actionview 7.0.8.7 → 7.1.5.1

data/lib/action_view/helpers/text_helper.rb

@@ -8,8 +8,9 @@ require "action_view/helpers/tag_helper"
 require "action_view/helpers/output_safety_helper"
 
 module ActionView
-  # = Action View Text Helpers
   module Helpers # :nodoc:
+    # = Action View Text \Helpers
+    #
     # The TextHelper module provides a set of methods for filtering, formatting
     # and transforming strings, which can reduce the amount of inline Ruby code in
     # your views. These helper methods extend Action View making them callable
@@ -40,21 +41,25 @@ module ActionView
       include OutputSafetyHelper
 
       # The preferred method of outputting text in your views is to use the
-      # <%= "text" %> eRuby syntax. The regular _puts_ and _print_ methods
+      # <tt><%= "text" %></tt> eRuby syntax. The regular +puts+ and +print+ methods
       # do not operate as expected in an eRuby code block. If you absolutely must
-      # output text within a non-output code block (i.e., <% %>), you can use the concat method.
+      # output text within a non-output code block (i.e., <tt><% %></tt>), you
+      # can use the +concat+ method.
+      #
+      #   <% concat "hello" %> is equivalent to <%= "hello" %>
       #
       #   <%
-      #       concat "hello"
-      #       # is the equivalent of <%= "hello" %>
-      #
-      #       if logged_in
-      #         concat "Logged in!"
-      #       else
-      #         concat link_to('login', action: :login)
-      #       end
-      #       # will either display "Logged in!" or a login link
+      #      unless signed_in?
+      #        concat link_to("Sign In", action: :sign_in)
+      #      end
       #   %>
+      #
+      #   is equivalent to
+      #
+      #   <% unless signed_in? %>
+      #     <%= link_to "Sign In", action: :sign_in %>
+      #   <% end %>
+      #
       def concat(string)
         output_buffer << string
       end
@@ -63,17 +68,36 @@ module ActionView
         output_buffer.respond_to?(:safe_concat) ? output_buffer.safe_concat(string) : concat(string)
       end
 
-      # Truncates a given +text+ after a given <tt>:length</tt> if +text+ is longer than <tt>:length</tt>
-      # (defaults to 30). The last characters will be replaced with the <tt>:omission</tt> (defaults to "...")
-      # for a total length not exceeding <tt>:length</tt>.
+      # Truncates +text+ if it is longer than a specified +:length+. If +text+
+      # is truncated, an omission marker will be appended to the result for a
+      # total length not exceeding +:length+.
+      #
+      # You can also pass a block to render and append extra content after the
+      # omission marker when +text+ is truncated. However, this content _can_
+      # cause the total length to exceed +:length+ characters.
+      #
+      # The result will be escaped unless <tt>escape: false</tt> is specified.
+      # In any case, the result will be marked HTML-safe. Care should be taken
+      # if +text+ might contain HTML tags or entities, because truncation could
+      # produce invalid HTML, such as unbalanced or incomplete tags.
       #
-      # Pass a <tt>:separator</tt> to truncate +text+ at a natural break.
+      # ==== Options
+      #
+      # [+:length+]
+      #   The maximum number of characters that should be returned, excluding
+      #   any extra content from the block. Defaults to 30.
+      #
+      # [+:omission+]
+      #   The string to append after truncating. Defaults to  <tt>"..."</tt>.
+      #
+      # [+:separator+]
+      #   A string or regexp used to find a breaking point at which to truncate.
+      #   By default, truncation can occur at any character in +text+.
       #
-      # Pass a block if you want to show extra content when the text is truncated.
+      # [+:escape+]
+      #   Whether to escape the result. Defaults to true.
       #
-      # The result is marked as HTML-safe, but it is escaped by default, unless <tt>:escape</tt> is
-      # +false+. Care should be taken if +text+ contains HTML tags or entities, because truncation
-      # may produce invalid HTML (such as unbalanced or incomplete tags).
+      # ==== Examples
       #
       #   truncate("Once upon a time in a world far far away")
       #   # => "Once upon a time in a world..."
@@ -94,7 +118,7 @@ module ActionView
       #   # => "<p>Once upon a time in a wo..."
       #
       #   truncate("Once upon a time in a world far far away") { link_to "Continue", "#" }
-      #   # => "Once upon a time in a wo...<a href="#">Continue</a>"
+      #   # => "Once upon a time in a world...<a href=\"#\">Continue</a>"
       def truncate(text, options = {}, &block)
         if text
           length  = options.fetch(:length, 30)
@@ -106,76 +130,108 @@ module ActionView
         end
       end
 
