actionview 7.2.2.1 → 8.1.2

data/lib/action_view/helpers/form_options_helper.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require "cgi"
 require "erb"
 require "active_support/core_ext/string/output_safety"
 require "active_support/core_ext/array/extract_options"
@@ -13,7 +12,7 @@ module ActionView
     #
     # Provides a number of methods for turning different kinds of containers into a set of option tags.
     #
-    # The <tt>collection_select</tt>, <tt>select</tt> and <tt>time_zone_select</tt> methods take an <tt>options</tt> parameter, a hash:
+    # The #collection_select, #select and #time_zone_select methods take an <tt>options</tt> parameter, a hash:
     #
     # * <tt>:include_blank</tt> - set to true or a prompt string if the first option element of the select element is a blank. Useful if there is not a default value required for the select element.
     #
@@ -55,7 +54,7 @@ module ActionView
     #       <option value="3">Rafael</option>
     #     </select>
     #
-    # * <tt>:index</tt> - like the other form helpers, <tt>select</tt> can accept an <tt>:index</tt> option to manually set the ID used in the resulting output. Unlike other helpers, <tt>select</tt> expects this
+    # * <tt>:index</tt> - like the other form helpers, #select can accept an <tt>:index</tt> option to manually set the ID used in the resulting output. Unlike other helpers, #select expects this
     #   option to be in the +html_options+ parameter.
     #
     #     select("album[]", :genre, %w[ rap rock country ], {}, { index: nil })
@@ -80,7 +79,7 @@ module ActionView
     #       <option disabled="disabled" value="restricted">restricted</option>
     #     </select>
     #
-    #   When used with the <tt>collection_select</tt> helper, <tt>:disabled</tt> can also be a Proc that identifies those options that should be disabled.
+    #   When used with the #collection_select helper, <tt>:disabled</tt> can also be a Proc that identifies those options that should be disabled.
     #
     #     collection_select(:post, :category_id, Category.all, :id, :name, { disabled: -> (category) { category.archived? } })
     #
@@ -105,7 +104,7 @@ module ActionView
       #
       # Example with <tt>@post.person_id => 2</tt>:
       #
-      #   select :post, :person_id, Person.all.collect { |p| [ p.name, p.id ] }, { include_blank: true })
+      #   select :post, :person_id, Person.all.collect { |p| [ p.name, p.id ] }, { include_blank: true }
       #
       # would become:
       #
@@ -126,7 +125,7 @@ module ActionView
       # or <tt>selected: nil</tt> to leave all options unselected. Similarly, you can specify values to be disabled in the option
       # tags by specifying the <tt>:disabled</tt> option. This can either be a single value or an array of values to be disabled.
       #
-      # A block can be passed to +select+ to customize how the options tags will be rendered. This
+      # A block can be passed to #select to customize how the options tags will be rendered. This
       # is useful when the options tag has complex attributes.
       #
       #   select(report, :campaign_ids) do
@@ -265,7 +264,7 @@ module ActionView
       # In addition to the <tt>:include_blank</tt> option documented above,
       # this method also supports a <tt>:model</tt> option, which defaults
       # to ActiveSupport::TimeZone. This may be used by users to specify a
-      # different time zone model object. (See +time_zone_options_for_select+
+      # different time zone model object. (See #time_zone_options_for_select
       # for more information.)
       #
       # You can also supply an array of ActiveSupport::TimeZone objects
@@ -294,7 +293,7 @@ module ActionView
       end
 
       # Returns select and option tags for the given object and method, using
-      # <tt>weekday_options_for_select</tt> to generate the list of option tags.
+      # #weekday_options_for_select to generate the list of option tags.
       def weekday_select(object, method, options = {}, html_options = {}, &block)
         Tags::WeekdaySelect.new(object, method, self, options, html_options, &block).render
       end
@@ -370,7 +369,7 @@ module ActionView
           html_attributes[:disabled] ||= disabled && option_value_selected?(value, disabled)
           html_attributes[:value] = value
 
