activesupport 7.0.4 → 7.1.3.4

data/lib/active_support/core_ext/string/output_safety.rb

@@ -1,151 +1,8 @@
 # frozen_string_literal: true
 
-require "erb"
-require "active_support/core_ext/module/redefine_method"
+require "active_support/core_ext/erb/util"
 require "active_support/multibyte/unicode"
 
-class ERB
-  module Util
-    HTML_ESCAPE = { "&" => "&amp;",  ">" => "&gt;",   "<" => "&lt;", '"' => "&quot;", "'" => "&#39;" }
-    JSON_ESCAPE = { "&" => '\u0026', ">" => '\u003e', "<" => '\u003c', "\u2028" => '\u2028', "\u2029" => '\u2029' }
-    HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+)|(#[xX][\dA-Fa-f]+));)/
-    JSON_ESCAPE_REGEXP = /[\u2028\u2029&><]/u
-
-    # Following XML requirements: https://www.w3.org/TR/REC-xml/#NT-Name
-    TAG_NAME_START_REGEXP_SET = "@:A-Z_a-z\u{C0}-\u{D6}\u{D8}-\u{F6}\u{F8}-\u{2FF}\u{370}-\u{37D}\u{37F}-\u{1FFF}" \
-                                "\u{200C}-\u{200D}\u{2070}-\u{218F}\u{2C00}-\u{2FEF}\u{3001}-\u{D7FF}\u{F900}-\u{FDCF}" \
-                                "\u{FDF0}-\u{FFFD}\u{10000}-\u{EFFFF}"
-    TAG_NAME_START_REGEXP = /[^#{TAG_NAME_START_REGEXP_SET}]/
-    TAG_NAME_FOLLOWING_REGEXP = /[^#{TAG_NAME_START_REGEXP_SET}\-.0-9\u{B7}\u{0300}-\u{036F}\u{203F}-\u{2040}]/
-    TAG_NAME_REPLACEMENT_CHAR = "_"
-
-    # A utility method for escaping HTML tag characters.
-    # This method is also aliased as <tt>h</tt>.
-    #
-    #   puts html_escape('is a > 0 & a < 10?')
-    #   # => is a &gt; 0 &amp; a &lt; 10?
-    def html_escape(s)
-      unwrapped_html_escape(s).html_safe
-    end
-
-    silence_redefinition_of_method :h
-    alias h html_escape
-
-    module_function :h
-
-    singleton_class.silence_redefinition_of_method :html_escape
-    module_function :html_escape
-
-    # HTML escapes strings but doesn't wrap them with an ActiveSupport::SafeBuffer.
-    # This method is not for public consumption! Seriously!
-    def unwrapped_html_escape(s) # :nodoc:
-      s = s.to_s
-      if s.html_safe?
-        s
-      else
-        CGI.escapeHTML(ActiveSupport::Multibyte::Unicode.tidy_bytes(s))
-      end
-    end
-    module_function :unwrapped_html_escape
-
-    # A utility method for escaping HTML without affecting existing escaped entities.
-    #
-    #   html_escape_once('1 < 2 &amp; 3')
-    #   # => "1 &lt; 2 &amp; 3"
-    #
-    #   html_escape_once('&lt;&lt; Accept & Checkout')
-    #   # => "&lt;&lt; Accept &amp; Checkout"
-    def html_escape_once(s)
-      result = ActiveSupport::Multibyte::Unicode.tidy_bytes(s.to_s).gsub(HTML_ESCAPE_ONCE_REGEXP, HTML_ESCAPE)
-      s.html_safe? ? result.html_safe : result
-    end
-
-    module_function :html_escape_once
-
-    # A utility method for escaping HTML entities in JSON strings. Specifically, the
-    # &, > and < characters are replaced with their equivalent unicode escaped form -
-    # \u0026, \u003e, and \u003c. The Unicode sequences \u2028 and \u2029 are also
-    # escaped as they are treated as newline characters in some JavaScript engines.
-    # These sequences have identical meaning as the original characters inside the
-    # context of a JSON string, so assuming the input is a valid and well-formed
-    # JSON value, the output will have equivalent meaning when parsed:
-    #
-    #   json = JSON.generate({ name: "</script><script>alert('PWNED!!!')</script>"})
-    #   # => "{\"name\":\"</script><script>alert('PWNED!!!')</script>\"}"
-    #
-    #   json_escape(json)
-    #   # => "{\"name\":\"\\u003C/script\\u003E\\u003Cscript\\u003Ealert('PWNED!!!')\\u003C/script\\u003E\"}"
-    #