-      # Highlights one or more +phrases+ everywhere in +text+ by inserting it into
-      # a <tt>:highlighter</tt> string. The highlighter can be specialized by passing <tt>:highlighter</tt>
-      # as a single-quoted string with <tt>\1</tt> where the phrase is to be inserted (defaults to
-      # <tt><mark>\1</mark></tt>) or passing a block that receives each matched term. By default +text+
-      # is sanitized to prevent possible XSS attacks. If the input is trustworthy, passing false
-      # for <tt>:sanitize</tt> will turn sanitizing off.
+      # Highlights occurrences of +phrases+ in +text+ by formatting them with a
+      # highlighter string. +phrases+ can be one or more strings or regular
+      # expressions. The result will be marked HTML safe. By default, +text+ is
+      # sanitized before highlighting to prevent possible XSS attacks.
+      #
+      # If a block is specified, it will be used instead of the highlighter
+      # string. Each occurrence of a phrase will be passed to the block, and its
+      # return value will be inserted into the final result.
+      #
+      # ==== Options
+      #
+      # [+:highlighter+]
+      #   The highlighter string. Uses <tt>\1</tt> as the placeholder for a
+      #   phrase, similar to +String#sub+. Defaults to <tt>"<mark>\1</mark>"</tt>.
+      #   This option is ignored if a block is specified.
+      #
+      # [+:sanitize+]
+      #   Whether to sanitize +text+ before highlighting. Defaults to true.
+      #
+      # ==== Examples
       #
       #   highlight('You searched for: rails', 'rails')
-      #   # => You searched for: <mark>rails</mark>
+      #   # => "You searched for: <mark>rails</mark>"
       #
       #   highlight('You searched for: rails', /for|rails/)
-      #   # => You searched <mark>for</mark>: <mark>rails</mark>
+      #   # => "You searched <mark>for</mark>: <mark>rails</mark>"
       #
       #   highlight('You searched for: ruby, rails, dhh', 'actionpack')
-      #   # => You searched for: ruby, rails, dhh
+      #   # => "You searched for: ruby, rails, dhh"
       #
       #   highlight('You searched for: rails', ['for', 'rails'], highlighter: '<em>\1</em>')
-      #   # => You searched <em>for</em>: <em>rails</em>
+      #   # => "You searched <em>for</em>: <em>rails</em>"
       #
       #   highlight('You searched for: rails', 'rails', highlighter: '<a href="search?q=\1">\1</a>')
-      #   # => You searched for: <a href="search?q=rails">rails</a>
+      #   # => "You searched for: <a href=\"search?q=rails\">rails</a>"
       #
       #   highlight('You searched for: rails', 'rails') { |match| link_to(search_path(q: match, match)) }
-      #   # => You searched for: <a href="search?q=rails">rails</a>
+      #   # => "You searched for: <a href=\"search?q=rails\">rails</a>"
       #
       #   highlight('<a href="javascript:alert(\'no!\')">ruby</a> on rails', 'rails', sanitize: false)
-      #   # => <a href="javascript:alert('no!')">ruby</a> on <mark>rails</mark>
+      #   # => "<a href=\"javascript:alert('no!')\">ruby</a> on <mark>rails</mark>"
       def highlight(text, phrases, options = {}, &block)
         text = sanitize(text) if options.fetch(:sanitize, true)
 
         if text.blank? || phrases.blank?
           text || ""
         else
-          match = Array(phrases).map do |p|
-            Regexp === p ? p.to_s : Regexp.escape(p)
-          end.join("|")
-
-          if block_given?
-            text.gsub(/(#{match})(?![^<]*?>)/i, &block)
-          else
-            highlighter = options.fetch(:highlighter, '<mark>\1</mark>')
-            text.gsub(/(#{match})(?![^<]*?>)/i, highlighter)
-          end
+          patterns = Array(phrases).map { |phrase| Regexp === phrase ? phrase : Regexp.escape(phrase) }
+          pattern = /(#{patterns.join("|")})/i
+          highlighter = options.fetch(:highlighter, '<mark>\1</mark>') unless block
+
+          text.scan(/<[^>]*|[^<]+/).each do |segment|
+            if !segment.start_with?("<")
+              if block
+                segment.gsub!(pattern, &block)
+              else
+                segment.gsub!(pattern, highlighter)
+              end
+            end
+          end.join
         end.html_safe
       end
 
