actionview 8.0.2.1 → 8.1.0.beta1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4b10a94983cf19c0bd7a2e4a1d5243ef133b98650f36a8afff60a9d980682ba7
-  data.tar.gz: 83b1cf28672cc2b57d06bf3e611d09ef869260304ec96372ec63972f2ee1a5b6
+  metadata.gz: 625c1e6b4e3cc45ecce5dafa0697614d9ac34d31bd582f53c46620b60ff323a1
+  data.tar.gz: 5aec58970306776aa8ffcc3738a2e8b8ebb0b266777946341601b8bf38c6ff47
 SHA512:
-  metadata.gz: 615c6ea6b985372edbb93621b555517b20ddfa12423cd20dbd80bf20f9393b93def8c80e2a9c9cd0f9203d0bb0588a7f1bf97f07d2c6799906f27eb63e0084fd
-  data.tar.gz: 4c1f66a2d367b6deafc4aed3c5938985957ac9fec60e53a637f86e8279ef94f3cf43b1b4b42c26f6ab5184e23efcd71aa3c4e6fbb2c6ca3bed4db40b54e31269
+  metadata.gz: e4e7e64f11986f77cf38942336bb217309275e4548fc6082f306551b25dc2b1bb016d50d85cb84619976e026696eba83796ca763aff8d86ac5b1009333b404ce
+  data.tar.gz: 397cf668c2a7dbd78e93ac4765c8adbbe6d245ea3c704b840297cae38b51779997be6caf62855b1ba3fb16e8a84180ff85fd6079ea8253809fe810521d5d8fac

data/CHANGELOG.md

@@ -1,14 +1,40 @@
-## Rails 8.0.2.1 (August 13, 2025) ##
+## Rails 8.1.0.beta1 (September 04, 2025) ##
 
-*   No changes.
+*   Allow `current_page?` to match against specific HTTP method(s) with a `method:` option.
 
+    *Ben Sheldon*
 
-## Rails 8.0.2 (March 12, 2025) ##
+*   remove `autocomplete="off"` on hidden inputs generated by `form_tag`, `token_tag`, `method_tag`, and the hidden
+    parameter fields included in `button_to` forms will omit the `autocomplete="off"` attribute.
 
-*   No changes.
+    *nkulway*
 
+*   Enable configuring the strategy for tracking dependencies between Action
+    View templates.
 
-## Rails 8.0.2 (March 12, 2025) ##
+    The existing `:regex` strategy is kept as the default, but with
+    `load_defaults 8.1` the strategy will be `:ruby` (using a real Ruby parser).
+
+    *Hartley McGuire*
+
+*   Introduce `relative_time_in_words` helper
+
+    ```ruby
+    relative_time_in_words(3.minutes.from_now) # => "in 3 minutes"
+    relative_time_in_words(3.minutes.ago) # => "3 minutes ago"
+    relative_time_in_words(10.seconds.ago, include_seconds: true) # => "less than 10 seconds ago"
+    ```
+
+    *Matheus Richard*
+
+*   Make `nonce: false` remove the nonce attribute from `javascript_tag`, `javascript_include_tag`, and `stylesheet_link_tag`.
+
+    *francktrouillez*
+
+*   Add `dom_target` helper to create `dom_id`-like strings from an unlimited
+    number of objects.
+
+    *Ben Sheldon*
 
 *   Respect `html_options[:form]` when `collection_checkboxes` generates the
     hidden `<input>`.
@@ -39,11 +65,10 @@
 
     *Mike Dalessio*
 
-*   Fix stack overflow error in dependency tracker when dealing with circular dependencies
+*   Improve error highlighting of multi-line methods in ERB templates or
+    templates where the error occurs within a do-end block.
 
-    *Jean Boussier*
-
-## Rails 8.0.1 (December 13, 2024) ##
+    *Martin Emde*
 
 *   Fix a crash in ERB template error highlighting when the error occurs on a
     line in the compiled template that is past the end of the source template.
@@ -56,57 +81,12 @@
 
     *Martin Emde*
 
+*   Allow `hidden_field` and `hidden_field_tag` to accept a custom autocomplete value.
 
