RubyGems - actionview - Versions diffs - 5.2.0.rc1 → 5.2.0.rc2 - Mend

actionview 5.2.0.rc1 → 5.2.0.rc2

Potentially problematic release.

This version of actionview might be problematic. Click here for more details.

Files changed (13) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +11 -2
data/README.rdoc +1 -1
data/lib/action_view/digestor.rb +2 -4
data/lib/action_view/gem_version.rb +1 -1
data/lib/action_view/helpers.rb +2 -0
data/lib/action_view/helpers/asset_tag_helper.rb +1 -1
data/lib/action_view/helpers/csp_helper.rb +24 -0
data/lib/action_view/helpers/debug_helper.rb +1 -1
data/lib/action_view/helpers/form_tag_helper.rb +2 -1
data/lib/action_view/helpers/javascript_helper.rb +11 -0
data/lib/assets/compiled/rails-ujs.js +13 -2
metadata +12 -11

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7546a7966a4112a3dc5a0145fd071e37c819723d2153c0fe153a6a50511ff5a7
-  data.tar.gz: f92dc57125505c479d7107817ae59aedd14a37e28a4078777a78fb968c77a5ee
+  metadata.gz: 1de19c8d96db2fc6a2999f264678d34f5c0705ffdc4d26dce33b20213c081b48
+  data.tar.gz: 93b4c29e7bc979064ef651e8d472c430280868cc8593cafdab25755325e1ca02
 SHA512:
-  metadata.gz: cc5caf199d1c8d187c3835ba18fe1d874d6dbbf537cc6046f52f7b7dc8c5407539450d6cae37cc352e580b261cded9c3c9695f79eff81a6190dd0c80cd99e570
-  data.tar.gz: ea54f7079224d349df20dd66aa8de28e7c4af61059646ecc93d1c630ef53a678cc8e9ac650ab945049a6f3b856397008ad98defe51ed9c6d83d191595d7d8f62
+  metadata.gz: b4539104410cef4c14021f818e6ec147c5fc7704588e951fa9e3a145d6e4e79ac62124117412b21b9a4611382bd3beece39ee3a68835b3ad70de8adae3e69031
+  data.tar.gz: c0a7d7f51dafeeb49cf2a1f373e89e72a1f8bd45b167da622bfd3a5f61afc08949473e9503c922d40b560300795567325985e2af4abf07f8d7fb5ab42502e6c8

data/CHANGELOG.md CHANGED

@@ -1,3 +1,12 @@
+## Rails 5.2.0.rc2 (March 20, 2018) ##
+*   Pass the `:skip_pipeline` option in `image_submit_tag` when calling `path_to_image`.
+    Fixes #32248.
+    *Andrew White*
 ## Rails 5.2.0.rc1 (January 30, 2018) ##
 *   Allow the use of callable objects as group methods for grouped selects.
@@ -8,7 +17,7 @@
     *Jérémie Bonal*
-*   Add `preload_link_tag` helper
+*   Add `preload_link_tag` helper.
     This helper that allows to the browser to initiate early fetch of resources
     (different to the specified in `javascript_include_tag` and `stylesheet_link_tag`).
@@ -68,7 +77,7 @@
     *Yuji Yaginuma*
-*   Add `:json` type to `auto_discovery_link_tag` to support [JSON Feeds](https://jsonfeed.org/version/1)
+*   Add `:json` type to `auto_discovery_link_tag` to support [JSON Feeds](https://jsonfeed.org/version/1).
     *Mike Gunderloy*

data/README.rdoc CHANGED

@@ -13,7 +13,7 @@ The latest version of Action View can be installed with RubyGems:
 Source code can be downloaded as part of the Rails project on GitHub:
-* https://github.com/rails/rails/tree/master/actionview
+* https://github.com/rails/rails/tree/5-2-stable/actionview
 == License