-      # Extracts an excerpt from +text+ that matches the first instance of +phrase+.
-      # The <tt>:radius</tt> option expands the excerpt on each side of the first occurrence of +phrase+ by the number of characters
-      # defined in <tt>:radius</tt> (which defaults to 100). If the excerpt radius overflows the beginning or end of the +text+,
-      # then the <tt>:omission</tt> option (which defaults to "...") will be prepended/appended accordingly. Use the
-      # <tt>:separator</tt> option to choose the delimitation. The resulting string will be stripped in any case. If the +phrase+
-      # isn't found, +nil+ is returned.
+      # Extracts the first occurrence of +phrase+ plus surrounding text from
+      # +text+. An omission marker is prepended / appended if the start / end of
+      # the result does not coincide with the start / end of +text+. The result
+      # is always stripped in any case. Returns +nil+ if +phrase+ isn't found.
+      #
+      # ==== Options
+      #
+      # [+:radius+]
+      #   The number of characters (or tokens — see +:separator+ option) around
+      #   +phrase+ to include in the result. Defaults to 100.
+      #
+      # [+:omission+]
+      #   The marker to prepend / append when the start / end of the excerpt
+      #   does not coincide with the start / end of +text+. Defaults to
+      #   <tt>"..."</tt>.
+      #
+      # [+:separator+]
+      #   The separator between tokens to count for +:radius+. Defaults to
+      #   <tt>""</tt>, which treats each character as a token.
+      #
+      # ==== Examples
       #
       #   excerpt('This is an example', 'an', radius: 5)
-      #   # => ...s is an exam...
+      #   # => "...s is an exam..."
       #
       #   excerpt('This is an example', 'is', radius: 5)
-      #   # => This is a...
+      #   # => "This is a..."
       #
       #   excerpt('This is an example', 'is')
-      #   # => This is an example
+      #   # => "This is an example"
       #
       #   excerpt('This next thing is an example', 'ex', radius: 2)
-      #   # => ...next...
+      #   # => "...next..."
       #
       #   excerpt('This is also an example', 'an', radius: 8, omission: '<chop> ')
-      #   # => <chop> is also an example
+      #   # => "<chop> is also an example"
       #
       #   excerpt('This is a very beautiful morning', 'very', separator: ' ', radius: 1)
-      #   # => ...a very beautiful...
+      #   # => "...a very beautiful..."
       def excerpt(text, phrase, options = {})
         return unless text && phrase
 