-          tag_builder.content_tag_string(:option, text, html_attributes)
+          tag_builder.option(text, **html_attributes)
         end.join("\n").html_safe
       end
 
@@ -411,7 +410,7 @@ module ActionView
         options_for_select(options, select_deselect)
       end
 
-      # Returns a string of <tt><option></tt> tags, like <tt>options_from_collection_for_select</tt>, but
+      # Returns a string of <tt><option></tt> tags, like #options_from_collection_for_select, but
       # groups them by <tt><optgroup></tt> tags based on the object relationships of the arguments.
       #
       # Parameters:
@@ -468,7 +467,7 @@ module ActionView
         end.join.html_safe
       end
 
-      # Returns a string of <tt><option></tt> tags, like <tt>options_for_select</tt>, but
+      # Returns a string of <tt><option></tt> tags, like #options_for_select, but
       # wraps them with <tt><optgroup></tt> tags:
       #
       #   grouped_options = [
@@ -496,7 +495,8 @@ module ActionView
       #     <option value="France">France</option>
       #   </optgroup>
       #
-      # Parameters:
+      # ==== Parameters
+      #
       # * +grouped_options+ - Accepts a nested array or hash of strings. The first value serves as the
       #   <tt><optgroup></tt> label while the second value must be an array of options. The second value can be a
       #   nested array of text-value pairs. See <tt>options_for_select</tt> for more info.
@@ -507,7 +507,8 @@ module ActionView
       #   which will have the +selected+ attribute set. Note: It is possible for this value to match multiple options
       #   as you might have the same option in multiple groups. Each will then get <tt>selected="selected"</tt>.
       #
-      # Options:
+      # ==== Options
+      #
       # * <tt>:prompt</tt> - set to true or a prompt string. When the select element doesn't have a value yet, this
       #   prepends an option with a generic prompt - "Please select" - or the given prompt string.
       # * <tt>:divider</tt> - the divider for the options groups.
@@ -599,7 +600,8 @@ module ActionView
 
       # Returns a string of option tags for the days of the week.
       #
-      # Options:
+      # ====Options
+      #
       # * <tt>:index_as_value</tt> - Defaults to false, set to true to use the indexes from
       #   <tt>I18n.translate("date.day_names")</tt> as the values. By default, Sunday is always 0.
       # * <tt>:day_format</tt> - The I18n key of the array to use for the weekday options.
@@ -686,7 +688,7 @@ module ActionView
       # if a +User+ model has a +category_id+ field and in the form no category is selected, no +category_id+ parameter is sent. So,
       # any strong parameters idiom like:
       #
-      #   params.require(:user).permit(...)
+      #   params.expect(user: [...])
       #
       # will raise an error since no <tt>{user: ...}</tt> will be present.
       #
@@ -723,7 +725,7 @@ module ActionView
       #   end
       #
       # Sample usage (selecting the associated Author for an instance of Post, <tt>@post</tt>):
-      #   collection_check_boxes(:post, :author_ids, Author.all, :id, :name_with_initial)
+      #   collection_checkboxes(:post, :author_ids, Author.all, :id, :name_with_initial)
       #
       # If <tt>@post.author_ids</tt> is already <tt>[1]</tt>, this would return:
       #   <input id="post_author_ids_1" name="post[author_ids][]" type="checkbox" value="1" checked="checked" />
@@ -736,8 +738,8 @@ module ActionView
       #
       # It is also possible to customize the way the elements will be shown by
       # giving a block to the method:
-      #   collection_check_boxes(:post, :author_ids, Author.all, :id, :name_with_initial) do |b|
-      #     b.label { b.check_box }
+      #   collection_checkboxes(:post, :author_ids, Author.all, :id, :name_with_initial) do |b|
+      #     b.label { b.checkbox }
       #   end
       #
       # The argument passed to the block is a special kind of builder for this
@@ -746,17 +748,17 @@ module ActionView
       # Using it, you can change the label and check box display order or even
       # use the label as wrapper, as in the example above.
       #
-      # The builder methods <tt>label</tt> and <tt>check_box</tt> also accept
+      # The builder methods <tt>label</tt> and <tt>checkbox</tt> also accept
       # extra HTML options:
-      #   collection_check_boxes(:post, :author_ids, Author.all, :id, :name_with_initial) do |b|
-      #     b.label(class: "check_box") { b.check_box(class: "check_box") }
+      #   collection_checkboxes(:post, :author_ids, Author.all, :id, :name_with_initial) do |b|
+      #     b.label(class: "checkbox") { b.checkbox(class: "checkbox") }
       #   end
       #
       # There are also three special methods available: <tt>object</tt>, <tt>text</tt> and
       # <tt>value</tt>, which are the current item being rendered, its text and value methods,
       # respectively. You can use them like this:
-      #   collection_check_boxes(:post, :author_ids, Author.all, :id, :name_with_initial) do |b|
-      #      b.label(:"data-value" => b.value) { b.check_box + b.text }
+      #   collection_checkboxes(:post, :author_ids, Author.all, :id, :name_with_initial) do |b|
+      #      b.label(:"data-value" => b.value) { b.checkbox + b.text }
       #   end
       #
       # ==== Gotcha
@@ -779,9 +781,10 @@ module ActionView
       #
       # In the rare case you don't want this hidden field, you can pass the
       # <tt>include_hidden: false</tt> option to the helper method.
-      def collection_check_boxes(object, method, collection, value_method, text_method, options = {}, html_options = {}, &block)
+      def collection_checkboxes(object, method, collection, value_method, text_method, options = {}, html_options = {}, &block)
         Tags::CollectionCheckBoxes.new(object, method, self, collection, value_method, text_method, options, html_options).render(&block)
       end
+      alias_method :collection_check_boxes, :collection_checkboxes
 
