actionview 4.2.0 → 4.2.1.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0503c205f74374f1bd9546f78eb9ba1104422442
-  data.tar.gz: 078287724c6f3edb82315d9b1e4d290c6c7ea586
+  metadata.gz: 7e4bb093df93d79e327de2207d98acdf3c5deaff
+  data.tar.gz: 5dab0ceaec0500f33bfab92d370f263276b147e7
 SHA512:
-  metadata.gz: dd11d39ed416d37ed21fdebccfd15c0b3ac073ae6cc46df411ff373b8489db97e99c163252fcde3d04db825f9a6d40bae29e9f9c037d417ab93eae503567c96e
-  data.tar.gz: 73eb1806ee44c7bda00b502ce6f8ab334c49eb42c67408a7f6222e9629d3b50fe71848a706caae5cc70e9fa6918ab9cfd6682d54f9cf157fceba1eb43b07e799
+  metadata.gz: c820990800d373b967614367b586645b377ee22184421cbbd9b1dfdc4a3e424192eccc5d89bc3d8b0fe163990ba29ece731c6a5a1340eb7021190d418c37a5b1
+  data.tar.gz: 1b2f323028acb15ca997d7050fc1d41df8ba05f926fee0c56345153ae1733ed1aa4d8706bb6614379d10e7e507c54ae51678ada2defef3b9c61f4e95ee2719e3

data/CHANGELOG.md

@@ -1,3 +1,16 @@
+*   Default translations that have a lower precidence than an html safe default,
+    but are not themselves safe, should not be marked as html_safe.
+
+    *Justin Coyne*
+
+*   Added an explicit error message, in `ActionView::PartialRenderer`
+    for partial `rendering`, when the value of option `as` has invalid characters.
+
+    *Angelo Capilleri*
+
+
+## Rails 4.2.0 (December 20, 2014) ##
+
 *   Local variable in a partial is now available even if a falsy value is
     passed to `:object` when rendering a partial.
 

data/lib/action_view/gem_version.rb

@@ -7,8 +7,8 @@ module ActionView
   module VERSION
     MAJOR = 4
     MINOR = 2
-    TINY  = 0
-    PRE   = nil
+    TINY  = 1
+    PRE   = "rc1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

data/lib/action_view/helpers/cache_helper.rb

@@ -122,7 +122,7 @@ module ActionView
 
       # Cache fragments of a view if +condition+ is true
       #
-      #   <%= cache_if admin?, project do %>
+      #   <% cache_if admin?, project do %>
       #     <b>All the topics on this project</b>
       #     <%= render project.topics %>
       #   <% end %>
@@ -138,7 +138,7 @@ module ActionView
 
       # Cache fragments of a view unless +condition+ is true
       #
-      #   <%= cache_unless admin?, project do %>
+      #   <% cache_unless admin?, project do %>
       #     <b>All the topics on this project</b>
       #     <%= render project.topics %>
       #   <% end %>

data/lib/action_view/helpers/form_helper.rb

@@ -1206,11 +1206,11 @@ module ActionView
             object_name = model_name_from_record_or_class(object).param_key
           end
 
-          builder = options[:builder] || default_form_builder
+          builder = options[:builder] || default_form_builder_class
           builder.new(object_name, object, self, options)
         end
 
-        def default_form_builder
+        def default_form_builder_class
           builder = ActionView::Base.default_form_builder
           builder.respond_to?(:constantize) ? builder.constantize : builder
         end

