chartkick 3.2.1 → 3.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 93ec8731d7c59fefb8a68177487d611056e7b97ad239d71fb40e2fbe3ecb3765
-  data.tar.gz: 188133762bb0f53b70bd5a4bde03f8fef59233affae22f007908b1f9effd7272
+  metadata.gz: 5afacd4c10d0cfddc6a2a660efead206ee042e80d48dd749f9de79feb365c1fd
+  data.tar.gz: c7fc99b0b2b467a6326df99f5832de2b3674f5f80415749cf57177142eecfc45
 SHA512:
-  metadata.gz: d88b8cd9d7a5afef0a372a52c2b50e6833a445f3824ad14d00645d558546db8c1b3396c6a4c970510404eaa33bbae0bf816a582f77576d065f1e17e7ab5b7e59
-  data.tar.gz: 63bc3b1d692d0fcaff545e326b632fd2f59cc71ff41bf414fa6df2568c7a712b7cdc1a53dd4a50244c5a80bce313c5ef6f37c72e4828f29bfc74be64850e2046
+  metadata.gz: 75b1793b427c5d9d4604b813773253adb864b6134fad48f952c72377f75da40c8daa19eaf06fd7ce0b2da31a1ba436cfe54bde318ac849ec2080652582ac7076
+  data.tar.gz: 8f47e12f6e9c746871d02f0d5bd3093da1017c5a222837696b5b0d7b7e4008c400c8556e4f85ec7b0ccd79c15a9cb510a91a7d9ecf896d1a106b7c82e68ddc36

data/CHANGELOG.md

@@ -1,27 +1,50 @@
-## 3.2.1
+## 3.4.0 (2020-08-04)
+
+- Fixed CSS injection with `width` and `height` options
+
+## 3.3.2 (2020-07-23)
+
+- Updated Chartkick.js to 3.2.1
+
+## 3.3.1 (2019-12-26)
+
+- Updated Chart.js to 2.9.3
+- Fixed deprecating warnings in Ruby 2.7
+
+## 3.3.0 (2019-11-09)
+
+- Updated Chartkick.js to 3.2.0
+- Rolled back Chart.js to 2.8.0 due to legend change
+
+## 3.2.2 (2019-10-27)
+
+- Updated Chartkick.js to 3.1.3
+- Updated Chart.js to 2.9.1
+
+## 3.2.1 (2019-07-15)
 
 - Updated Chartkick.js to 3.1.1
 
-## 3.2.0
+## 3.2.0 (2019-06-04)
 
 - Fixed XSS vulnerability - see [#488](https://github.com/ankane/chartkick/issues/488)
 
-## 3.1.0
+## 3.1.0 (2019-05-26)
 
 - Updated Chartkick.js to 3.1.0
 - Updated Chart.js to 2.8.0
 
-## 3.0.2
+## 3.0.2 (2019-01-03)
 
 - Fixed error with `nonce` option with Secure Headers and Rails < 5.2
 - Updated Chartkick.js to 3.0.2
 - Updated Chart.js to 2.7.3
 
-## 3.0.1
+## 3.0.1 (2018-08-13)
 
 - Updated Chartkick.js to 3.0.1
 
-## 3.0.0
+## 3.0.0 (2018-08-08)
 
 - Updated Chartkick.js to 3.0.0
 - Added `code` option
@@ -35,55 +58,55 @@ Breaking changes
 - Removed `window.Chartkick = {...}` way to set config - use `Chartkick.configure` instead
 - Removed support for the Google Charts jsapi loader - use loader.js instead
 
-## 2.3.5
+## 2.3.5 (2018-06-15)
 
 - Updated Chartkick.js to 2.3.6
 
-## 2.3.4
+## 2.3.4 (2018-04-10)
 
 - Updated Chartkick.js to 2.3.5
 - Updated Chart.js to 2.7.2
 
-## 2.3.3
+## 2.3.3 (2018-03-25)
 
 - Updated Chartkick.js to 2.3.4
 
-## 2.3.2
+## 2.3.2 (2018-02-26)
 
 - Updated Chartkick.js to 2.3.3
 
-## 2.3.1
+## 2.3.1 (2018-02-23)
 
 - Updated Chartkick.js to 2.3.1
 
-## 2.3.0
+## 2.3.0 (2018-02-21)
 
 - Fixed deep merge error for non-Rails apps
 - Updated Chartkick.js to 2.3.0
 
-## 2.2.5
+## 2.2.5 (2017-10-28)
 
 - Updated Chart.js to 2.7.1
 
-## 2.2.4
+## 2.2.4 (2017-05-14)
 
