activesupport 7.0.4 → 7.1.5.1

data/lib/active_support/core_ext/erb/util.rb

@@ -0,0 +1,196 @@
+# frozen_string_literal: true
+
+require "erb"
+
+module ActiveSupport
+  module CoreExt
+    module ERBUtil
+      # HTML escapes strings but doesn't wrap them with an ActiveSupport::SafeBuffer.
+      # This method is not for public consumption! Seriously!
+      def html_escape(s) # :nodoc:
+        s = s.to_s
+        if s.html_safe?
+          s
+        else
+          super(ActiveSupport::Multibyte::Unicode.tidy_bytes(s))
+        end
+      end
+      alias :unwrapped_html_escape :html_escape # :nodoc:
+
+      # A utility method for escaping HTML tag characters.
+      # This method is also aliased as <tt>h</tt>.
+      #
+      #   puts html_escape('is a > 0 & a < 10?')
+      #   # => is a &gt; 0 &amp; a &lt; 10?
+      def html_escape(s) # rubocop:disable Lint/DuplicateMethods
+        unwrapped_html_escape(s).html_safe
+      end
+      alias h html_escape
+    end
+
+    module ERBUtilPrivate
+      include ERBUtil
+      private :unwrapped_html_escape, :html_escape, :h
+    end
+  end
+end
+
+class ERB
+  module Util
+    HTML_ESCAPE = { "&" => "&amp;",  ">" => "&gt;",   "<" => "&lt;", '"' => "&quot;", "'" => "&#39;" }
+    HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+)|(#[xX][\dA-Fa-f]+));)/
+
+    # Following XML requirements: https://www.w3.org/TR/REC-xml/#NT-Name
+    TAG_NAME_START_CODEPOINTS = "@:A-Z_a-z\u{C0}-\u{D6}\u{D8}-\u{F6}\u{F8}-\u{2FF}\u{370}-\u{37D}\u{37F}-\u{1FFF}" \
+                                "\u{200C}-\u{200D}\u{2070}-\u{218F}\u{2C00}-\u{2FEF}\u{3001}-\u{D7FF}\u{F900}-\u{FDCF}" \
+                                "\u{FDF0}-\u{FFFD}\u{10000}-\u{EFFFF}"
+    INVALID_TAG_NAME_START_REGEXP = /[^#{TAG_NAME_START_CODEPOINTS}]/
+    TAG_NAME_FOLLOWING_CODEPOINTS = "#{TAG_NAME_START_CODEPOINTS}\\-.0-9\u{B7}\u{0300}-\u{036F}\u{203F}-\u{2040}"
+    INVALID_TAG_NAME_FOLLOWING_REGEXP = /[^#{TAG_NAME_FOLLOWING_CODEPOINTS}]/
+    SAFE_XML_TAG_NAME_REGEXP = /\A[#{TAG_NAME_START_CODEPOINTS}][#{TAG_NAME_FOLLOWING_CODEPOINTS}]*\z/
+    TAG_NAME_REPLACEMENT_CHAR = "_"
+
+    prepend ActiveSupport::CoreExt::ERBUtilPrivate
+    singleton_class.prepend ActiveSupport::CoreExt::ERBUtil
+
+    # A utility method for escaping HTML without affecting existing escaped entities.
+    #
+    #   html_escape_once('1 < 2 &amp; 3')
+    #   # => "1 &lt; 2 &amp; 3"
+    #
+    #   html_escape_once('&lt;&lt; Accept & Checkout')
+    #   # => "&lt;&lt; Accept &amp; Checkout"
+    def html_escape_once(s)
+      ActiveSupport::Multibyte::Unicode.tidy_bytes(s.to_s).gsub(HTML_ESCAPE_ONCE_REGEXP, HTML_ESCAPE).html_safe
+    end
+
+    module_function :html_escape_once
+
+    # A utility method for escaping HTML entities in JSON strings. Specifically, the
+    # &, > and < characters are replaced with their equivalent unicode escaped form -
+    # \u0026, \u003e, and \u003c. The Unicode sequences \u2028 and \u2029 are also
+    # escaped as they are treated as newline characters in some JavaScript engines.
+    # These sequences have identical meaning as the original characters inside the
+    # context of a JSON string, so assuming the input is a valid and well-formed
+    # JSON value, the output will have equivalent meaning when parsed:
+    #
+    #   json = JSON.generate({ name: "</script><script>alert('PWNED!!!')</script>"})
+    #   # => "{\"name\":\"</script><script>alert('PWNED!!!')</script>\"}"
+    #
+    #   json_escape(json)
+    #   # => "{\"name\":\"\\u003C/script\\u003E\\u003Cscript\\u003Ealert('PWNED!!!')\\u003C/script\\u003E\"}"
+    #
+    #   JSON.parse(json) == JSON.parse(json_escape(json))
+    #   # => true
+    #
+    # The intended use case for this method is to escape JSON strings before including
+    # them inside a script tag to avoid XSS vulnerability:
+    #
+    #   <script>
+    #     var currentUser = <%= raw json_escape(current_user.to_json) %>;
+    #   </script>
+    #
+    # It is necessary to +raw+ the result of +json_escape+, so that quotation marks
+    # don't get converted to <tt>&quot;</tt> entities. +json_escape+ doesn't
