actionview 7.1.5.2 → 7.2.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2aeec9b1f8aa7329a12b915a01643502803b90d4d27fb7ccce1bd0ce83259ebf
-  data.tar.gz: 3a1a8e48e41c1bfc2dd55ef5d62a155db86ff94dfc5575665e96ae3a5b6e1cb7
+  metadata.gz: 61f8e3426843a85e006134bb5d330f91e09457e3392025afab472d470d706929
+  data.tar.gz: c066f5cc2718465d6f24a8c81ee5361c3c9fcbef2288a8d04b77334e9c724ad9
 SHA512:
-  metadata.gz: 78166989c02e7657381b83bcb34dcb7867c2d866fa282d2db7ad4c25b9c874499d8e6a0bcbce1bb94ec83d0db48d789da15211abe197a309b0e21718be996c74
-  data.tar.gz: 204df71ee43e468f66334d81d55617da2badea9e0ac18c12cbd17e0771e5d376ad549db5986cd44b838bdeb5e562622e7dd4dc7ee3829289ccd619461b9ec3ed
+  metadata.gz: 0a9f2a3f39681a4687a4b8a42b10e00be43c0ee413037c9f236b3bbc04961c8d9993ee955bb0b940a5f05c0024c8f17abb3106d4420f0dea593dd020f038df55
+  data.tar.gz: b259ce7c6e668708a25ca4e61551bbe65aee7c898cf6c2da3ba0d2c40f64e6ccc5adc2067f817e95ac1f913edbb34b9e75ec4de89e058899c7644ecf4fbf5fb5

data/CHANGELOG.md

@@ -1,521 +1,209 @@
-## Rails 7.1.5.2 (August 13, 2025) ##
+## Rails 7.2.3.1 (March 23, 2026) ##
 
-*   No changes.
-
-
-## Rails 7.1.5.1 (December 10, 2024) ##
-
-*   No changes.
-
-
-## Rails 7.1.5 (October 30, 2024) ##
-
-*   No changes.
-
-
-## Rails 7.1.4.2 (October 23, 2024) ##
-
-*   No changes.
+*   Skip blank attribute names in tag helpers to avoid generating invalid HTML.
 
+    [CVE-2026-33168]
 
-## Rails 7.1.4.1 (October 15, 2024) ##
-
-*   No changes.
+    *Mike Dalessio*
 
 
-## Rails 7.1.4 (August 22, 2024) ##
+## Rails 7.2.3 (October 28, 2025) ##
 
-*   Action View Test Case `rendered` memoization.
+*   Fix `javascript_include_tag` `type` option to accept either strings and symbols.
 
-    *Sean Doyle*
+    ```ruby
+    javascript_include_tag "application", type: :module
+    javascript_include_tag "application", type: "module"
+    ```
 
-*   Restore the ability for templates to return any kind of object and not just strings
+    Previously, only the string value was recoginized.
 
     *Jean Boussier*
 
-*   Fix threading issue with strict locals.
-
-    *Robert Fletcher*
-
-
-## Rails 7.1.3.4 (June 04, 2024) ##
-
-*   No changes.
-
-
-## Rails 7.1.3.3 (May 16, 2024) ##
-
-*   No changes.
-
-
-## Rails 7.1.3.2 (February 21, 2024) ##
-
-*   No changes.
-
-
-## Rails 7.1.3.1 (February 21, 2024) ##
-
-*   No changes.
-
-
-## Rails 7.1.3 (January 16, 2024) ##
-
-*   Better handle SyntaxError in Action View.
-
-    *Mario Caropreso*
-
-*   Fix `word_wrap` with empty string.
+*   Fix `excerpt` helper with non-whitespace separator.
 
     *Jonathan Hefner*
 
-*   Rename `ActionView::TestCase::Behavior::Content` to `ActionView::TestCase::Behavior::RenderedViewContent`.
-
-    Make `RenderedViewContent` inherit from `String`. Make private API with `:nodoc:`.
-
-    *Sean Doyle*
-
-*   Fix detection of required strict locals.
-
-    Further fix `render @collection` compatibility with strict locals
-
-    *Jean Boussier*
-
+*   Respect `html_options[:form]` when `collection_checkboxes` generates the
+    hidden `<input>`.
 