 - Added compatibility with Rails API
 - Updated Chartkick.js to 2.2.4
 
-## 2.2.3
+## 2.2.3 (2017-02-22)
 
 - Updated Chartkick.js to 2.2.3
 - Updated Chart.js to 2.5.0
 
-## 2.2.2
+## 2.2.2 (2017-01-07)
 
 - Updated Chartkick.js to 2.2.2
 
-## 2.2.1
+## 2.2.1 (2016-12-05)
 
 - Updated Chartkick.js to 2.2.1
 
-## 2.2.0
+## 2.2.0 (2016-12-03)
 
 - Updated Chartkick.js to 2.2.0
 - Improved JavaScript API
@@ -91,59 +114,59 @@ Breaking changes
 - Added `refresh` option
 - Added `donut` option to pie chart
 
-## 2.1.3
+## 2.1.3 (2016-11-29)
 
 - Updated Chartkick.js to 2.1.2 - fixes missing zero values for Chart.js
 
-## 2.1.2
+## 2.1.2 (2016-11-28)
 
 - Added `defer` option
 - Added `nonce` option
 - Updated Chartkick.js to 2.1.1
 
-## 2.1.1
+## 2.1.1 (2016-09-11)
 
 - Use custom version of Chart.js to fix label overlap
 
-## 2.1.0
+## 2.1.0 (2016-09-10)
 
 - Added basic support for new Google Charts loader
 - Added `configure` function
 - Dropped jQuery and Zepto dependencies for AJAX
 - Updated Chart.js to 2.2.2
 
-## 2.0.2
+## 2.0.2 (2016-08-11)
 
 - Updated Chartkick.js to 2.0.1
 - Updated Chart.js to 2.2.1
 
-## 2.0.1
+## 2.0.1 (2016-07-29)
 
 - Small Chartkick.js fixes
 - Updated Chart.js to 2.2.0
 
-## 2.0.0
+## 2.0.0 (2016-05-30)
 
 - Chart.js is now the default adapter - yay open source!
 - Axis types are automatically detected - no need for `discrete: true`
 - Better date support
 - New JavaScript API
 
-## 1.5.2
+## 1.5.2 (2016-05-05)
 
 - Fixed Sprockets error
 
-## 1.5.1
+## 1.5.1 (2016-05-03)
 
 - Updated chartkick.js to latest version
 - Included `Chart.bundle.js`
 
-## 1.5.0
+## 1.5.0 (2016-05-01)
 
 - Added Chart.js adapter **beta**
 - Fixed line height on timeline charts
 
-## 1.4.2
+## 1.4.2 (2016-02-29)
 
 - Added `width` option
 - Added `label` option
@@ -152,86 +175,86 @@ Breaking changes
 - Better tooltip for dates for Google Charts
 - Fixed asset precompilation issue with Rails 5
 
-## 1.4.1
+## 1.4.1 (2015-09-07)
 
 - Fixed regression with `min: nil`
 
-## 1.4.0
+## 1.4.0 (2015-08-31)
 
 - Added scatter chart
 - Added axis titles
 
-## 1.3.2
+## 1.3.2 (2014-07-04)
 
 - Fixed `except` error when not using Rails
 
-## 1.3.1
+## 1.3.1 (2014-06-30)
 
 - Fixed blank screen bug
 - Fixed language support
 
-## 1.3.0
+## 1.3.0 (2014-06-28)
 
 - Added timelines
 
-## 1.2.5
+## 1.2.5 (2014-06-12)
 
 - Added support for multiple groups
 - Added `html` option
 
-## 1.2.4
+## 1.2.4 (2014-03-24)
 
 - Added global options
 - Added `colors` option
 
-## 1.2.3
+## 1.2.3 (2014-03-23)
 
 - Added geo chart
 - Added `discrete` option
 
-## 1.2.2
+## 1.2.2 (2014-02-23)
 
 - Added global `content_for` option
 - Added `stacked` option
 
-## 1.2.1
+## 1.2.1 (2013-12-08)
 
 - Added localization for Google Charts
 
-## 1.2.0
+## 1.2.0 (2013-07-27)
 
 - Added bar chart and area chart
 - Resize Google Charts on window resize
 
-## 1.1.3
+## 1.1.3 (2013-06-26)
 
 - Added content_for option
 
-## 1.1.2
+## 1.1.2 (2013-06-11)
 
 - Updated chartkick.js to v1.0.1
 
-## 1.1.1
+## 1.1.1 (2013-06-10)
 
 - Added support for Sinatra
 
-## 1.1.0
+## 1.1.0 (2013-06-03)
 
