actionview 8.0.3 → 8.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d906f994cc2a7151f2763ccfd5505479b2ba0dd408797b28716d495b4ec89089
-  data.tar.gz: 10cb316f59e90d20729c7f61ec92c0e3b6b28e359ea13b2692736e5ffbe7e7a4
+  metadata.gz: 7f70267d79c46c7a98b2431d33b61baeb64f0ef65eb37c1d37c55065ae61c716
+  data.tar.gz: 7f4fae9bbf0c0ff4ce36df78f051089c94e1fbba377aeab3a7db0d06670c19b5
 SHA512:
-  metadata.gz: a845f01c731db0f215c2a7d29888924fa1e50d3c68a17e1ed37e6dd746aa47a3250c7018d6d66639fc9ef7039f0b6d64234110edd310870bdae2074932044356
-  data.tar.gz: be07fd924f900d3d8c537652678d941fed5ea46ff657197e2182fdbaf4554923a1f1c41e27873735911a85b7a4d5819c330b35ceacefa90ca542c04e9b6053a8
+  metadata.gz: cf26a3aad0023c5f193b2b983ea9dbb2886d353573d873851611281d0c2b493e47a50af671b2049aa7b7610c2f46998a39f8610beede3c0f88837eb56bfa7640
+  data.tar.gz: 5f4d8c3c016b0a8bb9cdd493e05d7aed49c1bca1e664cd9e99499f8d6d033df1b7c12daa89958c96ebf22f1e908812e5b5e4780182c3f9699d212de005ee30e6

data/CHANGELOG.md

@@ -1,31 +1,80 @@
-## Rails 8.0.3 (September 22, 2025) ##
+## Rails 8.1.0 (October 22, 2025) ##
+
+*   The BEGIN template annotation/comment was previously printed on the same line as the following element. We now insert a newline inside the comment so it spans two lines without adding visible whitespace to the HTML output to enhance readability.
+
+    Before:
+    ```
+    <!-- BEGIN /Users/siaw23/Desktop/rails/actionview/test/fixtures/actionpack/test/greeting.html.erb --><p>This is grand!</p>
+    ```
+
+    After:
+    ```
+    <!-- BEGIN /Users/siaw23/Desktop/rails/actionview/test/fixtures/actionpack/test/greeting.html.erb
+    --><p>This is grand!</p>
+    ```
+    *Emmanuel Hayford*
+
+*   Add structured events for Action View:
+    - `action_view.render_template`
+    - `action_view.render_partial`
+    - `action_view.render_layout`
+    - `action_view.render_collection`
+    - `action_view.render_start`
+
+    *Gannon McGibbon*
 
 *   Fix label with `for` option not getting prefixed by form `namespace` value
 
     *Abeid Ahmed*, *Hartley McGuire*
 
-*   Fix `javascript_include_tag` `type` option to accept either strings and symbols.
+*   Add `fetchpriority` to Link headers to match HTML generated by `preload_link_tag`.
 
-    ```ruby
-    javascript_include_tag "application", type: :module
-    javascript_include_tag "application", type: "module"
-    ```
+    *Guillermo Iguaran*
+
+*   Add CSP `nonce` to Link headers generated by `preload_link_tag`.
 
-    Previously, only the string value was recognized.
+    *Alexander Gitter*
 
-    *Jean Boussier*
+*   Allow `current_page?` to match against specific HTTP method(s) with a `method:` option.
 
-*   Fix `excerpt` helper with non-whitespace separator.
+    *Ben Sheldon*
 
-    *Jonathan Hefner*
+*   Remove `autocomplete="off"` on hidden inputs generated by the following
+    tags:
 
+    * `form_tag`, `token_tag`, `method_tag`
 
-## Rails 8.0.2.1 (August 13, 2025) ##
+    As well as the hidden parameter fields included in `button_to`,
+    `check_box`, `select` (with `multiple`) and `file_field` forms.
 
-*   No changes.
+    *nkulway*
 
+*   Enable configuring the strategy for tracking dependencies between Action
+    View templates.
 
