actionview 7.1.6 → 7.2.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2234d202c8b6eeebd0c8d6fe0f1793f89f85ad8b6702f01453b965e3d724756f
-  data.tar.gz: 382574ea34dba4663b2b8037200b84c672f141b3add83ca0f3dabeca24bbc1f8
+  metadata.gz: 773338461dd6a54e8b6efa075c2be80d8f8c975ee46bd2167bc7e2fcd8e78f35
+  data.tar.gz: 22244120a030dfc49034d8d790fa86013b1de42b5ee7acbe75243580c9eec7c1
 SHA512:
-  metadata.gz: 7a3be568cf3a688761acfba31030ea5ccd259a27ff2e7267b716b36aaa087d1869833c9d93cf7e3ff873199d19815e0c8f6aa7448cbbb62a5f01f165768b05e1
-  data.tar.gz: 85ee2fd8e57e29f9c625d6d18ec84bf967e44504b2ee16af7637833069fd3e913b429c76432b10da813ffde33a9af27eb2956cbd35ec59eed98222753ecd801f
+  metadata.gz: 1c26e2052e3f599c7f28c19892948c6b3f8cdeef005a4dc54762b4e74309ac32ef794115b0e46d2364624b26debb85a6aaebc938813d08e69e9c670c3bf79ae6
+  data.tar.gz: 15bdc1f27280a327a1270ddf794b484d68f88af959c2d49361ef0e33c37e547b81166c8b92ef400f7e9a62c8192820bd58042733335ff4a9c3f1a77b660f775f

data/CHANGELOG.md

@@ -1,526 +1,200 @@
-## Rails 7.1.6 (October 28, 2025) ##
-
-*   No changes.
+## Rails 7.2.3 (October 28, 2025) ##
 
+*   Fix `javascript_include_tag` `type` option to accept either strings and symbols.
 
-## Rails 7.1.5.2 (August 13, 2025) ##
-
-*   No changes.
-
+    ```ruby
+    javascript_include_tag "application", type: :module
+    javascript_include_tag "application", type: "module"
+    ```
 
-## Rails 7.1.5.1 (December 10, 2024) ##
+    Previously, only the string value was recoginized.
 
-*   No changes.
+    *Jean Boussier*
 
+*   Fix `excerpt` helper with non-whitespace separator.
 
-## Rails 7.1.5 (October 30, 2024) ##
+    *Jonathan Hefner*
 
-*   No changes.
+*   Respect `html_options[:form]` when `collection_checkboxes` generates the
+    hidden `<input>`.
 
+    *Riccardo Odone*
 
-## Rails 7.1.4.2 (October 23, 2024) ##
+*   Layouts have access to local variables passed to `render`.
 
-*   No changes.
+    This fixes #31680 which was a regression in Rails 5.1.
 
+    *Mike Dalessio*
 
-## Rails 7.1.4.1 (October 15, 2024) ##
+*   Argument errors related to strict locals in templates now raise an
+    `ActionView::StrictLocalsError`, and all other argument errors are reraised as-is.
 
-*   No changes.
+    Previously, any `ArgumentError` raised during template rendering was swallowed during strict
+    local error handling, so that an `ArgumentError` unrelated to strict locals (e.g., a helper
+    method invoked with incorrect arguments) would be replaced by a similar `ArgumentError` with an
+    unrelated backtrace, making it difficult to debug templates.
 
+    Now, any `ArgumentError` unrelated to strict locals is reraised, preserving the original
+    backtrace for developers.
 
-## Rails 7.1.4 (August 22, 2024) ##
+    Also note that `ActionView::StrictLocalsError` is a subclass of `ArgumentError`, so any existing
+    code that rescues `ArgumentError` will continue to work.
 
-*   Action View Test Case `rendered` memoization.
+    Fixes #52227.
 
-    *Sean Doyle*
+    *Mike Dalessio*
 
-*   Restore the ability for templates to return any kind of object and not just strings
+*   Fix stack overflow error in dependency tracker when dealing with circular dependencies
 
     *Jean Boussier*
 
-*   Fix threading issue with strict locals.
+*   Fix a crash in ERB template error highlighting when the error occurs on a
+    line in the compiled template that is past the end of the source template.
 