data/lib/action_view/helpers/form_tag_helper.rb

@@ -84,14 +84,13 @@ module ActionView
       # * <tt>:disabled</tt> - If set to true, the user will not be able to use this input.
       # * <tt>:include_blank</tt> - If set to true, an empty option will be created. If set to a string, the string will be used as the option's content and the value will be empty.
       # * <tt>:prompt</tt> - Create a prompt option with blank value and the text asking user to select something.
-      # * <tt>:selected</tt> - Provide a default selected value. It should be of the exact type as the provided options.
       # * Any other key creates standard HTML attributes for the tag.
       #
       # ==== Examples
       #   select_tag "people", options_from_collection_for_select(@people, "id", "name")
       #   # <select id="people" name="people"><option value="1">David</option></select>
       #
-      #   select_tag "people", options_from_collection_for_select(@people, "id", "name"), selected: ["1", "David"]
+      #   select_tag "people", options_from_collection_for_select(@people, "id", "name", "1")
       #   # <select id="people" name="people"><option value="1" selected="selected">David</option></select>
       #
       #   select_tag "people", "<option>David</option>".html_safe

data/lib/action_view/helpers/sanitize_helper.rb

@@ -9,76 +9,77 @@ module ActionView
     # These helper methods extend Action View making them callable within your template files.
     module SanitizeHelper
       extend ActiveSupport::Concern
-      # This +sanitize+ helper will HTML encode all tags and strip all attributes that
-      # aren't specifically allowed.
+      # Sanitizes HTML input, stripping all tags and attributes that aren't whitelisted.
       #
-      # It also strips href/src tags with invalid protocols, like javascript: especially.
-      # It does its best to counter any  tricks that hackers may use, like throwing in
-      # unicode/ascii/hex values to get past the javascript: filters. Check out
-      # the extensive test suite.
+      # It also strips href/src attributes with unsafe protocols like
+      # <tt>javascript:</tt>, while also protecting against attempts to use Unicode,
+      # ASCII, and hex character references to work around these protocol filters.
       #
-      #   <%= sanitize @article.body %>
+      # The default sanitizer is Rails::Html::WhiteListSanitizer. See {Rails HTML
+      # Sanitizers}[https://github.com/rails/rails-html-sanitizer] for more information.
       #
-      # You can add or remove tags/attributes if you want to customize it a bit.
-      # See ActionView::Base for full docs on the available options. You can add
-      # tags/attributes for single uses of +sanitize+ by passing either the
-      # <tt>:attributes</tt> or <tt>:tags</tt> options:
+      # Custom sanitization rules can also be provided.
       #
-      # Normal Use
-      #
-      #   <%= sanitize @article.body %>
+      # Please note that sanitizing user-provided text does not guarantee that the
+      # resulting markup is valid or even well-formed. For example, the output may still
+      # contain unescaped characters like <tt><</tt>, <tt>></tt>, or <tt>&</tt>.
       #
-      # Custom Use - Custom Scrubber
-      # (supply a Loofah::Scrubber that does the sanitization)
+      # ==== Options
       #
-      # scrubber can either wrap a block:
-      # scrubber = Loofah::Scrubber.new do |node|
-      #   node.text = "dawn of cats"
-      # end
+      # * <tt>:tags</tt> - An array of allowed tags.
+      # * <tt>:attributes</tt> - An array of allowed attributes.
+      # * <tt>:scrubber</tt> - A {Rails::Html scrubber}[https://github.com/rails/rails-html-sanitizer]
+      #   or {Loofah::Scrubber}[https://github.com/flavorjones/loofah] object that
+      #   defines custom sanitization rules. A custom scrubber takes precedence over
+      #   custom tags and attributes.
       #
-      # or be a subclass of Loofah::Scrubber which responds to scrub:
-      # class KittyApocalypse < Loofah::Scrubber
-      #   def scrub(node)
-      #     node.text = "dawn of cats"
-      #   end
-      # end
-      # scrubber = KittyApocalypse.new
+      # ==== Examples
       #
-      # <%= sanitize @article.body, scrubber: scrubber %>
+      # Normal use:
       #
-      # A custom scrubber takes precedence over custom tags and attributes
-      # Learn more about scrubbers here: https://github.com/flavorjones/loofah
+      #   <%= sanitize @comment.body %>
       #
-      # Custom Use - tags and attributes
-      # (only the mentioned tags and attributes are allowed, nothing else)
+      # Providing custom whitelisted tags and attributes:
       #
-      #   <%= sanitize @article.body, tags: %w(table tr td), attributes: %w(id class style) %>
+      #   <%= sanitize @comment.body, tags: %w(strong em a), attributes: %w(href) %>
       #
-      # Add table tags to the default allowed tags
+      # Providing a custom Rails::Html scrubber:
       #
-      #   class Application < Rails::Application
-      #     config.action_view.sanitized_allowed_tags = ['table', 'tr', 'td']
-      #   end
+      #   class CommentScrubber < Rails::Html::PermitScrubber
+      #     def allowed_node?(node)
+      #       !%w(form script comment blockquote).include?(node.name)
+      #     end
       #
-      # Remove tags to the default allowed tags
+      #     def skip_node?(node)
+      #       node.text?
+      #     end
       #
-      #   class Application < Rails::Application
-      #     config.after_initialize do
-      #       ActionView::Base.sanitized_allowed_tags.delete 'div'
+      #     def scrub_attribute?(name)
+      #       name == 'style'
       #     end
       #   end
       #
-      # Change allowed default attributes
+      #   <%= sanitize @comment.body, scrubber: CommentScrubber.new %>
+      #
+      # See {Rails HTML Sanitizer}[https://github.com/rails/rails-html-sanitizer] for
+      # documentation about Rails::Html scrubbers.
       #
-      #   class Application < Rails::Application
-      #     config.action_view.sanitized_allowed_attributes = ['id', 'class', 'style']
+      # Providing a custom Loofah::Scrubber:
+      #
+      #   scrubber = Loofah::Scrubber.new do |node|
+      #     node.remove if node.name == 'script'
       #   end
       #
-      # Please note that sanitizing user-provided text does not guarantee that the
-      # resulting markup is valid (conforming to a document type) or even well-formed.
-      # The output may still contain e.g. unescaped '<', '>', '&' characters and
-      # confuse browsers.
+      #   <%= sanitize @comment.body, scrubber: scrubber %>
+      #
+      # See {Loofah's documentation}[https://github.com/flavorjones/loofah] for more
+      # information about defining custom Loofah::Scrubber objects.
       #
+      # To set the default allowed tags or attributes across your application:
+      #
+      #   # In config/application.rb
+      #   config.action_view.sanitized_allowed_tags = ['strong', 'em', 'a']
+      #   config.action_view.sanitized_allowed_attributes = ['href', 'title']
       def sanitize(html, options = {})
         self.class.white_list_sanitizer.sanitize(html, options).try(:html_safe)
       end
@@ -88,9 +89,7 @@ module ActionView
         self.class.white_list_sanitizer.sanitize_css(style)
       end
 
