actionview 7.0.8 → 7.1.3.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +295 -317
- data/MIT-LICENSE +1 -1
- data/README.rdoc +1 -1
- data/app/assets/javascripts/rails-ujs.esm.js +686 -0
- data/app/assets/javascripts/rails-ujs.js +630 -0
- data/lib/action_view/base.rb +33 -12
- data/lib/action_view/buffers.rb +106 -8
- data/lib/action_view/cache_expiry.rb +40 -43
- data/lib/action_view/context.rb +1 -1
- data/lib/action_view/deprecator.rb +7 -0
- data/lib/action_view/digestor.rb +1 -1
- data/lib/action_view/gem_version.rb +4 -4
- data/lib/action_view/helpers/active_model_helper.rb +1 -1
- data/lib/action_view/helpers/asset_tag_helper.rb +134 -50
- data/lib/action_view/helpers/asset_url_helper.rb +6 -5
- data/lib/action_view/helpers/atom_feed_helper.rb +5 -5
- data/lib/action_view/helpers/cache_helper.rb +3 -9
- data/lib/action_view/helpers/capture_helper.rb +30 -10
- data/lib/action_view/helpers/content_exfiltration_prevention_helper.rb +70 -0
- data/lib/action_view/helpers/controller_helper.rb +6 -0
- data/lib/action_view/helpers/csp_helper.rb +2 -2
- data/lib/action_view/helpers/csrf_helper.rb +2 -2
- data/lib/action_view/helpers/date_helper.rb +17 -19
- data/lib/action_view/helpers/debug_helper.rb +3 -3
- data/lib/action_view/helpers/form_helper.rb +54 -25
- data/lib/action_view/helpers/form_options_helper.rb +2 -1
- data/lib/action_view/helpers/form_tag_helper.rb +49 -15
- data/lib/action_view/helpers/javascript_helper.rb +1 -0
- data/lib/action_view/helpers/number_helper.rb +37 -330
- data/lib/action_view/helpers/output_safety_helper.rb +2 -2
- data/lib/action_view/helpers/rendering_helper.rb +1 -1
- data/lib/action_view/helpers/sanitize_helper.rb +51 -21
- data/lib/action_view/helpers/tag_helper.rb +5 -27
- data/lib/action_view/helpers/tags/base.rb +11 -52
- data/lib/action_view/helpers/tags/collection_check_boxes.rb +1 -0
- data/lib/action_view/helpers/tags/collection_radio_buttons.rb +1 -0
- data/lib/action_view/helpers/tags/collection_select.rb +3 -0
- data/lib/action_view/helpers/tags/date_field.rb +1 -1
- data/lib/action_view/helpers/tags/date_select.rb +2 -0
- data/lib/action_view/helpers/tags/datetime_field.rb +14 -6
- data/lib/action_view/helpers/tags/datetime_local_field.rb +11 -2
- data/lib/action_view/helpers/tags/grouped_collection_select.rb +3 -0
- data/lib/action_view/helpers/tags/month_field.rb +1 -1
- data/lib/action_view/helpers/tags/select.rb +3 -0
- data/lib/action_view/helpers/tags/select_renderer.rb +56 -0
- data/lib/action_view/helpers/tags/time_field.rb +1 -1
- data/lib/action_view/helpers/tags/time_zone_select.rb +3 -0
- data/lib/action_view/helpers/tags/week_field.rb +1 -1
- data/lib/action_view/helpers/tags/weekday_select.rb +3 -0
- data/lib/action_view/helpers/tags.rb +2 -0
- data/lib/action_view/helpers/text_helper.rb +156 -84
- data/lib/action_view/helpers/translation_helper.rb +3 -3
- data/lib/action_view/helpers/url_helper.rb +41 -14
- data/lib/action_view/helpers.rb +2 -0
- data/lib/action_view/layouts.rb +8 -6
- data/lib/action_view/log_subscriber.rb +49 -32
- data/lib/action_view/lookup_context.rb +29 -13
- data/lib/action_view/path_registry.rb +57 -0
- data/lib/action_view/path_set.rb +13 -14
- data/lib/action_view/railtie.rb +26 -3
- data/lib/action_view/record_identifier.rb +15 -8
- data/lib/action_view/renderer/abstract_renderer.rb +1 -1
- data/lib/action_view/renderer/collection_renderer.rb +10 -2
- data/lib/action_view/renderer/partial_renderer/collection_caching.rb +2 -1
- data/lib/action_view/renderer/partial_renderer.rb +2 -1
- data/lib/action_view/renderer/renderer.rb +2 -0
- data/lib/action_view/renderer/streaming_template_renderer.rb +3 -2
- data/lib/action_view/renderer/template_renderer.rb +3 -2
- data/lib/action_view/rendering.rb +22 -4
- data/lib/action_view/ripper_ast_parser.rb +6 -6
- data/lib/action_view/template/error.rb +14 -1
- data/lib/action_view/template/handlers/builder.rb +4 -4
