view_component 2.47.0 → 2.49.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2c94e6fdeccccb7180494d100eef8c78a8dc8e3e9bc30e5647017b440788c6eb
-  data.tar.gz: c3836df9c15e8039ba673895ad5a9544aebe55325f9fbd418b96f4bb4238b8d6
+  metadata.gz: ef9372866a072103dd38b8da27bfcf57ad66012524b6a80f6caf311a97533435
+  data.tar.gz: 654c9561c09c8cae7ca8720d126060e8196d38b0cd832d6a5a6e1f7e8c8ad133
 SHA512:
-  metadata.gz: 644f964985c8418371fdcac45e1e7b1771d89ee65ed8a692ec51c50cbed8a578937ba1bb7b9bf1d3b3e3729bd418df5fb2e9d1aee3bbb8215bfbed4504457074
-  data.tar.gz: c4df9e14be4dc20e529beb794c96baf424087f7e36423b301402325e1b1ce0ae8ab575fe1b69334b3e27b5fa9e2fee227e9bd20e0e99fe5f384f2f535b43f80c
+  metadata.gz: fbd9bf43a06132fa0d26fba5155382be904bba9aaf181c9bb0f715a3caf103f5ae7bff74640e62c31e3ea8600a61f5405e364553b5f56f3cbc5af7a22a77f5f8
+  data.tar.gz: 946639d557fd6dd76889c6a645187fc1235bd7e76817944429f306be1d7798ac9fe9b8005301f3ea106c564d6502d3e1bc21fc1ea5b9902784d99296979c8d93

data/docs/CHANGELOG.md

@@ -7,6 +7,96 @@ title: Changelog
 
 ## main
 
+## 2.49.1
+
+* Patch XSS vulnerability in `Translatable` module caused by improperly escaped interpolation arguments.
+
+    *Cameron Dutro*
+
+## 2.49.0
+
+* Fix path handling for evaluated view components that broke in Ruby 3.1.
+
+    *Adam Hess*
+
+* Fix support for the `default:` option for a global translation.
+
+    *Elia Schito*
+
+* Ensure i18n scope is a symbol to protect lookups.
+
+    *Simon Fish*
+
+* Small update to preview docs to include rspec mention.
+
+    *Leigh Halliday*
+
+* Small improvements to collection iteration docs.
+
+    *Brian O'Rourke*
+
+* Add good and bad examples to `ViewComponents in practice`.
+
+    *Joel Hawksley*
+
+* Add Ruby 3.1 and Rails 7.0 to CI
+
+    *Peter Goldstein*
+
+## 2.48.0
+
+* Correct path in example test command in Contributing docs.
+
+    *Mark Wilkinson*
+
+* Update link to GOV.UK Components library in the resources list.
+
+    *Peter Yates*
+
+* Add Lookbook to Resources docs page.
+
+    *Mark Perkins*
+
+* Add blocking compiler mode for use in Rails development and testing modes, improving thread safety.
+
+    *Horia Radu*
+
+* Add generators to support `tailwindcss-rails`.
+
+    *Dino Maric*, *Hans Lemuet*
+
+* Add a namespaced component example to docs.
+
+    *Hans Lemuet*
+
+* Setup `Appraisal` to add flexibility when testing ViewComponent against multiple Rails versions.
+
+    *Hans Lemuet*
+
+* Return correct values for `request.path` and `request.query_string` methods when using the `with_request_url` test helper.
+
+    *Vasiliy Matyushin*
+
+* Improve style in generators docs.
+
+    *Hans Lemuet*
+
+* Correctly type Ruby version strings and update Rails versions used in CI configuration.
+
+    *Hans Lemuet*
+
+* Make `ViewComponent::Collection` act like a collection of view components.
+
+    *Sammy Henningsson*
+
+* Update `@param` of `#render_inline` to include `ViewComponent::Collection`.
+
+    *Yutaka Kamei*
+
+* Add Wecasa to users list.
+
+    *Mohamed Ziata*
+
 ## 2.47.0
 
 * Display preview source on previews that exclusively use templates.
@@ -17,7 +107,7 @@ title: Changelog
 
     *Simon Fish*
 
-* Add WEBrick as a depenency to the docs application.
+* Add WEBrick as a depenency to the application.
 