+    # automatically flag the result as HTML safe, since the raw value is unsafe to
+    # use inside HTML attributes.
+    #
+    # If your JSON is being used downstream for insertion into the DOM, be aware of
+    # whether or not it is being inserted via <tt>html()</tt>. Most jQuery plugins do this.
+    # If that is the case, be sure to +html_escape+ or +sanitize+ any user-generated
+    # content returned by your JSON.
+    #
+    # If you need to output JSON elsewhere in your HTML, you can just do something
+    # like this, as any unsafe characters (including quotation marks) will be
+    # automatically escaped for you:
+    #
+    #   <div data-user-info="<%= current_user.to_json %>">...</div>
+    #
+    # WARNING: this helper only works with valid JSON. Using this on non-JSON values
+    # will open up serious XSS vulnerabilities. For example, if you replace the
+    # +current_user.to_json+ in the example above with user input instead, the browser
+    # will happily <tt>eval()</tt> that string as JavaScript.
+    #
+    # The escaping performed in this method is identical to those performed in the
+    # Active Support JSON encoder when +ActiveSupport.escape_html_entities_in_json+ is
+    # set to true. Because this transformation is idempotent, this helper can be
+    # applied even if +ActiveSupport.escape_html_entities_in_json+ is already true.
+    #
+    # Therefore, when you are unsure if +ActiveSupport.escape_html_entities_in_json+
+    # is enabled, or if you are unsure where your JSON string originated from, it
+    # is recommended that you always apply this helper (other libraries, such as the
+    # JSON gem, do not provide this kind of protection by default; also some gems
+    # might override +to_json+ to bypass Active Support's encoder).
+    def json_escape(s)
+      result = s.to_s.dup
+      result.gsub!(">", '\u003e')
+      result.gsub!("<", '\u003c')
+      result.gsub!("&", '\u0026')
+      result.gsub!("\u2028", '\u2028')
+      result.gsub!("\u2029", '\u2029')
+      s.html_safe? ? result.html_safe : result
+    end
+
+    module_function :json_escape
+
+    # A utility method for escaping XML names of tags and names of attributes.
+    #
+    #   xml_name_escape('1 < 2 & 3')
+    #   # => "1___2___3"
+    #
+    # It follows the requirements of the specification: https://www.w3.org/TR/REC-xml/#NT-Name
+    def xml_name_escape(name)
+      name = name.to_s
+      return "" if name.blank?
+      return name if name.match?(SAFE_XML_TAG_NAME_REGEXP)
+
+      starting_char = name[0]
+      starting_char.gsub!(INVALID_TAG_NAME_START_REGEXP, TAG_NAME_REPLACEMENT_CHAR)
+
+      return starting_char if name.size == 1
+
+      following_chars = name[1..-1]
+      following_chars.gsub!(INVALID_TAG_NAME_FOLLOWING_REGEXP, TAG_NAME_REPLACEMENT_CHAR)
+
+      starting_char << following_chars
+    end
+    module_function :xml_name_escape
+
+    # Tokenizes a line of ERB.  This is really just for error reporting and
+    # nobody should use it.
+    def self.tokenize(source) # :nodoc:
+      require "strscan"
+      source = StringScanner.new(source.chomp)
+      tokens = []
+
+      start_re = /<%(?:={1,2}|-|\#|%)?/m
+      finish_re = /(?:[-=])?%>/m
+
+      while !source.eos?
+        pos = source.pos
+        source.scan_until(/(?:#{start_re}|#{finish_re})/)
+        raise NotImplementedError if source.matched.nil?
+        len = source.pos - source.matched.bytesize - pos
+
+        case source.matched
+        when start_re
+          tokens << [:TEXT, source.string[pos, len]] if len > 0
+          tokens << [:OPEN, source.matched]
+          if source.scan(/(.*?)(?=#{finish_re}|\z)/m)
+            tokens << [:CODE, source.matched] unless source.matched.empty?
+            tokens << [:CLOSE, source.scan(finish_re)] unless source.eos?
+          else
+            raise NotImplementedError
+          end
+        when finish_re
+          tokens << [:CODE, source.string[pos, len]] if len > 0
+          tokens << [:CLOSE, source.matched]
+        else
+          raise NotImplementedError, source.matched
+        end
+      end
+
+      tokens
+    end
+  end
+end