-    #   JSON.parse(json) == JSON.parse(json_escape(json))
-    #   # => true
-    #
-    # The intended use case for this method is to escape JSON strings before including
-    # them inside a script tag to avoid XSS vulnerability:
-    #
-    #   <script>
-    #     var currentUser = <%= raw json_escape(current_user.to_json) %>;
-    #   </script>
-    #
-    # It is necessary to +raw+ the result of +json_escape+, so that quotation marks
-    # don't get converted to <tt>&quot;</tt> entities. +json_escape+ doesn't
-    # automatically flag the result as HTML safe, since the raw value is unsafe to
-    # use inside HTML attributes.
-    #
-    # If your JSON is being used downstream for insertion into the DOM, be aware of
-    # whether or not it is being inserted via <tt>html()</tt>. Most jQuery plugins do this.
-    # If that is the case, be sure to +html_escape+ or +sanitize+ any user-generated
-    # content returned by your JSON.
-    #
-    # If you need to output JSON elsewhere in your HTML, you can just do something
-    # like this, as any unsafe characters (including quotation marks) will be
-    # automatically escaped for you:
-    #
-    #   <div data-user-info="<%= current_user.to_json %>">...</div>
-    #
-    # WARNING: this helper only works with valid JSON. Using this on non-JSON values
-    # will open up serious XSS vulnerabilities. For example, if you replace the
-    # +current_user.to_json+ in the example above with user input instead, the browser
-    # will happily <tt>eval()</tt> that string as JavaScript.
-    #
-    # The escaping performed in this method is identical to those performed in the
-    # Active Support JSON encoder when +ActiveSupport.escape_html_entities_in_json+ is
-    # set to true. Because this transformation is idempotent, this helper can be
-    # applied even if +ActiveSupport.escape_html_entities_in_json+ is already true.
-    #
-    # Therefore, when you are unsure if +ActiveSupport.escape_html_entities_in_json+
-    # is enabled, or if you are unsure where your JSON string originated from, it
-    # is recommended that you always apply this helper (other libraries, such as the
-    # JSON gem, do not provide this kind of protection by default; also some gems
-    # might override +to_json+ to bypass Active Support's encoder).
-    def json_escape(s)
-      result = s.to_s.gsub(JSON_ESCAPE_REGEXP, JSON_ESCAPE)
-      s.html_safe? ? result.html_safe : result
-    end
-
-    module_function :json_escape
-
-    # A utility method for escaping XML names of tags and names of attributes.
-    #
-    #   xml_name_escape('1 < 2 & 3')
-    #   # => "1___2___3"
-    #
-    # It follows the requirements of the specification: https://www.w3.org/TR/REC-xml/#NT-Name
-    def xml_name_escape(name)
-      name = name.to_s
-      return "" if name.blank?
-
-      starting_char = name[0].gsub(TAG_NAME_START_REGEXP, TAG_NAME_REPLACEMENT_CHAR)
-
-      return starting_char if name.size == 1
-
-      following_chars = name[1..-1].gsub(TAG_NAME_FOLLOWING_REGEXP, TAG_NAME_REPLACEMENT_CHAR)
-
-      starting_char + following_chars
-    end
-    module_function :xml_name_escape
-  end
-end
-
 class Object
   def html_safe?
     false
@@ -162,7 +19,7 @@ module ActiveSupport # :nodoc:
   class SafeBuffer < String
     UNSAFE_STRING_METHODS = %w(
       capitalize chomp chop delete delete_prefix delete_suffix
-      downcase lstrip next reverse rstrip scrub slice squeeze strip
+      downcase lstrip next reverse rstrip scrub squeeze strip
       succ swapcase tr tr_s unicode_normalize upcase
     )
 