- data/lib/action_view/template/handlers/erb/erubi.rb +23 -27
- data/lib/action_view/template/handlers/erb.rb +73 -1
- data/lib/action_view/template/handlers.rb +1 -1
- data/lib/action_view/template/html.rb +1 -1
- data/lib/action_view/template/raw_file.rb +1 -1
- data/lib/action_view/template/renderable.rb +1 -1
- data/lib/action_view/template/resolver.rb +10 -2
- data/lib/action_view/template/text.rb +1 -1
- data/lib/action_view/template/types.rb +25 -34
- data/lib/action_view/template.rb +242 -54
- data/lib/action_view/template_path.rb +2 -0
- data/lib/action_view/test_case.rb +176 -21
- data/lib/action_view/unbound_template.rb +15 -5
- data/lib/action_view/version.rb +1 -1
- data/lib/action_view/view_paths.rb +15 -24
- data/lib/action_view.rb +4 -1
- metadata +24 -25
- data/lib/assets/compiled/rails-ujs.js +0 -777
data/CHANGELOG.md
CHANGED
@@ -1,493 +1,471 @@
|
|
1
|
-
## Rails 7.
|
2
|
-
|
3
|
-
* Fix `form_for` missing the hidden `_method` input for models with a
|
4
|
-
namespaced route.
|
5
|
-
|
6
|
-
*Hartley McGuire*
|
7
|
-
|
8
|
-
* Fix `render collection: @records, cache: true` inside `jbuilder` templates
|
9
|
-
|
10
|
-
The previous fix that shipped in `7.0.7` assumed template fragments are always strings,
|
11
|
-
this isn't true with `jbuilder`.
|
12
|
-
|
13
|
-
*Jean Boussier*
|
14
|
-
|
15
|
-
## Rails 7.0.7.2 (August 22, 2023) ##
|
1
|
+
## Rails 7.1.3.2 (February 21, 2024) ##
|
16
2
|
|
17
3
|
* No changes.
|
18
4
|
|
19
5
|
|
20
|
-
## Rails 7.
|
6
|
+
## Rails 7.1.3.1 (February 21, 2024) ##
|
21
7
|
|
22
8
|
* No changes.
|
23
9
|
|
24
10
|
|
25
|
-
## Rails 7.
|
11
|
+
## Rails 7.1.3 (January 16, 2024) ##
|
26
12
|
|
27
|
-
*
|
13
|
+
* Better handle SyntaxError in Action View.
|
28
14
|
|
29
|
-
|
15
|
+
*Mario Caropreso*
|
30
16
|
|
31
|
-
|
17
|
+
* Fix `word_wrap` with empty string.
|
32
18
|
|
33
|
-
*
|
19
|
+
*Jonathan Hefner*
|
34
20
|
|
35
|
-
|
36
|
-
|
21
|
+
* Rename `ActionView::TestCase::Behavior::Content` to `ActionView::TestCase::Behavior::RenderedViewContent`.
|
22
|
+
|
23
|
+
Make `RenderedViewContent` inherit from `String`. Make private API with `:nodoc:`.
|
37
24
|
|
38
25
|
*Sean Doyle*
|
39
26
|
|
27
|
+
* Fix detection of required strict locals.
|
40
28
|
|
41
|
-
|
29
|
+
Further fix `render @collection` compatibility with strict locals
|
42
30
|
|
43
|
-
*
|
31
|
+
*Jean Boussier*
|
44
32
|
|
45
33
|
|
46
|
-
## Rails 7.
|
34
|
+
## Rails 7.1.2 (November 10, 2023) ##
|
47
35
|
|
48
|
-
*
|
36
|
+
* Fix the `number_to_human_size` view helper to correctly work with negative numbers.
|
49
37
|
|
38
|
+
*Earlopain*
|
50
39
|
|
51
|
-
|
40
|
+
* Automatically discard the implicit locals injected by collection rendering for template that can't accept them
|
52
41
|
|
53
|
-
|
42
|
+
When rendering a collection, two implicit variables are injected, which breaks templates with strict locals.
|
54
43
|
|
55
|
-
|
44
|
+
Now they are only passed if the template will actually accept them.
|
56
45
|
|
57
|
-
*
|
46
|
+
*Yasha Krasnou*, *Jean Boussier*
|
58
47
|
|
59
|
-
|
48
|
+
* Fix `@rails/ujs` calling `start()` an extra time when using bundlers
|
60
49
|
|
61
|
-
*
|
62
|
-
of the child arrays when using grouped/nested collections
|
50
|
+
*Hartley McGuire*, *Ryunosuke Sato*
|
63
51
|
|
64
|
-
|
65
|
-
<%= form.select :foo, [["North America", [["United States","US"],["Canada","CA"]], { disabled: "disabled" }]] %>
|
66
|
-
# => <select><optgroup label="North America" disabled="disabled"><option value="US">United States</option><option value="CA">Canada</option></optgroup></select>
|
67
|
-
```
|
68
|
-
|
69
|
-
*Chris Gunther*
|
52
|
+
* Fix the `capture` view helper compatibility with HAML and Slim
|
70
53
|
|
54
|
+
When a blank string was captured in HAML or Slim (and possibly other template engines)
|
55
|
+
it would instead return the entire buffer.
