actionview 7.1.0 → 7.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 32185e4d0d7cd6d977741871632481ac24d5e8dc510ffdd91738c704c6a7713f
-  data.tar.gz: 18f1a181d6ca4aa6f0572e269b79046384ce61a76eaa3a7d8c94535de1119d4c
+  metadata.gz: 2ec34555888d78ec7dd238a5845d5a0a6861aabf4b43b532b9001de74d7f69f8
+  data.tar.gz: fa36f1e81bea968392435051307a0ad371e856f8fa4760b6e341df5412a017e5
 SHA512:
-  metadata.gz: db7eeb976f3e336aec8472acd0a4a4cb9fbfb7aded98236c671d98d0c081fd1331be49a67127c619691931c7f8317b0fa7af0205bd26627f11d61dfe313f2bd4
-  data.tar.gz: abd1bff9bf3b89b81fb8008641cd77299892b856b19a2788bd25d913af2c2d78963bdda2157b14aa7c7ac03a3300ef41e6acdf2ac836580406df2710d08ee6e1
+  metadata.gz: 229637c660fba19dcba6f8e15e83cf748b1e8ee0c123bc32d2b0417265df296254dfd3f9ef07d64b930f96c1e1b94a3ad9f9304a9c9e4ce734357208924019f7
+  data.tar.gz: 5ef080a91aa2611698efca00142c79aa3f005ab680cbe804c41636df0318f05ce432429a3420d06515be43f2d249e7d38d8b9e7496d64b58a9ba218451310808

data/CHANGELOG.md

@@ -1,3 +1,39 @@
+## Rails 7.1.2 (November 10, 2023) ##
+
+*   Fix the `number_to_human_size` view helper to correctly work with negative numbers.
+
+    *Earlopain*
+
+*   Automatically discard the implicit locals injected by collection rendering for template that can't accept them
+
+    When rendering a collection, two implicit variables are injected, which breaks templates with strict locals.
+
+    Now they are only passed if the template will actually accept them.
+
+    *Yasha Krasnou*, *Jean Boussier*
+
+*   Fix `@rails/ujs` calling `start()` an extra time when using bundlers
+
+    *Hartley McGuire*, *Ryunosuke Sato*
+
+*   Fix the `capture` view helper compatibility with HAML and Slim
+
+    When a blank string was captured in HAML or Slim (and possibly other template engines)
+    it would instead return the entire buffer.
+
+    *Jean Boussier*
+
+
+## Rails 7.1.1 (October 11, 2023) ##
+
+*   Updated `@rails/ujs` files to ignore certain data-* attributes when element is contenteditable.
+
+    This fix was already landed in >= 7.0.4.3, < 7.1.0.
+    [[CVE-2023-23913](https://github.com/advisories/GHSA-xp5h-f8jf-rc8q)]
+
+    *Ryunosuke Sato*
+
+
 ## Rails 7.1.0 (October 05, 2023) ##
 
 *   No changes.

data/app/assets/javascripts/rails-ujs.esm.js

@@ -58,6 +58,18 @@ const setData = function(element, key, value) {
 
 const $ = selector => Array.prototype.slice.call(document.querySelectorAll(selector));
 
+const isContentEditable = function(element) {
+  var isEditable = false;
+  do {
+    if (element.isContentEditable) {
+      isEditable = true;
+      break;
+    }
+    element = element.parentElement;
+  } while (element);
+  return isEditable;
+};
+
 const csrfToken = () => {
   const meta = document.querySelector("meta[name=csrf-token]");
   return meta && meta.content;
@@ -336,6 +348,9 @@ const enableElement = e => {
   } else {
     element = e;
   }
+  if (isContentEditable(element)) {
+    return;
+  }
   if (matches(element, linkDisableSelector)) {
     return enableLinkElement(element);
   } else if (matches(element, buttonDisableSelector) || matches(element, formEnableSelector)) {
@@ -347,6 +362,9 @@ const enableElement = e => {
 
 const disableElement = e => {
   const element = e instanceof Event ? e.target : e;
+  if (isContentEditable(element)) {
+    return;
+  }
   if (matches(element, linkDisableSelector)) {
     return disableLinkElement(element);
   } else if (matches(element, buttonDisableSelector) || matches(element, formDisableSelector)) {
@@ -426,6 +444,9 @@ const handleMethodWithRails = rails => function(e) {
   if (!method) {
     return;
   }
+  if (isContentEditable(this)) {
+    return;
+  }
   const href = rails.href(link);
   const csrfToken$1 = csrfToken();
   const csrfParam$1 = csrfParam();
@@ -460,6 +481,10 @@ const handleRemoteWithRails = rails => function(e) {
     fire(element, "ajax:stopped");
     return false;
   }
+  if (isContentEditable(element)) {
+    fire(element, "ajax:stopped");
+    return false;
+  }
   const withCredentials = element.getAttribute("data-with-credentials");
   const dataType = element.getAttribute("data-type") || "script";
   if (matches(element, formSubmitSelector)) {
@@ -658,11 +683,4 @@ if (typeof jQuery !== "undefined" && jQuery && jQuery.ajax) {
   }));
 }
 