-## Rails 8.0.2 (March 12, 2025) ##
+    The existing `:regex` strategy is kept as the default, but with
+    `load_defaults 8.1` the strategy will be `:ruby` (using a real Ruby parser).
+
+    *Hartley McGuire*
+
+*   Introduce `relative_time_in_words` helper
+
+    ```ruby
+    relative_time_in_words(3.minutes.from_now) # => "in 3 minutes"
+    relative_time_in_words(3.minutes.ago) # => "3 minutes ago"
+    relative_time_in_words(10.seconds.ago, include_seconds: true) # => "less than 10 seconds ago"
+    ```
+
+    *Matheus Richard*
+
+*   Make `nonce: false` remove the nonce attribute from `javascript_tag`, `javascript_include_tag`, and `stylesheet_link_tag`.
+
+    *francktrouillez*
+
+*   Add `dom_target` helper to create `dom_id`-like strings from an unlimited
+    number of objects.
+
+    *Ben Sheldon*
 
 *   Respect `html_options[:form]` when `collection_checkboxes` generates the
     hidden `<input>`.
@@ -56,11 +105,10 @@
 
     *Mike Dalessio*
 
-*   Fix stack overflow error in dependency tracker when dealing with circular dependencies
-
-    *Jean Boussier*
+*   Improve error highlighting of multi-line methods in ERB templates or
+    templates where the error occurs within a do-end block.
 
-## Rails 8.0.1 (December 13, 2024) ##
+    *Martin Emde*
 
 *   Fix a crash in ERB template error highlighting when the error occurs on a
     line in the compiled template that is past the end of the source template.
@@ -73,57 +121,12 @@
 
     *Martin Emde*
 
+*   Allow `hidden_field` and `hidden_field_tag` to accept a custom autocomplete value.
 
-## Rails 8.0.0.1 (December 10, 2024) ##
-
-*   No changes.
-
-
-## Rails 8.0.0 (November 07, 2024) ##
-
-*   No changes.
-
-
-## Rails 8.0.0.rc2 (October 30, 2024) ##
-
-*   No changes.
-
-
-## Rails 8.0.0.rc1 (October 19, 2024) ##
-
-*   Remove deprecated support to passing a content to void tag elements on the `tag` builder.
-
-    *Rafael Mendonça França*
-
-*   Remove deprecated support to passing `nil` to the `model:` argument of `form_with`.
-
-    *Rafael Mendonça França*
-
-
-## Rails 8.0.0.beta1 (September 26, 2024) ##
-
-*   Enable DependencyTracker to evaluate renders with trailing interpolation.
-
-    ```erb
-    <%= render "maintenance_tasks/runs/info/#{run.status}" %>
-    ```
-
-    Previously, the DependencyTracker would ignore this render, but now it will
-    mark all partials in the "maintenance_tasks/runs/info" folder as
-    dependencies.
-
-    *Hartley McGuire*
-
-*   Rename `text_area` methods into `textarea`
-
-    Old names are still available as aliases.
-
-    *Sean Doyle*
-
-*   Rename `check_box*` methods into `checkbox*`.
+    *brendon*
 
-    Old names are still available as aliases.
+*   Add a new configuration `content_security_policy_nonce_auto` for automatically adding a nonce to the tags affected by the directives specified by the `content_security_policy_nonce_directives` configuration option.
 
-    *Jean Boussier*
+    *francktrouillez*
 
-Please check [7-2-stable](https://github.com/rails/rails/blob/7-2-stable/actionview/CHANGELOG.md) for previous changes.
+Please check [8-0-stable](https://github.com/rails/rails/blob/8-0-stable/actionview/CHANGELOG.md) for previous changes.

data/lib/action_view/base.rb

@@ -4,6 +4,7 @@ require "active_support/core_ext/module/attr_internal"
 require "active_support/core_ext/module/attribute_accessors"
 require "active_support/ordered_options"
 require "action_view/log_subscriber"
+require "action_view/structured_event_subscriber"
 require "action_view/helpers"
 require "action_view/context"
 require "action_view/template"
@@ -181,6 +182,10 @@ module ActionView # :nodoc:
     class_attribute :_routes
     class_attribute :logger
 