|
71
56
|
|
72
|
-
|
57
|
+
*Jean Boussier*
|
73
58
|
|
74
|
-
* Ignore certain data-* attributes in rails-ujs when element is contenteditable
|
75
59
|
|
76
|
-
|
60
|
+
## Rails 7.1.1 (October 11, 2023) ##
|
77
61
|
|
62
|
+
* Updated `@rails/ujs` files to ignore certain data-* attributes when element is contenteditable.
|
78
63
|
|
79
|
-
|
64
|
+
This fix was already landed in >= 7.0.4.3, < 7.1.0.
|
65
|
+
[[CVE-2023-23913](https://github.com/advisories/GHSA-xp5h-f8jf-rc8q)]
|
80
66
|
|
81
|
-
*
|
67
|
+
*Ryunosuke Sato*
|
82
68
|
|
83
69
|
|
84
|
-
## Rails 7.0
|
70
|
+
## Rails 7.1.0 (October 05, 2023) ##
|
85
71
|
|
86
72
|
* No changes.
|
87
73
|
|
88
74
|
|
89
|
-
## Rails 7.0.
|
90
|
-
|
91
|
-
* Guard against `ActionView::Helpers::FormTagHelper#field_name` calls with nil
|
92
|
-
`object_name` arguments. For example:
|
93
|
-
|
94
|
-
```erb
|
95
|
-
<%= fields do |f| %>
|
96
|
-
<%= f.field_name :body %>
|
97
|
-
<% end %>
|
98
|
-
```
|
99
|
-
|
100
|
-
*Sean Doyle*
|
101
|
-
|
102
|
-
* Strings returned from `strip_tags` are correctly tagged `html_safe?`
|
103
|
-
|
104
|
-
Because these strings contain no HTML elements and the basic entities are escaped, they are safe
|
105
|
-
to be included as-is as PCDATA in HTML content. Tagging them as html-safe avoids double-escaping
|
106
|
-
entities when being concatenated to a SafeBuffer during rendering.
|
107
|
-
|
108
|
-
Fixes [rails/rails-html-sanitizer#124](https://github.com/rails/rails-html-sanitizer/issues/124)
|
109
|
-
|
110
|
-
*Mike Dalessio*
|
111
|
-
|
112
|
-
## Rails 7.0.3.1 (July 12, 2022) ##
|
75
|
+
## Rails 7.1.0.rc2 (October 01, 2023) ##
|
113
76
|
|
114
77
|
* No changes.
|
115
78
|
|
116
79
|
|
117
|
-
## Rails 7.0.
|
118
|
-
|
119
|
-
* Ensure models passed to `form_for` attempt to call `to_model`.
|
80
|
+
## Rails 7.1.0.rc1 (September 27, 2023) ##
|
120
81
|
|
121
|
-
|
82
|
+
* Introduce `ActionView::TestCase.register_parser`
|
122
83
|
|
123
|
-
|
84
|
+
```ruby
|
85
|
+
register_parser :rss, -> rendered { RSS::Parser.parse(rendered) }
|
124
86
|
|
125
|
-
|
87
|
+
test "renders RSS" do
|
88
|
+
article = Article.create!(title: "Hello, world")
|
126
89
|
|
127
|
-
|
128
|
-
tag helpers, following the XML specification. Rename the option
|
129
|
-
`:escape_attributes` to `:escape`, to simplify by applying the option to the
|
130
|
-
whole tag.
|
90
|
+
render formats: :rss, partial: article
|
131
91
|
|
132
|
-
|
92
|
+
assert_equal "Hello, world", rendered.rss.items.last.title
|
93
|
+
end
|
94
|
+
```
|
133
95
|
|
134
|
-
|
96
|
+
By default, register parsers for `:html` and `:json`.
|
135
97
|
|
136
|
-
*
|
98
|
+
*Sean Doyle*
|
137
99
|
|
138
100
|
|
139
|
-
## Rails 7.0.
|
101
|
+
## Rails 7.1.0.beta1 (September 13, 2023) ##
|
140
102
|
|
141
|
-
*
|
103
|
+
* Fix `simple_format` with blank `wrapper_tag` option returns plain html tag
|
142
104
|
|
105
|
+
By default `simple_format` method returns the text wrapped with `<p>`. But if we explicitly specify
|
106
|
+
the `wrapper_tag: nil` in the options, it returns the text wrapped with `<></>` tag.