-    *Robert Fletcher*
+    *Martin Emde*
 
+*   Improve reliability of ERB template error highlighting.
+    Fix infinite loops and crashes in highlighting and
+    improve tolerance for alternate ERB handlers.
 
-## Rails 7.1.3.4 (June 04, 2024) ##
+    *Martin Emde*
 
-*   No changes.
 
-
-## Rails 7.1.3.3 (May 16, 2024) ##
+## Rails 7.2.2.2 (August 13, 2025) ##
 
 *   No changes.
 
 
-## Rails 7.1.3.2 (February 21, 2024) ##
+## Rails 7.2.2.1 (December 10, 2024) ##
 
 *   No changes.
 
 
-## Rails 7.1.3.1 (February 21, 2024) ##
+## Rails 7.2.2 (October 30, 2024) ##
 
 *   No changes.
 
 
-## Rails 7.1.3 (January 16, 2024) ##
-
-*   Better handle SyntaxError in Action View.
-
-    *Mario Caropreso*
-
-*   Fix `word_wrap` with empty string.
-
-    *Jonathan Hefner*
-
-*   Rename `ActionView::TestCase::Behavior::Content` to `ActionView::TestCase::Behavior::RenderedViewContent`.
-
-    Make `RenderedViewContent` inherit from `String`. Make private API with `:nodoc:`.
-
-    *Sean Doyle*
-
-*   Fix detection of required strict locals.
-
-    Further fix `render @collection` compatibility with strict locals
-
-    *Jean Boussier*
-
-
-## Rails 7.1.2 (November 10, 2023) ##
-
-*   Fix the `number_to_human_size` view helper to correctly work with negative numbers.
-
-    *Earlopain*
-
-*   Automatically discard the implicit locals injected by collection rendering for template that can't accept them
-
-    When rendering a collection, two implicit variables are injected, which breaks templates with strict locals.
-
-    Now they are only passed if the template will actually accept them.
-
-    *Yasha Krasnou*, *Jean Boussier*
-
-*   Fix `@rails/ujs` calling `start()` an extra time when using bundlers
-
-    *Hartley McGuire*, *Ryunosuke Sato*
-
-*   Fix the `capture` view helper compatibility with HAML and Slim
-
-    When a blank string was captured in HAML or Slim (and possibly other template engines)
-    it would instead return the entire buffer.
-
-    *Jean Boussier*
-
-
-## Rails 7.1.1 (October 11, 2023) ##
-
-*   Updated `@rails/ujs` files to ignore certain data-* attributes when element is contenteditable.
-
-    This fix was already landed in >= 7.0.4.3, < 7.1.0.
-    [[CVE-2023-23913](https://github.com/advisories/GHSA-xp5h-f8jf-rc8q)]
-
-    *Ryunosuke Sato*
-
-
-## Rails 7.1.0 (October 05, 2023) ##
+## Rails 7.2.1.2 (October 23, 2024) ##
 
 *   No changes.
 
 
-## Rails 7.1.0.rc2 (October 01, 2023) ##
+## Rails 7.2.1.1 (October 15, 2024) ##
 
 *   No changes.
 
 
-## Rails 7.1.0.rc1 (September 27, 2023) ##
-
-*   Introduce `ActionView::TestCase.register_parser`
-
-    ```ruby
-    register_parser :rss, -> rendered { RSS::Parser.parse(rendered) }
-
-    test "renders RSS" do
-      article = Article.create!(title: "Hello, world")
-
-      render formats: :rss, partial: article
-
-      assert_equal "Hello, world", rendered.rss.items.last.title
-    end
-    ```
-
-    By default, register parsers for `:html` and `:json`.
-
-    *Sean Doyle*
-
-
-## Rails 7.1.0.beta1 (September 13, 2023) ##
-
-*   Fix `simple_format` with blank `wrapper_tag` option returns plain html tag
-
-    By default `simple_format` method returns the text wrapped with `<p>`. But if we explicitly specify
-    the `wrapper_tag: nil` in the options, it returns the text wrapped with `<></>` tag.
-
-    Before:
-
-    ```ruby
-    simple_format("Hello World", {},  { wrapper_tag: nil })
-    # <>Hello World</>
-    ```
-
-    After:
-
-    ```ruby
-    simple_format("Hello World", {},  { wrapper_tag: nil })
-    # <p>Hello World</p>
-    ```
-
-    *Akhil G Krishnan*, *Junichi Ito*
-
-*   Don't double-encode nested `field_id` and `field_name` index values
+## Rails 7.2.1 (August 22, 2024) ##
 