@@ -211,26 +267,26 @@ module ActionView
       # Attempts to pluralize the +singular+ word unless +count+ is 1. If
       # +plural+ is supplied, it will use that when count is > 1, otherwise
       # it will use the Inflector to determine the plural form for the given locale,
-      # which defaults to I18n.locale
+      # which defaults to +I18n.locale+.
       #
       # The word will be pluralized using rules defined for the locale
       # (you must define your own inflection rules for languages other than English).
       # See ActiveSupport::Inflector.pluralize
       #
       #   pluralize(1, 'person')
-      #   # => 1 person
+      #   # => "1 person"
       #
       #   pluralize(2, 'person')
-      #   # => 2 people
+      #   # => "2 people"
       #
       #   pluralize(3, 'person', plural: 'users')
-      #   # => 3 users
+      #   # => "3 users"
       #
       #   pluralize(0, 'person')
-      #   # => 0 people
+      #   # => "0 people"
       #
       #   pluralize(2, 'Person', locale: :de)
-      #   # => 2 Personen
+      #   # => "2 Personen"
       def pluralize(count, singular, plural_arg = nil, plural: plural_arg, locale: I18n.locale)
         word = if count == 1 || count.to_s.match?(/^1(\.0+)?$/)
           singular
@@ -246,25 +302,35 @@ module ActionView
       # (which is 80 by default).
       #
       #   word_wrap('Once upon a time')
-      #   # => Once upon a time
+      #   # => "Once upon a time"
       #
       #   word_wrap('Once upon a time, in a kingdom called Far Far Away, a king fell ill, and finding a successor to the throne turned out to be more trouble than anyone could have imagined...')
-      #   # => Once upon a time, in a kingdom called Far Far Away, a king fell ill, and finding\na successor to the throne turned out to be more trouble than anyone could have\nimagined...
+      #   # => "Once upon a time, in a kingdom called Far Far Away, a king fell ill, and finding\na successor to the throne turned out to be more trouble than anyone could have\nimagined..."
       #
       #   word_wrap('Once upon a time', line_width: 8)
-      #   # => Once\nupon a\ntime
+      #   # => "Once\nupon a\ntime"
       #
       #   word_wrap('Once upon a time', line_width: 1)
-      #   # => Once\nupon\na\ntime
+      #   # => "Once\nupon\na\ntime"
       #
-      #   You can also specify a custom +break_sequence+ ("\n" by default)
+      # You can also specify a custom +break_sequence+ ("\n" by default):
       #
       #   word_wrap('Once upon a time', line_width: 1, break_sequence: "\r\n")
-      #   # => Once\r\nupon\r\na\r\ntime
+      #   # => "Once\r\nupon\r\na\r\ntime"
       def word_wrap(text, line_width: 80, break_sequence: "\n")
-        text.split("\n").collect! do |line|
-          line.length > line_width ? line.gsub(/(.{1,#{line_width}})(\s+|$)/, "\\1#{break_sequence}").rstrip : line
-        end * break_sequence
+        return +"" if text.empty?
+
+        # Match up to `line_width` characters, followed by one of
+        #   (1) non-newline whitespace plus an optional newline
+        #   (2) the end of the string, ignoring any trailing newlines
+        #   (3) a newline
+        #
+        # -OR-
+        #
+        # Match an empty line
+        pattern = /(.{1,#{line_width}})(?:[^\S\n]+\n?|\n*\Z|\n)|\n/
+
+        text.gsub(pattern, "\\1#{break_sequence}").chomp!(break_sequence)
       end
 
       # Returns +text+ transformed into HTML using simple formatting rules.
@@ -279,6 +345,7 @@ module ActionView
       #
       # ==== Options
       # * <tt>:sanitize</tt> - If +false+, does not sanitize +text+.
+      # * <tt>:sanitize_options</tt> - Any extra options you want appended to the sanitize.
       # * <tt>:wrapper_tag</tt> - String representing the wrapper tag, defaults to <tt>"p"</tt>
       #
       # ==== Examples
@@ -303,10 +370,13 @@ module ActionView
       #
       #   simple_format("<blink>Blinkable!</blink> It's true.", {}, sanitize: false)
       #   # => "<p><blink>Blinkable!</blink> It's true.</p>"
+      #
+      #   simple_format("<a target=\"_blank\" href=\"http://example.com\">Continue</a>", {}, { sanitize_options: { attributes: %w[target href] } })
+      #   # => "<p><a target=\"_blank\" href=\"http://example.com\">Continue</a></p>"
       def simple_format(text, html_options = {}, options = {})
-        wrapper_tag = options.fetch(:wrapper_tag, :p)
+        wrapper_tag = options[:wrapper_tag] || "p"
 
-        text = sanitize(text) if options.fetch(:sanitize, true)
+        text = sanitize(text, options.fetch(:sanitize_options, {})) if options.fetch(:sanitize, true)
         paragraphs = split_paragraphs(text)
 
         if paragraphs.empty?
@@ -318,7 +388,7 @@ module ActionView
         end
       end
 