|
143
107
|
|
144
|
-
|
108
|
+
Before:
|
145
109
|
|
146
|
-
|
110
|
+
```ruby
|
111
|
+
simple_format("Hello World", {}, { wrapper_tag: nil })
|
112
|
+
# <>Hello World</>
|
113
|
+
```
|
147
114
|
|
115
|
+
After:
|
148
116
|
|
149
|
-
|
117
|
+
```ruby
|
118
|
+
simple_format("Hello World", {}, { wrapper_tag: nil })
|
119
|
+
# <p>Hello World</p>
|
120
|
+
```
|
150
121
|
|
151
|
-
*
|
122
|
+
*Akhil G Krishnan*, *Junichi Ito*
|
152
123
|
|
153
|
-
|
124
|
+
* Don't double-encode nested `field_id` and `field_name` index values
|
154
125
|
|
155
|
-
|
156
|
-
|
126
|
+
Pass `index: @options` as a default keyword argument to `field_id` and
|
127
|
+
`field_name` view helper methods.
|
157
128
|
|
158
|
-
*
|
129
|
+
*Sean Doyle*
|
159
130
|
|
131
|
+
* Allow opting in/out of `Link preload` headers when calling `stylesheet_link_tag` or `javascript_include_tag`
|
160
132
|
|
161
|
-
|
133
|
+
```ruby
|
134
|
+
# will exclude header, even if setting is enabled:
|
135
|
+
javascript_include_tag("http://example.com/all.js", preload_links_header: false)
|
162
136
|
|
163
|
-
|
137
|
+
# will include header, even if setting is disabled:
|
138
|
+
stylesheet_link_tag("http://example.com/all.js", preload_links_header: true)
|
139
|
+
```
|
164
140
|
|
165
|
-
*
|
141
|
+
*Alex Ghiculescu*
|
166
142
|
|
167
|
-
*
|
143
|
+
* Stop generating `Link preload` headers once it has reached 1KB.
|
168
144
|
|
169
|
-
|
145
|
+
Some proxies have trouble handling large headers, but more importantly preload links
|
146
|
+
have diminishing returns so it's preferable not to go overboard with them.
|
170
147
|
|
148
|
+
If tighter control is needed, it's recommended to disable automatic generation of preloads
|
149
|
+
and to generate them manually from the controller or from a middleware.
|
171
150
|
|
172
|
-
|
151
|
+
*Jean Boussier*
|
173
152
|
|
174
|
-
*
|
175
|
-
`ActionView::Helper::FormBuilder#file_field` with `multiple: true` to
|
176
|
-
support submitting an empty collection of files.
|
153
|
+
* `simple_format` helper now handles a `:sanitize_options` - any extra options you want appending to the sanitize.
|
177
154
|
|
155
|
+
Before:
|
178
156
|
```ruby
|
179
|
-
|
180
|
-
|
181
|
-
<input type="file" multiple="multiple" id="post_attachments" name="post[attachments][]">
|
182
|
-
|
183
|
-
form.file_field :attachments, multiple: true, include_hidden: false
|
184
|
-
# => <input type="file" multiple="multiple" id="post_attachments" name="post[attachments][]">
|
157
|
+
simple_format("<a target=\"_blank\" href=\"http://example.com\">Continue</a>")
|
158
|
+
# => "<p><a href=\"http://example.com\">Continue</a></p>"
|
185
159
|
```
|
186
160
|
|
187
|
-
|
188
|
-
|
189
|
-
|
190
|
-
|
191
|
-
|
192
|
-
|
193
|
-
|
194
|
-
## Rails 7.0.0.rc3 (December 14, 2021) ##
|
161
|
+
After:
|
162
|
+
```ruby
|
163
|
+
simple_format("<a target=\"_blank\" href=\"http://example.com\">Continue</a>", {}, { sanitize_options: { attributes: %w[target href] } })
|
164
|
+
# => "<p><a target=\"_blank\" href=\"http://example.com\">Continue</a></p>"
|
165
|
+
```
|
195
166
|
|
196
|
-
*
|
167
|
+
*Andrei Andriichuk*
|
197
168
|
|
169
|
+
* Add support for HTML5 standards-compliant sanitizers, and default to `Rails::HTML5::Sanitizer`
|
170
|
+
in the Rails 7.1 configuration if it is supported.
|
198
171
|
|
199
|
-
|
172
|
+
Action View's HTML sanitizers can be configured by setting
|
173
|
+
`config.action_view.sanitizer_vendor`. Supported values are `Rails::HTML4::Sanitizer` or
|
174
|
+
`Rails::HTML5::Sanitizer`.
|
200
175
|
|
201
|
-
|
176
|
+
The Rails 7.1 configuration will set this to `Rails::HTML5::Sanitizer` when it is supported, and
|
177
|
+
fall back to `Rails::HTML4::Sanitizer`. Previous configurations default to
|
178
|
+
`Rails::HTML4::Sanitizer`.
|
202
179
|
|
203
|
-
|
180
|
+
*Mike Dalessio*
|
204
181
|
|
205
|
-
*
|
206
|
-
|
182
|
+
* `config.dom_testing_default_html_version` controls the HTML parser used by
|
183
|
+
`ActionView::TestCase#document_root_element`, which creates the DOM used by the assertions in
|
184
|
+
Rails::Dom::Testing.