-## Rails 7.1.2 (November 10, 2023) ##
+    *Riccardo Odone*
 
-*   Fix the `number_to_human_size` view helper to correctly work with negative numbers.
+*   Layouts have access to local variables passed to `render`.
 
-    *Earlopain*
+    This fixes #31680 which was a regression in Rails 5.1.
 
-*   Automatically discard the implicit locals injected by collection rendering for template that can't accept them
+    *Mike Dalessio*
 
-    When rendering a collection, two implicit variables are injected, which breaks templates with strict locals.
+*   Argument errors related to strict locals in templates now raise an
+    `ActionView::StrictLocalsError`, and all other argument errors are reraised as-is.
 
-    Now they are only passed if the template will actually accept them.
+    Previously, any `ArgumentError` raised during template rendering was swallowed during strict
+    local error handling, so that an `ArgumentError` unrelated to strict locals (e.g., a helper
+    method invoked with incorrect arguments) would be replaced by a similar `ArgumentError` with an
+    unrelated backtrace, making it difficult to debug templates.
 
-    *Yasha Krasnou*, *Jean Boussier*
+    Now, any `ArgumentError` unrelated to strict locals is reraised, preserving the original
+    backtrace for developers.
 
-*   Fix `@rails/ujs` calling `start()` an extra time when using bundlers
+    Also note that `ActionView::StrictLocalsError` is a subclass of `ArgumentError`, so any existing
+    code that rescues `ArgumentError` will continue to work.
 
-    *Hartley McGuire*, *Ryunosuke Sato*
+    Fixes #52227.
 
-*   Fix the `capture` view helper compatibility with HAML and Slim
+    *Mike Dalessio*
 
-    When a blank string was captured in HAML or Slim (and possibly other template engines)
-    it would instead return the entire buffer.
+*   Fix stack overflow error in dependency tracker when dealing with circular dependencies
 
     *Jean Boussier*
 
+*   Fix a crash in ERB template error highlighting when the error occurs on a
+    line in the compiled template that is past the end of the source template.
 
-## Rails 7.1.1 (October 11, 2023) ##
+    *Martin Emde*
 
-*   Updated `@rails/ujs` files to ignore certain data-* attributes when element is contenteditable.
+*   Improve reliability of ERB template error highlighting.
+    Fix infinite loops and crashes in highlighting and
+    improve tolerance for alternate ERB handlers.
 
-    This fix was already landed in >= 7.0.4.3, < 7.1.0.
-    [[CVE-2023-23913](https://github.com/advisories/GHSA-xp5h-f8jf-rc8q)]
-
-    *Ryunosuke Sato*
+    *Martin Emde*
 
 
-## Rails 7.1.0 (October 05, 2023) ##
+## Rails 7.2.2.2 (August 13, 2025) ##
 
 *   No changes.
 
 
-## Rails 7.1.0.rc2 (October 01, 2023) ##
+## Rails 7.2.2.1 (December 10, 2024) ##
 
 *   No changes.
 
 
-## Rails 7.1.0.rc1 (September 27, 2023) ##
-
-*   Introduce `ActionView::TestCase.register_parser`
-
-    ```ruby
-    register_parser :rss, -> rendered { RSS::Parser.parse(rendered) }
-
-    test "renders RSS" do
-      article = Article.create!(title: "Hello, world")
-
-      render formats: :rss, partial: article
-
-      assert_equal "Hello, world", rendered.rss.items.last.title
-    end
-    ```
-
-    By default, register parsers for `:html` and `:json`.
+## Rails 7.2.2 (October 30, 2024) ##
 
-    *Sean Doyle*
-
-
-## Rails 7.1.0.beta1 (September 13, 2023) ##
-
-*   Fix `simple_format` with blank `wrapper_tag` option returns plain html tag
-
-    By default `simple_format` method returns the text wrapped with `<p>`. But if we explicitly specify
-    the `wrapper_tag: nil` in the options, it returns the text wrapped with `<></>` tag.
-
-    Before:
-
-    ```ruby
-    simple_format("Hello World", {},  { wrapper_tag: nil })
-    # <>Hello World</>
-    ```
+*   No changes.
 