-      # Creates a Cycle object whose _to_s_ method cycles through elements of an
+      # Creates a Cycle object whose +to_s+ method cycles through elements of an
       # array every time it is called. This can be used for example, to alternate
       # classes for table rows. You can use named cycles to allow nesting in loops.
       # Passing a Hash as the last parameter with a <tt>:name</tt> key will create a
@@ -327,8 +397,8 @@ module ActionView
       # and passing the name of the cycle. The current cycle string can be obtained
       # anytime using the current_cycle method.
       #
-      #   # Alternate CSS classes for even and odd numbers...
-      #   @items = [1,2,3,4]
+      #   <%# Alternate CSS classes for even and odd numbers... %>
+      #   <% @items = [1,2,3,4] %>
       #   <table>
       #   <% @items.each do |item| %>
       #     <tr class="<%= cycle("odd", "even") -%>">
@@ -338,10 +408,12 @@ module ActionView
       #   </table>
       #
       #
-      #   # Cycle CSS classes for rows, and text colors for values within each row
-      #   @items = x = [{first: 'Robert', middle: 'Daniel', last: 'James'},
-      #                {first: 'Emily', middle: 'Shannon', maiden: 'Pike', last: 'Hicks'},
-      #               {first: 'June', middle: 'Dae', last: 'Jones'}]
+      #   <%# Cycle CSS classes for rows, and text colors for values within each row %>
+      #   <% @items = [
+      #     { first: "Robert", middle: "Daniel", last: "James" },
+      #     { first: "Emily", middle: "Shannon", maiden: "Pike", last: "Hicks" },
+      #     { first: "June", middle: "Dae", last: "Jones" },
+      #   ] %>
       #   <% @items.each do |item| %>
       #     <tr class="<%= cycle("odd", "even", name: "row_class") -%>">
       #       <td>
@@ -372,8 +444,8 @@ module ActionView
       # for complex table highlighting or any other design need which requires
       # the current cycle string in more than one place.
       #
-      #   # Alternate background colors
-      #   @items = [1,2,3,4]
+      #   <%# Alternate background colors %>
+      #   <% @items = [1,2,3,4] %>
       #   <% @items.each do |item| %>
       #     <div style="background-color:<%= cycle("red","white","blue") %>">
       #       <span style="background-color:<%= current_cycle %>"><%= item %></span>
@@ -387,8 +459,8 @@ module ActionView
       # Resets a cycle so that it starts from the first element the next time
       # it is called. Pass in +name+ to reset a named cycle.
       #
-      #   # Alternate CSS classes for even and odd numbers...
-      #   @items = [[1,2,3,4], [5,6,3], [3,4,5,6,7,4]]
+      #   <%# Alternate CSS classes for even and odd numbers... %>
+      #   <% @items = [[1,2,3,4], [5,6,3], [3,4,5,6,7,4]] %>
       #   <table>
       #   <% @items.each do |item| %>
       #     <tr class="<%= cycle("even", "odd") -%>">

data/lib/action_view/helpers/translation_helper.rb

@@ -4,14 +4,14 @@ require "action_view/helpers/tag_helper"
 require "active_support/html_safe_translation"
 
 module ActionView
-  # = Action View Translation Helpers
   module Helpers # :nodoc:
+    # = Action View Translation \Helpers
     module TranslationHelper
       extend ActiveSupport::Concern
 
       include TagHelper
 
-      # Specify whether an error should be raised for missing translations
+      # Specify whether an error should be raised for missing translations.
       singleton_class.attr_accessor :raise_on_missing_translations
 
       included do
@@ -93,7 +93,7 @@ module ActionView
           break translated unless translated == MISSING_TRANSLATION
 
           if alternatives.present? && !alternatives.first.is_a?(Symbol)
-            break alternatives.first && I18n.translate(**options, default: alternatives)
+            break alternatives.first && I18n.translate(nil, **options, default: alternatives)
           end
 
           first_key ||= key

data/lib/action_view/helpers/url_helper.rb

@@ -3,11 +3,13 @@
 require "active_support/core_ext/array/access"
 require "active_support/core_ext/hash/keys"
 require "active_support/core_ext/string/output_safety"
+require "action_view/helpers/content_exfiltration_prevention_helper"
 require "action_view/helpers/tag_helper"
 
 module ActionView
-  # = Action View URL Helpers
   module Helpers # :nodoc:
+    # = Action View URL \Helpers
+    #
     # Provides a set of methods for making links and getting URLs that
     # depend on the routing subsystem (see ActionDispatch::Routing).
     # This allows you to use the same format for links in views
@@ -22,6 +24,7 @@ module ActionView
       extend ActiveSupport::Concern
 