|
207
185
|
|
208
|
-
|
186
|
+
The Rails 7.1 default configuration opts into the HTML5 parser when it is supported, to better
|
187
|
+
represent what the DOM would be in a browser user agent. Previously this test helper always used
|
188
|
+
Nokogiri's HTML4 parser.
|
209
189
|
|
210
|
-
*
|
211
|
-
argument to `button_to` when combined with a block:
|
190
|
+
*Mike Dalessio*
|
212
191
|
|
213
|
-
|
214
|
-
|
215
|
-
|
216
|
-
|
217
|
-
#=> <button type="submit">Update</button>
|
218
|
-
#=> </form>
|
192
|
+
* Add support for the HTML picture tag. It supports passing a String, an Array or a Block.
|
193
|
+
Supports passing properties directly to the img tag via the `:image` key.
|
194
|
+
Since the picture tag requires an img tag, the last element you provide will be used for the img tag.
|
195
|
+
For complete control over the picture tag, a block can be passed, which will populate the contents of the tag accordingly.
|
219
196
|
|
220
|
-
|
221
|
-
|
222
|
-
|
223
|
-
#=> <button type="submit">Update</button>
|
224
|
-
#=> </form>
|
197
|
+
Can be used like this for a single source:
|
198
|
+
```erb
|
199
|
+
<%= picture_tag("picture.webp") %>
|
225
200
|
```
|
226
|
-
|
227
|
-
|
228
|
-
|
229
|
-
|
230
|
-
|
231
|
-
```ruby
|
232
|
-
form.button(:draft, value: true)
|
233
|
-
# => <button name="post[draft]" value="true" type="submit">Create post</button>
|
234
|
-
|
235
|
-
form.button(:draft, value: true) do
|
236
|
-
content_tag(:strong, "Save as draft")
|
237
|
-
end
|
238
|
-
# => <button name="post[draft]" value="true" type="submit">
|
239
|
-
# <strong>Save as draft</strong>
|
240
|
-
# </button>
|
201
|
+
which will generate the following:
|
202
|
+
```html
|
203
|
+
<picture>
|
204
|
+
<img src="/images/picture.webp" />
|
205
|
+
</picture>
|
241
206
|
```
|
242
207
|
|
243
|
-
|
244
|
-
|
245
|
-
|
246
|
-
|
247
|
-
|
248
|
-
```
|
249
|
-
|
250
|
-
|
251
|
-
|
252
|
-
|
208
|
+
For multiple sources:
|
209
|
+
```erb
|
210
|
+
<%= picture_tag("picture.webp", "picture.png", :class => "mt-2", :image => { alt: "Image", class: "responsive-img" }) %>
|
211
|
+
```
|
212
|
+
will generate:
|
213
|
+
```html
|
214
|
+
<picture class="mt-2">
|
215
|
+
<source srcset="/images/picture.webp" />
|
216
|
+
<source srcset="/images/picture.png" />
|
217
|
+
<img alt="Image" class="responsive-img" src="/images/picture.png" />
|
218
|
+
</picture>
|
253
219
|
```
|
254
220
|
|
255
|
-
|
256
|
-
|
257
|
-
|
258
|
-
|
259
|
-
|
260
|
-
|
261
|
-
|
221
|
+
Full control via a block:
|
222
|
+
```erb
|
223
|
+
<%= picture_tag(:class => "my-class") do %>
|
224
|
+
<%= tag(:source, :srcset => image_path("picture.webp")) %>
|
225
|
+
<%= tag(:source, :srcset => image_path("picture.png")) %>
|
226
|
+
<%= image_tag("picture.png", :alt => "Image") %>
|
227
|
+
<% end %>
|
228
|
+
```
|
229
|
+
will generate:
|
230
|
+
```html
|
231
|
+
<picture class="my-class">
|
232
|
+
<source srcset="/images/picture.webp" />
|
233
|
+
<source srcset="/images/picture.png" />
|
234
|
+
<img alt="Image" src="/images/picture.png" />
|
235
|
+
</picture>
|
262
236
|
```
|
263
237
|
|
264
|
-
*
|
238
|
+
*Juan Pablo Balarini*
|
265
239
|
|
266
|
-
*
|
240
|
+
* Remove deprecated support to passing instance variables as locals to partials.
|
267
241
|
|
268
|
-
|
269
|
-
button_to "Create", Post.new, authenticity_token: false
|
270
|
-
# => <form class="button_to" method="post" action="/posts"><button type="submit">Create</button></form>
|
242
|
+
*Rafael Mendonça França*
|
271
243
|
|
272
|
-
|
273
|
-
# => <form class="button_to" method="post" action="/posts"><button type="submit">Create</button><input type="hidden" name="form_token" value="abc123..." autocomplete="off" /></form>
|
244
|
+
* Remove deprecated constant `ActionView::Path`.