-    After:
 
-    ```ruby
-    simple_format("Hello World", {},  { wrapper_tag: nil })
-    # <p>Hello World</p>
-    ```
+## Rails 7.2.1.2 (October 23, 2024) ##
 
-    *Akhil G Krishnan*, *Junichi Ito*
+*   No changes.
 
-*   Don't double-encode nested `field_id` and `field_name` index values
 
-    Pass `index: @options` as a default keyword argument to `field_id` and
-    `field_name` view helper methods.
+## Rails 7.2.1.1 (October 15, 2024) ##
 
-    *Sean Doyle*
+*   No changes.
 
-*   Allow opting in/out of `Link preload` headers when calling `stylesheet_link_tag` or `javascript_include_tag`
 
-    ```ruby
-    # will exclude header, even if setting is enabled:
-    javascript_include_tag("http://example.com/all.js", preload_links_header: false)
+## Rails 7.2.1 (August 22, 2024) ##
 
-    # will include header, even if setting is disabled:
-    stylesheet_link_tag("http://example.com/all.js", preload_links_header: true)
-    ```
+*   No changes.
 
-    *Alex Ghiculescu*
 
-*   Stop generating `Link preload` headers once it has reached 1KB.
+## Rails 7.2.0 (August 09, 2024) ##
 
-    Some proxies have trouble handling large headers, but more importantly preload links
-    have diminishing returns so it's preferable not to go overboard with them.
+*   Fix templates with strict locals to also include `local_assigns`.
 
-    If tighter control is needed, it's recommended to disable automatic generation of preloads
-    and to generate them manually from the controller or from a middleware.
+    Previously templates defining strict locals wouldn't receive the `local_assigns`
+    hash.
 
     *Jean Boussier*
 
-*   `simple_format` helper now handles a `:sanitize_options` - any extra options you want appending to the sanitize.
+*   Add queries count to template rendering instrumentation.
 
-    Before:
-    ```ruby
-      simple_format("<a target=\"_blank\" href=\"http://example.com\">Continue</a>")
-      # => "<p><a href=\"http://example.com\">Continue</a></p>"
     ```
+    # Before
+    Completed 200 OK in 3804ms (Views: 41.0ms | ActiveRecord: 33.5ms | Allocations: 112788)
 
-    After:
-    ```ruby
-      simple_format("<a target=\"_blank\" href=\"http://example.com\">Continue</a>", {}, { sanitize_options: { attributes: %w[target href] } })
-      # => "<p><a target=\"_blank\" href=\"http://example.com\">Continue</a></p>"
+    # After
+    Completed 200 OK in 3804ms (Views: 41.0ms | ActiveRecord: 33.5ms (2 queries, 1 cached) | Allocations: 112788)
     ```
 
-    *Andrei Andriichuk*
-
-*   Add support for HTML5 standards-compliant sanitizers, and default to `Rails::HTML5::Sanitizer`
-    in the Rails 7.1 configuration if it is supported.
-
-    Action View's HTML sanitizers can be configured by setting
-    `config.action_view.sanitizer_vendor`. Supported values are `Rails::HTML4::Sanitizer` or
-    `Rails::HTML5::Sanitizer`.
-
-    The Rails 7.1 configuration will set this to `Rails::HTML5::Sanitizer` when it is supported, and
-    fall back to `Rails::HTML4::Sanitizer`. Previous configurations default to
-    `Rails::HTML4::Sanitizer`.
-
-    *Mike Dalessio*
-
-*   `config.dom_testing_default_html_version` controls the HTML parser used by
-    `ActionView::TestCase#document_root_element`, which creates the DOM used by the assertions in
-    Rails::Dom::Testing.
-
-    The Rails 7.1 default configuration opts into the HTML5 parser when it is supported, to better
-    represent what the DOM would be in a browser user agent. Previously this test helper always used
-    Nokogiri's HTML4 parser.
-
-    *Mike Dalessio*
+    *fatkodima*
 
