It's possible for `ActionView::Helpers::FormTagHelper#field_name` calls
made by instances constructed through `fields` and `fields_for` helpers
to have an `object_name` argument that's `nil`. For example, the
following will raise an ``undefined method `empty?' for nil:NilClass``
exception:
```erb
<%= fields do |f| %>
<%= f.field_name :body %>
<% end %>
```
To guard against those calls, replace the method's call to
`String#empty?` with `Object#blank?`, since `NilClass#empty?` is not
defined.
In f075be3dcb, did_you_mean and error_highlight now use
`detailed_message` over `message` to display errors.
For cases where we are testing `message`, in 3.2 and above we need to
test against `detailed_message` instead.
As far as I can tell in a Rails console when these errors are raised the
`detailed_message` is used so we shouldn't need to make other changes to
Rails. The only case where this isn't true is in the Railties changes -
we are explicitly formatting the did you mean message so we need to be
sure to call `detailed_message` here.
This fixes most of the failing tests for ruby-trunk.
Because these strings contain no HTML elements and the basic entities
are escaped, they are safe to be included as-is as PCDATA in HTML
content. Tagging them as html-safe avoids double-escaping entities
when being concatenated to a SafeBuffer during rendering.
Fixes https://github.com/rails/rails-html-sanitizer/issues/124
Following the discussion here:
https://github.com/rails/rails/pull/44174/files#r785160819
Background: The `i18n` gem is relatively lax when it comes
to naming locales. It does not enforce any standard. Thus
it is possible to have e.g. per tenant locales (think
`en_tenant1`, `en_tenant2` etc.). This also worked for
translated templates up until rails 6.1.
Rails 7 changed the template lookup and enforced a naming
scheme for locales. This poses a problem for legacy apps
that use non-standard locale names.
This commit changes the way locale names are detected in
template file names. In addition to the previously used
regexp it also allows all known locales from
`I18n.available_locales`.
This makes it backwards compatible to rails 7.0
behavior while also allowing non-standard locale names.
Thanks to jvillarejo for the great idea.
Also introduce the usage of `Regexp.union`, a wonderful
suggestion by casperisfine.
Ensure models passed to `form_with` attempt to call `to_model`.
Now that `form_for` is implemented in terms of `form_with`, this commit
also removes the `convert_to_model` call from the `form_for` implementation.
To exercise this behavior, change existing `form_with` test coverage.
Prior to this change, a call to `form_with` made with a `model:` argument
that responds to `to_model` would not incorporate the instance's persistence
state into the form's HTTP verb. After this change, the persistence state
inferred from the `model:` argument's `to_model` call is incorporated into
the `<form>` element's `[method]` attribute.
This is a separate follow-up change proposed in [rails/rails#44328][].
The original change to restore old behavior _deliberately_ excluded
applying the same logic to `form_with`, since it would be a breaking
change from how `form_with` behaved previously.
This commit proposed making that breaking change.
[rails/rails#44328]: https://github.com/rails/rails/pull/44328#discussion_r808475585
Vue.js, alpinejs, and potentially other JS libraries support tags
starting with `@` symbols. This was broken by the recent security release in
649516ce0f.
I've only added `@` to the list even though there are potentially other
safe characters. We can add more if necessary (and if safe).
Fixes:
* #45014
* #44972
Add the method ERB::Util.xml_name_escape to escape dangerous characters
in names of tags and names of attributes, following the specification of
XML.
Use that method in the tag helpers of ActionView::Helpers. Rename the option
:escape_attributes to :escape, to simplify by applying the option to the whole
tag.
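The name escaping described in the two commit messages above (XML-name escaping for tag and attribute names, with `@` allowed as a leading character), as an added example that is not code from Rails or from these commits. `escape_xml_name`, `render_tag` and the constants are hypothetical names, the `_` replacement character is an assumption of this sketch, and the sample input is constructed.

```ruby
# Added sketch, not Rails code: escape_xml_name, render_tag and the constants
# are hypothetical names; "_" as the replacement character is an assumption.

# NameStartChar ranges from the XML 1.0 specification, plus "@" so that
# Vue.js / Alpine.js style attribute names such as "@click" are preserved.
NAME_START = "@:A-Z_a-z\u{C0}-\u{D6}\u{D8}-\u{F6}\u{F8}-\u{2FF}\u{370}-\u{37D}" \
             "\u{37F}-\u{1FFF}\u{200C}-\u{200D}\u{2070}-\u{218F}\u{2C00}-\u{2FEF}" \
             "\u{3001}-\u{D7FF}\u{F900}-\u{FDCF}\u{FDF0}-\u{FFFD}\u{10000}-\u{EFFFF}"
# NameChar: everything above plus "-", ".", digits and combining marks.
NAME_FOLLOWING = "#{NAME_START}\\-.0-9\u{B7}\u{300}-\u{36F}\u{203F}-\u{2040}"

INVALID_START     = /[^#{NAME_START}]/
INVALID_FOLLOWING = /[^#{NAME_FOLLOWING}]/
HTML_ESCAPES = { "&" => "&amp;", "<" => "&lt;", ">" => "&gt;",
                 '"' => "&quot;", "'" => "&#39;" }.freeze

# Replace every character that cannot appear in an XML name with "_".
def escape_xml_name(name)
  name = name.to_s
  return "" if name.empty?
  name[0].gsub(INVALID_START, "_") + name[1..-1].gsub(INVALID_FOLLOWING, "_")
end

# Build an opening tag: names go through escape_xml_name, values are
# HTML-escaped, so neither can break out of its syntactic position.
def render_tag(tag_name, attributes = {})
  attrs = attributes.map do |key, value|
    %( #{escape_xml_name(key)}="#{value.to_s.gsub(/[&<>"']/, HTML_ESCAPES)}")
  end
  "<#{escape_xml_name(tag_name)}#{attrs.join}>"
end

# Constructed sample input: one legitimate "@" name, one hostile name.
puts render_tag("div", { "@click" => "open = true", 'class onfocus="x"' => "a" })
```

The space, `=` and quote characters in the second attribute name are each replaced, so the name stays a single attribute token instead of splitting into extra attributes.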
Every time I write `config.cache_classes` I have to pause for a moment to make
sure I get it right. It makes you think.
On the other hand, if you read `config.enable_reloading = true`, does the
application reload? You do not need to spend 1 cycle of brain CPU to nod.
Because the indented code block follows an indented list item, RDoc
interprets the examples as a continuation of the list item prose,
instead of code. To distinguish the two, this commit moves the examples
to their own subsection with an intervening subheading.
Additionally, this commit applies a few other formatting tweaks.
Follow up to https://github.com/rails/rails/pull/43112 and https://github.com/rails/rails/pull/44100
- `data-remote` is deprecated on links and buttons. Turbo doesn't need it since that is the default behaviour. You use `data-turbo=false` on elements that opt out of that, but I don't think that's in scope for Rails.
- `data-method` is deprecated on links. Turbo expects [data-turbo-method](https://turbo.hotwired.dev/handbook/drive#performing-visits-with-a-different-method).
Update actionview/lib/action_view/helpers/url_helper.rb
Co-authored-by: Hartley McGuire <skipkayhil@gmail.com>
Now it's possible to write
```ruby
audio_tag(user.audio_file)
video_tag(user.video_file)
```
Instead of
```ruby
audio_tag(polymorphic_path(user.audio_file))
video_tag(polymorphic_path(user.video_file))
```
image_tag already supported that, so this follows the same pattern.
These classes are relatively small, however they include lots of
modules as helpers. And if any of the included modules hold constants,
including it causes the global constant cache to be invalidated,
which is really bad for performance.
So when eager loading is enabled we create all the possible classes
as part of the application boot.
RDoc will automatically format and link API references as long as they
are not already marked up as inline code.
This commit removes markup from various API references so that those
references will link to the relevant API docs.
"Overwrite" means "destructively replace", and is more suitable when,
for example, talking about writing data to a location.
"Override" means "supersede", and is more suitable when, for example,
talking about redefining methods in a subclass.
Previously one subscriber was used for both the "Rendering" (before) and
"Rendered" (after) events. With the previous change to AS::Subscriber
these need to be split.
Co-authored-by: Adam Hess <HParker@github.com>