|
274
245
|
|
275
|
-
|
276
|
-
# => <form class="button_to" method="post" action="/posts"><button type="submit">Create</button><input type="hidden" name="form_token" value="secret" autocomplete="off" /></form>
|
277
|
-
```
|
246
|
+
*Rafael Mendonça França*
|
278
247
|
|
279
|
-
|
280
|
-
|
281
|
-
* Support rendering `<form>` elements _without_ `[action]` attributes by:
|
282
|
-
|
283
|
-
* `form_with url: false` or `form_with ..., html: { action: false }`
|
284
|
-
* `form_for ..., url: false` or `form_for ..., html: { action: false }`
|
285
|
-
* `form_tag false` or `form_tag ..., action: false`
|
286
|
-
* `button_to "...", false` or `button_to(false) { ... }`
|
248
|
+
* Guard `token_list` calls from escaping HTML too often
|
287
249
|
|
288
250
|
*Sean Doyle*
|
289
251
|
|
290
|
-
*
|
291
|
-
|
292
|
-
date_select("article", "written_on", day_format: ->(day) { day.ordinalize })
|
293
|
-
# generates day options like <option value="1">1st</option>\n<option value="2">2nd</option>...
|
252
|
+
* `select` can now be called with a single hash containing options and some HTML options
|
294
253
|
|
295
|
-
|
254
|
+
Previously this would not work as expected:
|
296
255
|
|
297
|
-
|
298
|
-
|
299
|
-
|
300
|
-
link_to @profile
|
301
|
-
#=> <a href="/profiles/1">Eileen</a>
|
256
|
+
```erb
|
257
|
+
<%= select :post, :author, authors, required: true %>
|
258
|
+
```
|
302
259
|
|
303
|
-
|
260
|
+
Instead you needed to do this:
|
304
261
|
|
305
|
-
|
306
|
-
|
307
|
-
|
308
|
-
name
|
309
|
-
end
|
310
|
-
end
|
262
|
+
```erb
|
263
|
+
<%= select :post, :author, authors, {}, required: true %>
|
264
|
+
```
|
311
265
|
|
312
|
-
|
313
|
-
model implemented a `#to_s` method that called the `name` method.
|
266
|
+
Now, either form is accepted, for the following HTML attributes: `required`, `multiple`, `size`.
|
314
267
|
|
315
|
-
|
316
|
-
#=> <a href="/profiles/1">Eileen</a>
|
268
|
+
*Alex Ghiculescu*
|
317
269
|
|
318
|
-
|
270
|
+
* Datetime form helpers (`time_field`, `date_field`, `datetime_field`, `week_field`, `month_field`) now accept an instance of Time/Date/DateTime as `:value` option.
|
319
271
|
|
320
|
-
|
272
|
+
Before:
|
273
|
+
```erb
|
274
|
+
<%= form.datetime_field :written_at, value: Time.current.strftime("%Y-%m-%dT%T") %>
|
275
|
+
```
|
321
276
|
|
322
|
-
|
323
|
-
|
277
|
+
After:
|
278
|
+
```erb
|
279
|
+
<%= form.datetime_field :written_at, value: Time.current %>
|
280
|
+
```
|
324
281
|
|
325
|
-
*
|
282
|
+
*Andrey Samsonov*
|
326
283
|
|
284
|
+
* Choices of `select` can optionally contain html attributes as the last element
|
285
|
+
of the child arrays when using grouped/nested collections
|
327
286
|
|
328
|
-
|
287
|
+
```erb
|
288
|
+
<%= form.select :foo, [["North America", [["United States","US"],["Canada","CA"]], { disabled: "disabled" }]] %>
|
289
|
+
# => <select><optgroup label="North America" disabled="disabled"><option value="US">United States</option><option value="CA">Canada</option></optgroup></select>
|
290
|
+
```
|
329
291
|
|
330
|
-
*
|
292
|
+
*Chris Gunther*
|
331
293
|
|
294
|
+
* `check_box_tag` and `radio_button_tag` now accept `checked` as a keyword argument
|
332
295
|
|
333
|
-
|
296
|
+
This is to make the API more consistent with the `FormHelper` variants. You can now
|
297
|
+
provide `checked` as a positional or keyword argument:
|
334
298
|
|
335
|
-
|
336
|
-
|
299
|
+
```erb
|
300
|
+
= check_box_tag "admin", "1", false
|
301
|
+
= check_box_tag "admin", "1", checked: false
|
337
302
|
|
338
|
-
|
303
|
+
= radio_button_tag 'favorite_color', 'maroon', false
|
304
|
+
= radio_button_tag 'favorite_color', 'maroon', checked: false
|
305
|
+
```
|
339
306
|
|
340
|
-
*
|
307
|
+
*Alex Ghiculescu*
|
341
308
|
|
342
|
-
|
309
|
+
* Allow passing a class to `dom_id`.
|
310
|
+
You no longer need to call `new` when passing a class to `dom_id`.
|
311
|
+
This makes `dom_id` behave like `dom_class` in this regard.
|
312
|
+
Apart from saving a few keystrokes, it prevents Ruby from needing
|
313
|
+
to instantiate a whole new object just to generate a string.