       private
         def option_html_attributes(element)
@@ -839,7 +842,7 @@ module ActionView
     class FormBuilder
       # Wraps ActionView::Helpers::FormOptionsHelper#select for form builders:
       #
-      #   <%= form_for @post do |f| %>
+      #   <%= form_with model: @post do |f| %>
       #     <%= f.select :person_id, Person.all.collect { |p| [ p.name, p.id ] }, include_blank: true %>
       #     <%= f.submit %>
       #   <% end %>
@@ -851,7 +854,7 @@ module ActionView
 
       # Wraps ActionView::Helpers::FormOptionsHelper#collection_select for form builders:
       #
-      #   <%= form_for @post do |f| %>
+      #   <%= form_with model: @post do |f| %>
       #     <%= f.collection_select :person_id, Author.all, :id, :name_with_initial, prompt: true %>
       #     <%= f.submit %>
       #   <% end %>
@@ -863,7 +866,7 @@ module ActionView
 
       # Wraps ActionView::Helpers::FormOptionsHelper#grouped_collection_select for form builders:
       #
-      #   <%= form_for @city do |f| %>
+      #   <%= form_with model: @city do |f| %>
       #     <%= f.grouped_collection_select :country_id, @continents, :countries, :name, :id, :name %>
       #     <%= f.submit %>
       #   <% end %>
@@ -875,7 +878,7 @@ module ActionView
 
       # Wraps ActionView::Helpers::FormOptionsHelper#time_zone_select for form builders:
       #
-      #   <%= form_for @user do |f| %>
+      #   <%= form_with model: @user do |f| %>
       #     <%= f.time_zone_select :time_zone, nil, include_blank: true %>
       #     <%= f.submit %>
       #   <% end %>
@@ -887,7 +890,7 @@ module ActionView
 