-## Rails 8.0.0.1 (December 10, 2024) ##
-
-*   No changes.
-
-
-## Rails 8.0.0 (November 07, 2024) ##
-
-*   No changes.
-
-
-## Rails 8.0.0.rc2 (October 30, 2024) ##
-
-*   No changes.
-
-
-## Rails 8.0.0.rc1 (October 19, 2024) ##
-
-*   Remove deprecated support to passing a content to void tag elements on the `tag` builder.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated support to passing `nil` to the `model:` argument of `form_with`.
-
-    *Rafael Mendonça França*
-
-
-## Rails 8.0.0.beta1 (September 26, 2024) ##
-
-*   Enable DependencyTracker to evaluate renders with trailing interpolation.
-
-    ```erb
-    <%= render "maintenance_tasks/runs/info/#{run.status}" %>
-    ```
-
-    Previously, the DependencyTracker would ignore this render, but now it will
-    mark all partials in the "maintenance_tasks/runs/info" folder as
-    dependencies.
-
-    *Hartley McGuire*
-
-*   Rename `text_area` methods into `textarea`
-
-    Old names are still available as aliases.
-
-    *Sean Doyle*
-
-*   Rename `check_box*` methods into `checkbox*`.
+    *brendon*
 
-    Old names are still available as aliases.
+*   Add a new configuration `content_security_policy_nonce_auto` for automatically adding a nonce to the tags affected by the directives specified by the `content_security_policy_nonce_directives` configuration option.
 
-    *Jean Boussier*
+    *francktrouillez*
 
-Please check [7-2-stable](https://github.com/rails/rails/blob/7-2-stable/actionview/CHANGELOG.md) for previous changes.
+Please check [8-0-stable](https://github.com/rails/rails/blob/8-0-stable/actionview/CHANGELOG.md) for previous changes.

data/README.rdoc

@@ -35,6 +35,6 @@ Bug reports for the Ruby on \Rails project can be filed here:
 
 * https://github.com/rails/rails/issues
 
-Feature requests should be discussed on the rails-core mailing list here:
+Feature requests should be discussed on the rubyonrails-core forum here:
 
 * https://discuss.rubyonrails.org/c/rubyonrails-core

data/lib/action_view/base.rb

@@ -181,6 +181,10 @@ module ActionView # :nodoc:
     class_attribute :_routes
     class_attribute :logger
 
+    # Specify whether to omit autocomplete="off" on hidden inputs generated by helpers.
+    # Configured via `config.action_view.remove_hidden_field_autocomplete`
+    cattr_accessor :remove_hidden_field_autocomplete, default: false
+
     class << self
       delegate :erb_trim_mode=, to: "ActionView::Template::Handlers::ERB"
 
@@ -242,8 +246,6 @@ module ActionView # :nodoc:
     # :startdoc:
 
     def initialize(lookup_context, assigns, controller) # :nodoc:
-      @_config = ActiveSupport::InheritableOptions.new
-
       @lookup_context = lookup_context
 
       @view_renderer = ActionView::Renderer.new @lookup_context

data/lib/action_view/buffers.rb

@@ -45,7 +45,7 @@ module ActionView
         @raw_buffer << if value.html_safe?
           value
         else
-          CGI.escapeHTML(value)
+          ERB::Util.unwrapped_html_escape(value)
         end
       end
       self

data/lib/action_view/dependency_tracker/erb_tracker.rb

@@ -91,7 +91,7 @@ module ActionView
 
         def render_dependencies
           dependencies = []
-          render_calls = source.split(/\brender\b/).drop(1)
+          render_calls = source.scan(/<%(?:(?:(?!<%).)*?\brender\b((?:(?!%>).)*?))%>/m).flatten
 
           render_calls.each do |arguments|
             add_dependencies(dependencies, arguments, LAYOUT_DEPENDENCY)

data/lib/action_view/dependency_tracker.rb

@@ -36,6 +36,11 @@ module ActionView
       @trackers.delete(handler)
     end
 
-    register_tracker :erb, ERBTracker
+    case ActionView.render_tracker
+    when :ruby
+      register_tracker :erb, RubyTracker
+    else
+      register_tracker :erb, ERBTracker
+    end
   end
 end