|
343
314
|
|
344
|
-
|
315
|
+
Before:
|
316
|
+
```ruby
|
317
|
+
dom_id(Post) # => NoMethodError: undefined method `to_key' for Post:Class
|
318
|
+
```
|
345
319
|
|
346
|
-
|
320
|
+
After:
|
321
|
+
```ruby
|
322
|
+
dom_id(Post) # => "new_post"
|
323
|
+
```
|
347
324
|
|
348
|
-
*
|
325
|
+
*Goulven Champenois*
|
349
326
|
|
350
|
-
|
327
|
+
* Report `:locals` as part of the data returned by ActionView render instrumentation.
|
351
328
|
|
352
|
-
|
329
|
+
Before:
|
330
|
+
```ruby
|
331
|
+
{
|
332
|
+
identifier: "/Users/adam/projects/notifications/app/views/posts/index.html.erb",
|
333
|
+
layout: "layouts/application"
|
334
|
+
}
|
335
|
+
```
|
353
336
|
|
354
|
-
|
355
|
-
|
337
|
+
After:
|
338
|
+
```ruby
|
339
|
+
{
|
340
|
+
identifier: "/Users/adam/projects/notifications/app/views/posts/index.html.erb",
|
341
|
+
layout: "layouts/application",
|
342
|
+
locals: {foo: "bar"}
|
343
|
+
}
|
344
|
+
```
|
356
345
|
|
357
|
-
|
346
|
+
*Aaron Gough*
|
358
347
|
|
359
|
-
|
360
|
-
# => <input value="16:22:01.440" type="time" />
|
348
|
+
* Strip `break_sequence` at the end of `word_wrap`.
|
361
349
|
|
362
|
-
This
|
350
|
+
This fixes a bug where `word_wrap` didn't properly strip off break sequences that had printable characters.
|
363
351
|
|
364
|
-
|
352
|
+
For example, compare the outputs of this template:
|
365
353
|
|
366
|
-
|
354
|
+
```erb
|
355
|
+
# <%= word_wrap("11 22\n33 44", line_width: 2, break_sequence: "\n# ") %>
|
356
|
+
```
|
367
357
|
|
368
|
-
|
358
|
+
Before:
|
369
359
|
|
370
|
-
|
360
|
+
```
|
361
|
+
# 11
|
362
|
+
# 22
|
363
|
+
#
|
364
|
+
# 33
|
365
|
+
# 44
|
366
|
+
#
|
367
|
+
```
|
371
368
|
|
372
|
-
|
369
|
+
After:
|
373
370
|
|
374
|
-
|
371
|
+
```
|
372
|
+
# 11
|
373
|
+
# 22
|
374
|
+
# 33
|
375
|
+
# 44
|
376
|
+
```
|
375
377
|
|
376
|
-
*
|
378
|
+
*Max Chernyak*
|
377
379
|
|
378
|
-
*
|
379
|
-
translation keys through `I18n.translate` for interpolation.
|
380
|
+
* Allow templates to set strict `locals`.
|
380
381
|
|
381
|
-
|
382
|
+
By default, templates will accept any `locals` as keyword arguments. To define what `locals` a template accepts, add a `locals` magic comment:
|
382
383
|
|
383
|
-
|
384
|
-
|
384
|
+
```erb
|
385
|
+
<%# locals: (message:) -%>
|
386
|
+
<%= message %>
|
387
|
+
```
|
385
388
|
|
386
|
-
|
389
|
+
Default values can also be provided:
|
387
390
|
|
388
|
-
```
|
389
|
-
|
390
|
-
|
391
|
+
```erb
|
392
|
+
<%# locals: (message: "Hello, world!") -%>
|
393
|
+
<%= message %>
|
391
394
|
```
|
392
395
|
|
393
|
-
|
396
|
+
Or `locals` can be disabled entirely:
|
394
397
|
|
395
|
-
```
|
396
|
-
|
397
|
-
# <link href="/stylesheets/style.less" rel="stylesheet/less">
|
398
|
+
```erb
|
399
|
+
<%# locals: () %>
|
398
400
|
```
|
399
401
|
|
400
|
-
*
|
401
|
-
|
402
|
-
* Deprecate `render` locals to be assigned to instance variables.
|
402
|
+
*Joel Hawksley*
|
403
403
|
|
404
|
-
|
404
|
+
* Add `include_seconds` option for `datetime_local_field`
|
405
405
|
|
406
|
-
|
406
|
+
This allows to omit seconds part in the input field, by passing `include_seconds: false`
|
407
407
|
|
408
|
-
*
|
408
|
+
*Wojciech Wnętrzak*
|
409
409
|
|
410
|
-
*
|
411
|
-
|
410
|
+
* Guard against `ActionView::Helpers::FormTagHelper#field_name` calls with nil
|
411
|
+
`object_name` arguments. For example:
|
412
412
|
|
413
|
-
|
414
|
-
|
415
|
-
|
416
|
-
|
417
|
-
|
418
|
-
=> <input type="hidden" name="_method" value="put">
|
419
|
-
=> <button type="submit">Update</button>
|
420
|
-
=> <button type="submit" formmethod="post" name="_method" value="delete">Delete</button>
|
421
|
-
=> </form>
|
422
|
-
%>
|
413
|
+
```erb
|
414
|
+
<%= fields do |f| %>
|
415
|
+
<%= f.field_name :body %>
|
416
|
+
<% end %>
|
417
|
+
```
|
423
418
|
|
424
419
|
*Sean Doyle*
|
425
420
|
|
426
|
-
*
|
427
|
-
`<button>` element, regardless of whether or not the content is passed as
|
428
|
-
the first argument or as a block.