       # Wraps ActionView::Helpers::FormOptionsHelper#weekday_select for form builders:
       #
-      #   <%= form_for @user do |f| %>
+      #   <%= form_with model: @user do |f| %>
       #     <%= f.weekday_select :weekday, include_blank: true %>
       #     <%= f.submit %>
       #   <% end %>
@@ -897,21 +900,22 @@ module ActionView
         @template.weekday_select(@object_name, method, objectify_options(options), @default_html_options.merge(html_options))
       end
 
-      # Wraps ActionView::Helpers::FormOptionsHelper#collection_check_boxes for form builders:
+      # Wraps ActionView::Helpers::FormOptionsHelper#collection_checkboxes for form builders:
       #
-      #   <%= form_for @post do |f| %>
-      #     <%= f.collection_check_boxes :author_ids, Author.all, :id, :name_with_initial %>
+      #   <%= form_with model: @post do |f| %>
+      #     <%= f.collection_checkboxes :author_ids, Author.all, :id, :name_with_initial %>
       #     <%= f.submit %>
       #   <% end %>
       #
       # Please refer to the documentation of the base helper for details.
-      def collection_check_boxes(method, collection, value_method, text_method, options = {}, html_options = {}, &block)
-        @template.collection_check_boxes(@object_name, method, collection, value_method, text_method, objectify_options(options), @default_html_options.merge(html_options), &block)
+      def collection_checkboxes(method, collection, value_method, text_method, options = {}, html_options = {}, &block)
+        @template.collection_checkboxes(@object_name, method, collection, value_method, text_method, objectify_options(options), @default_html_options.merge(html_options), &block)
       end
+      alias_method :collection_check_boxes, :collection_checkboxes
 
       # Wraps ActionView::Helpers::FormOptionsHelper#collection_radio_buttons for form builders:
       #
-      #   <%= form_for @post do |f| %>
+      #   <%= form_with model: @post do |f| %>
       #     <%= f.collection_radio_buttons :author_id, Author.all, :id, :name_with_initial %>
       #     <%= f.submit %>
       #   <% end %>

data/lib/action_view/helpers/form_tag_helper.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require "cgi"
 require "action_view/helpers/content_exfiltration_prevention_helper"
 require "action_view/helpers/url_helper"
 require "action_view/helpers/text_helper"
@@ -306,7 +305,11 @@ module ActionView
       #   # => <input type="hidden" name="collected_input" id="collected_input"
       #        value="" onchange="alert(&#39;Input collected!&#39;)" autocomplete="off" />
       def hidden_field_tag(name, value = nil, options = {})
-        text_field_tag(name, value, options.merge(type: :hidden, autocomplete: "off"))
+        html_options = options.merge(type: :hidden)
+        unless ActionView::Base.remove_hidden_field_autocomplete
+          html_options[:autocomplete] = "off" unless html_options.key?(:autocomplete)
+        end
+        text_field_tag(name, value, html_options)
       end
 
       # Creates a file upload field. If you are using file uploads then you will also need
@@ -393,24 +396,24 @@ module ActionView
       # * Any other key creates standard HTML attributes for the tag.
       #
       # ==== Examples
-      #   text_area_tag 'post'
+      #   textarea_tag 'post'
       #   # => <textarea id="post" name="post"></textarea>
       #
-      #   text_area_tag 'bio', @user.bio
+      #   textarea_tag 'bio', @user.bio
       #   # => <textarea id="bio" name="bio">This is my biography.</textarea>
       #
-      #   text_area_tag 'body', nil, rows: 10, cols: 25
+      #   textarea_tag 'body', nil, rows: 10, cols: 25
       #   # => <textarea cols="25" id="body" name="body" rows="10"></textarea>
       #
-      #   text_area_tag 'body', nil, size: "25x10"
+      #   textarea_tag 'body', nil, size: "25x10"
       #   # => <textarea name="body" id="body" cols="25" rows="10"></textarea>
       #
-      #   text_area_tag 'description', "Description goes here.", disabled: true
+      #   textarea_tag 'description', "Description goes here.", disabled: true
       #   # => <textarea disabled="disabled" id="description" name="description">Description goes here.</textarea>
       #
-      #   text_area_tag 'comment', nil, class: 'comment_input'
+      #   textarea_tag 'comment', nil, class: 'comment_input'
       #   # => <textarea class="comment_input" id="comment" name="comment"></textarea>
-      def text_area_tag(name, content = nil, options = {})
+      def textarea_tag(name, content = nil, options = {})
         options = options.stringify_keys
 