data/lib/action_view/digestor.rb CHANGED

@@ -45,11 +45,9 @@ module ActionView
       # Create a dependency tree for template named +name+.
       def tree(name, finder, partial = false, seen = {})
         logical_name = name.gsub(%r|/_|, "/")
+        finder.formats = [finder.rendered_format] if finder.rendered_format
-        options = {}
-        options[:formats] = [finder.rendered_format] if finder.rendered_format
-        if template = finder.disable_cache { finder.find_all(logical_name, [], partial, [], options).first }
+        if template = finder.disable_cache { finder.find_all(logical_name, [], partial, []).first }
           finder.rendered_format ||= template.formats.first
           if node = seen[template.identifier] # handle cycles in the tree

data/lib/action_view/gem_version.rb CHANGED

@@ -10,7 +10,7 @@ module ActionView
     MAJOR = 5
     MINOR = 2
     TINY  = 0
-    PRE   = "rc1"
+    PRE   = "rc2"
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end

data/lib/action_view/helpers.rb CHANGED

@@ -13,6 +13,7 @@ module ActionView #:nodoc:
     autoload :CacheHelper
     autoload :CaptureHelper
     autoload :ControllerHelper
+    autoload :CspHelper
     autoload :CsrfHelper
     autoload :DateHelper
     autoload :DebugHelper
@@ -46,6 +47,7 @@ module ActionView #:nodoc:
     include CacheHelper
     include CaptureHelper
     include ControllerHelper
+    include CspHelper
     include CsrfHelper
     include DateHelper
     include DebugHelper

data/lib/action_view/helpers/asset_tag_helper.rb CHANGED

@@ -133,7 +133,7 @@ module ActionView
         sources_tags = sources.uniq.map { |source|
           href = path_to_stylesheet(source, path_options)
-          early_hints_links << "<#{href}>; rel=preload; as=stylesheet"
+          early_hints_links << "<#{href}>; rel=preload; as=style"
           tag_options = {
             "rel" => "stylesheet",
             "media" => "screen",

data/lib/action_view/helpers/csp_helper.rb ADDED

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+module ActionView
+  # = Action View CSP Helper
+  module Helpers #:nodoc:
+    module CspHelper
+      # Returns a meta tag "csp-nonce" with the per-session nonce value
+      # for allowing inline <script> tags.
+      #
+      #   <head>
+      #     <%= csp_meta_tag %>
+      #   </head>
+      #
+      # This is used by the Rails UJS helper to create dynamically
+      # loaded inline <script> elements.
+      #
+      def csp_meta_tag
+        if content_security_policy?
+          tag("meta", name: "csp-nonce", content: content_security_policy_nonce)
+        end
+      end
+    end
+  end
+end

data/lib/action_view/helpers/debug_helper.rb CHANGED

@@ -24,7 +24,7 @@ module ActionView
       #     created_at:
       #   </pre>
       def debug(object)
-        Marshal::dump(object)
+        Marshal.dump(object)
         object = ERB::Util.html_escape(object.to_yaml)
         content_tag(:pre, object, class: "debug_dump")
       rescue # errors from Marshal or YAML

data/lib/action_view/helpers/form_tag_helper.rb CHANGED

@@ -549,7 +549,8 @@ module ActionView
       #   # => <input src="/assets/save.png" data-confirm="Are you sure?" type="image" />
       def image_submit_tag(source, options = {})
         options = options.stringify_keys
-        tag :input, { "type" => "image", "src" => path_to_image(source) }.update(options)
+        src = path_to_image(source, skip_pipeline: options.delete("skip_pipeline"))
+        tag :input, { "type" => "image", "src" => src }.update(options)
       end
       # Creates a field set for grouping HTML form elements.