data/lib/action_view/gem_version.rb

@@ -8,9 +8,9 @@ module ActionView
 
   module VERSION
     MAJOR = 8
-    MINOR = 0
-    TINY  = 2
-    PRE   = "1"
+    MINOR = 1
+    TINY  = 0
+    PRE   = "beta1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

data/lib/action_view/helpers/asset_tag_helper.rb

@@ -26,6 +26,8 @@ module ActionView
       mattr_accessor :image_decoding
       mattr_accessor :preload_links_header
       mattr_accessor :apply_stylesheet_media_default
+      mattr_accessor :auto_include_nonce_for_scripts
+      mattr_accessor :auto_include_nonce_for_styles
 
       # Returns an HTML script tag for each of the +sources+ provided.
       #
@@ -115,7 +117,7 @@ module ActionView
         path_options = options.extract!("protocol", "extname", "host", "skip_pipeline").symbolize_keys
         preload_links = []
         use_preload_links_header = options["preload_links_header"].nil? ? preload_links_header : options.delete("preload_links_header")
-        nopush = options["nopush"].nil? ? true : options.delete("nopush")
+        nopush = options["nopush"].nil? || options.delete("nopush")
         crossorigin = options.delete("crossorigin")
         crossorigin = "anonymous" if crossorigin == true
         integrity = options["integrity"]
@@ -127,6 +129,7 @@ module ActionView
             preload_link = "<#{href}>; rel=#{rel}; as=script"
             preload_link += "; crossorigin=#{crossorigin}" unless crossorigin.nil?
             preload_link += "; integrity=#{integrity}" unless integrity.nil?
+            preload_link += "; nonce=#{content_security_policy_nonce}" if options["nonce"] == true
             preload_link += "; nopush" if nopush
             preload_links << preload_link
           end
@@ -134,8 +137,10 @@ module ActionView
             "src" => href,
             "crossorigin" => crossorigin
           }.merge!(options)
-          if tag_options["nonce"] == true
+          if tag_options["nonce"] == true || (!tag_options.key?("nonce") && auto_include_nonce_for_scripts)
             tag_options["nonce"] = content_security_policy_nonce
+          elsif tag_options["nonce"] == false
+            tag_options.delete("nonce")
           end
           content_tag("script", "", tag_options)
         }.join("\n").html_safe
@@ -206,7 +211,7 @@ module ActionView
         preload_links = []
         crossorigin = options.delete("crossorigin")
         crossorigin = "anonymous" if crossorigin == true
-        nopush = options["nopush"].nil? ? true : options.delete("nopush")
+        nopush = options["nopush"].nil? || options.delete("nopush")
         integrity = options["integrity"]
 
         sources_tags = sources.uniq.map { |source|
@@ -215,6 +220,7 @@ module ActionView
             preload_link = "<#{href}>; rel=preload; as=style"
             preload_link += "; crossorigin=#{crossorigin}" unless crossorigin.nil?
             preload_link += "; integrity=#{integrity}" unless integrity.nil?
+            preload_link += "; nonce=#{content_security_policy_nonce}" if options["nonce"] == true
             preload_link += "; nopush" if nopush
             preload_links << preload_link
           end
@@ -223,8 +229,10 @@ module ActionView
             "crossorigin" => crossorigin,
             "href" => href
           }.merge!(options)
-          if tag_options["nonce"] == true
+          if tag_options["nonce"] == true || (!tag_options.key?("nonce") && auto_include_nonce_for_styles)
             tag_options["nonce"] = content_security_policy_nonce
+          elsif tag_options["nonce"] == false
+            tag_options.delete("nonce")
           end
 
           if apply_stylesheet_media_default && tag_options["media"].blank?
@@ -362,6 +370,13 @@ module ActionView
         integrity = options[:integrity]
         nopush = options.delete(:nopush) || false
         rel = mime_type == "module" ? "modulepreload" : "preload"
+        add_nonce = content_security_policy_nonce &&
+          respond_to?(:request) &&
+          request.content_security_policy_nonce_directives&.include?("#{as_type}-src")
+
+        if add_nonce
+          options[:nonce] = content_security_policy_nonce
+        end
 