|
429
|
-
|
430
|
-
<%= button_to "Delete", post_path(@post), method: :delete %>
|
431
|
-
# => <form action="/posts/1"><input type="hidden" name="_method" value="delete"><button type="submit">Delete</button></form>
|
432
|
-
|
433
|
-
<%= button_to post_path(@post), method: :delete do %>
|
434
|
-
Delete
|
435
|
-
<% end %>
|
436
|
-
# => <form action="/posts/1"><input type="hidden" name="_method" value="delete"><button type="submit">Delete</button></form>
|
421
|
+
* Strings returned from `strip_tags` are correctly tagged `html_safe?`
|
437
422
|
|
438
|
-
|
423
|
+
Because these strings contain no HTML elements and the basic entities are escaped, they are safe
|
424
|
+
to be included as-is as PCDATA in HTML content. Tagging them as html-safe avoids double-escaping
|
425
|
+
entities when being concatenated to a SafeBuffer during rendering.
|
439
426
|
|
440
|
-
|
441
|
-
the `Link` header being added by default when using `stylesheet_link_tag`
|
442
|
-
and `javascript_include_tag`.
|
427
|
+
Fixes [rails/rails-html-sanitizer#124](https://github.com/rails/rails-html-sanitizer/issues/124)
|
443
428
|
|
444
|
-
*
|
429
|
+
*Mike Dalessio*
|
445
430
|
|
446
|
-
*
|
447
|
-
specified, instead of always returning `nil`.
|
431
|
+
* Move `convert_to_model` call from `form_for` into `form_with`
|
448
432
|
|
449
|
-
|
433
|
+
Now that `form_for` is implemented in terms of `form_with`, remove the
|
434
|
+
`convert_to_model` call from `form_for`.
|
450
435
|
|
451
|
-
*
|
452
|
-
the `image_tag` `:loading` option.
|
436
|
+
*Sean Doyle*
|
453
437
|
|
454
|
-
|
455
|
-
lazy loading images sitewide, without changing view code.
|
438
|
+
* Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
|
456
439
|
|
457
|
-
|
440
|
+
Escape dangerous characters in names of tags and names of attributes in the
|
441
|
+
tag helpers, following the XML specification. Rename the option
|
442
|
+
`:escape_attributes` to `:escape`, to simplify by applying the option to the
|
443
|
+
whole tag.
|
458
444
|
|
459
|
-
|
460
|
-
of the `<form>` element's `id` attribute. With a `method` argument, returns
|
461
|
-
the `id` attribute for a form field with that name.
|
445
|
+
*Álvaro Martín Fraguas*
|
462
446
|
|
463
|
-
|
464
|
-
<%# ... %>
|
447
|
+
* Extend audio_tag and video_tag to accept Active Storage attachments.
|
465
448
|
|
466
|
-
|
467
|
-
<%= form.button(form: f.id) %>
|
468
|
-
<% end %>
|
469
|
-
<% end %>
|
449
|
+
Now it's possible to write
|
470
450
|
|
471
|
-
|
451
|
+
```ruby
|
452
|
+
audio_tag(user.audio_file)
|
453
|
+
video_tag(user.video_file)
|
454
|
+
```
|
472
455
|
|
473
|
-
|
474
|
-
the FormBuilder for the given attribute name.
|
456
|
+
Instead of
|
475
457
|
|
476
|
-
|
477
|
-
|
478
|
-
|
479
|
-
|
480
|
-
<% end %>
|
458
|
+
```ruby
|
459
|
+
audio_tag(polymorphic_path(user.audio_file))
|
460
|
+
video_tag(polymorphic_path(user.video_file))
|
461
|
+
```
|
481
462
|
|
482
|
-
|
463
|
+
`image_tag` already supported that, so this follows the same pattern.
|
483
464
|
|
484
|
-
*
|
485
|
-
interpolated into ERB.
|
465
|
+
*Matheus Richard*
|
486
466
|
|
487
|
-
|
488
|
-
# => <input type="text" aria-label="Search">
|
467
|
+
* Ensure models passed to `form_for` attempt to call `to_model`.
|
489
468
|
|
490
469
|
*Sean Doyle*
|
491
470
|
|
492
|
-
|
493
|
-
Please check [6-1-stable](https://github.com/rails/rails/blob/6-1-stable/actionview/CHANGELOG.md) for previous changes.
|
471
|
+
Please check [7-0-stable](https://github.com/rails/rails/blob/7-0-stable/actionview/CHANGELOG.md) for previous changes.
|