data/lib/action_view/helpers/javascript_helper.rb CHANGED

@@ -63,6 +63,13 @@ module ActionView
       #   <%= javascript_tag defer: 'defer' do -%>
       #     alert('All is good')
       #   <% end -%>
+      #
+      # If you have a content security policy enabled then you can add an automatic
+      # nonce value by passing +nonce: true+ as part of +html_options+. Example:
+      #
+      #   <%= javascript_tag nonce: true do -%>
+      #     alert('All is good')
+      #   <% end -%>
       def javascript_tag(content_or_options_with_block = nil, html_options = {}, &block)
         content =
           if block_given?
@@ -72,6 +79,10 @@ module ActionView
             content_or_options_with_block
           end
+        if html_options[:nonce] == true
+          html_options[:nonce] = content_security_policy_nonce
+        end
         content_tag("script".freeze, javascript_cdata_section(content), html_options)
       end

data/lib/assets/compiled/rails-ujs.js CHANGED

@@ -31,6 +31,16 @@ Released under the MIT license
   var Rails = context.Rails;
   (function() {
+    (function() {
+      var cspNonce;
+      cspNonce = Rails.cspNonce = function() {
+        var meta;
+        meta = document.querySelector('meta[name=csp-nonce]');
+        return meta && meta.content;
+      };
+    }).call(this);
     (function() {
       var expando, m;
@@ -164,9 +174,9 @@ Released under the MIT license
     }).call(this);
     (function() {
-      var AcceptHeaders, CSRFProtection, createXHR, fire, prepareOptions, processResponse;
+      var AcceptHeaders, CSRFProtection, createXHR, cspNonce, fire, prepareOptions, processResponse;
-      CSRFProtection = Rails.CSRFProtection, fire = Rails.fire;
+      cspNonce = Rails.cspNonce, CSRFProtection = Rails.CSRFProtection, fire = Rails.fire;
       AcceptHeaders = {
         '*': '*/*',
@@ -252,6 +262,7 @@ Released under the MIT license
             } catch (error) {}
           } else if (type.match(/\b(?:java|ecma)script\b/)) {
             script = document.createElement('script');
+            script.nonce = cspNonce();
             script.text = response;
             document.head.appendChild(script).parentNode.removeChild(script);
           } else if (type.match(/\b(xml|html|svg)\b/)) {

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: actionview
 version: !ruby/object:Gem::Version
-  version: 5.2.0.rc1
+  version: 5.2.0.rc2
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-01-30 00:00:00.000000000 Z
+date: 2018-03-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.0.rc1
+        version: 5.2.0.rc2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.0.rc1
+        version: 5.2.0.rc2
 - !ruby/object:Gem::Dependency
   name: builder
   requirement: !ruby/object:Gem::Requirement
@@ -92,28 +92,28 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.0.rc1
+        version: 5.2.0.rc2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.0.rc1
+        version: 5.2.0.rc2
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.0.rc1
+        version: 5.2.0.rc2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 5.2.0.rc1
+        version: 5.2.0.rc2
 description: Simple, battle-tested conventions and helpers for building web pages.
 email: david@loudthinking.com
 executables: []
@@ -139,6 +139,7 @@ files:
 - lib/action_view/helpers/cache_helper.rb
 - lib/action_view/helpers/capture_helper.rb
 - lib/action_view/helpers/controller_helper.rb
+- lib/action_view/helpers/csp_helper.rb
 - lib/action_view/helpers/csrf_helper.rb
 - lib/action_view/helpers/date_helper.rb
 - lib/action_view/helpers/debug_helper.rb
@@ -229,8 +230,8 @@ homepage: http://rubyonrails.org
 licenses:
 - MIT
 metadata:
-  source_code_uri: https://github.com/rails/rails/tree/v5.2.0.rc1/actionview
-  changelog_uri: https://github.com/rails/rails/blob/v5.2.0.rc1/actionview/CHANGELOG.md
+  source_code_uri: https://github.com/rails/rails/tree/v5.2.0.rc2/actionview
+  changelog_uri: https://github.com/rails/rails/blob/v5.2.0.rc2/actionview/CHANGELOG.md
 post_install_message:
 rdoc_options: []
 require_paths:
@@ -248,7 +249,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements:
 - none
 rubyforge_project:
-rubygems_version: 2.7.3
+rubygems_version: 2.7.6
 signing_key:
 specification_version: 4
 summary: Rendering framework putting the V in MVC (part of Rails).