-    Pass `index: @options` as a default keyword argument to `field_id` and
-    `field_name` view helper methods.
-
-    *Sean Doyle*
-
-*   Allow opting in/out of `Link preload` headers when calling `stylesheet_link_tag` or `javascript_include_tag`
-
-    ```ruby
-    # will exclude header, even if setting is enabled:
-    javascript_include_tag("http://example.com/all.js", preload_links_header: false)
-
-    # will include header, even if setting is disabled:
-    stylesheet_link_tag("http://example.com/all.js", preload_links_header: true)
-    ```
+*   No changes.
 
-    *Alex Ghiculescu*
 
-*   Stop generating `Link preload` headers once it has reached 1KB.
+## Rails 7.2.0 (August 09, 2024) ##
 
-    Some proxies have trouble handling large headers, but more importantly preload links
-    have diminishing returns so it's preferable not to go overboard with them.
+*   Fix templates with strict locals to also include `local_assigns`.
 
-    If tighter control is needed, it's recommended to disable automatic generation of preloads
-    and to generate them manually from the controller or from a middleware.
+    Previously templates defining strict locals wouldn't receive the `local_assigns`
+    hash.
 
     *Jean Boussier*
 
-*   `simple_format` helper now handles a `:sanitize_options` - any extra options you want appending to the sanitize.
+*   Add queries count to template rendering instrumentation.
 
-    Before:
-    ```ruby
-      simple_format("<a target=\"_blank\" href=\"http://example.com\">Continue</a>")
-      # => "<p><a href=\"http://example.com\">Continue</a></p>"
     ```
+    # Before
+    Completed 200 OK in 3804ms (Views: 41.0ms | ActiveRecord: 33.5ms | Allocations: 112788)
 
-    After:
-    ```ruby
-      simple_format("<a target=\"_blank\" href=\"http://example.com\">Continue</a>", {}, { sanitize_options: { attributes: %w[target href] } })
-      # => "<p><a target=\"_blank\" href=\"http://example.com\">Continue</a></p>"
+    # After
+    Completed 200 OK in 3804ms (Views: 41.0ms | ActiveRecord: 33.5ms (2 queries, 1 cached) | Allocations: 112788)
     ```
 
-    *Andrei Andriichuk*
-
-*   Add support for HTML5 standards-compliant sanitizers, and default to `Rails::HTML5::Sanitizer`
-    in the Rails 7.1 configuration if it is supported.
-
-    Action View's HTML sanitizers can be configured by setting
-    `config.action_view.sanitizer_vendor`. Supported values are `Rails::HTML4::Sanitizer` or
-    `Rails::HTML5::Sanitizer`.
+    *fatkodima*
 
-    The Rails 7.1 configuration will set this to `Rails::HTML5::Sanitizer` when it is supported, and
-    fall back to `Rails::HTML4::Sanitizer`. Previous configurations default to
-    `Rails::HTML4::Sanitizer`.
+*   Raise `ArgumentError` if `:renderable` object does not respond to `#render_in`.
 