@@ -174,7 +31,7 @@ module ActiveSupport # :nodoc:
     # Raised when ActiveSupport::SafeBuffer#safe_concat is called on unsafe buffers.
     class SafeConcatError < StandardError
       def initialize
-        super "Could not concatenate to the buffer because it is not html safe."
+        super "Could not concatenate to the buffer because it is not HTML safe."
       end
     end
 
@@ -184,13 +41,26 @@ module ActiveSupport # :nodoc:
 
         return unless new_string
 
-        new_safe_buffer = new_string.is_a?(SafeBuffer) ? new_string : SafeBuffer.new(new_string)
-        new_safe_buffer.instance_variable_set :@html_safe, true
-        new_safe_buffer
+        string_into_safe_buffer(new_string, true)
       else
         to_str[*args]
       end
     end
+    alias_method :slice, :[]
+
+    def slice!(*args)
+      new_string = super
+
+      return new_string if !html_safe? || new_string.nil?
+
+      string_into_safe_buffer(new_string, true)
+    end
+
+    def chr
+      return super unless html_safe?
+
+      string_into_safe_buffer(super, true)
+    end
 
     def safe_concat(value)
       raise SafeConcatError unless html_safe?
@@ -207,7 +77,10 @@ module ActiveSupport # :nodoc:
       @html_safe = other.html_safe?
     end
 
-    def clone_empty
+    def clone_empty # :nodoc:
+      ActiveSupport.deprecator.warn <<~EOM
+        ActiveSupport::SafeBuffer#clone_empty is deprecated and will be removed in Rails 7.2.
+      EOM
       self[0, 0]
     end
 
@@ -219,6 +92,10 @@ module ActiveSupport # :nodoc:
     end
     alias << concat
 
+    def bytesplice(*args, value)
+      super(*args, implicit_html_escape_interpolated_argument(value))
+    end
+
     def insert(index, value)
       super(index, implicit_html_escape_interpolated_argument(value))
     end
@@ -231,11 +108,11 @@ module ActiveSupport # :nodoc:
       super(implicit_html_escape_interpolated_argument(value))
     end
 
-    def []=(*args)
-      if args.length == 3
-        super(args[0], args[1], implicit_html_escape_interpolated_argument(args[2]))
+    def []=(arg1, arg2, arg3 = nil)
+      if arg3
+        super(arg1, arg2, implicit_html_escape_interpolated_argument(arg3))
       else
-        super(args[0], implicit_html_escape_interpolated_argument(args[1]))
+        super(arg1, implicit_html_escape_interpolated_argument(arg2))
       end
     end
 
@@ -243,7 +120,7 @@ module ActiveSupport # :nodoc:
       dup.concat(other)
     end
 
-    def *(*)
+    def *(_)
       new_string = super
       new_safe_buffer = new_string.is_a?(SafeBuffer) ? new_string : SafeBuffer.new(new_string)
       new_safe_buffer.instance_variable_set(:@html_safe, @html_safe)
@@ -261,9 +138,9 @@ module ActiveSupport # :nodoc:
       self.class.new(super(escaped_args))
     end
 
-    def html_safe?
-      defined?(@html_safe) && @html_safe
-    end
+    attr_reader :html_safe
+    alias_method :html_safe?, :html_safe
+    remove_method :html_safe
 
     def to_s
       self
@@ -328,22 +205,7 @@ module ActiveSupport # :nodoc:
         if !html_safe? || arg.html_safe?
           arg
         else
-          arg_string = begin
-            arg.to_str
-          rescue NoMethodError => error
-            if error.name == :to_str
-              str = arg.to_s
-              ActiveSupport::Deprecation.warn <<~MSG.squish
-                Implicit conversion of #{arg.class} into String by ActiveSupport::SafeBuffer
-                is deprecated and will be removed in Rails 7.1.
-                You must explicitly cast it to a String.
-              MSG
-              str
-            else
-              raise
-            end
-          end
-          CGI.escapeHTML(arg_string)
+          CGI.escapeHTML(arg.to_str)
         end
       end
 