       include TagHelper
+      include ContentExfiltrationPreventionHelper
 
       module ClassMethods
         def _url_for_modules
@@ -93,7 +96,7 @@ module ActionView
       # ==== Examples
       #
       # Because it relies on +url_for+, +link_to+ supports both older-style controller/action/id arguments
-      # and newer RESTful routes. Current Rails style favors RESTful routes whenever possible, so base
+      # and newer RESTful routes. Current \Rails style favors RESTful routes whenever possible, so base
       # your application on resources and use
       #
       #   link_to "Profile", profile_path(@profile)
@@ -170,9 +173,31 @@ module ActionView
       #   link_to "External link", "http://www.rubyonrails.org/", target: "_blank", rel: "nofollow"
       #   # => <a href="http://www.rubyonrails.org/" target="_blank" rel="nofollow">External link</a>
       #
-      # ==== Deprecated: Rails UJS Attributes
+      # ==== Turbo
       #
-      # Prior to Rails 7, Rails shipped with a JavaScript library called <tt>@rails/ujs</tt> on by default. Following Rails 7,
+      # Rails 7 ships with Turbo enabled by default. Turbo provides the following +:data+ options:
+      #
+      # * <tt>turbo_method: symbol of HTTP verb</tt> - Performs a Turbo link visit
+      #   with the given HTTP verb. Forms are recommended when performing non-+GET+ requests.
+      #   Only use <tt>data-turbo-method</tt> where a form is not possible.
+      #
+      # * <tt>turbo_confirm: "question?"</tt> - Adds a confirmation dialog to the link with the
+      #   given value.
+      #
+      # {Consult the Turbo Handbook for more information on the options
+      # above.}[https://turbo.hotwired.dev/handbook/drive#performing-visits-with-a-different-method]
+      #
+      # ===== \Examples
+      #
+      #   link_to "Delete profile", @profile, data: { turbo_method: :delete }
+      #   # => <a href="/profiles/1" data-turbo-method="delete">Delete profile</a>
+      #
+      #   link_to "Visit Other Site", "https://rubyonrails.org/", data: { turbo_confirm: "Are you sure?" }
+      #   # => <a href="https://rubyonrails.org/" data-turbo-confirm="Are you sure?">Visit Other Site</a>
+      #
+      # ==== Deprecated: \Rails UJS Attributes
+      #
+      # Prior to \Rails 7, \Rails shipped with a JavaScript library called <tt>@rails/ujs</tt> on by default. Following \Rails 7,
       # this library is no longer on by default. This library integrated with the following options:
       #
       # * <tt>method: symbol of HTTP verb</tt> - This modifier will dynamically
@@ -198,7 +223,7 @@ module ActionView
       # * <tt>:disable_with</tt> - Value of this parameter will be used as the
       #   name for a disabled version of the link.
       #
-      # ===== Rails UJS Examples
+      # ===== \Rails UJS Examples
       #
       #   link_to "Remove Profile", profile_path(@profile), method: :delete
       #   # => <a href="/profiles/1" rel="nofollow" data-method="delete">Remove Profile</a>
@@ -221,9 +246,6 @@ module ActionView
       # Generates a form containing a single button that submits to the URL created
       # by the set of +options+. This is the safest method to ensure links that
       # cause changes to your data are not triggered by search bots or accelerators.
-      # If the HTML button does not work with your layout, you can also consider
-      # using the +link_to+ method with the <tt>:method</tt> modifier as described in
-      # the +link_to+ documentation.
       #
       # You can control the form and button behavior with +html_options+. Most
       # values in +html_options+ are passed through to the button element. For
@@ -237,6 +259,10 @@ module ActionView
       # The form submits a POST request by default. You can specify a different
       # HTTP verb via the +:method+ option within +html_options+.
       #
+      # If the HTML button generated from +button_to+ does not work with your layout, you can
+      # consider using the +link_to+ method with the +data-turbo-method+
+      # attribute as described in the +link_to+ documentation.
+      #
       # ==== Options
       # The +options+ hash accepts the same options as +url_for+. To generate a
       # <tt><form></tt> element without an <tt>[action]</tt> attribute, pass
@@ -302,9 +328,9 @@ module ActionView
       #   #      <input name="authenticity_token" type="hidden" value="10f2163b45388899ad4d5ae948988266befcb6c3d1b2451cf657a0c293d605a6"  autocomplete="off"/>
       #   #    </form>"
       #
-      # ==== Deprecated: Rails UJS Attributes
+      # ==== Deprecated: \Rails UJS Attributes
       #
-      # Prior to Rails 7, Rails shipped with a JavaScript library called <tt>@rails/ujs</tt> on by default. Following Rails 7,
+      # Prior to \Rails 7, \Rails shipped with a JavaScript library called <tt>@rails/ujs</tt> on by default. Following \Rails 7,
       # this library is no longer on by default. This library integrated with the following options:
       #
       # * <tt>:remote</tt> -  If set to true, will allow <tt>@rails/ujs</tt> to control the
@@ -320,7 +346,7 @@ module ActionView
       #   used as the value for a disabled version of the submit
       #   button when the form is submitted.
       #
-      # ===== Rails UJS Examples
+      # ===== \Rails UJS Examples
       #
       #   <%= button_to "Create", { action: "create" }, remote: true, form: { "data-type" => "json" } %>
       #   # => "<form method="post" action="/images/create" class="button_to" data-remote="true" data-type="json">
@@ -380,7 +406,8 @@ module ActionView
                                        autocomplete: "off")
           end
         end
-        content_tag("form", inner_tags, form_options)
+        html = content_tag("form", inner_tags, form_options)
+        prevent_content_exfiltration(html)
       end
 