-*   Add support for the HTML picture tag. It supports passing a String, an Array or a Block.
-    Supports passing properties directly to the img tag via the `:image` key.
-    Since the picture tag requires an img tag, the last element you provide will be used for the img tag.
-    For complete control over the picture tag, a block can be passed, which will populate the contents of the tag accordingly.
-
-    Can be used like this for a single source:
-    ```erb
-    <%= picture_tag("picture.webp") %>
-    ```
-    which will generate the following:
-    ```html
-    <picture>
-        <img src="/images/picture.webp" />
-    </picture>
-    ```
+*   Raise `ArgumentError` if `:renderable` object does not respond to `#render_in`.
 
-    For multiple sources:
-    ```erb
-    <%= picture_tag("picture.webp", "picture.png", :class => "mt-2", :image => { alt: "Image", class: "responsive-img" }) %>
-    ```
-    will generate:
-    ```html
-    <picture class="mt-2">
-        <source srcset="/images/picture.webp" />
-        <source srcset="/images/picture.png" />
-        <img alt="Image" class="responsive-img" src="/images/picture.png" />
-    </picture>
-    ```
+    *Sean Doyle*
 
-    Full control via a block:
-    ```erb
-    <%= picture_tag(:class => "my-class") do %>
-        <%= tag(:source, :srcset => image_path("picture.webp")) %>
-        <%= tag(:source, :srcset => image_path("picture.png")) %>
-        <%= image_tag("picture.png", :alt => "Image") %>
-    <% end %>
-    ```
-    will generate:
-    ```html
-    <picture class="my-class">
-        <source srcset="/images/picture.webp" />
-        <source srcset="/images/picture.png" />
-        <img alt="Image" src="/images/picture.png" />
-    </picture>
-    ```
+*   Add the `nonce: true` option for `stylesheet_link_tag` helper to support automatic nonce generation for Content Security Policy.
 
-    *Juan Pablo Balarini*
+    Works the same way as `javascript_include_tag nonce: true` does.
 
-*   Remove deprecated support to passing instance variables as locals to partials.
+    *Akhil G Krishnan*, *AJ Esler*
 
-    *Rafael Mendonça França*
+*   Parse `ActionView::TestCase#rendered` HTML content as `Nokogiri::XML::DocumentFragment` instead of `Nokogiri::XML::Document`.
 
-*   Remove deprecated constant `ActionView::Path`.
+    *Sean Doyle*
 
-    *Rafael Mendonça França*
+*   Rename `ActionView::TestCase::Behavior::Content` to `ActionView::TestCase::Behavior::RenderedViewContent`.
 
-*   Guard `token_list` calls from escaping HTML too often
+    Make `RenderedViewContent` inherit from `String`. Make private API with `:nodoc:`
 
     *Sean Doyle*
 
-*   `select` can now be called with a single hash containing options and some HTML options
-
-    Previously this would not work as expected:
-
-    ```erb
-    <%= select :post, :author, authors, required: true %>
-    ```
+*   Deprecate passing `nil` as value for the `model:` argument to the `form_with` method.
 
-    Instead you needed to do this:
+    *Collin Jilbert*
 
-    ```erb
-    <%= select :post, :author, authors, {}, required: true %>
-    ```
+*   Alias `field_set_tag` helper to `fieldset_tag` to match `<fieldset>` element.
 
-    Now, either form is accepted, for the following HTML attributes: `required`, `multiple`, `size`.
+    *Sean Doyle*
 
-    *Alex Ghiculescu*
+*   Deprecate passing content to void elements when using `tag.br` type tag builders.
 
-*   Datetime form helpers (`time_field`, `date_field`, `datetime_field`, `week_field`, `month_field`) now accept an instance of Time/Date/DateTime as `:value` option.
+    *Hartley McGuire*
 
-    Before:
-    ```erb
-    <%= form.datetime_field :written_at, value: Time.current.strftime("%Y-%m-%dT%T") %>
-    ```
+*   Fix the `number_to_human_size` view helper to correctly work with negative numbers.
 
