actionview 7.0.8 → 7.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a569f4f8e520c94ea5c5f0b9ab2005dd9a53e3d665bb11ecedf0f76886b6b848
-  data.tar.gz: 4e0fc28a999734b27cf9c02900cca0dc36670e89529cbb67d8f0d72e121f5593
+  metadata.gz: 00d61ae3c549bc7d1a9cff55cfa4f096b50878775309401644a1d6fe23032c8c
+  data.tar.gz: 46dd30ccb2b17b5de7ac58dd981d616e3fbef55794c51a50865d68c10b6875ce
 SHA512:
-  metadata.gz: 3ce2666c92327eeef024073a9780fd53c10320ef0b10c07d200fffe7ca9ec4d7634ad045a958f136a3c64432db5d2aff59b12e3ed81037118b6e67083398af64
-  data.tar.gz: 92089fb1751e5399ddd65b5728067ff4cec2751823a320dce88418d430a22ff18c29e84fc186eb5c3514becbeb39fd372ab87f41fd44fc1543a46097642c04e1
+  metadata.gz: 73a1ea9695efd725f3b50f547852f1c708cc1bc63de0f2a90c6d31c79fd2161c6eb8d08feb9e019c84012d224bd30bf63d4d1535f1e874e287328935141b1f30
+  data.tar.gz: 818d59c9d7c22fa30695f1f1ad64d040f1187c686cf10d8f679f4f01e623bb809689acf212499cb6058314b2f4097c94b64a85d3e19aec9c708adef29ce38b39

data/CHANGELOG.md

@@ -1,493 +1,108 @@
-## Rails 7.0.8 (September 09, 2023) ##
+## Rails 7.2.0 (August 09, 2024) ##
 
-*   Fix `form_for` missing the hidden `_method` input for models with a
-    namespaced route.
+*   Fix templates with strict locals to also include `local_assigns`.
 
-    *Hartley McGuire*
-
-*   Fix `render collection: @records, cache: true` inside `jbuilder` templates
-
-    The previous fix that shipped in `7.0.7` assumed template fragments are always strings,
-    this isn't true with `jbuilder`.
+    Previously templates defining strict locals wouldn't receive the `local_assigns`
+    hash.
 
     *Jean Boussier*
 
-## Rails 7.0.7.2 (August 22, 2023) ##
-
-*   No changes.
-
-
-## Rails 7.0.7.1 (August 22, 2023) ##
-
-*   No changes.
-
-
-## Rails 7.0.7 (August 09, 2023) ##
-
-*   Fix `render collection: @records, cache: true` to cache fragments as bare strings
-
-    Previously it would incorrectly cache them as Action View buffers.
-
-    *Jean Boussier*
-
-*   Don't double-encode nested `field_id` and `field_name` index values
-
-    Pass `index: @options` as a default keyword argument to `field_id` and
-    `field_name` view helper methods.
-
-    *Sean Doyle*
-
-
-## Rails 7.0.6 (June 29, 2023) ##
-
-*   No changes.
-
-
-## Rails 7.0.5.1 (June 26, 2023) ##
-
-*   No changes.
-
-
-## Rails 7.0.5 (May 24, 2023) ##
-
-*   `FormBuilder#id` finds id set by `form_for` and `form_with`.
-
-    *Matt Polito*
-
-*   Allow all available locales for template lookups.
-
-    *Ben Dilley*
-
-*   Choices of `select` can optionally contain html attributes as the last element
-    of the child arrays when using grouped/nested collections
-
-    ```erb
-    <%= form.select :foo, [["North America", [["United States","US"],["Canada","CA"]], { disabled: "disabled" }]] %>
-    # => <select><optgroup label="North America" disabled="disabled"><option value="US">United States</option><option value="CA">Canada</option></optgroup></select>
-    ```
-
-    *Chris Gunther*
-
-
-## Rails 7.0.4.3 (March 13, 2023) ##
-
-*   Ignore certain data-* attributes in rails-ujs when element is contenteditable
-
-    [CVE-2023-23913]
-
-
-## Rails 7.0.4.2 (January 24, 2023) ##
-
-*   No changes.
-
-
-## Rails 7.0.4.1 (January 17, 2023) ##
-
-*   No changes.
-
-
-## Rails 7.0.4 (September 09, 2022) ##
+*   Add queries count to template rendering instrumentation.
 