-    *Mike Dalessio*
-
-*   `config.dom_testing_default_html_version` controls the HTML parser used by
-    `ActionView::TestCase#document_root_element`, which creates the DOM used by the assertions in
-    Rails::Dom::Testing.
-
-    The Rails 7.1 default configuration opts into the HTML5 parser when it is supported, to better
-    represent what the DOM would be in a browser user agent. Previously this test helper always used
-    Nokogiri's HTML4 parser.
-
-    *Mike Dalessio*
-
-*   Add support for the HTML picture tag. It supports passing a String, an Array or a Block.
-    Supports passing properties directly to the img tag via the `:image` key.
-    Since the picture tag requires an img tag, the last element you provide will be used for the img tag.
-    For complete control over the picture tag, a block can be passed, which will populate the contents of the tag accordingly.
-
-    Can be used like this for a single source:
-    ```erb
-    <%= picture_tag("picture.webp") %>
-    ```
-    which will generate the following:
-    ```html
-    <picture>
-        <img src="/images/picture.webp" />
-    </picture>
-    ```
-
-    For multiple sources:
-    ```erb
-    <%= picture_tag("picture.webp", "picture.png", :class => "mt-2", :image => { alt: "Image", class: "responsive-img" }) %>
-    ```
-    will generate:
-    ```html
-    <picture class="mt-2">
-        <source srcset="/images/picture.webp" />
-        <source srcset="/images/picture.png" />
-        <img alt="Image" class="responsive-img" src="/images/picture.png" />
-    </picture>
-    ```
+    *Sean Doyle*
 
-    Full control via a block:
-    ```erb
-    <%= picture_tag(:class => "my-class") do %>
-        <%= tag(:source, :srcset => image_path("picture.webp")) %>
-        <%= tag(:source, :srcset => image_path("picture.png")) %>
-        <%= image_tag("picture.png", :alt => "Image") %>
-    <% end %>
-    ```
-    will generate:
-    ```html
-    <picture class="my-class">
-        <source srcset="/images/picture.webp" />
-        <source srcset="/images/picture.png" />
-        <img alt="Image" src="/images/picture.png" />
-    </picture>
-    ```
+*   Add the `nonce: true` option for `stylesheet_link_tag` helper to support automatic nonce generation for Content Security Policy.
 
-    *Juan Pablo Balarini*
+    Works the same way as `javascript_include_tag nonce: true` does.
 
-*   Remove deprecated support to passing instance variables as locals to partials.
+    *Akhil G Krishnan*, *AJ Esler*
 
-    *Rafael Mendonça França*
+*   Parse `ActionView::TestCase#rendered` HTML content as `Nokogiri::XML::DocumentFragment` instead of `Nokogiri::XML::Document`.
 
-*   Remove deprecated constant `ActionView::Path`.
+    *Sean Doyle*
 
-    *Rafael Mendonça França*
+*   Rename `ActionView::TestCase::Behavior::Content` to `ActionView::TestCase::Behavior::RenderedViewContent`.
 
-*   Guard `token_list` calls from escaping HTML too often
+    Make `RenderedViewContent` inherit from `String`. Make private API with `:nodoc:`
 
     *Sean Doyle*
 
-*   `select` can now be called with a single hash containing options and some HTML options
+*   Deprecate passing `nil` as value for the `model:` argument to the `form_with` method.
 
-    Previously this would not work as expected:
+    *Collin Jilbert*
 
-    ```erb
-    <%= select :post, :author, authors, required: true %>
-    ```
-
-    Instead you needed to do this:
+*   Alias `field_set_tag` helper to `fieldset_tag` to match `<fieldset>` element.
 
-    ```erb
-    <%= select :post, :author, authors, {}, required: true %>
-    ```
-
-    Now, either form is accepted, for the following HTML attributes: `required`, `multiple`, `size`.
+    *Sean Doyle*
 
-    *Alex Ghiculescu*
+*   Deprecate passing content to void elements when using `tag.br` type tag builders.
 
-*   Datetime form helpers (`time_field`, `date_field`, `datetime_field`, `week_field`, `month_field`) now accept an instance of Time/Date/DateTime as `:value` option.
+    *Hartley McGuire*
 
-    Before:
-    ```erb
-    <%= form.datetime_field :written_at, value: Time.current.strftime("%Y-%m-%dT%T") %>
-    ```
+*   Fix the `number_to_human_size` view helper to correctly work with negative numbers.
 