     *Connor McQuillan*
 
@@ -79,6 +169,10 @@ title: Changelog
 
     *Bob Maerten*
 
+* Add config option `config.view_component.generate_sidecar` to always generate in the sidecar directory.
+
+    *Gleydson Tavares*
+
 ## 2.46.0
 
 * Add thread safety to the compiler.
@@ -569,6 +663,12 @@ _Note: This release includes an underlying change to Slots that may affect incor
 
     *Joel Hawksley*
 
+## 2.29.1
+
+* Patch XSS vulnerability in `ViewComponent::Translatable` module caused by improperly escaped interpolation arguments.
+
+    *Cameron Dutro*
+
 ## 2.29.0
 
 * Allow Slot lambdas to share data from the parent component and allow chaining on the returned component.

data/lib/rails/generators/abstract_generator.rb

@@ -15,7 +15,7 @@ module ViewComponent
     end
 
     def destination_directory
-      if options["sidecar"]
+      if sidecar?
         File.join(component_path, class_path, destination_file_name)
       else
         File.join(component_path, class_path)
@@ -42,5 +42,9 @@ module ViewComponent
           gsub("/", "--")
       end
     end
+
+    def sidecar?
+      options["sidecar"] || ViewComponent::Base.generate_sidecar
+    end
   end
 end

data/lib/rails/generators/locale/component_generator.rb

@@ -35,7 +35,7 @@ module Locale
 
       def destination(locale = nil)
         extention = ".#{locale}" if locale
-        if options["sidecar"]
+        if sidecar?
           File.join(component_path, class_path, "#{file_name}_component", "#{file_name}_component#{extention}.yml")
         else
           File.join(component_path, class_path, "#{file_name}_component#{extention}.yml")

data/lib/rails/generators/stimulus/component_generator.rb

@@ -23,7 +23,7 @@ module Stimulus
       private
 
       def destination
-        if options["sidecar"]
+        if sidecar?
           File.join(component_path, class_path, "#{file_name}_component", "#{file_name}_component_controller.js")
         else
           File.join(component_path, class_path, "#{file_name}_component_controller.js")

data/lib/rails/generators/tailwindcss/component_generator.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require "rails/generators/erb/component_generator"
+
+module Tailwindcss
+  module Generators
+    class ComponentGenerator < Erb::Generators::ComponentGenerator
+      source_root File.expand_path("templates", __dir__)
+    end
+  end
+end

data/lib/rails/generators/tailwindcss/templates/component.html.erb.tt

@@ -0,0 +1 @@
+<div<%= data_attributes %>>Add <%= class_name %> template here</div>

data/lib/view_component/base.rb

@@ -303,6 +303,7 @@ module ViewComponent
     #     config.view_component.view_component_path = "app/my_components"
     #
     # Defaults to `app/components`.
+    #
     mattr_accessor :view_component_path, instance_writer: false, default: "app/components"
 
     # Parent class for generated components
@@ -310,8 +311,16 @@ module ViewComponent
     #     config.view_component.component_parent_class = "MyBaseComponent"
     #
     # Defaults to "ApplicationComponent" if defined, "ViewComponent::Base" otherwise.
-    mattr_accessor :component_parent_class,
-                   instance_writer: false
+    #
+    mattr_accessor :component_parent_class, instance_writer: false
+
+    # Always generate a component with a sidecar directory:
+    #
+    #     config.view_component.generate_sidecar = true
+    #
+    # Defaults to `false`.
+    #
+    mattr_accessor :generate_sidecar, instance_writer: false, default: false
 
     class << self
       # @private
@@ -392,7 +401,7 @@ module ViewComponent
         # Derive the source location of the component Ruby file from the call stack.
         # We need to ignore `inherited` frames here as they indicate that `inherited`
         # has been re-defined by the consuming application, likely in ApplicationComponent.
-        child.source_location = caller_locations(1, 10).reject { |l| l.label == "inherited" }[0].absolute_path
+        child.source_location = caller_locations(1, 10).reject { |l| l.label == "inherited" }[0].path
 