-if (typeof exports !== "object" && typeof module === "undefined") {
-  window.Rails = Rails;
-  if (fire(document, "rails:attachBindings")) {
-    start();
-  }
-}
-
-export default Rails;
+export { Rails as default };

data/app/assets/javascripts/rails-ujs.js

@@ -44,6 +44,17 @@ Released under the MIT license
     return element[EXPANDO][key] = value;
   };
   const $ = selector => Array.prototype.slice.call(document.querySelectorAll(selector));
+  const isContentEditable = function(element) {
+    var isEditable = false;
+    do {
+      if (element.isContentEditable) {
+        isEditable = true;
+        break;
+      }
+      element = element.parentElement;
+    } while (element);
+    return isEditable;
+  };
   const csrfToken = () => {
     const meta = document.querySelector("meta[name=csrf-token]");
     return meta && meta.content;
@@ -298,6 +309,9 @@ Released under the MIT license
     } else {
       element = e;
     }
+    if (isContentEditable(element)) {
+      return;
+    }
     if (matches(element, linkDisableSelector)) {
       return enableLinkElement(element);
     } else if (matches(element, buttonDisableSelector) || matches(element, formEnableSelector)) {
@@ -308,6 +322,9 @@ Released under the MIT license
   };
   const disableElement = e => {
     const element = e instanceof Event ? e.target : e;
+    if (isContentEditable(element)) {
+      return;
+    }
     if (matches(element, linkDisableSelector)) {
       return disableLinkElement(element);
     } else if (matches(element, buttonDisableSelector) || matches(element, formDisableSelector)) {
@@ -379,6 +396,9 @@ Released under the MIT license
     if (!method) {
       return;
     }
+    if (isContentEditable(this)) {
+      return;
+    }
     const href = rails.href(link);
     const csrfToken$1 = csrfToken();
     const csrfParam$1 = csrfParam();
@@ -411,6 +431,10 @@ Released under the MIT license
       fire(element, "ajax:stopped");
       return false;
     }
+    if (isContentEditable(element)) {
+      fire(element, "ajax:stopped");
+      return false;
+    }
     const withCredentials = element.getAttribute("data-with-credentials");
     const dataType = element.getAttribute("data-type") || "script";
     if (matches(element, formSubmitSelector)) {

data/lib/action_view/gem_version.rb

@@ -9,7 +9,7 @@ module ActionView
   module VERSION
     MAJOR = 7
     MINOR = 1
-    TINY  = 0
+    TINY  = 2
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")

data/lib/action_view/helpers/asset_tag_helper.rb

@@ -378,8 +378,8 @@ module ActionView
       # You can add HTML attributes using the +options+. The +options+ supports
       # additional keys for convenience and conformance:
       #
-      # * <tt>:size</tt> - Supplied as "{Width}x{Height}" or "{Number}", so "30x45" becomes
-      #   width="30" and height="45", and "50" becomes width="50" and height="50".
+      # * <tt>:size</tt> - Supplied as <tt>"#{width}x#{height}"</tt> or <tt>"#{number}"</tt>, so <tt>"30x45"</tt> becomes
+      #   <tt>width="30" height="45"</tt>, and <tt>"50"</tt> becomes <tt>width="50" height="50"</tt>.
       #   <tt>:size</tt> will be ignored if the value is not in the correct format.
       # * <tt>:srcset</tt> - If supplied as a hash or array of <tt>[source, descriptor]</tt>
       #   pairs, each image path will be expanded before the list is formatted as a string.
@@ -511,8 +511,8 @@ module ActionView
       #
       # * <tt>:poster</tt> - Set an image (like a screenshot) to be shown
       #   before the video loads. The path is calculated like the +src+ of +image_tag+.
-      # * <tt>:size</tt> - Supplied as "{Width}x{Height}" or "{Number}", so "30x45" becomes
-      #   width="30" and height="45", and "50" becomes width="50" and height="50".
+      # * <tt>:size</tt> - Supplied as <tt>"#{width}x#{height}"</tt> or <tt>"#{number}"</tt>, so <tt>"30x45"</tt> becomes
+      #   <tt>width="30" height="45"</tt>, and <tt>"50"</tt> becomes <tt>width="50" height="50"</tt>.
       #   <tt>:size</tt> will be ignored if the value is not in the correct format.
       # * <tt>:poster_skip_pipeline</tt> will bypass the asset pipeline when using
       #   the <tt>:poster</tt> option instead using an asset in the public folder.