-      # Strips all HTML tags from the +html+, including comments. This uses
-      # Nokogiri for tokenization (via Loofah) and so its HTML parsing ability
-      # is limited by that of Nokogiri.
+      # Strips all HTML tags from +html+, including comments.
       #
       #   strip_tags("Strip <i>these</i> tags!")
       #   # => Strip these tags!
@@ -104,7 +103,7 @@ module ActionView
         self.class.full_sanitizer.sanitize(html)
       end
 
-      # Strips all link tags from +text+ leaving just the link text.
+      # Strips all link tags from +html+ leaving just the link text.
       #
       #   strip_links('<a href="http://www.rubyonrails.org">Ruby on Rails</a>')
       #   # => Ruby on Rails
@@ -167,30 +166,6 @@ module ActionView
         def white_list_sanitizer
           @white_list_sanitizer ||= sanitizer_vendor.white_list_sanitizer.new
         end
-
-        ##
-        # :method: sanitized_allowed_tags=
-        #
-        # :call-seq: sanitized_allowed_tags=(tags)
-        #
-        # Replaces the allowed tags for the +sanitize+ helper.
-        #
-        #   class Application < Rails::Application
-        #     config.action_view.sanitized_allowed_tags = ['table', 'tr', 'td']
-        #   end
-        #
-
-        ##
-        # :method: sanitized_allowed_attributes=
-        #
-        # :call-seq: sanitized_allowed_attributes=(attributes)
-        #
-        # Replaces the allowed HTML attributes for the +sanitize+ helper.
-        #
-        #   class Application < Rails::Application
-        #     config.action_view.sanitized_allowed_attributes = ['onclick', 'longdesc']
-        #   end
-        #
       end
     end
   end