         # Removes the first part of the path and the extension.
         child.virtual_path = child.source_location.gsub(

data/lib/view_component/collection.rb

@@ -4,20 +4,34 @@ require "action_view/renderer/collection_renderer" if Rails.version.to_f >= 6.1
 
 module ViewComponent
   class Collection
+    include Enumerable
     attr_reader :component
 
     delegate :format, to: :component
+    delegate :size, to: :@collection
 
     def render_in(view_context, &block)
+      components.map do |component|
+        component.render_in(view_context, &block)
+      end.join.html_safe # rubocop:disable Rails/OutputSafety
+    end
+
+    def components
+      return @components if defined? @components
+
       iterator = ActionView::PartialIteration.new(@collection.size)
 
       component.validate_collection_parameter!(validate_default: true)
 
-      @collection.map do |item|
-        content = component.new(**component_options(item, iterator)).render_in(view_context, &block)
-        iterator.iterate!
-        content
-      end.join.html_safe # rubocop:disable Rails/OutputSafety
+      @components = @collection.map do |item|
+        component.new(**component_options(item, iterator)).tap do |component|
+          iterator.iterate!
+        end
+      end
+    end
+
+    def each(&block)
+      components.each(&block)
     end
 
     private
@@ -42,7 +56,7 @@ module ViewComponent
     def component_options(item, iterator)
       item_options = { component.collection_parameter => item }
       item_options[component.collection_counter_parameter] = iterator.index + 1 if component.counter_argument_present?
-      item_options[component.collection_iteration_parameter] = iterator if component.iteration_argument_present?
+      item_options[component.collection_iteration_parameter] = iterator.dup if component.iteration_argument_present?
 
       @options.merge(item_options)
     end

data/lib/view_component/compiler.rb

@@ -5,6 +5,15 @@ module ViewComponent
     # Lock required to be obtained before compiling the component
     attr_reader :__vc_compiler_lock
 
+    # Compiler mode. Can be either:
+    # * development (a blocking mode which ensures thread safety when redefining the `call` method for components,
+    #                default in Rails development and test mode)
+    # * production (a non-blocking mode, default in Rails production mode)
+    DEVELOPMENT_MODE = :development
+    PRODUCTION_MODE = :production
+
+    class_attribute :mode, default: PRODUCTION_MODE
+
     def initialize(component_class)
       @component_class = component_class
       @__vc_compiler_lock = Monitor.new
@@ -14,10 +23,14 @@ module ViewComponent
       CompileCache.compiled?(component_class)
     end
 
+    def development?
+      self.class.mode == DEVELOPMENT_MODE
+    end
+
     def compile(raise_errors: false)
       return if compiled?
 
-      __vc_compiler_lock.synchronize do
+      with_lock do
         CompileCache.invalidate_class!(component_class)
 
         subclass_instance_methods = component_class.instance_methods(false)
@@ -57,10 +70,10 @@ module ViewComponent
           end
 
           component_class.class_eval <<-RUBY, template[:path], -1
-            def #{method_name}
-              @output_buffer = ActionView::OutputBuffer.new
-              #{compiled_template(template[:path])}
-            end
+          def #{method_name}
+            @output_buffer = ActionView::OutputBuffer.new
+            #{compiled_template(template[:path])}
+          end
           RUBY
         end
 
@@ -72,6 +85,14 @@ module ViewComponent
       end
     end
 
+    def with_lock(&block)
+      if development?
+        __vc_compiler_lock.synchronize(&block)
+      else
+        block.call
+      end
+    end
+
     private
 
     attr_reader :component_class
@@ -85,16 +106,30 @@ module ViewComponent
         "elsif variant.to_sym == :#{variant}\n    #{call_method_name(variant)}"
       end.join("\n")
 