-    After:
-    ```erb
-    <%= form.datetime_field :written_at, value: Time.current %>
-    ```
+    *Earlopain*
 
-    *Andrey Samsonov*
+*   Automatically discard the implicit locals injected by collection rendering for template that can't accept them.
 
-*   Choices of `select` can optionally contain html attributes as the last element
-    of the child arrays when using grouped/nested collections
+    When rendering a collection, two implicit variables are injected, which breaks templates with strict locals.
 
-    ```erb
-    <%= form.select :foo, [["North America", [["United States","US"],["Canada","CA"]], { disabled: "disabled" }]] %>
-    # => <select><optgroup label="North America" disabled="disabled"><option value="US">United States</option><option value="CA">Canada</option></optgroup></select>
-    ```
+    Now they are only passed if the template will actually accept them.
 
-    *Chris Gunther*
+    *Yasha Krasnou*, *Jean Boussier*
 
-*   `check_box_tag` and `radio_button_tag` now accept `checked` as a keyword argument
+*   Fix `@rails/ujs` calling `start()` an extra time when using bundlers.
 
-    This is to make the API more consistent with the `FormHelper` variants. You can now
-    provide `checked` as a positional or keyword argument:
+    *Hartley McGuire*, *Ryunosuke Sato*
 
-    ```erb
-    = check_box_tag "admin", "1", false
-    = check_box_tag "admin", "1", checked: false
+*   Fix the `capture` view helper compatibility with HAML and Slim.
 
-    = radio_button_tag 'favorite_color', 'maroon', false
-    = radio_button_tag 'favorite_color', 'maroon', checked: false
-    ```
+    When a blank string was captured in HAML or Slim (and possibly other template engines)
+    it would instead return the entire buffer.
 
-    *Alex Ghiculescu*
+    *Jean Boussier*
 
-*   Allow passing a class to `dom_id`.
-    You no longer need to call `new` when passing a class to `dom_id`.
-    This makes `dom_id` behave like `dom_class` in this regard.
-    Apart from saving a few keystrokes, it prevents Ruby from needing
-    to instantiate a whole new object just to generate a string.
+*   Updated `@rails/ujs` files to ignore certain data-* attributes when element is contenteditable.
 
-    Before:
-    ```ruby
-    dom_id(Post) # => NoMethodError: undefined method `to_key' for Post:Class
-    ```
+    This fix was already landed in >= 7.0.4.3, < 7.1.0.
+    [[CVE-2023-23913](https://github.com/advisories/GHSA-xp5h-f8jf-rc8q)]
 
-    After:
-    ```ruby
-    dom_id(Post) # => "new_post"
-    ```
+    *Ryunosuke Sato*
 
-    *Goulven Champenois*
+*   Added validation for HTML tag names in the `tag` and `content_tag` helper method.
 
-*   Report `:locals` as part of the data returned by ActionView render instrumentation.
+    The `tag` and `content_tag` method now checks that the provided tag name adheres to the HTML
+    specification. If an invalid HTML tag name is provided, the method raises an `ArgumentError`
+    with an appropriate error message.
 
-    Before:
-    ```ruby
-    {
-    identifier: "/Users/adam/projects/notifications/app/views/posts/index.html.erb",
-    layout: "layouts/application"
-    }
-    ```
+    Examples:
 
-    After:
     ```ruby
-    {
-    identifier: "/Users/adam/projects/notifications/app/views/posts/index.html.erb",
-    layout: "layouts/application",
-    locals: {foo: "bar"}
-    }
-    ```
-
-    *Aaron Gough*
-
-*   Strip `break_sequence` at the end of `word_wrap`.
+    # Raises ArgumentError: Invalid HTML5 tag name: 12p
+    content_tag("12p") # Starting with a number
 
-    This fixes a bug where `word_wrap` didn't properly strip off break sequences that had printable characters.
+    # Raises ArgumentError: Invalid HTML5 tag name: ""
+    content_tag("") # Empty tag name
 
-    For example, compare the outputs of this template:
+    # Raises ArgumentError: Invalid HTML5 tag name: div/
+    tag("div/") # Contains a solidus
 