data/lib/action_view/helpers/tags.rb

@@ -5,6 +5,7 @@ module ActionView
 
       eager_autoload do
         autoload :Base
+        autoload :Translator
         autoload :CheckBox
         autoload :CollectionCheckBoxes
         autoload :CollectionRadioButtons

data/lib/action_view/helpers/tags/base.rb

@@ -32,12 +32,19 @@ module ActionView
           unless object.nil?
             method_before_type_cast = @method_name + "_before_type_cast"
 
-            object.respond_to?(method_before_type_cast) ?
-              object.send(method_before_type_cast) :
+            if value_came_from_user?(object) && object.respond_to?(method_before_type_cast)
+              object.public_send(method_before_type_cast)
+            else
               value(object)
+            end
           end
         end
 
+        def value_came_from_user?(object)
+          method_name = "#{@method_name}_came_from_user?"
+          !object.respond_to?(method_name) || object.public_send(method_name)
+        end
+
         def retrieve_object(object)
           if object
             object

data/lib/action_view/helpers/tags/label.rb

@@ -15,20 +15,10 @@ module ActionView
 
           def translation
             method_and_value = @tag_value.present? ? "#{@method_name}.#{@tag_value}" : @method_name
-            @object_name.gsub!(/\[(.*)_attributes\]\[\d+\]/, '.\1')
-
-            if object.respond_to?(:to_model)
-              key = object.model_name.i18n_key
-              i18n_default = ["#{key}.#{method_and_value}".to_sym, ""]
-            end
-
-            i18n_default ||= ""
-            content = I18n.t("#{@object_name}.#{method_and_value}", :default => i18n_default, :scope => "helpers.label").presence
-
-            content ||= if object && object.class.respond_to?(:human_attribute_name)
-                          object.class.human_attribute_name(method_and_value)
-                        end
 
+            content ||= Translator
+              .new(object, @object_name, method_and_value, "helpers.label")
+              .translate
             content ||= @method_name.humanize
 
             content

data/lib/action_view/helpers/tags/placeholderable.rb

@@ -7,24 +7,12 @@ module ActionView
 
           if tag_value = @options[:placeholder]
             placeholder = tag_value if tag_value.is_a?(String)
-
-            object_name = @object_name.gsub(/\[(.*)_attributes\]\[\d+\]/, '.\1')
             method_and_value = tag_value.is_a?(TrueClass) ? @method_name : "#{@method_name}.#{tag_value}"
 
-            if object.respond_to?(:to_model)
-              key = object.class.model_name.i18n_key
-              i18n_default = ["#{key}.#{method_and_value}".to_sym, ""]
-            end
-
-            i18n_default ||= ""
-            placeholder ||= I18n.t("#{object_name}.#{method_and_value}", :default => i18n_default, :scope => "helpers.placeholder").presence
-
-            placeholder ||= if object && object.class.respond_to?(:human_attribute_name)
-                          object.class.human_attribute_name(method_and_value)
-                        end
-
+            placeholder ||= Tags::Translator
+              .new(object, @object_name, method_and_value, "helpers.placeholder")
+              .translate
             placeholder ||= @method_name.humanize
-
             @options[:placeholder] = placeholder
           end
         end

data/lib/action_view/helpers/tags/search_field.rb

@@ -3,20 +3,18 @@ module ActionView
     module Tags # :nodoc:
       class SearchField < TextField # :nodoc:
         def render
-          options = @options.stringify_keys
-
-          if options["autosave"]
-            if options["autosave"] == true
-              options["autosave"] = request.host.split(".").reverse.join(".")
+          super do |options|
+            if options["autosave"]
+              if options["autosave"] == true
+                options["autosave"] = request.host.split(".").reverse.join(".")
+              end
+              options["results"] ||= 10
             end
-            options["results"] ||= 10
-          end
 
