off") + select
-            else
-              select
-            end
-          end
-
-          def placeholder_required?(html_options)
-            # See https://html.spec.whatwg.org/multipage/forms.html#attr-select-required
-            html_options["required"] && !html_options["multiple"] && html_options.fetch("size", 1).to_i == 1
-          end
-
-          def add_options(option_tags, options, value = nil)
-            if options[:include_blank]
-              content = (options[:include_blank] if options[:include_blank].is_a?(String))
-              label = (" " unless content)
-              option_tags = tag_builder.content_tag_string("option", content, value: "", label: label) + "\n" + option_tags
-            end
-
-            if value.blank? && options[:prompt]
-              tag_options = { value: "" }.tap do |prompt_opts|
-                prompt_opts[:disabled] = true if options[:disabled] == ""
-                prompt_opts[:selected] = true if options[:selected] == ""
-              end
-              option_tags = tag_builder.content_tag_string("option", prompt_text(options[:prompt]), tag_options) + "\n" + option_tags
-            end
-
-            option_tags
-          end
-
           def name_and_id_index(options)
             if options.key?("index")
               options.delete("index") || ""

data/lib/action_view/helpers/tags/collection_check_boxes.rb

@@ -7,6 +7,7 @@ module ActionView
     module Tags # :nodoc:
       class CollectionCheckBoxes < Base # :nodoc:
         include CollectionHelpers
+        include FormOptionsHelper
 
         class CheckBoxBuilder < Builder # :nodoc:
           def check_box(extra_html_options = {})

data/lib/action_view/helpers/tags/collection_radio_buttons.rb

@@ -7,6 +7,7 @@ module ActionView
     module Tags # :nodoc:
       class CollectionRadioButtons < Base # :nodoc:
         include CollectionHelpers
+        include FormOptionsHelper
 
         class RadioButtonBuilder < Builder # :nodoc:
           def radio_button(extra_html_options = {})

data/lib/action_view/helpers/tags/collection_select.rb

@@ -4,6 +4,9 @@ module ActionView
   module Helpers
     module Tags # :nodoc:
       class CollectionSelect < Base # :nodoc:
+        include SelectRenderer
+        include FormOptionsHelper
+
         def initialize(object_name, method_name, template_object, collection, value_method, text_method, options, html_options)
           @collection   = collection
           @value_method = value_method

data/lib/action_view/helpers/tags/date_field.rb

@@ -5,7 +5,7 @@ module ActionView
     module Tags # :nodoc:
       class DateField < DatetimeField # :nodoc:
         private
-          def format_date(value)
+          def format_datetime(value)
             value&.strftime("%Y-%m-%d")
           end
       end

data/lib/action_view/helpers/tags/date_select.rb

@@ -6,6 +6,8 @@ module ActionView
   module Helpers
     module Tags # :nodoc:
       class DateSelect < Base # :nodoc:
+        include SelectRenderer
+
         def initialize(object_name, method_name, template_object, options, html_options)
           @html_options = html_options
 

data/lib/action_view/helpers/tags/datetime_field.rb

@@ -6,20 +6,28 @@ module ActionView
       class DatetimeField < TextField # :nodoc:
         def render
           options = @options.stringify_keys
-          options["value"] ||= format_date(value)
-          options["min"] = format_date(datetime_value(options["min"]))
-          options["max"] = format_date(datetime_value(options["max"]))
+          options["value"] = datetime_value(options["value"] || value)
+          options["min"] = format_datetime(parse_datetime(options["min"]))
+          options["max"] = format_datetime(parse_datetime(options["max"]))
           @options = options
           super
         end
 
         private
-          def format_date(value)
+          def datetime_value(value)
+            if value.is_a?(String)
+              value
+            else
+              format_datetime(value)
+            end
+          end
+
+          def format_datetime(value)
             raise NotImplementedError
           end
 