@@ -352,6 +214,12 @@ module ActiveSupport # :nodoc:
       rescue ArgumentError
         # Can't create binding from C level Proc
       end
+
+      def string_into_safe_buffer(new_string, is_html_safe)
+        new_safe_buffer = new_string.is_a?(SafeBuffer) ? new_string : SafeBuffer.new(new_string)
+        new_safe_buffer.instance_variable_set :@html_safe, is_html_safe
+        new_safe_buffer
+      end
   end
 end
 

data/lib/active_support/core_ext/thread/backtrace/location.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+class Thread::Backtrace::Location # :nodoc:
+  if defined?(ErrorHighlight) && Gem::Version.new(ErrorHighlight::VERSION) >= Gem::Version.new("0.4.0")
+    def spot(ex)
+      ErrorHighlight.spot(ex, backtrace_location: self)
+    end
+  else
+    def spot(ex)
+    end
+  end
+end

data/lib/active_support/core_ext/time/calculations.rb

@@ -160,9 +160,25 @@ class Time
     elsif utc?
       ::Time.utc(new_year, new_month, new_day, new_hour, new_min, new_sec)
     elsif zone&.respond_to?(:utc_to_local)
-      ::Time.new(new_year, new_month, new_day, new_hour, new_min, new_sec, zone)
+      new_time = ::Time.new(new_year, new_month, new_day, new_hour, new_min, new_sec, zone)
+
+      # When there are two occurrences of a nominal time due to DST ending,
+      # `Time.new` chooses the first chronological occurrence (the one with a
+      # larger UTC offset). However, for `change`, we want to choose the
+      # occurrence that matches this time's UTC offset.
+      #
+      # If the new time's UTC offset is larger than this time's UTC offset, the
+      # new time might be a first chronological occurrence. So we add the offset
+      # difference to fast-forward the new time, and check if the result has the
+      # desired UTC offset (i.e. is the second chronological occurrence).
+      offset_difference = new_time.utc_offset - utc_offset
+      if offset_difference > 0 && (new_time_2 = new_time + offset_difference).utc_offset == utc_offset
+        new_time_2
+      else
+        new_time
+      end
     elsif zone
-      ::Time.local(new_year, new_month, new_day, new_hour, new_min, new_sec)
+      ::Time.local(new_sec, new_min, new_hour, new_day, new_month, new_year, nil, nil, isdst, nil)
     else
       ::Time.new(new_year, new_month, new_day, new_hour, new_min, new_sec, utc_offset)
     end
@@ -179,6 +195,10 @@ class Time
   #   Time.new(2015, 8, 1, 14, 35, 0).advance(hours: 1)   # => 2015-08-01 15:35:00 -0700
   #   Time.new(2015, 8, 1, 14, 35, 0).advance(days: 1)    # => 2015-08-02 14:35:00 -0700
   #   Time.new(2015, 8, 1, 14, 35, 0).advance(weeks: 1)   # => 2015-08-08 14:35:00 -0700
+  #
+  # Just like Date#advance, increments are applied in order of time units from
+  # largest to smallest. This order can affect the result around the end of a
+  # month.
   def advance(options)
     unless options[:weeks].nil?
       options[:weeks], partial_weeks = options[:weeks].divmod(1)

data/lib/active_support/core_ext/time/conversions.rb

@@ -54,12 +54,12 @@ class Time
     if formatter = DATE_FORMATS[format]
       formatter.respond_to?(:call) ? formatter.call(self).to_s : strftime(formatter)
     else
-      # Change to `to_s` when deprecation is gone. Also deprecate `to_default_s`.
-      to_default_s
+      to_s
     end
   end
   alias_method :to_formatted_s, :to_fs
   alias_method :to_default_s, :to_s
+  deprecate to_default_s: :to_s, deprecator: ActiveSupport.deprecator
 