-          if options["onsearch"]
-            options["incremental"] = true unless options.has_key?("incremental")
+            if options["onsearch"]
+              options["incremental"] = true unless options.has_key?("incremental")
+            end
           end
-
-          super
         end
       end
     end

data/lib/action_view/helpers/tags/text_field.rb

@@ -11,6 +11,7 @@ module ActionView
           options["size"] = options["maxlength"] unless options.key?("size")
           options["type"] ||= field_type
           options["value"] = options.fetch("value") { value_before_type_cast(object) } unless field_type == "file"
+          yield options if block_given?
           add_default_name_and_id(options)
           tag("input", options)
         end

data/lib/action_view/helpers/tags/translator.rb

@@ -0,0 +1,40 @@
+module ActionView
+  module Helpers
+    module Tags # :nodoc:
+      class Translator # :nodoc:
+        def initialize(object, object_name, method_and_value, scope)
+          @object_name = object_name.gsub(/\[(.*)_attributes\]\[\d+\]/, '.\1')
+          @method_and_value = method_and_value
+          @scope = scope
+          @model = object.respond_to?(:to_model) ? object.to_model : nil
+        end
+
+        def translate
+          translated_attribute = I18n.t("#{object_name}.#{method_and_value}", default: i18n_default, scope: scope).presence
+          translated_attribute || human_attribute_name
+        end
+
+        protected
+
+        attr_reader :object_name, :method_and_value, :scope, :model
+
+        private
+
+        def i18n_default
+          if model
+            key = model.model_name.i18n_key
+            ["#{key}.#{method_and_value}".to_sym, ""]
+          else
+            ""
+          end
+        end
+
+        def human_attribute_name
+          if model && model.class.respond_to?(:human_attribute_name)
+            model.class.human_attribute_name(method_and_value)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/action_view/helpers/translation_helper.rb

@@ -37,14 +37,17 @@ module ActionView
       # you know what kind of output to expect when you call translate in a template.
       def translate(key, options = {})
         options = options.dup
-        options[:default] = wrap_translate_defaults(options[:default]) if options[:default]
+        remaining_defaults = Array(options.delete(:default))
+        options[:default] = remaining_defaults.shift if remaining_defaults.first.kind_of? String
 
-        # If the user has specified rescue_format then pass it all through, otherwise use
-        # raise and do the work ourselves
-        options[:raise] ||= ActionView::Base.raise_on_missing_translations
-
-        raise_error = options[:raise] || options.key?(:rescue_format)
-        unless raise_error
+        # If the user has explicitly decided to NOT raise errors, pass that option to I18n.
+        # Otherwise, tell I18n to raise an exception, which we rescue further in this method.
+        # Note: `raise_error` refers to us re-raising the error in this method. I18n is forced to raise by default.
+        if options[:raise] == false || (options.key?(:rescue_format) && options[:rescue_format].nil?)
+          raise_error = false
+          options[:raise] = false
+        else
+          raise_error = options[:raise] || options[:rescue_format] || ActionView::Base.raise_on_missing_translations
           options[:raise] = true
         end
 
@@ -62,10 +65,14 @@ module ActionView
           I18n.translate(scope_key_by_partial(key), options)
         end
       rescue I18n::MissingTranslationData => e
-        raise e if raise_error
+        if remaining_defaults.present?
+          translate remaining_defaults.shift, options.merge(default: remaining_defaults)
+        else
+          raise e if raise_error
 