data/lib/action_view/helpers/capture_helper.rb

@@ -49,7 +49,13 @@ module ActionView
         @output_buffer ||= ActionView::OutputBuffer.new
         buffer = @output_buffer.capture { value = yield(*args) }
 
-        case string = buffer.presence || value
+        string = if @output_buffer.equal?(value)
+          buffer
+        else
+          buffer.presence || value
+        end
+
+        case string
         when OutputBuffer
           string.to_s
         when ActiveSupport::SafeBuffer

data/lib/action_view/helpers/form_helper.rb

@@ -1783,7 +1783,7 @@ module ActionView
       #   <% end %>
       #
       #   <%= form_for @post do |f| %>
-      #     <%= f.field_tag :tag, name: f.field_name(:tag, multiple: true) %>
+      #     <%= f.text_field :tag, name: f.field_name(:tag, multiple: true) %>
       #     <%# => <input type="text" name="post[tag][]">
       #   <% end %>
       #
@@ -2263,7 +2263,7 @@ module ActionView
       #   <% end %>
       #
       # When a collection is used you might want to know the index of each
-      # object into the array. For this purpose, the <tt>index</tt> method
+      # object in the array. For this purpose, the <tt>index</tt> method
       # is available in the FormBuilder object.
       #
       #   <%= form_for @person do |person_form| %>

data/lib/action_view/renderer/collection_renderer.rb

@@ -194,7 +194,7 @@ module ActionView
 
           _template = (cache[path] ||= (template || find_template(path, @locals.keys + [as, counter, iteration])))
 
-          content = _template.render(view, locals)
+          content = _template.render(view, locals, implicit_locals: [counter, iteration])
           content = layout.render(view, locals) { content } if layout
           partial_iteration.iterate!
           build_rendered_template(content, _template)

data/lib/action_view/template.rb

@@ -201,6 +201,7 @@ module ActionView
       @variant           = variant
       @compile_mutex     = Mutex.new
       @strict_locals     = NONE
+      @strict_local_keys = nil
       @type              = nil
     end
 
@@ -244,9 +245,15 @@ module ActionView
     # This method is instrumented as "!render_template.action_view". Notice that
     # we use a bang in this instrumentation because you don't want to
     # consume this in production. This is only slow if it's being listened to.
-    def render(view, locals, buffer = nil, add_to_stack: true, &block)
+    def render(view, locals, buffer = nil, implicit_locals: [], add_to_stack: true, &block)
       instrument_render_template do
         compile!(view)
+
+        if strict_locals? && @strict_local_keys && !implicit_locals.empty?
+          locals_to_ignore = implicit_locals - @strict_local_keys
+          locals.except!(*locals_to_ignore)
+        end
+
         if buffer
           view._run(method_name, self, locals, buffer, add_to_stack: add_to_stack, has_strict_locals: strict_locals?, &block)
           nil
@@ -283,7 +290,7 @@ module ActionView
     # the same as <tt>Encoding.default_external</tt>.
     #
     # The user can also specify the encoding via a comment on the first
-    # line of the template (# encoding: NAME-OF-ENCODING). This will work
+    # line of the template (<tt># encoding: NAME-OF-ENCODING</tt>). This will work
     # with any template engine, as we process out the encoding comment
     # before passing the source on to the template engine, leaving a
     # blank line in its stead.
@@ -474,23 +481,30 @@ module ActionView
 
         return unless strict_locals?
 
+        parameters = mod.instance_method(method_name).parameters - [[:req, :output_buffer]]
         # Check compiled method parameters to ensure that only kwargs
         # were provided as strict locals, preventing `locals: (foo, *foo)` etc
         # and allowing `locals: (foo:)`.
 
-        non_kwarg_parameters =
-          (mod.instance_method(method_name).parameters - [[:req, :output_buffer]]).
-            select { |parameter| ![:keyreq, :key, :keyrest, :nokey].include?(parameter[0]) }
+        non_kwarg_parameters = parameters.select do |parameter|
+          ![:keyreq, :key, :keyrest, :nokey].include?(parameter[0])
+        end
 
-        return unless non_kwarg_parameters.any?
+        unless non_kwarg_parameters.empty?
+          mod.undef_method(method_name)
 
-        mod.undef_method(method_name)
+          raise ArgumentError.new(
+            "#{non_kwarg_parameters.map { |_, name| "`#{name}`" }.to_sentence} set as non-keyword " \
+            "#{'argument'.pluralize(non_kwarg_parameters.length)} for #{short_identifier}. " \
+            "Locals can only be set as keyword arguments."
+          )
+        end
 