+    # Specify whether to omit autocomplete="off" on hidden inputs generated by helpers.
+    # Configured via `config.action_view.remove_hidden_field_autocomplete`
+    cattr_accessor :remove_hidden_field_autocomplete, default: false
+
     class << self
       delegate :erb_trim_mode=, to: "ActionView::Template::Handlers::ERB"
 
@@ -242,8 +247,6 @@ module ActionView # :nodoc:
     # :startdoc:
 
     def initialize(lookup_context, assigns, controller) # :nodoc:
-      @_config = ActiveSupport::InheritableOptions.new
-
       @lookup_context = lookup_context
 
       @view_renderer = ActionView::Renderer.new @lookup_context

data/lib/action_view/buffers.rb

@@ -45,7 +45,7 @@ module ActionView
         @raw_buffer << if value.html_safe?
           value
         else
-          CGI.escapeHTML(value)
+          ERB::Util.unwrapped_html_escape(value)
         end
       end
       self

data/lib/action_view/dependency_tracker/erb_tracker.rb

@@ -91,7 +91,7 @@ module ActionView
 
         def render_dependencies
           dependencies = []
-          render_calls = source.split(/\brender\b/).drop(1)
+          render_calls = source.scan(/<%(?:(?:(?!<%).)*?\brender\b((?:(?!%>).)*?))%>/m).flatten
 
           render_calls.each do |arguments|
             add_dependencies(dependencies, arguments, LAYOUT_DEPENDENCY)

data/lib/action_view/dependency_tracker.rb

@@ -36,6 +36,11 @@ module ActionView
       @trackers.delete(handler)
     end
 
-    register_tracker :erb, ERBTracker
+    case ActionView.render_tracker
+    when :ruby
+      register_tracker :erb, RubyTracker
+    else
+      register_tracker :erb, ERBTracker
+    end
   end
 end

data/lib/action_view/gem_version.rb

@@ -8,8 +8,8 @@ module ActionView
 
   module VERSION
     MAJOR = 8
-    MINOR = 0
-    TINY  = 3
+    MINOR = 1
+    TINY  = 0
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")

data/lib/action_view/helpers/asset_tag_helper.rb

@@ -26,6 +26,8 @@ module ActionView
       mattr_accessor :image_decoding
       mattr_accessor :preload_links_header
       mattr_accessor :apply_stylesheet_media_default
+      mattr_accessor :auto_include_nonce_for_scripts
+      mattr_accessor :auto_include_nonce_for_styles
 
       # Returns an HTML script tag for each of the +sources+ provided.
       #
@@ -115,7 +117,7 @@ module ActionView
         path_options = options.extract!("protocol", "extname", "host", "skip_pipeline").symbolize_keys
         preload_links = []
         use_preload_links_header = options["preload_links_header"].nil? ? preload_links_header : options.delete("preload_links_header")
-        nopush = options["nopush"].nil? ? true : options.delete("nopush")
+        nopush = options["nopush"].nil? || options.delete("nopush")
         crossorigin = options.delete("crossorigin")
         crossorigin = "anonymous" if crossorigin == true
         integrity = options["integrity"]
@@ -127,6 +129,7 @@ module ActionView
             preload_link = "<#{href}>; rel=#{rel}; as=script"
             preload_link += "; crossorigin=#{crossorigin}" unless crossorigin.nil?
             preload_link += "; integrity=#{integrity}" unless integrity.nil?
+            preload_link += "; nonce=#{content_security_policy_nonce}" if options["nonce"] == true
             preload_link += "; nopush" if nopush
             preload_links << preload_link
           end
@@ -134,8 +137,10 @@ module ActionView
             "src" => href,
             "crossorigin" => crossorigin
           }.merge!(options)
-          if tag_options["nonce"] == true
+          if tag_options["nonce"] == true || (!tag_options.key?("nonce") && auto_include_nonce_for_scripts)
             tag_options["nonce"] = content_security_policy_nonce
+          elsif tag_options["nonce"] == false
+            tag_options.delete("nonce")
           end
           content_tag("script", "", tag_options)
         }.join("\n").html_safe
@@ -206,7 +211,7 @@ module ActionView
         preload_links = []
         crossorigin = options.delete("crossorigin")
         crossorigin = "anonymous" if crossorigin == true
-        nopush = options["nopush"].nil? ? true : options.delete("nopush")
+        nopush = options["nopush"].nil? || options.delete("nopush")
         integrity = options["integrity"]
 