data/lib/active_support/core_ext/hash/conversions.rb

@@ -68,7 +68,7 @@ class Hash
   #
   # By default the root node is "hash", but that's configurable via the <tt>:root</tt> option.
   #
-  # The default XML builder is a fresh instance of <tt>Builder::XmlMarkup</tt>. You can
+  # The default XML builder is a fresh instance of +Builder::XmlMarkup+. You can
   # configure your own builder with the <tt>:builder</tt> option. The method also accepts
   # options like <tt>:dasherize</tt> and friends, they are forwarded to the builder.
   def to_xml(options = {})

data/lib/active_support/core_ext/hash/deep_merge.rb

@@ -1,6 +1,14 @@
 # frozen_string_literal: true
 
+require "active_support/deep_mergeable"
+
 class Hash
+  include ActiveSupport::DeepMergeable
+
+  ##
+  # :method: deep_merge
+  # :call-seq: deep_merge(other_hash, &block)
+  #
   # Returns a new hash with +self+ and +other_hash+ merged recursively.
   #
   #   h1 = { a: true, b: { c: [1, 2, 3] } }
@@ -15,20 +23,20 @@ class Hash
   #   h2 = { b: 250, c: { c1: 200 } }
   #   h1.deep_merge(h2) { |key, this_val, other_val| this_val + other_val }
   #   # => { a: 100, b: 450, c: { c1: 300 } }
-  def deep_merge(other_hash, &block)
-    dup.deep_merge!(other_hash, &block)
-  end
+  #
+  #--
+  # Implemented by ActiveSupport::DeepMergeable#deep_merge.
+
+  ##
+  # :method: deep_merge!
+  # :call-seq: deep_merge!(other_hash, &block)
+  #
+  # Same as #deep_merge, but modifies +self+.
+  #
+  #--
+  # Implemented by ActiveSupport::DeepMergeable#deep_merge!.
 