-*   Guard against `ActionView::Helpers::FormTagHelper#field_name` calls with nil
-    `object_name` arguments. For example:
-
-    ```erb
-    <%= fields do |f| %>
-      <%= f.field_name :body %>
-    <% end %>
     ```
+    # Before
+    Completed 200 OK in 3804ms (Views: 41.0ms | ActiveRecord: 33.5ms | Allocations: 112788)
 
-    *Sean Doyle*
-
-*   Strings returned from `strip_tags` are correctly tagged `html_safe?`
-
-    Because these strings contain no HTML elements and the basic entities are escaped, they are safe
-    to be included as-is as PCDATA in HTML content. Tagging them as html-safe avoids double-escaping
-    entities when being concatenated to a SafeBuffer during rendering.
-
-    Fixes [rails/rails-html-sanitizer#124](https://github.com/rails/rails-html-sanitizer/issues/124)
-
-    *Mike Dalessio*
-
-## Rails 7.0.3.1 (July 12, 2022) ##
-
-*   No changes.
-
-
-## Rails 7.0.3 (May 09, 2022) ##
-
-*   Ensure models passed to `form_for` attempt to call `to_model`.
-
-    *Sean Doyle*
-
-## Rails 7.0.2.4 (April 26, 2022) ##
-
-*   Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
-
-    Escape dangerous characters in names of tags and names of attributes in the
-    tag helpers, following the XML specification. Rename the option
-    `:escape_attributes` to `:escape`, to simplify by applying the option to the
-    whole tag.
-
-    *Álvaro Martín Fraguas*
-
-## Rails 7.0.2.3 (March 08, 2022) ##
-
-*   No changes.
-
-
-## Rails 7.0.2.2 (February 11, 2022) ##
-
-*   No changes.
-
-
-## Rails 7.0.2.1 (February 11, 2022) ##
-
-*   No changes.
-
-
-## Rails 7.0.2 (February 08, 2022) ##
-
-*   Ensure `preload_link_tag` preloads JavaScript modules correctly.
-
-    *Máximo Mussini*
-
-*   Fix `stylesheet_link_tag` and similar helpers are being used to work in objects with
-    a `response` method.
-
-    *dark-panda*
-
-
-## Rails 7.0.1 (January 06, 2022) ##
-
-*   Fix `button_to` to work with a hash parameter as URL.
-
-    *MingyuanQin*
-
-*   Fix `link_to` with a model passed as an argument twice.
-
-    *Alex Ghiculescu*
-
-
-## Rails 7.0.0 (December 15, 2021) ##
-
-*   Support `include_hidden:` option in calls to
-    `ActionView::Helper::FormBuilder#file_field` with `multiple: true` to
-    support submitting an empty collection of files.
-
-    ```ruby
-    form.file_field :attachments, multiple: true
-    # => <input type="hidden" autocomplete="off" name="post[attachments][]" value="">
-         <input type="file" multiple="multiple" id="post_attachments" name="post[attachments][]">
-
-    form.file_field :attachments, multiple: true, include_hidden: false
-    # => <input type="file" multiple="multiple" id="post_attachments" name="post[attachments][]">
+    # After
+    Completed 200 OK in 3804ms (Views: 41.0ms | ActiveRecord: 33.5ms (2 queries, 1 cached) | Allocations: 112788)
     ```
 
-    *Sean Doyle*
-
-*   Fix `number_with_precision(raise: true)` always raising even on valid numbers.
+    *fatkodima*
 
-    *Pedro Moreira*
-
-
-## Rails 7.0.0.rc3 (December 14, 2021) ##
-
-*   No changes.
-
-
-## Rails 7.0.0.rc2 (December 14, 2021) ##
-
-*   No changes.
-
-## Rails 7.0.0.rc1 (December 06, 2021) ##
-
-*   Support `fields model: [@nested, @model]` the same way as `form_with model:
-    [@nested, @model]`.
+*   Raise `ArgumentError` if `:renderable` object does not respond to `#render_in`.
 
     *Sean Doyle*
 
-*   Infer HTTP verb `[method]` from a model or Array with model as the first
-    argument to `button_to` when combined with a block:
+*   Add the `nonce: true` option for `stylesheet_link_tag` helper to support automatic nonce generation for Content Security Policy.
 
-    ```ruby
-    button_to(Workshop.find(1)){ "Update" }
-    #=> <form method="post" action="/workshops/1" class="button_to">
-    #=>   <input type="hidden" name="_method" value="patch" autocomplete="off" />
-    #=>   <button type="submit">Update</button>
-    #=> </form>
-
-    button_to([ Workshop.find(1), Session.find(1) ]) { "Update" }
-    #=> <form method="post" action="/workshops/1/sessions/1" class="button_to">
-    #=>   <input type="hidden" name="_method" value="patch" autocomplete="off" />
-    #=>   <button type="submit">Update</button>
-    #=> </form>
-    ```
+    Works the same way as `javascript_include_tag nonce: true` does.
 