         link_tag = tag.link(
           rel: rel,
@@ -375,6 +390,7 @@ module ActionView
         preload_link += "; type=#{mime_type}" if mime_type
         preload_link += "; crossorigin=#{crossorigin}" if crossorigin
         preload_link += "; integrity=#{integrity}" if integrity
+        preload_link += "; nonce=#{content_security_policy_nonce}" if add_nonce
         preload_link += "; nopush" if nopush
 
         send_preload_links_header([preload_link])

data/lib/action_view/helpers/atom_feed_helper.rb

@@ -170,7 +170,7 @@ module ActionView
 
         # Creates an entry tag for a specific record and prefills the id using class and id.
         #
-        # Options:
+        # ==== Options
         #
         # * <tt>:published</tt>: Time first published. Defaults to the created_at attribute on the record if one such exists.
         # * <tt>:updated</tt>: Time of update. Defaults to the updated_at attribute on the record if one such exists.

data/lib/action_view/helpers/capture_helper.rb

@@ -44,10 +44,10 @@ module ActionView
       #
       #   @greeting # => "Welcome to my shiny new web page! The date and time is 2018-09-06 11:09:16 -0500"
       #
-      def capture(*args, &block)
+      def capture(*, **, &block)
         value = nil
         @output_buffer ||= ActionView::OutputBuffer.new
-        buffer = @output_buffer.capture { value = yield(*args) }
+        buffer = @output_buffer.capture { value = yield(*, **) }
 
         string = if @output_buffer.equal?(value)
           buffer

data/lib/action_view/helpers/controller_helper.rb

@@ -20,11 +20,15 @@ module ActionView
       def assign_controller(controller)
         if @_controller = controller
           @_request = controller.request if controller.respond_to?(:request)
-          @_config  = controller.config.inheritable_copy if controller.respond_to?(:config)
+          if controller.respond_to?(:config)
+            @_config = controller.config.inheritable_copy
+          else
+            @_config = ActiveSupport::InheritableOptions.new
+          end
           @_default_form_builder = controller.default_form_builder if controller.respond_to?(:default_form_builder)
         else
           @_request ||= nil
-          @_config ||= nil
+          @_config = ActiveSupport::InheritableOptions.new
           @_default_form_builder ||= nil
         end
       end

data/lib/action_view/helpers/date_helper.rb

@@ -136,8 +136,15 @@ module ActionView
             from_year += 1 if from_time.month >= 3
             to_year = to_time.year
             to_year -= 1 if to_time.month < 3
-            leap_years = (from_year > to_year) ? 0 : (from_year..to_year).count { |x| Date.leap?(x) }
+
+            leap_years = if from_year > to_year
+              0
+            else
+              fyear = from_year - 1
+              (to_year / 4 - to_year / 100 + to_year / 400) - (fyear / 4 - fyear / 100 + fyear / 400)
+            end
             minute_offset_for_leap_year = leap_years * 1440
+
             # Discount the leap year days when calculating year distance.
             # e.g. if there are 20 leap year days between 2 dates having the same day
             # and month then based on 365 days calculation
@@ -179,6 +186,23 @@ module ActionView
 
       alias_method :distance_of_time_in_words_to_now, :time_ago_in_words
 
+      # Like <tt>time_ago_in_words</tt>, but adds a prefix/suffix depending on whether the time is in the past or future.
+      # You can use the <tt>scope</tt> option to customize the translation scope. All other options
+      # are forwarded to <tt>time_ago_in_words</tt>.
+      #
+      #   relative_time_in_words(3.minutes.from_now) # => "in 3 minutes"
+      #   relative_time_in_words(3.minutes.ago) # => "3 minutes ago"
+      #   relative_time_in_words(10.seconds.ago, include_seconds: true) # => "less than 10 seconds ago"
+      #
+      # See also #time_ago_in_words
+      def relative_time_in_words(from_time, options = {})
+        now = Time.now
+        time = distance_of_time_in_words(from_time, now, options.except(:scope))
+        key = from_time > now ? :future : :past
+
+        I18n.t(key, time: time, scope: options.fetch(:scope, :'datetime.relative'), locale: options[:locale])
+      end
+
       # Returns a set of select tags (one for year, month, and day) pre-selected for accessing a specified date-based
       # attribute (identified by +method+) on an object assigned to the template (identified by +object+).
       #