         if size = options.delete("size")
@@ -422,12 +425,13 @@ module ActionView
 
         content_tag :textarea, content.to_s.html_safe, { "name" => name, "id" => sanitize_to_id(name) }.update(options)
       end
+      alias_method :text_area_tag, :textarea_tag
 
       ##
       # :call-seq:
-      #   check_box_tag(name, options = {})
-      #   check_box_tag(name, value, options = {})
-      #   check_box_tag(name, value, checked, options = {})
+      #   checkbox_tag(name, options = {})
+      #   checkbox_tag(name, value, options = {})
+      #   checkbox_tag(name, value, checked, options = {})
       #
       # Creates a check box form input tag.
       #
@@ -438,21 +442,21 @@ module ActionView
       # * Any other key creates standard HTML options for the tag.
       #
       # ==== Examples
-      #   check_box_tag 'accept'
+      #   checkbox_tag 'accept'
       #   # => <input id="accept" name="accept" type="checkbox" value="1" />
       #
-      #   check_box_tag 'rock', 'rock music'
+      #   checkbox_tag 'rock', 'rock music'
       #   # => <input id="rock" name="rock" type="checkbox" value="rock music" />
       #
-      #   check_box_tag 'receive_email', 'yes', true
+      #   checkbox_tag 'receive_email', 'yes', true
       #   # => <input checked="checked" id="receive_email" name="receive_email" type="checkbox" value="yes" />
       #
-      #   check_box_tag 'tos', 'yes', false, class: 'accept_tos'
+      #   checkbox_tag 'tos', 'yes', false, class: 'accept_tos'
       #   # => <input class="accept_tos" id="tos" name="tos" type="checkbox" value="yes" />
       #
-      #   check_box_tag 'eula', 'accepted', false, disabled: true
+      #   checkbox_tag 'eula', 'accepted', false, disabled: true
       #   # => <input disabled="disabled" id="eula" name="eula" type="checkbox" value="accepted" />
-      def check_box_tag(name, *args)
+      def checkbox_tag(name, *args)
         if args.length >= 4
           raise ArgumentError, "wrong number of arguments (given #{args.length + 1}, expected 1..4)"
         end
@@ -462,6 +466,7 @@ module ActionView
         html_options["checked"] = "checked" if checked
         tag :input, html_options
       end
+      alias_method :check_box_tag, :checkbox_tag
 
       ##
       # :call-seq:
@@ -974,10 +979,15 @@ module ActionView
       # Creates the hidden UTF-8 enforcer tag. Override this method in a helper
       # to customize the tag.
       def utf8_enforcer_tag
-        # Use raw HTML to ensure the value is written as an HTML entity; it
-        # needs to be the right character regardless of which encoding the
-        # browser infers.
-        '<input name="utf8" type="hidden" value="&#x2713;" autocomplete="off" />'.html_safe
+        options = {
+          type: "hidden",
+          name: "utf8",
+          value: "&#x2713;".html_safe
+        }
+
+        options[:autocomplete] = "off" unless ActionView::Base.remove_hidden_field_autocomplete
+
+        tag(:input, options)
       end
 
       private
@@ -1045,9 +1055,9 @@ module ActionView
         end
 
         def form_tag_with_body(html_options, content)
-          output = form_tag_html(html_options)
-          output << content.to_s if content
-          output.safe_concat("</form>")
+          extra_tags = extra_tags_for_form(html_options)
+          html = content_tag(:form, safe_join([extra_tags, content]), html_options)
+          prevent_content_exfiltration(html)
         end
 