-          def datetime_value(value)
-            if value.is_a? String
+          def parse_datetime(value)
+            if value.is_a?(String)
               DateTime.parse(value) rescue nil
             else
               value

data/lib/action_view/helpers/tags/datetime_local_field.rb

@@ -4,6 +4,11 @@ module ActionView
   module Helpers
     module Tags # :nodoc:
       class DatetimeLocalField < DatetimeField # :nodoc:
+        def initialize(object_name, method_name, template_object, options = {})
+          @include_seconds = options.delete(:include_seconds) { true }
+          super
+        end
+
         class << self
           def field_type
             @field_type ||= "datetime-local"
@@ -11,8 +16,12 @@ module ActionView
         end
 
         private
-          def format_date(value)
-            value&.strftime("%Y-%m-%dT%T")
+          def format_datetime(value)
+            if @include_seconds
+              value&.strftime("%Y-%m-%dT%T")
+            else
+              value&.strftime("%Y-%m-%dT%H:%M")
+            end
           end
       end
     end

data/lib/action_view/helpers/tags/grouped_collection_select.rb

@@ -4,6 +4,9 @@ module ActionView
   module Helpers
     module Tags # :nodoc:
       class GroupedCollectionSelect < Base # :nodoc:
+        include SelectRenderer
+        include FormOptionsHelper
+
         def initialize(object_name, method_name, template_object, collection, group_method, group_label_method, option_key_method, option_value_method, options, html_options)
           @collection          = collection
           @group_method        = group_method

data/lib/action_view/helpers/tags/month_field.rb

@@ -5,7 +5,7 @@ module ActionView
     module Tags # :nodoc:
       class MonthField < DatetimeField # :nodoc:
         private
-          def format_date(value)
+          def format_datetime(value)
             value&.strftime("%Y-%m")
           end
       end

data/lib/action_view/helpers/tags/select.rb

@@ -4,6 +4,9 @@ module ActionView
   module Helpers
     module Tags # :nodoc:
       class Select < Base # :nodoc:
+        include SelectRenderer
+        include FormOptionsHelper
+
         def initialize(object_name, method_name, template_object, choices, options, html_options)
           @choices = block_given? ? template_object.capture { yield || "" } : choices
           @choices = @choices.to_a if @choices.is_a?(Range)

data/lib/action_view/helpers/tags/select_renderer.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+module ActionView
+  module Helpers
+    module Tags # :nodoc:
+      module SelectRenderer # :nodoc:
+        private
+          def select_content_tag(option_tags, options, html_options)
+            html_options = html_options.stringify_keys
+            [:required, :multiple, :size].each do |prop|
+              html_options[prop.to_s] = options.delete(prop) if options.key?(prop) && !html_options.key?(prop.to_s)
+            end
+
+            add_default_name_and_id(html_options)
+
+            if placeholder_required?(html_options)
+              raise ArgumentError, "include_blank cannot be false for a required field." if options[:include_blank] == false
+              options[:include_blank] ||= true unless options[:prompt]
+            end
+
+            value = options.fetch(:selected) { value() }
+            select = content_tag("select", add_options(option_tags, options, value), html_options)
+
+            if html_options["multiple"] && options.fetch(:include_hidden, true)
+              tag("input", disabled: html_options["disabled"], name: html_options["name"], type: "hidden", value: "", autocomplete: "off") + select
+            else
+              select
+            end
+          end
+
+          def placeholder_required?(html_options)
+            # See https://html.spec.whatwg.org/multipage/forms.html#attr-select-required
+            html_options["required"] && !html_options["multiple"] && html_options.fetch("size", 1).to_i == 1
+          end
+
+          def add_options(option_tags, options, value = nil)
+            if options[:include_blank]
+              content = (options[:include_blank] if options[:include_blank].is_a?(String))
+              label = (" " unless content)
+              option_tags = tag_builder.content_tag_string("option", content, value: "", label: label) + "\n" + option_tags
+            end
+
+            if value.blank? && options[:prompt]
+              tag_options = { value: "" }.tap do |prompt_opts|
+                prompt_opts[:disabled] = true if options[:disabled] == ""
+                prompt_opts[:selected] = true if options[:selected] == ""
+              end
+              option_tags = tag_builder.content_tag_string("option", prompt_text(options[:prompt]), tag_options) + "\n" + option_tags
+            end
+
+            option_tags
+          end
+      end
+    end
+  end
+end