-    After:
-    ```erb
-    <%= form.datetime_field :written_at, value: Time.current %>
-    ```
+    *Earlopain*
 
-    *Andrey Samsonov*
+*   Automatically discard the implicit locals injected by collection rendering for template that can't accept them.
 
-*   Choices of `select` can optionally contain html attributes as the last element
-    of the child arrays when using grouped/nested collections
+    When rendering a collection, two implicit variables are injected, which breaks templates with strict locals.
 
-    ```erb
-    <%= form.select :foo, [["North America", [["United States","US"],["Canada","CA"]], { disabled: "disabled" }]] %>
-    # => <select><optgroup label="North America" disabled="disabled"><option value="US">United States</option><option value="CA">Canada</option></optgroup></select>
-    ```
+    Now they are only passed if the template will actually accept them.
 
-    *Chris Gunther*
+    *Yasha Krasnou*, *Jean Boussier*
 
-*   `check_box_tag` and `radio_button_tag` now accept `checked` as a keyword argument
+*   Fix `@rails/ujs` calling `start()` an extra time when using bundlers.
 
-    This is to make the API more consistent with the `FormHelper` variants. You can now
-    provide `checked` as a positional or keyword argument:
+    *Hartley McGuire*, *Ryunosuke Sato*
 
-    ```erb
-    = check_box_tag "admin", "1", false
-    = check_box_tag "admin", "1", checked: false
+*   Fix the `capture` view helper compatibility with HAML and Slim.
 
-    = radio_button_tag 'favorite_color', 'maroon', false
-    = radio_button_tag 'favorite_color', 'maroon', checked: false
-    ```
+    When a blank string was captured in HAML or Slim (and possibly other template engines)
+    it would instead return the entire buffer.
 
-    *Alex Ghiculescu*
+    *Jean Boussier*
 
-*   Allow passing a class to `dom_id`.
-    You no longer need to call `new` when passing a class to `dom_id`.
-    This makes `dom_id` behave like `dom_class` in this regard.
-    Apart from saving a few keystrokes, it prevents Ruby from needing
-    to instantiate a whole new object just to generate a string.
+*   Updated `@rails/ujs` files to ignore certain data-* attributes when element is contenteditable.
 
-    Before:
-    ```ruby
-    dom_id(Post) # => NoMethodError: undefined method `to_key' for Post:Class
-    ```
+    This fix was already landed in >= 7.0.4.3, < 7.1.0.
+    [[CVE-2023-23913](https://github.com/advisories/GHSA-xp5h-f8jf-rc8q)]
 
-    After:
-    ```ruby
-    dom_id(Post) # => "new_post"
-    ```
+    *Ryunosuke Sato*
 
-    *Goulven Champenois*
+*   Added validation for HTML tag names in the `tag` and `content_tag` helper method.
 
-*   Report `:locals` as part of the data returned by ActionView render instrumentation.
+    The `tag` and `content_tag` method now checks that the provided tag name adheres to the HTML
+    specification. If an invalid HTML tag name is provided, the method raises an `ArgumentError`
+    with an appropriate error message.
 
-    Before:
-    ```ruby
-    {
-    identifier: "/Users/adam/projects/notifications/app/views/posts/index.html.erb",
-    layout: "layouts/application"
-    }
-    ```
+    Examples:
 
-    After:
     ```ruby
-    {
-    identifier: "/Users/adam/projects/notifications/app/views/posts/index.html.erb",
-    layout: "layouts/application",
-    locals: {foo: "bar"}
-    }
-    ```
-
-    *Aaron Gough*
-
-*   Strip `break_sequence` at the end of `word_wrap`.
-
-    This fixes a bug where `word_wrap` didn't properly strip off break sequences that had printable characters.
-
-    For example, compare the outputs of this template:
-
-    ```erb
-    # <%= word_wrap("11 22\n33 44", line_width: 2, break_sequence: "\n# ") %>
-    ```
+    # Raises ArgumentError: Invalid HTML5 tag name: 12p
+    content_tag("12p") # Starting with a number
 
-    Before:
+    # Raises ArgumentError: Invalid HTML5 tag name: ""
+    content_tag("") # Empty tag name
 