         # see http://www.w3.org/TR/html4/types.html#type-name

data/lib/action_view/helpers/javascript_helper.rb

@@ -4,6 +4,8 @@ module ActionView
   module Helpers # :nodoc:
     # = Action View JavaScript \Helpers
     module JavaScriptHelper
+      mattr_accessor :auto_include_nonce
+
       JS_ESCAPE_MAP = {
         "\\"    => "\\\\",
         "</"    => '<\/',
@@ -81,8 +83,10 @@ module ActionView
             content_or_options_with_block
           end
 
-        if html_options[:nonce] == true
+        if html_options[:nonce] == true || (!html_options.key?(:nonce) && auto_include_nonce)
           html_options[:nonce] = content_security_policy_nonce
+        elsif html_options[:nonce] == false
+          html_options.delete(:nonce)
         end
 
         content_tag("script", javascript_cdata_section(content), html_options)

data/lib/action_view/helpers/number_helper.rb

@@ -26,6 +26,8 @@ module ActionView
 
       # Delegates to ActiveSupport::NumberHelper#number_to_phone.
       #
+      #   number_to_phone("1234567890")         # => "123-456-7890"
+      #
       # Additionally, supports a +:raise+ option that will cause
       # InvalidNumberError to be raised if +number+ is not a valid number:
       #
@@ -42,6 +44,8 @@ module ActionView
 
       # Delegates to ActiveSupport::NumberHelper#number_to_currency.
       #
+      #   number_to_currency("1234")               # => "$1234.00"
+      #
       # Additionally, supports a +:raise+ option that will cause
       # InvalidNumberError to be raised if +number+ is not a valid number:
       #
@@ -54,6 +58,8 @@ module ActionView
 
       # Delegates to ActiveSupport::NumberHelper#number_to_percentage.
       #
+      #   number_to_percentage("99")               # => "99.000%"
+      #
       # Additionally, supports a +:raise+ option that will cause
       # InvalidNumberError to be raised if +number+ is not a valid number:
       #
@@ -66,6 +72,8 @@ module ActionView
 
       # Delegates to ActiveSupport::NumberHelper#number_to_delimited.
       #
+      #   number_with_delimiter("1234")               # => "1,234"
+      #
       # Additionally, supports a +:raise+ option that will cause
       # InvalidNumberError to be raised if +number+ is not a valid number:
       #
@@ -78,6 +86,8 @@ module ActionView
 
       # Delegates to ActiveSupport::NumberHelper#number_to_rounded.
       #
+      #   number_with_precision("1234")               # => "1234.000"
+      #
       # Additionally, supports a +:raise+ option that will cause
       # InvalidNumberError to be raised if +number+ is not a valid number:
       #
@@ -90,6 +100,8 @@ module ActionView
 
       # Delegates to ActiveSupport::NumberHelper#number_to_human_size.
       #
+      #   number_to_human_size("1234")               # => "1.21 KB"
+      #
       # Additionally, supports a +:raise+ option that will cause
       # InvalidNumberError to be raised if +number+ is not a valid number:
       #
@@ -102,6 +114,8 @@ module ActionView
 
       # Delegates to ActiveSupport::NumberHelper#number_to_human.
       #
+      #   number_to_human("1234")               # => "1.23 Thousand"
+      #
       # Additionally, supports a +:raise+ option that will cause
       # InvalidNumberError to be raised if +number+ is not a valid number:
       #

data/lib/action_view/helpers/output_safety_helper.rb

@@ -38,8 +38,7 @@ module ActionView # :nodoc:
 
       # Converts the array to a comma-separated sentence where the last element is
       # joined by the connector word. This is the html_safe-aware version of
-      # ActiveSupport's {Array#to_sentence}[https://api.rubyonrails.org/classes/Array.html#method-i-to_sentence].
-      #
+      # ActiveSupport's Array#to_sentence.
       def to_sentence(array, options = {})
         options.assert_valid_keys(:words_connector, :two_words_connector, :last_word_connector, :locale)