         sources_tags = sources.uniq.map { |source|
@@ -215,6 +220,7 @@ module ActionView
             preload_link = "<#{href}>; rel=preload; as=style"
             preload_link += "; crossorigin=#{crossorigin}" unless crossorigin.nil?
             preload_link += "; integrity=#{integrity}" unless integrity.nil?
+            preload_link += "; nonce=#{content_security_policy_nonce}" if options["nonce"] == true
             preload_link += "; nopush" if nopush
             preload_links << preload_link
           end
@@ -223,8 +229,10 @@ module ActionView
             "crossorigin" => crossorigin,
             "href" => href
           }.merge!(options)
-          if tag_options["nonce"] == true
+          if tag_options["nonce"] == true || (!tag_options.key?("nonce") && auto_include_nonce_for_styles)
             tag_options["nonce"] = content_security_policy_nonce
+          elsif tag_options["nonce"] == false
+            tag_options.delete("nonce")
           end
 
           if apply_stylesheet_media_default && tag_options["media"].blank?
@@ -360,8 +368,16 @@ module ActionView
         crossorigin = options.delete(:crossorigin)
         crossorigin = "anonymous" if crossorigin == true || (crossorigin.blank? && as_type == "font")
         integrity = options[:integrity]
+        fetchpriority = options.delete(:fetchpriority)
         nopush = options.delete(:nopush) || false
         rel = mime_type == "module" || mime_type == :module ? "modulepreload" : "preload"
+        add_nonce = content_security_policy_nonce &&
+          respond_to?(:request) &&
+          request.content_security_policy_nonce_directives&.include?("#{as_type}-src")
+
+        if add_nonce
+          options[:nonce] = content_security_policy_nonce
+        end
 
         link_tag = tag.link(
           rel: rel,
@@ -369,12 +385,15 @@ module ActionView
           as: as_type,
           type: mime_type,
           crossorigin: crossorigin,
+          fetchpriority: fetchpriority,
           **options.symbolize_keys)
 
         preload_link = "<#{href}>; rel=#{rel}; as=#{as_type}"
         preload_link += "; type=#{mime_type}" if mime_type
         preload_link += "; crossorigin=#{crossorigin}" if crossorigin
+        preload_link += "; fetchpriority=#{fetchpriority}" if fetchpriority
         preload_link += "; integrity=#{integrity}" if integrity
+        preload_link += "; nonce=#{content_security_policy_nonce}" if add_nonce
         preload_link += "; nopush" if nopush
 
         send_preload_links_header([preload_link])

data/lib/action_view/helpers/capture_helper.rb

@@ -44,10 +44,10 @@ module ActionView
       #
       #   @greeting # => "Welcome to my shiny new web page! The date and time is 2018-09-06 11:09:16 -0500"
       #
-      def capture(*args, &block)
+      def capture(*, **, &block)
         value = nil
         @output_buffer ||= ActionView::OutputBuffer.new
-        buffer = @output_buffer.capture { value = yield(*args) }
+        buffer = @output_buffer.capture { value = yield(*, **) }
 
         string = if @output_buffer.equal?(value)
           buffer

data/lib/action_view/helpers/controller_helper.rb

@@ -20,11 +20,15 @@ module ActionView
       def assign_controller(controller)
         if @_controller = controller
           @_request = controller.request if controller.respond_to?(:request)
-          @_config  = controller.config.inheritable_copy if controller.respond_to?(:config)
+          if controller.respond_to?(:config)
+            @_config = controller.config.inheritable_copy
+          else
+            @_config = ActiveSupport::InheritableOptions.new
+          end
           @_default_form_builder = controller.default_form_builder if controller.respond_to?(:default_form_builder)
         else
           @_request ||= nil
-          @_config ||= nil
+          @_config = ActiveSupport::InheritableOptions.new
           @_default_form_builder ||= nil
         end
       end