-  # Same as +deep_merge+, but modifies +self+.
-  def deep_merge!(other_hash, &block)
-    merge!(other_hash) do |key, this_val, other_val|
-      if this_val.is_a?(Hash) && other_val.is_a?(Hash)
-        this_val.deep_merge(other_val, &block)
-      elsif block_given?
-        block.call(key, this_val, other_val)
-      else
-        other_val
-      end
-    end
+  def deep_merge?(other) # :nodoc:
+    other.is_a?(Hash)
   end
 end

data/lib/active_support/core_ext/hash/deep_transform_values.rb

@@ -5,10 +5,10 @@ class Hash
   # This includes the values from the root hash and from all
   # nested hashes and arrays.
   #
-  #  hash = { person: { name: 'Rob', age: '28' } }
+  #   hash = { person: { name: 'Rob', age: '28' } }
   #
-  #  hash.deep_transform_values{ |value| value.to_s.upcase }
-  #  # => {person: {name: "ROB", age: "28"}}
+  #   hash.deep_transform_values{ |value| value.to_s.upcase }
+  #   # => {person: {name: "ROB", age: "28"}}
   def deep_transform_values(&block)
     _deep_transform_values_in_object(self, &block)
   end

data/lib/active_support/core_ext/hash/keys.rb

@@ -58,10 +58,10 @@ class Hash
   # This includes the keys from the root hash and from all
   # nested hashes and arrays.
   #
-  #  hash = { person: { name: 'Rob', age: '28' } }
+  #   hash = { person: { name: 'Rob', age: '28' } }
   #
-  #  hash.deep_transform_keys{ |key| key.to_s.upcase }
-  #  # => {"PERSON"=>{"NAME"=>"Rob", "AGE"=>"28"}}
+  #   hash.deep_transform_keys{ |key| key.to_s.upcase }
+  #   # => {"PERSON"=>{"NAME"=>"Rob", "AGE"=>"28"}}
   def deep_transform_keys(&block)
     _deep_transform_keys_in_object(self, &block)
   end

data/lib/active_support/core_ext/integer/inflections.rb

@@ -6,12 +6,12 @@ class Integer
   # Ordinalize turns a number into an ordinal string used to denote the
   # position in an ordered sequence such as 1st, 2nd, 3rd, 4th.
   #
-  #  1.ordinalize     # => "1st"
-  #  2.ordinalize     # => "2nd"
-  #  1002.ordinalize  # => "1002nd"
-  #  1003.ordinalize  # => "1003rd"
-  #  -11.ordinalize   # => "-11th"
-  #  -1001.ordinalize # => "-1001st"
+  #   1.ordinalize     # => "1st"
+  #   2.ordinalize     # => "2nd"
+  #   1002.ordinalize  # => "1002nd"
+  #   1003.ordinalize  # => "1003rd"
+  #   -11.ordinalize   # => "-11th"
+  #   -1001.ordinalize # => "-1001st"
   def ordinalize
     ActiveSupport::Inflector.ordinalize(self)
   end
@@ -19,12 +19,12 @@ class Integer
   # Ordinal returns the suffix used to denote the position
   # in an ordered sequence such as 1st, 2nd, 3rd, 4th.
   #
-  #  1.ordinal     # => "st"
-  #  2.ordinal     # => "nd"
-  #  1002.ordinal  # => "nd"
-  #  1003.ordinal  # => "rd"
-  #  -11.ordinal   # => "th"
-  #  -1001.ordinal # => "st"
+  #   1.ordinal     # => "st"
+  #   2.ordinal     # => "nd"
+  #   1002.ordinal  # => "nd"
+  #   1003.ordinal  # => "rd"
+  #   -11.ordinal   # => "th"
+  #   -1001.ordinal # => "st"
   def ordinal
     ActiveSupport::Inflector.ordinal(self)
   end