       # Creates a link tag of the given +name+ using a URL created by the set of
@@ -495,7 +522,7 @@ module ActionView
       # * <tt>:reply_to</tt> - Preset the +Reply-To+ field of the email.
       #
       # ==== Obfuscation
-      # Prior to Rails 4.0, +mail_to+ provided options for encoding the address
+      # Prior to \Rails 4.0, +mail_to+ provided options for encoding the address
       # in order to hinder email harvesters.  To take advantage of these options,
       # install the +actionview-encoded_mail_to+ gem.
       #
@@ -534,6 +561,8 @@ module ActionView
         content_tag("a", name || email_address, html_options, &block)
       end
 
+      RFC2396_PARSER = defined?(URI::RFC2396_PARSER) ? URI::RFC2396_PARSER : URI::RFC2396_Parser.new
+
       # True if the current request URI was generated by the given +options+.
       #
       # ==== Examples
@@ -590,14 +619,14 @@ module ActionView
 
         options ||= options_as_kwargs
         check_parameters ||= options.is_a?(Hash) && options.delete(:check_parameters)
-        url_string = URI::DEFAULT_PARSER.unescape(url_for(options)).force_encoding(Encoding::BINARY)
+        url_string = RFC2396_PARSER.unescape(url_for(options)).force_encoding(Encoding::BINARY)
 
         # We ignore any extra parameters in the request_uri if the
         # submitted URL doesn't have any either. This lets the function
         # work with things like ?order=asc
-        # the behaviour can be disabled with check_parameters: true
+        # the behavior can be disabled with check_parameters: true
         request_uri = url_string.index("?") || check_parameters ? request.fullpath : request.path
-        request_uri = URI::DEFAULT_PARSER.unescape(request_uri).force_encoding(Encoding::BINARY)
+        request_uri = RFC2396_PARSER.unescape(request_uri).force_encoding(Encoding::BINARY)
 
         if %r{^\w+://}.match?(url_string)
           request_uri = +"#{request.protocol}#{request.host_with_port}#{request_uri}"
@@ -757,7 +786,7 @@ module ActionView
         end
 
         def add_method_to_attributes!(html_options, method)
-          if method_not_get_method?(method) && !html_options["rel"]&.match?(/nofollow/)
+          if method_not_get_method?(method) && !html_options["rel"].to_s.include?("nofollow")
             if html_options["rel"].blank?
               html_options["rel"] = "nofollow"
             else

data/lib/action_view/helpers.rb

@@ -12,6 +12,7 @@ require "action_view/helpers/asset_tag_helper"
 require "action_view/helpers/asset_url_helper"
 require "action_view/helpers/atom_feed_helper"
 require "action_view/helpers/cache_helper"
+require "action_view/helpers/content_exfiltration_prevention_helper"
 require "action_view/helpers/controller_helper"
 require "action_view/helpers/csp_helper"
 require "action_view/helpers/csrf_helper"
@@ -45,6 +46,7 @@ module ActionView # :nodoc:
     include AtomFeedHelper
     include CacheHelper
     include CaptureHelper
+    include ContentExfiltrationPreventionHelper
     include ControllerHelper
     include CspHelper
     include CsrfHelper