data/lib/action_view/helpers/date_helper.rb

@@ -186,6 +186,23 @@ module ActionView
 
       alias_method :distance_of_time_in_words_to_now, :time_ago_in_words
 
+      # Like <tt>time_ago_in_words</tt>, but adds a prefix/suffix depending on whether the time is in the past or future.
+      # You can use the <tt>scope</tt> option to customize the translation scope. All other options
+      # are forwarded to <tt>time_ago_in_words</tt>.
+      #
+      #   relative_time_in_words(3.minutes.from_now) # => "in 3 minutes"
+      #   relative_time_in_words(3.minutes.ago) # => "3 minutes ago"
+      #   relative_time_in_words(10.seconds.ago, include_seconds: true) # => "less than 10 seconds ago"
+      #
+      # See also #time_ago_in_words
+      def relative_time_in_words(from_time, options = {})
+        now = Time.now
+        time = distance_of_time_in_words(from_time, now, options.except(:scope))
+        key = from_time > now ? :future : :past
+
+        I18n.t(key, time: time, scope: options.fetch(:scope, :'datetime.relative'), locale: options[:locale])
+      end
+
       # Returns a set of select tags (one for year, month, and day) pre-selected for accessing a specified date-based
       # attribute (identified by +method+) on an object assigned to the template (identified by +object+).
       #

data/lib/action_view/helpers/form_helper.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "cgi/escape"
-require "cgi/util" if RUBY_VERSION < "3.5"
 require "action_view/helpers/date_helper"
 require "action_view/helpers/url_helper"
 require "action_view/helpers/form_tag_helper"
@@ -1633,7 +1631,8 @@ module ActionView
     #
     # A +FormBuilder+ object is associated with a particular model object and
     # allows you to generate fields associated with the model object. The
-    # +FormBuilder+ object is yielded when using #form_with or #fields_for.
+    # +FormBuilder+ object is yielded when using
+    # {form_with}[rdof-ref:ActionView::Helpers::FormHelper#form_with] or #fields_for.
     # For example:
     #
     #   <%= form_with model: @person do |person_form| %>

data/lib/action_view/helpers/form_options_helper.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "cgi/escape"
-require "cgi/util" if RUBY_VERSION < "3.5"
 require "erb"
 require "active_support/core_ext/string/output_safety"
 require "active_support/core_ext/array/extract_options"
@@ -14,7 +12,7 @@ module ActionView
     #
     # Provides a number of methods for turning different kinds of containers into a set of option tags.
     #
-    # The <tt>collection_select</tt>, <tt>select</tt> and <tt>time_zone_select</tt> methods take an <tt>options</tt> parameter, a hash:
+    # The #collection_select, #select and #time_zone_select methods take an <tt>options</tt> parameter, a hash:
     #
     # * <tt>:include_blank</tt> - set to true or a prompt string if the first option element of the select element is a blank. Useful if there is not a default value required for the select element.
     #
@@ -56,7 +54,7 @@ module ActionView
     #       <option value="3">Rafael</option>
     #     </select>
     #
-    # * <tt>:index</tt> - like the other form helpers, <tt>select</tt> can accept an <tt>:index</tt> option to manually set the ID used in the resulting output. Unlike other helpers, <tt>select</tt> expects this
+    # * <tt>:index</tt> - like the other form helpers, #select can accept an <tt>:index</tt> option to manually set the ID used in the resulting output. Unlike other helpers, #select expects this
     #   option to be in the +html_options+ parameter.
     #
     #     select("album[]", :genre, %w[ rap rock country ], {}, { index: nil })
@@ -81,7 +79,7 @@ module ActionView
     #       <option disabled="disabled" value="restricted">restricted</option>
     #     </select>
     #
-    #   When used with the <tt>collection_select</tt> helper, <tt>:disabled</tt> can also be a Proc that identifies those options that should be disabled.
+    #   When used with the #collection_select helper, <tt>:disabled</tt> can also be a Proc that identifies those options that should be disabled.
     #
     #     collection_select(:post, :category_id, Category.all, :id, :name, { disabled: -> (category) { category.archived? } })
     #
@@ -106,7 +104,7 @@ module ActionView
       #
       # Example with <tt>@post.person_id => 2</tt>:
       #
-      #   select :post, :person_id, Person.all.collect { |p| [ p.name, p.id ] }, { include_blank: true })
+      #   select :post, :person_id, Person.all.collect { |p| [ p.name, p.id ] }, { include_blank: true }
       #
       # would become:
       #
@@ -127,7 +125,7 @@ module ActionView
       # or <tt>selected: nil</tt> to leave all options unselected. Similarly, you can specify values to be disabled in the option
       # tags by specifying the <tt>:disabled</tt> option. This can either be a single value or an array of values to be disabled.
       #
-      # A block can be passed to +select+ to customize how the options tags will be rendered. This
+      # A block can be passed to #select to customize how the options tags will be rendered. This
       # is useful when the options tag has complex attributes.
       #
       #   select(report, :campaign_ids) do
@@ -266,7 +264,7 @@ module ActionView
       # In addition to the <tt>:include_blank</tt> option documented above,
       # this method also supports a <tt>:model</tt> option, which defaults
       # to ActiveSupport::TimeZone. This may be used by users to specify a
-      # different time zone model object. (See +time_zone_options_for_select+
+      # different time zone model object. (See #time_zone_options_for_select
       # for more information.)
       #
       # You can also supply an array of ActiveSupport::TimeZone objects
@@ -295,7 +293,7 @@ module ActionView
       end
 