-    *Sean Doyle*
+    *Akhil G Krishnan*, *AJ Esler*
 
-*   Support passing a Symbol as the first argument to `FormBuilder#button`:
-
-    ```ruby
-    form.button(:draft, value: true)
-    # => <button name="post[draft]" value="true" type="submit">Create post</button>
-
-    form.button(:draft, value: true) do
-      content_tag(:strong, "Save as draft")
-    end
-    # =>  <button name="post[draft]" value="true" type="submit">
-    #       <strong>Save as draft</strong>
-    #     </button>
-    ```
+*   Parse `ActionView::TestCase#rendered` HTML content as `Nokogiri::XML::DocumentFragment` instead of `Nokogiri::XML::Document`.
 
     *Sean Doyle*
 
-*   Introduce the `field_name` view helper, along with the
-    `FormBuilder#field_name` counterpart:
+*   Rename `ActionView::TestCase::Behavior::Content` to `ActionView::TestCase::Behavior::RenderedViewContent`.
 
-    ```ruby
-    form_for @post do |f|
-      f.field_tag :tag, name: f.field_name(:tag, multiple: true)
-      # => <input type="text" name="post[tag][]">
-    end
-    ```
+    Make `RenderedViewContent` inherit from `String`. Make private API with `:nodoc:`
 
     *Sean Doyle*
 
-*   Execute the `ActionView::Base.field_error_proc` within the context of the
-    `ActionView::Base` instance:
+*   Deprecate passing `nil` as value for the `model:` argument to the `form_with` method.
 
-    ```ruby
-    config.action_view.field_error_proc = proc { |html| content_tag(:div, html, class: "field_with_errors") }
-    ```
-
-    *Sean Doyle*
-
-*   Add support for `button_to ..., authenticity_token: false`
-
-    ```ruby
-    button_to "Create", Post.new, authenticity_token: false
-    # => <form class="button_to" method="post" action="/posts"><button type="submit">Create</button></form>
+    *Collin Jilbert*
 
-    button_to "Create", Post.new, authenticity_token: true
-    # => <form class="button_to" method="post" action="/posts"><button type="submit">Create</button><input type="hidden" name="form_token" value="abc123..." autocomplete="off" /></form>
-
-    button_to "Create", Post.new, authenticity_token: "secret"
-    # => <form class="button_to" method="post" action="/posts"><button type="submit">Create</button><input type="hidden" name="form_token" value="secret" autocomplete="off" /></form>
-    ```
-
-    *Sean Doyle*
-
-*   Support rendering `<form>` elements _without_ `[action]` attributes by:
-
-    * `form_with url: false` or `form_with ..., html: { action: false }`
-    * `form_for ..., url: false` or `form_for ..., html: { action: false }`
-    * `form_tag false` or `form_tag ..., action: false`
-    * `button_to "...", false` or `button_to(false) { ... }`
+*   Alias `field_set_tag` helper to `fieldset_tag` to match `<fieldset>` element.
 
     *Sean Doyle*
 
-*   Add `:day_format` option to `date_select`
-
-        date_select("article", "written_on", day_format: ->(day) { day.ordinalize })
-        # generates day options like <option value="1">1st</option>\n<option value="2">2nd</option>...
-
-    *Shunichi Ikegami*
-
-*   Allow `link_to` helper to infer link name from `Model#to_s` when it
-    is used with a single argument:
-
-        link_to @profile
-        #=> <a href="/profiles/1">Eileen</a>
-
-    This assumes the model class implements a `to_s` method like this:
-
-        class Profile < ApplicationRecord
-          # ...
-          def to_s
-            name
-          end
-        end
-
-    Previously you had to supply a second argument even if the `Profile`
-    model implemented a `#to_s` method that called the `name` method.
-
-        link_to @profile, @profile.name
-        #=> <a href="/profiles/1">Eileen</a>
-
-    *Olivier Lacan*
-
-*   Support svg unpaired tags for `tag` helper.
-
-        tag.svg { tag.use('href' => "#cool-icon") }
-        # => <svg><use href="#cool-icon"></svg>
-
-    *Oleksii Vasyliev*
-
-
-## Rails 7.0.0.alpha2 (September 15, 2021) ##
-
-*   No changes.
-
+*   Deprecate passing content to void elements when using `tag.br` type tag builders.
 