-      component_class.class_eval <<-RUBY, __FILE__, __LINE__ + 1
+      body = <<-RUBY
+        if variant.nil?
+          call
+        #{variant_elsifs}
+        else
+          call
+        end
+      RUBY
+
+      if development?
+        component_class.class_eval <<-RUBY, __FILE__, __LINE__ + 1
         def render_template_for(variant = nil)
-          if variant.nil?
-            call
-          #{variant_elsifs}
-          else
-            call
+          self.class.compiler.with_lock do
+            #{body}
           end
         end
-      RUBY
+        RUBY
+      else
+        component_class.class_eval <<-RUBY, __FILE__, __LINE__ + 1
+        def render_template_for(variant = nil)
+          #{body}
+        end
+        RUBY
+      end
     end
 
     def template_errors

data/lib/view_component/engine.rb

@@ -115,6 +115,14 @@ module ViewComponent
       end
     end
 
+    initializer "compiler mode" do |app|
+      ViewComponent::Compiler.mode = if Rails.env.development? || Rails.env.test?
+                                       ViewComponent::Compiler::DEVELOPMENT_MODE
+                                     else
+                                       ViewComponent::Compiler::PRODUCTION_MODE
+                                     end
+    end
+
     config.after_initialize do |app|
       options = app.config.view_component
 

data/lib/view_component/instrumentation.rb

@@ -5,14 +5,16 @@ require "active_support/notifications"
 module ViewComponent # :nodoc:
   module Instrumentation
     def self.included(mod)
-      mod.prepend(self)
+      mod.prepend(self) unless ancestors.include?(ViewComponent::Instrumentation)
     end
 
     def render_in(view_context, &block)
       ActiveSupport::Notifications.instrument(
         "!render.view_component",
-        name: self.class.name,
-        identifier: self.class.identifier
+        {
+          name: self.class.name,
+          identifier: self.class.identifier
+        }
       ) do
         super(view_context, &block)
       end

data/lib/view_component/test_helpers.rb

@@ -38,7 +38,7 @@ module ViewComponent
     # assert_text("Hello, World!")
     # ```
     #
-    # @param component [ViewComponent::Base] The instance of the component to be rendered.
+    # @param component [ViewComponent::Base, ViewComponent::Collection] The instance of the component to be rendered.
     # @return [Nokogiri::HTML]
     def render_inline(component, **args, &block)
       @rendered_component =
@@ -113,16 +113,22 @@ module ViewComponent
     #
     # @param path [String] The path to set for the current request.
     def with_request_url(path)
+      old_request_path_info = request.path_info
       old_request_path_parameters = request.path_parameters
       old_request_query_parameters = request.query_parameters
+      old_request_query_string = request.query_string
       old_controller = defined?(@controller) && @controller
 
+      request.path_info = path
       request.path_parameters = Rails.application.routes.recognize_path(path)
       request.set_header("action_dispatch.request.query_parameters", Rack::Utils.parse_query(path.split("?")[1]))
+      request.set_header(Rack::QUERY_STRING, path.split("?")[1])
       yield
     ensure
+      request.path_info = old_request_path_info
       request.path_parameters = old_request_path_parameters
       request.set_header("action_dispatch.request.query_parameters", old_request_query_parameters)
+      request.set_header(Rack::QUERY_STRING, old_request_query_string)
       @controller = old_controller
     end
 

data/lib/view_component/translatable.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require "erb"
 require "set"
 require "i18n"
 require "action_view/helpers/translation_helper"
@@ -41,7 +42,7 @@ module ViewComponent
       EMPTY_HASH = {}.freeze
 
       def initialize(i18n_scope:, load_paths:)
-        @i18n_scope = i18n_scope.split(".")
+        @i18n_scope = i18n_scope.split(".").map(&:to_sym)
         @load_paths = load_paths
       end
 
@@ -70,21 +71,29 @@ module ViewComponent
       key = key&.to_s unless key.is_a?(String)
       key = "#{i18n_scope}#{key}" if key.start_with?(".")
 