       # Returns select and option tags for the given object and method, using
-      # <tt>weekday_options_for_select</tt> to generate the list of option tags.
+      # #weekday_options_for_select to generate the list of option tags.
       def weekday_select(object, method, options = {}, html_options = {}, &block)
         Tags::WeekdaySelect.new(object, method, self, options, html_options, &block).render
       end
@@ -371,7 +369,7 @@ module ActionView
           html_attributes[:disabled] ||= disabled && option_value_selected?(value, disabled)
           html_attributes[:value] = value
 
-          tag_builder.content_tag_string(:option, text, html_attributes)
+          tag_builder.option(text, **html_attributes)
         end.join("\n").html_safe
       end
 
@@ -412,7 +410,7 @@ module ActionView
         options_for_select(options, select_deselect)
       end
 
-      # Returns a string of <tt><option></tt> tags, like <tt>options_from_collection_for_select</tt>, but
+      # Returns a string of <tt><option></tt> tags, like #options_from_collection_for_select, but
       # groups them by <tt><optgroup></tt> tags based on the object relationships of the arguments.
       #
       # Parameters:
@@ -469,7 +467,7 @@ module ActionView
         end.join.html_safe
       end
 
-      # Returns a string of <tt><option></tt> tags, like <tt>options_for_select</tt>, but
+      # Returns a string of <tt><option></tt> tags, like #options_for_select, but
       # wraps them with <tt><optgroup></tt> tags:
       #
       #   grouped_options = [

data/lib/action_view/helpers/form_tag_helper.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-require "cgi/escape"
-require "cgi/util" if RUBY_VERSION < "3.5"
 require "action_view/helpers/content_exfiltration_prevention_helper"
 require "action_view/helpers/url_helper"
 require "action_view/helpers/text_helper"
@@ -307,7 +305,11 @@ module ActionView
       #   # => <input type="hidden" name="collected_input" id="collected_input"
       #        value="" onchange="alert(&#39;Input collected!&#39;)" autocomplete="off" />
       def hidden_field_tag(name, value = nil, options = {})
-        text_field_tag(name, value, options.merge(type: :hidden, autocomplete: "off"))
+        html_options = options.merge(type: :hidden)
+        unless ActionView::Base.remove_hidden_field_autocomplete
+          html_options[:autocomplete] = "off" unless html_options.key?(:autocomplete)
+        end
+        text_field_tag(name, value, html_options)
       end
 