-## Rails 7.0.0.alpha1 (September 15, 2021) ##
-
-*   Improves the performance of ActionView::Helpers::NumberHelper formatters by avoiding the use of
-    exceptions as flow control.
-
-    *Mike Dalessio*
-
-*   `preload_link_tag` properly inserts `as` attributes for files with `image` MIME types, such as JPG or SVG.
-
-    *Nate Berkopec*
-
-*   Add `weekday_options_for_select` and `weekday_select` helper methods. Also adds `weekday_select` to `FormBuilder`.
-
-    *Drew Bragg*, *Dana Kashubeck*, *Kasper Timm Hansen*
-
-*   Add `caching?` helper that returns whether the current code path is being cached and `uncacheable!` to denote helper methods that can't participate in fragment caching.
+    *Hartley McGuire*
 
-    *Ben Toews*, *John Hawthorn*, *Kasper Timm Hansen*, *Joel Hawksley*
+*   Fix the `number_to_human_size` view helper to correctly work with negative numbers.
 
-*   Add `include_seconds` option for `time_field`.
+    *Earlopain*
 
-        <%= form.time_field :foo, include_seconds: false %>
-        # => <input value="16:22" type="time" />
+*   Automatically discard the implicit locals injected by collection rendering for template that can't accept them.
 
-    Default includes seconds:
+    When rendering a collection, two implicit variables are injected, which breaks templates with strict locals.
 
-        <%= form.time_field :foo %>
-        # => <input value="16:22:01.440" type="time" />
+    Now they are only passed if the template will actually accept them.
 
-    This allows you to take advantage of [different rendering options](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/time#time_value_format) in some browsers.
+    *Yasha Krasnou*, *Jean Boussier*
 
-    *Alex Ghiculescu*
+*   Fix `@rails/ujs` calling `start()` an extra time when using bundlers.
 
-*   Improve error messages when template file does not exist at absolute filepath.
+    *Hartley McGuire*, *Ryunosuke Sato*
 
-    *Ted Whang*
+*   Fix the `capture` view helper compatibility with HAML and Slim.
 
-*   Add `:country_code` option to `sms_to` for consistency with `phone_to`.
+    When a blank string was captured in HAML or Slim (and possibly other template engines)
+    it would instead return the entire buffer.
 
-    *Jonathan Hefner*
+    *Jean Boussier*
 
-*   OpenSSL constants are now used for Digest computations.
+*   Updated `@rails/ujs` files to ignore certain data-* attributes when element is contenteditable.
 
-    *Dirkjan Bussink*
+    This fix was already landed in >= 7.0.4.3, < 7.1.0.
+    [[CVE-2023-23913](https://github.com/advisories/GHSA-xp5h-f8jf-rc8q)]
 
-*   The `translate` helper now passes `default` values that aren't
-    translation keys through `I18n.translate` for interpolation.
+    *Ryunosuke Sato*
 
-    *Jonathan Hefner*
+*   Added validation for HTML tag names in the `tag` and `content_tag` helper method.
 
-*   Adds option `extname` to `stylesheet_link_tag` to skip default
-    `.css` extension appended to the stylesheet path.
+    The `tag` and `content_tag` method now checks that the provided tag name adheres to the HTML
+    specification. If an invalid HTML tag name is provided, the method raises an `ArgumentError`
+    with an appropriate error message.
 
-    Before:
+    Examples:
 