data/lib/action_view/helpers/form_helper.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require "cgi"
 require "action_view/helpers/date_helper"
 require "action_view/helpers/url_helper"
 require "action_view/helpers/form_tag_helper"
@@ -1632,7 +1631,8 @@ module ActionView
     #
     # A +FormBuilder+ object is associated with a particular model object and
     # allows you to generate fields associated with the model object. The
-    # +FormBuilder+ object is yielded when using #form_with or #fields_for.
+    # +FormBuilder+ object is yielded when using
+    # {form_with}[rdof-ref:ActionView::Helpers::FormHelper#form_with] or #fields_for.
     # For example:
     #
     #   <%= form_with model: @person do |person_form| %>

data/lib/action_view/helpers/form_options_helper.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require "cgi"
 require "erb"
 require "active_support/core_ext/string/output_safety"
 require "active_support/core_ext/array/extract_options"
@@ -13,7 +12,7 @@ module ActionView
     #
     # Provides a number of methods for turning different kinds of containers into a set of option tags.
     #
-    # The <tt>collection_select</tt>, <tt>select</tt> and <tt>time_zone_select</tt> methods take an <tt>options</tt> parameter, a hash:
+    # The #collection_select, #select and #time_zone_select methods take an <tt>options</tt> parameter, a hash:
     #
     # * <tt>:include_blank</tt> - set to true or a prompt string if the first option element of the select element is a blank. Useful if there is not a default value required for the select element.
     #
@@ -55,7 +54,7 @@ module ActionView
     #       <option value="3">Rafael</option>
     #     </select>
     #
-    # * <tt>:index</tt> - like the other form helpers, <tt>select</tt> can accept an <tt>:index</tt> option to manually set the ID used in the resulting output. Unlike other helpers, <tt>select</tt> expects this
+    # * <tt>:index</tt> - like the other form helpers, #select can accept an <tt>:index</tt> option to manually set the ID used in the resulting output. Unlike other helpers, #select expects this
     #   option to be in the +html_options+ parameter.
     #
     #     select("album[]", :genre, %w[ rap rock country ], {}, { index: nil })
@@ -80,7 +79,7 @@ module ActionView
     #       <option disabled="disabled" value="restricted">restricted</option>
     #     </select>
     #
-    #   When used with the <tt>collection_select</tt> helper, <tt>:disabled</tt> can also be a Proc that identifies those options that should be disabled.
+    #   When used with the #collection_select helper, <tt>:disabled</tt> can also be a Proc that identifies those options that should be disabled.
     #
     #     collection_select(:post, :category_id, Category.all, :id, :name, { disabled: -> (category) { category.archived? } })
     #
@@ -105,7 +104,7 @@ module ActionView
       #
       # Example with <tt>@post.person_id => 2</tt>:
       #
-      #   select :post, :person_id, Person.all.collect { |p| [ p.name, p.id ] }, { include_blank: true })
+      #   select :post, :person_id, Person.all.collect { |p| [ p.name, p.id ] }, { include_blank: true }
       #
       # would become:
       #
@@ -126,7 +125,7 @@ module ActionView
       # or <tt>selected: nil</tt> to leave all options unselected. Similarly, you can specify values to be disabled in the option
       # tags by specifying the <tt>:disabled</tt> option. This can either be a single value or an array of values to be disabled.
       #
-      # A block can be passed to +select+ to customize how the options tags will be rendered. This
+      # A block can be passed to #select to customize how the options tags will be rendered. This
       # is useful when the options tag has complex attributes.
       #
       #   select(report, :campaign_ids) do
@@ -265,7 +264,7 @@ module ActionView
       # In addition to the <tt>:include_blank</tt> option documented above,
       # this method also supports a <tt>:model</tt> option, which defaults
       # to ActiveSupport::TimeZone. This may be used by users to specify a
-      # different time zone model object. (See +time_zone_options_for_select+
+      # different time zone model object. (See #time_zone_options_for_select
       # for more information.)
       #
       # You can also supply an array of ActiveSupport::TimeZone objects
@@ -294,7 +293,7 @@ module ActionView
       end
 