 - Added support for Padrino and Rails 2.3+
 
-## 1.0.1
+## 1.0.1 (2013-05-23)
 
 - Updated chartkick.js to v1.0.1
 
-## 1.0.0
+## 1.0.0 (2013-05-15)
 
 - Use semantic versioning (no changes)
 
-## 0.0.5
+## 0.0.5 (2013-05-14)
 
 - Removed `:min => 0` default for charts with negative values
 - Show legend when data given in `{:name => "", :data => {}}` format
 
-## 0.0.4
+## 0.0.4 (2013-05-13)
 
 - Fix for `Uncaught ReferenceError: Chartkick is not defined` when chartkick.js is included in the `<head>`

data/README.md

@@ -8,6 +8,8 @@ Create beautiful JavaScript charts with one line of Ruby. No more fighting with
 
 :two_hearts: A perfect companion to [Groupdate](https://github.com/ankane/groupdate), [Hightop](https://github.com/ankane/hightop), and [ActiveMedian](https://github.com/ankane/active_median)
 
+[![Build Status](https://travis-ci.org/ankane/chartkick.svg?branch=master)](https://travis-ci.org/ankane/chartkick)
+
 ## Quick Start
 
 Add this line to your application's Gemfile:
@@ -242,6 +244,30 @@ Set a decimal separator - *Chart.js, Highcharts*
 <%= line_chart data, decimal: "," %>
 ```
 
+Set significant digits - *Chart.js, Highcharts*
+
+```erb
+<%= line_chart data, precision: 3 %>
+```
+
+Set rounding - *Chart.js, Highcharts*
+
+```erb
+<%= line_chart data, round: 2 %>
+```
+
+Show insignificant zeros, useful for currency - *Chart.js, Highcharts*
+
+```erb
+<%= line_chart data, round: 2, zeros: true %>
+```
+
+Friendly byte sizes - *Chart.js 2.8+*
+
+```erb
+<%= line_chart data, bytes: true %>
+```
+
 Show a message when data is empty
 
 ```erb
@@ -299,7 +325,7 @@ Then, in your layout, use:
 <%= yield :charts_js %>
 ```
 
-> For Padrino, use `yield_content` instead of `yield`
+For Padrino, use `yield_content` instead of `yield`.
 
 This is great for including all of your JavaScript at the bottom of the page.
 
@@ -346,9 +372,7 @@ If you want to use the charting library directly, get the code with:
 <%= line_chart data, code: true %>
 ```
 
-The code will be logged to the JavaScript console.
-
-> JavaScript functions cannot be logged, so it may not be identical.
+The code will be logged to the JavaScript console. JavaScript functions cannot be logged, so it may not be identical.
 
 ### Download Charts
 
@@ -360,7 +384,7 @@ Give users the ability to download charts. It all happens in the browser - no se
 <%= line_chart data, download: true %>
 ```
 
-> Safari will open the image in a new window instead of downloading.
+Safari will open the image in a new window instead of downloading.
 
 Set the filename
 
@@ -394,7 +418,7 @@ Next, choose your charting library.
 - [Google Charts](#google-charts)
 - [Highcharts](#highcharts)
 
-> In the instructions below, `application.js` must be included **before** the charts in your views, unless using the `:content_for` option.
+In the instructions below, `application.js` must be included **before** the charts in your views, unless using the `:content_for` option.
 
 ### Chart.js
 
@@ -538,6 +562,12 @@ Redraw the chart with:
 chart.redraw()
 ```
 