-        keys = I18n.normalize_keys(e.locale, e.key, e.options[:scope])
-        content_tag('span', keys.last.to_s.titleize, :class => 'translation_missing', :title => "translation missing: #{keys.join('.')}")
+          keys = I18n.normalize_keys(e.locale, e.key, e.options[:scope])
+          content_tag('span', keys.last.to_s.titleize, :class => 'translation_missing', :title => "translation missing: #{keys.join('.')}")
+        end
       end
       alias :t :translate
 
@@ -94,21 +101,6 @@ module ActionView
         def html_safe_translation_key?(key)
           key.to_s =~ /(\b|_|\.)html$/
         end
-
-        def wrap_translate_defaults(defaults)
-          new_defaults = []
-          defaults     = Array(defaults)
-          while key = defaults.shift
-            if key.is_a?(Symbol)
-              new_defaults << lambda { |_, options| translate key, options.merge(:default => defaults) }
-              break
-            else
-              new_defaults << key
-            end
-          end
-
-          new_defaults
-        end
     end
   end
 end

data/lib/action_view/renderer/partial_renderer.rb

@@ -384,7 +384,7 @@ module ActionView
       end
 
       if as = options[:as]
-        raise_invalid_identifier(as) unless as.to_s =~ /\A[a-z_]\w*\z/
+        raise_invalid_option_as(as) unless as.to_s =~ /\A[a-z_]\w*\z/
         as = as.to_sym
       end
 
@@ -530,11 +530,19 @@ module ActionView
     end
 
     IDENTIFIER_ERROR_MESSAGE = "The partial name (%s) is not a valid Ruby identifier; " +
-                               "make sure your partial name starts with a lowercase letter or underscore, " +
+                               "make sure your partial name starts with underscore, " +
+                               "and is followed by any combination of letters, numbers and underscores."
+
+    OPTION_AS_ERROR_MESSAGE  = "The value (%s) of the option `as` is not a valid Ruby identifier; " +
+                               "make sure it starts with lowercase letter, " +
                                "and is followed by any combination of letters, numbers and underscores."
 
     def raise_invalid_identifier(path)
       raise ArgumentError.new(IDENTIFIER_ERROR_MESSAGE % (path))
     end
+
+    def raise_invalid_option_as(as)
+      raise ArgumentError.new(OPTION_AS_ERROR_MESSAGE % (as))
+    end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionview
 version: !ruby/object:Gem::Version
-  version: 4.2.0
+  version: 4.2.1.rc1
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-12-20 00:00:00.000000000 Z
+date: 2015-02-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.2.0
+        version: 4.2.1.rc1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.2.0
+        version: 4.2.1.rc1
 - !ruby/object:Gem::Dependency
   name: builder
   requirement: !ruby/object:Gem::Requirement
@@ -98,28 +98,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.2.0
+        version: 4.2.1.rc1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.2.0
+        version: 4.2.1.rc1
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.2.0
+        version: 4.2.1.rc1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 4.2.0
+        version: 4.2.1.rc1
 description: Simple, battle-tested conventions and helpers for building web pages.
 email: david@loudthinking.com
 executables: []
@@ -191,6 +191,7 @@ files:
 - lib/action_view/helpers/tags/time_field.rb
 - lib/action_view/helpers/tags/time_select.rb
 - lib/action_view/helpers/tags/time_zone_select.rb
+- lib/action_view/helpers/tags/translator.rb
 - lib/action_view/helpers/tags/url_field.rb
 - lib/action_view/helpers/tags/week_field.rb
 - lib/action_view/helpers/text_helper.rb
@@ -241,13 +242,13 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 1.9.3
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements:
 - none
 rubyforge_project: 
-rubygems_version: 2.2.2
+rubygems_version: 2.4.5
 signing_key: 
 specification_version: 4
 summary: Rendering framework putting the V in MVC (part of Rails).