data/lib/active_support/core_ext/module/attribute_accessors.rb

@@ -43,6 +43,7 @@ class Module
   #
   #   module HairColors
   #     mattr_reader :hair_colors, default: [:brown, :black, :blonde, :red]
+  #     mattr_reader(:hair_styles) { [:long, :short] }
   #   end
   #
   #   class Person
@@ -50,6 +51,7 @@ class Module
   #   end
   #
   #   Person.new.hair_colors # => [:brown, :black, :blonde, :red]
+  #   Person.new.hair_styles # => [:long, :short]
   def mattr_reader(*syms, instance_reader: true, instance_accessor: true, default: nil, location: nil)
     raise TypeError, "module attributes should be defined directly on class, not singleton" if singleton_class?
     location ||= caller_locations(1, 1).first
@@ -107,6 +109,7 @@ class Module
   #
   #   module HairColors
   #     mattr_writer :hair_colors, default: [:brown, :black, :blonde, :red]
+  #     mattr_writer(:hair_styles) { [:long, :short] }
   #   end
   #
   #   class Person
@@ -114,6 +117,7 @@ class Module
   #   end
   #
   #   Person.class_variable_get("@@hair_colors") # => [:brown, :black, :blonde, :red]
+  #   Person.class_variable_get("@@hair_styles") # => [:long, :short]
   def mattr_writer(*syms, instance_writer: true, instance_accessor: true, default: nil, location: nil)
     raise TypeError, "module attributes should be defined directly on class, not singleton" if singleton_class?
     location ||= caller_locations(1, 1).first
@@ -192,6 +196,7 @@ class Module
   #
   #   module HairColors
   #     mattr_accessor :hair_colors, default: [:brown, :black, :blonde, :red]
+  #     mattr_accessor(:hair_styles) { [:long, :short] }
   #   end
   #
   #   class Person
@@ -199,6 +204,7 @@ class Module
   #   end
   #
   #   Person.class_variable_get("@@hair_colors") # => [:brown, :black, :blonde, :red]
+  #   Person.class_variable_get("@@hair_styles") # => [:long, :short]
   def mattr_accessor(*syms, instance_reader: true, instance_writer: true, instance_accessor: true, default: nil, &blk)
     location = caller_locations(1, 1).first
     mattr_reader(*syms, instance_reader: instance_reader, instance_accessor: instance_accessor, default: default, location: location, &blk)

data/lib/active_support/core_ext/module/attribute_accessors_per_thread.rb

@@ -42,14 +42,32 @@ class Module
     syms.each do |sym|
       raise NameError.new("invalid attribute name: #{sym}") unless /^[_A-Za-z]\w*$/.match?(sym)
 
-      # The following generated method concatenates `name` because we want it
-      # to work with inheritance via polymorphism.
-      class_eval(<<-EOS, __FILE__, __LINE__ + 1)
-        def self.#{sym}
-          @__thread_mattr_#{sym} ||= "attr_\#{name}_#{sym}"
-          ::ActiveSupport::IsolatedExecutionState[@__thread_mattr_#{sym}]
-        end
-      EOS
+      # The following generated method concatenates `object_id` because we want
+      # subclasses to maintain independent values.
+      if default.nil?
+        class_eval(<<-EOS, __FILE__, __LINE__ + 1)
+          def self.#{sym}
+            @__thread_mattr_#{sym} ||= "attr_#{sym}_\#{object_id}"
+            ::ActiveSupport::IsolatedExecutionState[@__thread_mattr_#{sym}]
+          end
+        EOS
+      else
+        default = default.dup.freeze unless default.frozen?
+        singleton_class.define_method("#{sym}_default_value") { default }
+
+        class_eval(<<-EOS, __FILE__, __LINE__ + 1)
+          def self.#{sym}
+            @__thread_mattr_#{sym} ||= "attr_#{sym}_\#{object_id}"
+            value = ::ActiveSupport::IsolatedExecutionState[@__thread_mattr_#{sym}]
+
+            if value.nil? && !::ActiveSupport::IsolatedExecutionState.key?(@__thread_mattr_#{sym})
+              ::ActiveSupport::IsolatedExecutionState[@__thread_mattr_#{sym}] = #{sym}_default_value
+            else
+              value
+            end
+          end
+        EOS
+      end
 