       # Returns select and option tags for the given object and method, using
-      # <tt>weekday_options_for_select</tt> to generate the list of option tags.
+      # #weekday_options_for_select to generate the list of option tags.
       def weekday_select(object, method, options = {}, html_options = {}, &block)
         Tags::WeekdaySelect.new(object, method, self, options, html_options, &block).render
       end
@@ -370,7 +369,7 @@ module ActionView
           html_attributes[:disabled] ||= disabled && option_value_selected?(value, disabled)
           html_attributes[:value] = value
 
-          tag_builder.content_tag_string(:option, text, html_attributes)
+          tag_builder.option(text, **html_attributes)
         end.join("\n").html_safe
       end
 
@@ -411,7 +410,7 @@ module ActionView
         options_for_select(options, select_deselect)
       end
 
-      # Returns a string of <tt><option></tt> tags, like <tt>options_from_collection_for_select</tt>, but
+      # Returns a string of <tt><option></tt> tags, like #options_from_collection_for_select, but
       # groups them by <tt><optgroup></tt> tags based on the object relationships of the arguments.
       #
       # Parameters:
@@ -468,7 +467,7 @@ module ActionView
         end.join.html_safe
       end
 
-      # Returns a string of <tt><option></tt> tags, like <tt>options_for_select</tt>, but
+      # Returns a string of <tt><option></tt> tags, like #options_for_select, but
       # wraps them with <tt><optgroup></tt> tags:
       #
       #   grouped_options = [
@@ -496,7 +495,8 @@ module ActionView
       #     <option value="France">France</option>
       #   </optgroup>
       #
-      # Parameters:
+      # ==== Parameters
+      #
       # * +grouped_options+ - Accepts a nested array or hash of strings. The first value serves as the
       #   <tt><optgroup></tt> label while the second value must be an array of options. The second value can be a
       #   nested array of text-value pairs. See <tt>options_for_select</tt> for more info.
@@ -507,7 +507,8 @@ module ActionView
       #   which will have the +selected+ attribute set. Note: It is possible for this value to match multiple options
       #   as you might have the same option in multiple groups. Each will then get <tt>selected="selected"</tt>.
       #
-      # Options:
+      # ==== Options
+      #
       # * <tt>:prompt</tt> - set to true or a prompt string. When the select element doesn't have a value yet, this
       #   prepends an option with a generic prompt - "Please select" - or the given prompt string.
       # * <tt>:divider</tt> - the divider for the options groups.
@@ -599,7 +600,8 @@ module ActionView
 
       # Returns a string of option tags for the days of the week.
       #
-      # Options:
+      # ====Options
+      #
       # * <tt>:index_as_value</tt> - Defaults to false, set to true to use the indexes from
       #   <tt>I18n.translate("date.day_names")</tt> as the values. By default, Sunday is always 0.
       # * <tt>:day_format</tt> - The I18n key of the array to use for the weekday options.

data/lib/action_view/helpers/form_tag_helper.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require "cgi"
 require "action_view/helpers/content_exfiltration_prevention_helper"
 require "action_view/helpers/url_helper"
 require "action_view/helpers/text_helper"
@@ -306,7 +305,11 @@ module ActionView
       #   # => <input type="hidden" name="collected_input" id="collected_input"
       #        value="" onchange="alert(&#39;Input collected!&#39;)" autocomplete="off" />
       def hidden_field_tag(name, value = nil, options = {})
-        text_field_tag(name, value, options.merge(type: :hidden, autocomplete: "off"))
+        html_options = options.merge(type: :hidden)
+        unless ActionView::Base.remove_hidden_field_autocomplete
+          html_options[:autocomplete] = "off" unless html_options.key?(:autocomplete)
+        end
+        text_field_tag(name, value, html_options)
       end
 