       # Creates a file upload field. If you are using file uploads then you will also need
@@ -977,10 +979,15 @@ module ActionView
       # Creates the hidden UTF-8 enforcer tag. Override this method in a helper
       # to customize the tag.
       def utf8_enforcer_tag
-        # Use raw HTML to ensure the value is written as an HTML entity; it
-        # needs to be the right character regardless of which encoding the
-        # browser infers.
-        '<input name="utf8" type="hidden" value="&#x2713;" autocomplete="off" />'.html_safe
+        options = {
+          type: "hidden",
+          name: "utf8",
+          value: "&#x2713;".html_safe
+        }
+
+        options[:autocomplete] = "off" unless ActionView::Base.remove_hidden_field_autocomplete
+
+        tag(:input, options)
       end
 
       private
@@ -1048,9 +1055,9 @@ module ActionView
         end
 
         def form_tag_with_body(html_options, content)
-          output = form_tag_html(html_options)
-          output << content.to_s if content
-          output.safe_concat("</form>")
+          extra_tags = extra_tags_for_form(html_options)
+          html = content_tag(:form, safe_join([extra_tags, content]), html_options)
+          prevent_content_exfiltration(html)
         end
 
         # see http://www.w3.org/TR/html4/types.html#type-name

data/lib/action_view/helpers/javascript_helper.rb

@@ -4,6 +4,8 @@ module ActionView
   module Helpers # :nodoc:
     # = Action View JavaScript \Helpers
     module JavaScriptHelper
+      mattr_accessor :auto_include_nonce
+
       JS_ESCAPE_MAP = {
         "\\"    => "\\\\",
         "</"    => '<\/',
@@ -81,8 +83,10 @@ module ActionView
             content_or_options_with_block
           end
 
-        if html_options[:nonce] == true
+        if html_options[:nonce] == true || (!html_options.key?(:nonce) && auto_include_nonce)
           html_options[:nonce] = content_security_policy_nonce
+        elsif html_options[:nonce] == false
+          html_options.delete(:nonce)
         end
 
         content_tag("script", javascript_cdata_section(content), html_options)

data/lib/action_view/helpers/number_helper.rb

@@ -26,6 +26,8 @@ module ActionView
 
       # Delegates to ActiveSupport::NumberHelper#number_to_phone.
       #
+      #   number_to_phone("1234567890")         # => "123-456-7890"
+      #
       # Additionally, supports a +:raise+ option that will cause
       # InvalidNumberError to be raised if +number+ is not a valid number:
       #
@@ -42,6 +44,8 @@ module ActionView
 
       # Delegates to ActiveSupport::NumberHelper#number_to_currency.
       #
+      #   number_to_currency("1234")               # => "$1234.00"
+      #
       # Additionally, supports a +:raise+ option that will cause
       # InvalidNumberError to be raised if +number+ is not a valid number:
       #
@@ -54,6 +58,8 @@ module ActionView
 
       # Delegates to ActiveSupport::NumberHelper#number_to_percentage.
       #
+      #   number_to_percentage("99")               # => "99.000%"
+      #
       # Additionally, supports a +:raise+ option that will cause
       # InvalidNumberError to be raised if +number+ is not a valid number:
       #
@@ -66,6 +72,8 @@ module ActionView
 
       # Delegates to ActiveSupport::NumberHelper#number_to_delimited.
       #
+      #   number_with_delimiter("1234")               # => "1,234"
+      #
       # Additionally, supports a +:raise+ option that will cause
       # InvalidNumberError to be raised if +number+ is not a valid number:
       #
@@ -78,6 +86,8 @@ module ActionView
 
       # Delegates to ActiveSupport::NumberHelper#number_to_rounded.
       #
+      #   number_with_precision("1234")               # => "1234.000"
+      #
       # Additionally, supports a +:raise+ option that will cause
       # InvalidNumberError to be raised if +number+ is not a valid number:
       #
@@ -90,6 +100,8 @@ module ActionView
 
       # Delegates to ActiveSupport::NumberHelper#number_to_human_size.
       #
+      #   number_to_human_size("1234")               # => "1.21 KB"
+      #
       # Additionally, supports a +:raise+ option that will cause
       # InvalidNumberError to be raised if +number+ is not a valid number:
       #
@@ -102,6 +114,8 @@ module ActionView
 
       # Delegates to ActiveSupport::NumberHelper#number_to_human.
       #
+      #   number_to_human("1234")               # => "1.23 Thousand"
+      #
       # Additionally, supports a +:raise+ option that will cause
       # InvalidNumberError to be raised if +number+ is not a valid number:
       #