     ```ruby
-    stylesheet_link_tag "style.less"
-    # <link href="/stylesheets/style.less.scss" rel="stylesheet">
-    ```
-
-    After:
-
-    ```ruby
-    stylesheet_link_tag "style.less", extname: false, skip_pipeline: true, rel: "stylesheet/less"
-    # <link href="/stylesheets/style.less" rel="stylesheet/less">
-    ```
-
-    *Abhay Nikam*
-
-*   Deprecate `render` locals to be assigned to instance variables.
-
-    *Petrik de Heus*
-
-*   Remove legacy default `media=screen` from `stylesheet_link_tag`.
-
-    *André Luis Leal Cardoso Junior*
-
-*   Change `ActionView::Helpers::FormBuilder#button` to transform `formmethod`
-    attributes into `_method="$VERB"` Form Data to enable varied same-form actions:
-
-        <%= form_with model: post, method: :put do %>
-          <%= form.button "Update" %>
-          <%= form.button "Delete", formmethod: :delete %>
-        <% end %>
-        <%# => <form action="posts/1">
-            =>   <input type="hidden" name="_method" value="put">
-            =>   <button type="submit">Update</button>
-            =>   <button type="submit" formmethod="post" name="_method" value="delete">Delete</button>
-            => </form>
-        %>
-
-    *Sean Doyle*
+    # Raises ArgumentError: Invalid HTML5 tag name: 12p
+    content_tag("12p") # Starting with a number
 
-*   Change `ActionView::Helpers::UrlHelper#button_to` to *always* render a
-    `<button>` element, regardless of whether or not the content is passed as
-    the first argument or as a block.
+    # Raises ArgumentError: Invalid HTML5 tag name: ""
+    content_tag("") # Empty tag name
 
-        <%= button_to "Delete", post_path(@post), method: :delete %>
-        # => <form action="/posts/1"><input type="hidden" name="_method" value="delete"><button type="submit">Delete</button></form>
+    # Raises ArgumentError: Invalid HTML5 tag name: div/
+    tag("div/") # Contains a solidus
 
-        <%= button_to post_path(@post), method: :delete do %>
-          Delete
-        <% end %>
-        # => <form action="/posts/1"><input type="hidden" name="_method" value="delete"><button type="submit">Delete</button></form>
-
-    *Sean Doyle*, *Dusan Orlovic*
-
-*   Add `config.action_view.preload_links_header` to allow disabling of
-    the `Link` header being added by default when using `stylesheet_link_tag`
-    and `javascript_include_tag`.
-
-    *Andrew White*
-
-*   The `translate` helper now resolves `default` values when a `nil` key is
-    specified, instead of always returning `nil`.
-
-    *Jonathan Hefner*
-
-*   Add `config.action_view.image_loading` to configure the default value of
-    the `image_tag` `:loading` option.
-
-    By setting `config.action_view.image_loading = "lazy"`, an application can opt in to
-    lazy loading images sitewide, without changing view code.
-
-    *Jonathan Hefner*
-
-*   `ActionView::Helpers::FormBuilder#id` returns the value
-    of the `<form>` element's `id` attribute. With a `method` argument, returns
-    the `id` attribute for a form field with that name.
-
-        <%= form_for @post do |f| %>
-          <%# ... %>
-
-          <% content_for :sticky_footer do %>
-            <%= form.button(form: f.id) %>
-          <% end %>
-        <% end %>
-
-    *Sean Doyle*
-
-*   `ActionView::Helpers::FormBuilder#field_id` returns the value generated by
-    the FormBuilder for the given attribute name.
-
-        <%= form_for @post do |f| %>
-          <%= f.label :title %>
-          <%= f.text_field :title, aria: { describedby: f.field_id(:title, :error) } %>
-          <%= tag.span("is blank", id: f.field_id(:title, :error) %>
-        <% end %>
-
-    *Sean Doyle*
-
-*   Add `tag.attributes` to transform a Hash into HTML Attributes, ready to be
-    interpolated into ERB.
-
-        <input <%= tag.attributes(type: :text, aria: { label: "Search" }) %> >
-        # => <input type="text" aria-label="Search">
-
-    *Sean Doyle*
+    # Raises ArgumentError: Invalid HTML5 tag name: "image file"
+    tag("image file") # Contains a space
+    ```
 
+    *Akhil G Krishnan*
 
-Please check [6-1-stable](https://github.com/rails/rails/blob/6-1-stable/actionview/CHANGELOG.md) for previous changes.
+Please check [7-1-stable](https://github.com/rails/rails/blob/7-1-stable/actionview/CHANGELOG.md) for previous changes.

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2004-2022 David Heinemeier Hansson
+Copyright (c) David Heinemeier Hansson
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.rdoc

@@ -5,7 +5,7 @@ view helpers that assist when building HTML forms, Atom feeds and more.
 Template formats that Action View handles are ERB (embedded Ruby, typically
 used to inline short Ruby snippets inside HTML), and XML Builder.
 
-You can read more about Action View in the {Action View Overview}[https://edgeguides.rubyonrails.org/action_view_overview.html] guide.
+You can read more about Action View in the {Action View Overview}[https://guides.rubyonrails.org/action_view_overview.html] guide.
 
 == Download and installation