-        raise ArgumentError.new(
-          "#{non_kwarg_parameters.map { |_, name| "`#{name}`" }.to_sentence} set as non-keyword " \
-          "#{'argument'.pluralize(non_kwarg_parameters.length)} for #{short_identifier}. " \
-          "Locals can only be set as keyword arguments."
-        )
+        unless parameters.any? { |type, _| type == :keyrest }
+          parameters.map!(&:first)
+          parameters.sort!
+          @strict_local_keys = parameters.freeze
+        end
       end
 
       def offset

data/lib/action_view/test_case.rb

@@ -82,25 +82,27 @@ module ActionView
         # method, where +[FORMAT]+ corresponds to the value of the
         # +format+ argument.
         #
-        # === Arguments
+        # By default, ActionView::TestCase defines parsers for:
         #
-        # <tt>format</tt> - Symbol the name of the format used to render view's content
-        # <tt>callable</tt> - Callable to parse the String. Accepts the String.
-        #                     value as its only argument.
-        # <tt>block</tt> - Block serves as the parser when the
-        #                  <tt>callable</tt> is omitted.
+        # * +:html+ - returns an instance of +Nokogiri::XML::Node+
+        # * +:json+ - returns an instance of ActiveSupport::HashWithIndifferentAccess
         #
-        # By default, ActionView::TestCase defines a parser for:
+        # These pre-registered parsers also define corresponding helpers:
         #
-        #   * :html - returns an instance of Nokogiri::XML::Node
-        #   * :json - returns an instance of ActiveSupport::HashWithIndifferentAccess
+        # * +:html+ - defines +rendered.html+
+        # * +:json+ - defines +rendered.json+
         #
-        # Each pre-registered parser also defines a corresponding helper:
+        # ==== Parameters
         #
-        #   * :html - defines `rendered.html`
-        #   * :json - defines `rendered.json`
+        # [+format+]
+        #   The name (as a +Symbol+) of the format used to render the content.
         #
-        # === Examples
+        # [+callable+]
+        #   The parser. A callable object that accepts the rendered string as
+        #   its sole argument. Alternatively, the parser can be specified as a
+        #   block.
+        #
+        # ==== Examples
         #
         #   test "renders HTML" do
         #     article = Article.create!(title: "Hello, world")
@@ -118,7 +120,7 @@ module ActionView
         #     assert_pattern { rendered.json => { title: "Hello, world" } }
         #   end
         #
-        # To parse the rendered content into RSS, register a call to <tt>RSS::Parser.parse</tt>:
+        # To parse the rendered content into RSS, register a call to +RSS::Parser.parse+:
         #
         #   register_parser :rss, -> rendered { RSS::Parser.parse(rendered) }
         #
@@ -130,9 +132,8 @@ module ActionView
         #     assert_equal "Hello, world", rendered.rss.items.last.title
         #   end
         #
-        # To parse the rendered content into a Capybara::Simple::Node,
-        # re-register an <tt>:html</tt> parser with a call to
-        # <tt>Capybara.string</tt>:
+        # To parse the rendered content into a +Capybara::Simple::Node+,
+        # re-register an +:html+ parser with a call to +Capybara.string+:
         #
         #   register_parser :html, -> rendered { Capybara.string(rendered) }
         #
@@ -143,6 +144,7 @@ module ActionView
         #
         #     rendered.html.assert_css "h1", text: "Hello, world"
         #   end
+        #
         def register_parser(format, callable = nil, &block)
           parser = callable || block || :itself.to_proc
           content_class.redefine_method(format) do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionview
 version: !ruby/object:Gem::Version
-  version: 7.1.0
+  version: 7.1.2
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-10-05 00:00:00.000000000 Z
+date: 2023-11-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.0
+        version: 7.1.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.0
+        version: 7.1.2
 - !ruby/object:Gem::Dependency
   name: builder
   requirement: !ruby/object:Gem::Requirement
@@ -86,28 +86,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.0
+        version: 7.1.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.0
+        version: 7.1.2
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.0
+        version: 7.1.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 7.1.0
+        version: 7.1.2
 description: Simple, battle-tested conventions and helpers for building web pages.
 email: david@loudthinking.com
 executables: []
@@ -246,10 +246,10 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/rails/rails/issues
-  changelog_uri: https://github.com/rails/rails/blob/v7.1.0/actionview/CHANGELOG.md
-  documentation_uri: https://api.rubyonrails.org/v7.1.0/
+  changelog_uri: https://github.com/rails/rails/blob/v7.1.2/actionview/CHANGELOG.md
+  documentation_uri: https://api.rubyonrails.org/v7.1.2/
   mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
-  source_code_uri: https://github.com/rails/rails/tree/v7.1.0/actionview
+  source_code_uri: https://github.com/rails/rails/tree/v7.1.2/actionview
   rubygems_mfa_required: 'true'
 post_install_message:
 rdoc_options: []