       if instance_reader && instance_accessor
         class_eval(<<-EOS, __FILE__, __LINE__ + 1)
@@ -58,8 +76,6 @@ class Module
           end
         EOS
       end
-
-      ::ActiveSupport::IsolatedExecutionState["attr_#{name}_#{sym}"] = default unless default.nil?
     end
   end
   alias :thread_cattr_reader :thread_mattr_reader
@@ -82,15 +98,15 @@ class Module
   #   end
   #
   #   Current.new.user = "DHH" # => NoMethodError
-  def thread_mattr_writer(*syms, instance_writer: true, instance_accessor: true, default: nil) # :nodoc:
+  def thread_mattr_writer(*syms, instance_writer: true, instance_accessor: true) # :nodoc:
     syms.each do |sym|
       raise NameError.new("invalid attribute name: #{sym}") unless /^[_A-Za-z]\w*$/.match?(sym)
 
-      # The following generated method concatenates `name` because we want it
-      # to work with inheritance via polymorphism.
+      # The following generated method concatenates `object_id` because we want
+      # subclasses to maintain independent values.
       class_eval(<<-EOS, __FILE__, __LINE__ + 1)
         def self.#{sym}=(obj)
-          @__thread_mattr_#{sym} ||= "attr_\#{name}_#{sym}"
+          @__thread_mattr_#{sym} ||= "attr_#{sym}_\#{object_id}"
           ::ActiveSupport::IsolatedExecutionState[@__thread_mattr_#{sym}] = obj
         end
       EOS
@@ -102,8 +118,6 @@ class Module
           end
         EOS
       end
-
-      public_send("#{sym}=", default) unless default.nil?
     end
   end
   alias :thread_cattr_writer :thread_mattr_writer
@@ -149,6 +163,10 @@ class Module
   #
   #   Current.new.user = "DHH"  # => NoMethodError
   #   Current.new.user          # => NoMethodError
+  #
+  # A default value may be specified using the +:default+ option. Because
+  # multiple threads can access the default value, non-frozen default values
+  # will be <tt>dup</tt>ed and frozen.
   def thread_mattr_accessor(*syms, instance_reader: true, instance_writer: true, instance_accessor: true, default: nil)
     thread_mattr_reader(*syms, instance_reader: instance_reader, instance_accessor: instance_accessor, default: default)
     thread_mattr_writer(*syms, instance_writer: instance_writer, instance_accessor: instance_accessor)

data/lib/active_support/core_ext/module/concerning.rb

@@ -3,7 +3,7 @@
 require "active_support/concern"
 
 class Module
-  # = Bite-sized separation of concerns
+  # == Bite-sized separation of concerns
   #
   # We often find ourselves with a medium-sized chunk of behavior that we'd
   # like to extract, but only mix in to a single class.
@@ -18,9 +18,9 @@ class Module
   # with a comment, as a least-bad alternative. Using modules in separate files
   # means tedious sifting to get a big-picture view.
   #
-  # = Dissatisfying ways to separate small concerns
+  # == Dissatisfying ways to separate small concerns
   #
-  # == Using comments:
+  # === Using comments:
   #
   #   class Todo < ApplicationRecord
   #     # Other todo implementation
@@ -37,7 +37,7 @@ class Module
   #       end
   #   end
   #
-  # == With an inline module:
+  # === With an inline module:
   #
   # Noisy syntax.
   #
@@ -61,7 +61,7 @@ class Module
   #     include EventTracking
   #   end
   #
-  # == Mix-in noise exiled to its own file:
+  # === Mix-in noise exiled to its own file:
   #
   # Once our chunk of behavior starts pushing the scroll-to-understand-it
   # boundary, we give in and move it to a separate file. At this size, the
@@ -75,7 +75,7 @@ class Module
   #     include TodoEventTracking
   #   end
   #
-  # = Introducing Module#concerning
+  # == Introducing Module#concerning
   #
   # By quieting the mix-in noise, we arrive at a natural, low-ceremony way to
   # separate bite-sized concerns.