   # Returns a formatted string of the offset from UTC, or an alternative
   # string if the time zone is already UTC.

data/lib/active_support/core_ext/time/zones.rb

@@ -19,10 +19,10 @@ class Time
     #
     # This method accepts any of the following:
     #
-    # * A Rails TimeZone object.
-    # * An identifier for a Rails TimeZone object (e.g., "Eastern Time (US & Canada)", <tt>-5.hours</tt>).
-    # * A <tt>TZInfo::Timezone</tt> object.
-    # * An identifier for a <tt>TZInfo::Timezone</tt> object (e.g., "America/New_York").
+    # * A \Rails TimeZone object.
+    # * An identifier for a \Rails TimeZone object (e.g., "Eastern Time (US & Canada)", <tt>-5.hours</tt>).
+    # * A +TZInfo::Timezone+ object.
+    # * An identifier for a +TZInfo::Timezone+ object (e.g., "America/New_York").
     #
     # Here's an example of how you might set <tt>Time.zone</tt> on a per request basis and reset it when the request is done.
     # <tt>current_user.time_zone</tt> just needs to return a string identifying the user's preferred time zone:
@@ -49,10 +49,9 @@ class Time
     #     around_action :set_time_zone
     #
     #     private
-    #
-    #     def set_time_zone
-    #       Time.use_zone(current_user.timezone) { yield }
-    #     end
+    #       def set_time_zone
+    #         Time.use_zone(current_user.timezone) { yield }
+    #       end
     #   end
     #
     # NOTE: This won't affect any ActiveSupport::TimeWithZone

data/lib/active_support/core_ext/time.rb

@@ -4,5 +4,4 @@ require "active_support/core_ext/time/acts_like"
 require "active_support/core_ext/time/calculations"
 require "active_support/core_ext/time/compatibility"
 require "active_support/core_ext/time/conversions"
-require "active_support/core_ext/time/deprecated_conversions" unless ENV["RAILS_DISABLE_DEPRECATED_TO_S_CONVERSION"]
 require "active_support/core_ext/time/zones"

data/lib/active_support/current_attributes.rb

@@ -5,6 +5,8 @@ require "active_support/core_ext/enumerable"
 require "active_support/core_ext/module/delegation"
 
 module ActiveSupport
+  # = Current Attributes
+  #
   # Abstract super class that provides a thread-isolated attributes singleton, which resets automatically
   # before and after each request. This allows you to keep all the per-request attributes easily
   # available to the whole system.
@@ -90,6 +92,8 @@ module ActiveSupport
     include ActiveSupport::Callbacks
     define_callbacks :reset
 
+    INVALID_ATTRIBUTE_NAMES = [:set, :reset, :resets, :instance, :before_reset, :after_reset, :reset_all, :clear_all] # :nodoc:
+
     class << self
       # Returns singleton instance for this class in this thread. If none exists, one is created.
       def instance
@@ -98,6 +102,11 @@ module ActiveSupport
 
       # Declares one or more attributes that will be given both class and instance accessor methods.
       def attribute(*names)
+        invalid_attribute_names = names.map(&:to_sym) & INVALID_ATTRIBUTE_NAMES
+        if invalid_attribute_names.any?
+          raise ArgumentError, "Restricted attribute names: #{invalid_attribute_names.join(", ")}"
+        end
+
         ActiveSupport::CodeGenerator.batch(generated_attribute_methods, __FILE__, __LINE__) do |owner|
           names.each do |name|
             owner.define_cached_method(name, namespace: :current_attributes) do |batch|
@@ -133,14 +142,14 @@ module ActiveSupport
         end
       end
 
-      # Calls this block before #reset is called on the instance. Used for resetting external collaborators that depend on current values.
-      def before_reset(&block)
-        set_callback :reset, :before, &block
+      # Calls this callback before #reset is called on the instance. Used for resetting external collaborators that depend on current values.
+      def before_reset(*methods, &block)
+        set_callback :reset, :before, *methods, &block
       end
 