-    ```erb
-    # <%= word_wrap("11 22\n33 44", line_width: 2, break_sequence: "\n# ") %>
+    # Raises ArgumentError: Invalid HTML5 tag name: "image file"
+    tag("image file") # Contains a space
     ```
 
-    Before:
-
-    ```
-    # 11
-    # 22
-    #
-    # 33
-    # 44
-    #
-    ```
-
-    After:
-
-    ```
-    # 11
-    # 22
-    # 33
-    # 44
-    ```
-
-    *Max Chernyak*
-
-*   Allow templates to set strict `locals`.
-
-    By default, templates will accept any `locals` as keyword arguments. To define what `locals` a template accepts, add a `locals` magic comment:
-
-    ```erb
-    <%# locals: (message:) -%>
-    <%= message %>
-    ```
-
-    Default values can also be provided:
-
-    ```erb
-    <%# locals: (message: "Hello, world!") -%>
-    <%= message %>
-    ```
-
-    Or `locals` can be disabled entirely:
-
-    ```erb
-    <%# locals: () %>
-    ```
-
-    *Joel Hawksley*
-
-*   Add `include_seconds` option for `datetime_local_field`
-
-    This allows to omit seconds part in the input field, by passing `include_seconds: false`
-
-    *Wojciech Wnętrzak*
-
-*   Guard against `ActionView::Helpers::FormTagHelper#field_name` calls with nil
-    `object_name` arguments. For example:
-
-    ```erb
-    <%= fields do |f| %>
-      <%= f.field_name :body %>
-    <% end %>
-    ```
-
-    *Sean Doyle*
-
-*   Strings returned from `strip_tags` are correctly tagged `html_safe?`
-
-    Because these strings contain no HTML elements and the basic entities are escaped, they are safe
-    to be included as-is as PCDATA in HTML content. Tagging them as html-safe avoids double-escaping
-    entities when being concatenated to a SafeBuffer during rendering.
-
-    Fixes [rails/rails-html-sanitizer#124](https://github.com/rails/rails-html-sanitizer/issues/124)
-
-    *Mike Dalessio*
-
-*   Move `convert_to_model` call from `form_for` into `form_with`
-
-    Now that `form_for` is implemented in terms of `form_with`, remove the
-    `convert_to_model` call from `form_for`.
-
-    *Sean Doyle*
-
-*   Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
-
-    Escape dangerous characters in names of tags and names of attributes in the
-    tag helpers, following the XML specification. Rename the option
-    `:escape_attributes` to `:escape`, to simplify by applying the option to the
-    whole tag.
-
-    *Álvaro Martín Fraguas*
-
-*   Extend audio_tag and video_tag to accept Active Storage attachments.
-
-    Now it's possible to write
-
-    ```ruby
-    audio_tag(user.audio_file)
-    video_tag(user.video_file)
-    ```
-
-    Instead of
-
-    ```ruby
-    audio_tag(polymorphic_path(user.audio_file))
-    video_tag(polymorphic_path(user.video_file))
-    ```
-
-    `image_tag` already supported that, so this follows the same pattern.
-
-    *Matheus Richard*
-
-*   Ensure models passed to `form_for` attempt to call `to_model`.
-
-    *Sean Doyle*
+    *Akhil G Krishnan*
 
-Please check [7-0-stable](https://github.com/rails/rails/blob/7-0-stable/actionview/CHANGELOG.md) for previous changes.
+Please check [7-1-stable](https://github.com/rails/rails/blob/7-1-stable/actionview/CHANGELOG.md) for previous changes.

data/README.rdoc

@@ -35,6 +35,6 @@ Bug reports for the Ruby on \Rails project can be filed here:
 
 * https://github.com/rails/rails/issues
 
-Feature requests should be discussed on the rails-core mailing list here:
+Feature requests should be discussed on the rubyonrails-core forum here:
 
 * https://discuss.rubyonrails.org/c/rubyonrails-core