-      translated =
-        catch(:exception) do
-          i18n_backend.translate(locale, key, options)
+      if HTML_SAFE_TRANSLATION_KEY.match?(key)
+        html_escape_translation_options!(options)
+      end
+
+      if key.start_with?(i18n_scope + ".")
+        translated =
+          catch(:exception) do
+            i18n_backend.translate(locale, key, options)
+          end
+
+        # Fallback to the global translations
+        if translated.is_a? ::I18n::MissingTranslation
+          return super(key, locale: locale, **options)
         end
 
-      # Fallback to the global translations
-      if translated.is_a? ::I18n::MissingTranslation
-        return super(key, locale: locale, **options)
-      end
+        if HTML_SAFE_TRANSLATION_KEY.match?(key)
+          translated = translated.html_safe # rubocop:disable Rails/OutputSafety
+        end
 
-      if HTML_SAFE_TRANSLATION_KEY.match?(key)
-        translated = translated.html_safe # rubocop:disable Rails/OutputSafety
+        translated
+      else
+        super(key, locale: locale, **options)
       end
-
-      translated
     end
     alias :t :translate
 
@@ -92,5 +101,30 @@ module ViewComponent
     def i18n_scope
       self.class.i18n_scope
     end
+
+    def html_safe_translation(translation)
+      if translation.respond_to?(:map)
+        translation.map { |element| html_safe_translation(element) }
+      else
+        # It's assumed here that objects loaded by the i18n backend will respond to `#html_safe?`.
+        # It's reasonable that if we're in Rails, `active_support/core_ext/string/output_safety.rb`
+        # will provide this to `Object`.
+        translation.html_safe # rubocop:disable Rails/OutputSafety
+      end
+    end
+
+    private
+
+    def html_escape_translation_options!(options)
+      options.each do |name, value|
+        unless i18n_option?(name) || (name == :count && value.is_a?(Numeric))
+          options[name] = ERB::Util.html_escape(value.to_s)
+        end
+      end
+    end
+
+    def i18n_option?(name)
+      (@i18n_option_names ||= I18n::RESERVED_KEYS.to_set).include?(name)
+    end
   end
 end

data/lib/view_component/version.rb

@@ -3,8 +3,8 @@
 module ViewComponent
   module VERSION
     MAJOR = 2
-    MINOR = 47
-    PATCH = 0
+    MINOR = 49
+    PATCH = 1
 
     STRING = [MAJOR, MINOR, PATCH].join(".")
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: view_component
 version: !ruby/object:Gem::Version
-  version: 2.47.0
+  version: 2.49.1
 platform: ruby
 authors:
 - GitHub Open Source
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-12-20 00:00:00.000000000 Z
+date: 2022-03-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -44,6 +44,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: appraisal
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.4'
 - !ruby/object:Gem::Dependency
   name: benchmark-ips
   requirement: !ruby/object:Gem::Requirement
@@ -268,7 +282,7 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: 
+description:
 email:
 - opensource+view_component@github.com
 executables: []
@@ -304,6 +318,8 @@ files:
 - lib/rails/generators/slim/templates/component.html.slim.tt
 - lib/rails/generators/stimulus/component_generator.rb
 - lib/rails/generators/stimulus/templates/component_controller.js.tt
+- lib/rails/generators/tailwindcss/component_generator.rb
+- lib/rails/generators/tailwindcss/templates/component.html.erb.tt
 - lib/rails/generators/test_unit/component_generator.rb
 - lib/rails/generators/test_unit/templates/component_test.rb.tt
 - lib/view_component.rb
@@ -342,7 +358,7 @@ licenses:
 - MIT
 metadata:
   allowed_push_host: https://rubygems.org
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -357,8 +373,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
-signing_key: 
+rubygems_version: 3.2.32
+signing_key:
 specification_version: 4
 summary: View components for Rails
 test_files: []