-      # Calls this block after #reset is called on the instance. Used for resetting external collaborators, like Time.zone.
-      def resets(&block)
-        set_callback :reset, :after, &block
+      # Calls this callback after #reset is called on the instance. Used for resetting external collaborators, like Time.zone.
+      def resets(*methods, &block)
+        set_callback :reset, :after, *methods, &block
       end
       alias_method :after_reset, :resets
 

data/lib/active_support/deep_mergeable.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+module ActiveSupport
+  # Provides +deep_merge+ and +deep_merge!+ methods. Expects the including class
+  # to provide a <tt>merge!(other, &block)</tt> method.
+  module DeepMergeable # :nodoc:
+    # Returns a new instance with the values from +other+ merged recursively.
+    #
+    #   class Hash
+    #     include ActiveSupport::DeepMergeable
+    #   end
+    #
+    #   hash_1 = { a: true, b: { c: [1, 2, 3] } }
+    #   hash_2 = { a: false, b: { x: [3, 4, 5] } }
+    #
+    #   hash_1.deep_merge(hash_2)
+    #   # => { a: false, b: { c: [1, 2, 3], x: [3, 4, 5] } }
+    #
+    # A block can be provided to merge non-<tt>DeepMergeable</tt> values:
+    #
+    #   hash_1 = { a: 100, b: 200, c: { c1: 100 } }
+    #   hash_2 = { b: 250, c: { c1: 200 } }
+    #
+    #   hash_1.deep_merge(hash_2) do |key, this_val, other_val|
+    #     this_val + other_val
+    #   end
+    #   # => { a: 100, b: 450, c: { c1: 300 } }
+    #
+    def deep_merge(other, &block)
+      dup.deep_merge!(other, &block)
+    end
+
+    # Same as #deep_merge, but modifies +self+.
+    def deep_merge!(other, &block)
+      merge!(other) do |key, this_val, other_val|
+        if this_val.is_a?(DeepMergeable) && this_val.deep_merge?(other_val)
+          this_val.deep_merge(other_val, &block)
+        elsif block_given?
+          block.call(key, this_val, other_val)
+        else
+          other_val
+        end
+      end
+    end
+
+    # Returns true if +other+ can be deep merged into +self+. Classes may
+    # override this method to restrict or expand the domain of deep mergeable
+    # values. Defaults to checking that +other+ is of type +self.class+.
+    def deep_merge?(other)
+      other.is_a?(self.class)
+    end
+  end
+end

data/lib/active_support/dependencies/autoload.rb

@@ -3,10 +3,12 @@
 require "active_support/inflector/methods"
 
 module ActiveSupport
+  # = Active Support \Autoload
+  #
   # Autoload and eager load conveniences for your library.
   #
   # This module allows you to define autoloads based on
-  # Rails conventions (i.e. no need to define the path
+  # \Rails conventions (i.e. no need to define the path
   # it is automatically guessed based on the filename)
   # and also define a set of constants that needs to be
   # eager loaded:
@@ -26,11 +28,14 @@ module ActiveSupport
   #   MyLib.eager_load!
   module Autoload
     def self.extended(base) # :nodoc:
-      base.class_eval do
-        @_autoloads = {}
-        @_under_path = nil
-        @_at_path = nil
-        @_eager_autoload = false
+      if RUBY_VERSION < "3"
+        base.class_eval do
+          @_autoloads = nil
+          @_under_path = nil
+          @_at_path = nil
+          @_eager_autoload = false
+          @_eagerloaded_constants = nil
+        end
       end
     end
 
@@ -41,7 +46,8 @@ module ActiveSupport
       end
 
       if @_eager_autoload
-        @_autoloads[const_name] = path
+        @_eagerloaded_constants ||= []
+        @_eagerloaded_constants << const_name
       end
 
       super const_name, path
@@ -69,11 +75,10 @@ module ActiveSupport
     end
 
     def eager_load!
-      @_autoloads.each_value { |file| require file }
-    end
-
-    def autoloads
-      @_autoloads
+      if @_eagerloaded_constants
+        @_eagerloaded_constants.each { |const_name| const_get(const_name) }
+        @_eagerloaded_constants = nil
+      end
     end
   end
 end