+Destroy the chart with:
+
+```javascript
+chart.destroy()
+```
+
 Loop over charts with:
 
 ```javascript
@@ -573,14 +603,6 @@ Breaking changes
 - Removed `window.Chartkick = {...}` way to set config - use `Chartkick.configure` instead
 - Removed support for the Google Charts jsapi loader - use loader.js instead
 
-### 2.0
-
-Breaking changes
-
-- Chart.js is now the default adapter if multiple are loaded - yay open source!
-- Axis types are automatically detected - no need for `discrete: true`
-- Better date support - dates are no longer treated as UTC
-
 ## Credits
 
 Chartkick uses [iso8601.js](https://github.com/Do/iso8601.js) to parse dates and times.
@@ -589,8 +611,6 @@ Chartkick uses [iso8601.js](https://github.com/Do/iso8601.js) to parse dates and
 
 View the [changelog](https://github.com/ankane/chartkick/blob/master/CHANGELOG.md)
 
-Chartkick follows [Semantic Versioning](https://semver.org/)
-
 ## Contributing
 
 Everyone is encouraged to help improve this project. Here are a few ways you can help:
@@ -599,3 +619,12 @@ Everyone is encouraged to help improve this project. Here are a few ways you can
 - Fix bugs and [submit pull requests](https://github.com/ankane/chartkick/pulls)
 - Write, clarify, or fix documentation
 - Suggest or add new features
+
+To get started with development:
+
+```sh
+git clone https://github.com/ankane/chartkick.git
+cd chartkick
+bundle install
+bundle exec rake test
+```

data/lib/chartkick/helper.rb

@@ -4,35 +4,35 @@ require "erb"
 module Chartkick
   module Helper
     def line_chart(data_source, **options)
-      chartkick_chart "LineChart", data_source, options
+      chartkick_chart "LineChart", data_source, **options
     end
 
     def pie_chart(data_source, **options)
-      chartkick_chart "PieChart", data_source, options
+      chartkick_chart "PieChart", data_source, **options
     end
 
     def column_chart(data_source, **options)
-      chartkick_chart "ColumnChart", data_source, options
+      chartkick_chart "ColumnChart", data_source, **options
     end
 
     def bar_chart(data_source, **options)
-      chartkick_chart "BarChart", data_source, options
+      chartkick_chart "BarChart", data_source, **options
     end
 
     def area_chart(data_source, **options)
-      chartkick_chart "AreaChart", data_source, options
+      chartkick_chart "AreaChart", data_source, **options
     end
 
     def scatter_chart(data_source, **options)
-      chartkick_chart "ScatterChart", data_source, options
+      chartkick_chart "ScatterChart", data_source, **options
     end
 
     def geo_chart(data_source, **options)
-      chartkick_chart "GeoChart", data_source, options
+      chartkick_chart "GeoChart", data_source, **options
     end
 
     def timeline(data_source, **options)
-      chartkick_chart "Timeline", data_source, options
+      chartkick_chart "Timeline", data_source, **options
     end
 
     private
@@ -41,8 +41,8 @@ module Chartkick
       @chartkick_chart_id ||= 0
       options = chartkick_deep_merge(Chartkick.options, options)
       element_id = options.delete(:id) || "chart-#{@chartkick_chart_id += 1}"
-      height = options.delete(:height) || "300px"
-      width = options.delete(:width) || "100%"
+      height = (options.delete(:height) || "300px").to_s
+      width = (options.delete(:width) || "100%").to_s
       defer = !!options.delete(:defer)
       # content_for: nil must override default
       content_for = options.key?(:content_for) ? options.delete(:content_for) : Chartkick.content_for
@@ -63,14 +63,27 @@ module Chartkick
 
       # html vars
       html_vars = {
-        id: element_id,
-        height: height,
-        width: width
+        id: element_id
       }
       html_vars.each_key do |k|
         html_vars[k] = ERB::Util.html_escape(html_vars[k])
       end
-      html = (options.delete(:html) || %(<div id="%{id}" style="height: %{height}; width: %{width}; text-align: center; color: #999; line-height: %{height}; font-size: 14px; font-family: 'Lucida Grande', 'Lucida Sans Unicode', Verdana, Arial, Helvetica, sans-serif;">Loading...</div>)) % html_vars
+
+      # css vars
+      css_vars = {
+        height: height,
+        width: width
+      }
+      css_vars.each_key do |k|
+        # limit to alphanumeric and % for simplicity
+        # this prevents things like calc() but safety is the priority
+        raise ArgumentError, "Invalid #{k}" unless css_vars[k] =~ /\A[a-zA-Z0-9%]*\z/
+        # we limit above, but escape for safety as fail-safe
+        # to prevent XSS injection in worse-case scenario
+        css_vars[k] = ERB::Util.html_escape(css_vars[k])
+      end
+
+      html = (options.delete(:html) || %(<div id="%{id}" style="height: %{height}; width: %{width}; text-align: center; color: #999; line-height: %{height}; font-size: 14px; font-family: 'Lucida Grande', 'Lucida Sans Unicode', Verdana, Arial, Helvetica, sans-serif;">Loading...</div>)) % html_vars.merge(css_vars)
 
       # js vars
       js_vars = {
@@ -85,6 +98,7 @@ module Chartkick
       createjs = "new Chartkick[%{type}](%{id}, %{data}, %{options});" % js_vars
 
       if defer
+        # TODO remove type in 4.0
         js = <<JS
 <script type="text/javascript"#{nonce_html}>
   (function() {
@@ -100,6 +114,7 @@ module Chartkick
 </script>
 JS
       else
+        # TODO remove type in 4.0
         js = <<JS
 <script type="text/javascript"#{nonce_html}>
   #{createjs}