-    ```
-    # 11
-    # 22
-    #
-    # 33
-    # 44
-    #
-    ```
+    # Raises ArgumentError: Invalid HTML5 tag name: div/
+    tag("div/") # Contains a solidus
 
-    After:
-
-    ```
-    # 11
-    # 22
-    # 33
-    # 44
+    # Raises ArgumentError: Invalid HTML5 tag name: "image file"
+    tag("image file") # Contains a space
     ```
 
-    *Max Chernyak*
-
-*   Allow templates to set strict `locals`.
-
-    By default, templates will accept any `locals` as keyword arguments. To define what `locals` a template accepts, add a `locals` magic comment:
-
-    ```erb
-    <%# locals: (message:) -%>
-    <%= message %>
-    ```
-
-    Default values can also be provided:
-
-    ```erb
-    <%# locals: (message: "Hello, world!") -%>
-    <%= message %>
-    ```
-
-    Or `locals` can be disabled entirely:
-
-    ```erb
-    <%# locals: () %>
-    ```
-
-    *Joel Hawksley*
-
-*   Add `include_seconds` option for `datetime_local_field`
-
-    This allows to omit seconds part in the input field, by passing `include_seconds: false`
-
-    *Wojciech Wnętrzak*
-
-*   Guard against `ActionView::Helpers::FormTagHelper#field_name` calls with nil
-    `object_name` arguments. For example:
-
-    ```erb
-    <%= fields do |f| %>
-      <%= f.field_name :body %>
-    <% end %>
-    ```
-
-    *Sean Doyle*
-
-*   Strings returned from `strip_tags` are correctly tagged `html_safe?`
-
-    Because these strings contain no HTML elements and the basic entities are escaped, they are safe
-    to be included as-is as PCDATA in HTML content. Tagging them as html-safe avoids double-escaping
-    entities when being concatenated to a SafeBuffer during rendering.
-
-    Fixes [rails/rails-html-sanitizer#124](https://github.com/rails/rails-html-sanitizer/issues/124)
-
-    *Mike Dalessio*
-
-*   Move `convert_to_model` call from `form_for` into `form_with`
-
-    Now that `form_for` is implemented in terms of `form_with`, remove the
-    `convert_to_model` call from `form_for`.
-
-    *Sean Doyle*
-
-*   Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
-
-    Escape dangerous characters in names of tags and names of attributes in the
-    tag helpers, following the XML specification. Rename the option
-    `:escape_attributes` to `:escape`, to simplify by applying the option to the
-    whole tag.
-
-    *Álvaro Martín Fraguas*
-
-*   Extend audio_tag and video_tag to accept Active Storage attachments.
-
-    Now it's possible to write
-
-    ```ruby
-    audio_tag(user.audio_file)
-    video_tag(user.video_file)
-    ```
-
-    Instead of
-
-    ```ruby
-    audio_tag(polymorphic_path(user.audio_file))
-    video_tag(polymorphic_path(user.video_file))
-    ```
-
-    `image_tag` already supported that, so this follows the same pattern.
-
-    *Matheus Richard*
-
-*   Ensure models passed to `form_for` attempt to call `to_model`.
-
-    *Sean Doyle*
+    *Akhil G Krishnan*
 
-Please check [7-0-stable](https://github.com/rails/rails/blob/7-0-stable/actionview/CHANGELOG.md) for previous changes.
+Please check [7-1-stable](https://github.com/rails/rails/blob/7-1-stable/actionview/CHANGELOG.md) for previous changes.

data/README.rdoc

@@ -35,6 +35,6 @@ Bug reports for the Ruby on \Rails project can be filed here:
 
 * https://github.com/rails/rails/issues
 
-Feature requests should be discussed on the rails-core mailing list here:
+Feature requests should be discussed on the rubyonrails-core forum here:
 
 * https://discuss.rubyonrails.org/c/rubyonrails-core