       # Creates a file upload field. If you are using file uploads then you will also need
@@ -976,10 +979,15 @@ module ActionView
       # Creates the hidden UTF-8 enforcer tag. Override this method in a helper
       # to customize the tag.
       def utf8_enforcer_tag
-        # Use raw HTML to ensure the value is written as an HTML entity; it
-        # needs to be the right character regardless of which encoding the
-        # browser infers.
-        '<input name="utf8" type="hidden" value="&#x2713;" autocomplete="off" />'.html_safe
+        options = {
+          type: "hidden",
+          name: "utf8",
+          value: "&#x2713;".html_safe
+        }
+
+        options[:autocomplete] = "off" unless ActionView::Base.remove_hidden_field_autocomplete
+
+        tag(:input, options)
       end
 
       private
@@ -1047,9 +1055,9 @@ module ActionView
         end
 
         def form_tag_with_body(html_options, content)
-          output = form_tag_html(html_options)
-          output << content.to_s if content
-          output.safe_concat("</form>")
+          extra_tags = extra_tags_for_form(html_options)
+          html = content_tag(:form, safe_join([extra_tags, content]), html_options)
+          prevent_content_exfiltration(html)
         end
 
         # see http://www.w3.org/TR/html4/types.html#type-name

data/lib/action_view/helpers/javascript_helper.rb

@@ -4,6 +4,8 @@ module ActionView
   module Helpers # :nodoc:
     # = Action View JavaScript \Helpers
     module JavaScriptHelper
+      mattr_accessor :auto_include_nonce
+
       JS_ESCAPE_MAP = {
         "\\"    => "\\\\",
         "</"    => '<\/',
@@ -81,8 +83,10 @@ module ActionView
             content_or_options_with_block
           end
 
-        if html_options[:nonce] == true
+        if html_options[:nonce] == true || (!html_options.key?(:nonce) && auto_include_nonce)
           html_options[:nonce] = content_security_policy_nonce
+        elsif html_options[:nonce] == false
+          html_options.delete(:nonce)
         end
 
         content_tag("script", javascript_cdata_section(content), html_options)

data/lib/action_view/helpers/number_helper.rb

@@ -26,6 +26,8 @@ module ActionView
 
       # Delegates to ActiveSupport::NumberHelper#number_to_phone.
       #
+      #   number_to_phone("1234567890")         # => "123-456-7890"
+      #
       # Additionally, supports a +:raise+ option that will cause
       # InvalidNumberError to be raised if +number+ is not a valid number:
       #
@@ -42,6 +44,8 @@ module ActionView
 
       # Delegates to ActiveSupport::NumberHelper#number_to_currency.
       #
+      #   number_to_currency("1234")               # => "$1234.00"
+      #
       # Additionally, supports a +:raise+ option that will cause
       # InvalidNumberError to be raised if +number+ is not a valid number:
       #
@@ -54,6 +58,8 @@ module ActionView
 
       # Delegates to ActiveSupport::NumberHelper#number_to_percentage.
       #
+      #   number_to_percentage("99")               # => "99.000%"
+      #
       # Additionally, supports a +:raise+ option that will cause
       # InvalidNumberError to be raised if +number+ is not a valid number:
       #
@@ -66,6 +72,8 @@ module ActionView
 
       # Delegates to ActiveSupport::NumberHelper#number_to_delimited.
       #
+      #   number_with_delimiter("1234")               # => "1,234"
+      #
       # Additionally, supports a +:raise+ option that will cause
       # InvalidNumberError to be raised if +number+ is not a valid number:
       #
@@ -78,6 +86,8 @@ module ActionView
 
       # Delegates to ActiveSupport::NumberHelper#number_to_rounded.
       #
+      #   number_with_precision("1234")               # => "1234.000"
+      #
       # Additionally, supports a +:raise+ option that will cause
       # InvalidNumberError to be raised if +number+ is not a valid number:
       #
@@ -90,6 +100,8 @@ module ActionView
 
       # Delegates to ActiveSupport::NumberHelper#number_to_human_size.
       #
+      #   number_to_human_size("1234")               # => "1.21 KB"
+      #
       # Additionally, supports a +:raise+ option that will cause
       # InvalidNumberError to be raised if +number+ is not a valid number:
       #
@@ -102,6 +114,8 @@ module ActionView
 
       # Delegates to ActiveSupport::NumberHelper#number_to_human.
       #
+      #   number_to_human("1234")               # => "1.23 Thousand"
+      #
       # Additionally, supports a +:raise+ option that will cause
       # InvalidNumberError to be raised if +number+ is not a valid number:
       #