-
Only accept formats from registered mime types
A lack of filtering on mime types could allow an attacker to read arbitrary files on the target server or to perform a denial of service attack.
Fixes CVE-2019-5418 Fixes CVE-2019-5419
John Hawthorn, Eileen M. Uchitelle, Aaron Patterson
- No changes.
- No changes.
- No changes.
- No changes.
- No changes.
- No changes.
- No changes.
- No changes.
- No changes.
-
Allow render locals to be assigned to instance variables in a view.
Fixes #27480.
Andrew White
-
Return correct object name in form helper method after
fields_for.Fixes #26931.
Yuji Yaginuma
- No changes.
-
Restore support for locals named
_,arg,args, andblock.Fixes #27302.
Toshimaru
-
Fix support to
ActionController::Parametersinbutton_to.Jon Moss
-
Render now accepts any keys for locals, including reserved words
Only locals with valid variable names get set directly. Others will still be available in local_assigns.
Example of render with reserved words:
<%= render "example", class: "text-center", message: "Hello world!" %> <!-- _example.html.erb: --> <%= tag.div class: local_assigns[:class] do %> <p><%= message %></p> <% end %>
Peter Schilling, Matthew Draper
-
Changed partial rendering with a collection to allow collections which implement
to_a.Extracting the collection option had an optimization to avoid unnecessary queries of ActiveRecord Relations by calling
#to_aryon the given collection. Instances ofEnumeratororEnumerableare valid collections, but they do not implement#to_ary. By changing this to#to_a, they will now be extracted and rendered as expected.Steven Harman
-
Fix
ActionView::Helpers#current_page?to work properly even with a trailing slash.Fixes #19472.
Stan Lo
-
Changed partial rendering with a collection to allow collections which implement
to_a.Extracting the collection option had an optimization to avoid unnecessary queries of ActiveRecord Relations by calling
#to_aryon the given collection. Instances ofEnumeratororEnumerableare valid collections, but they do not implement#to_ary. By changing this to#to_a, they will now be extracted and rendered as expected.Steven Harman
-
Change
datetime_fieldanddatetime_field_tagto generatedatetime-localfields.As a new specification of the HTML 5 the text field type
datetimewill no longer exist and it is recomended to usedatetime-local. Ref: https://html.spec.whatwg.org/multipage/forms.html#local-date-and-time-state-(type=datetime-local)Herminio Torres
-
Raw template handler (which is also the default template handler in Rails 5) now outputs HTML-safe strings.
In Rails 5 the default template handler was changed to the raw template handler. Because the ERB template handler escaped strings by default this broke some applications that expected plain JS or HTML files to be rendered unescaped. This fixes the issue caused by changing the default handler by changing the Raw template handler to output HTML-safe strings.
Eileen M. Uchitelle
-
select_tag'sinclude_blankoption for generation for blank option tag, now adds an empty space label, when the value as well as content for option tag are empty, so that we confirm with html specification. Ref: https://www.w3.org/TR/html5/forms.html#the-option-element.Generation of option before:
<option value=""></option>
Generation of option after:
<option value="" label=" "></option>
*Vipul A M *
-
date_selecthelper:with_css_classesoption now accepts a hash of strings for:year,:month,:day,:hour,:minute,:secondthat will extend the select type with the given css class value.<%= f.date_select :birthday, with_css_classes: { month: "my-month", year: "my-year" } %>
<select id="user_birthday_3i" name="user[birthday(3i)]">…</select> <select id="user_birthday_2i" name="user[birthday(2i)]" class="my-month">…</select> <select id="user_birthday_1i" name="user[birthday(1i)]" class="my-year">…</select>
Matthias Neumayr
-
Add
to_sentencehelper that is a HTML-safe aware version ofArray#to_sentence.Neil Matatall
-
Added log "Rendering ...", when starting to render a template to log that we have started rendering something. This helps to easily identify the origin of queries in the log whether they came from controller or views.
Vipul A M and Prem Sichanugrist
-
Collection rendering can cache and fetch multiple partials at once.
Collections rendered as:
<%= render partial: 'notifications/notification', collection: @notifications, as: :notification, cached: true %>
will read several partials from cache at once. The templates in the collection that haven't been cached already will automatically be written to cache. Works great alongside individual template fragment caching. For instance if the template the collection renders is cached like:
# notifications/_notification.html.erb <% cache notification do %> <%# ... %> <% end %>
Then any collection renders shares that cache when attempting to read multiple ones at once.
Kasper Timm Hansen
-
Add support for nested hashes/arrays to
:paramsoption ofbutton_tohelper.James Coleman
-
Fix stripping the digest from the automatically generated img tag alt attribute when assets are handled by Sprockets >=3.0.
Bart de Water
-
Create a new
ActiveSupport::SafeBufferinstance whencontent_foris flushed.Fixes #19890.
Yoong Kang Lim
-
Fix
collection_radio_buttonshidden_field name and make it appear before the actual input radio tags to make the real value override the hidden when passed.Fixes #22773.
Santiago Pastorino
-
ActionView::TestCase::Controller#paramsreturns an instance ofActionController::Parameters.Justin Coyne
-
Fix regression in
submit_tagwhen a symbol is used as label argument.Yuuji Yaginuma
-
I18n.translatehelper will wrap the missing translation keys in a tag only ifdebug_missing_translationconfiguration be true. Default value istrue. For example inapplication.rb:config.action_view.debug_missing_translation = false
Sameer Rahmani
-
Respect value of
:objectif:objectis false when rendering.Fixes #22260.
Yuichiro Kaneko
-
Generate
week_fieldinput values using a 1-based index and not a 0-based index as per the W3 spec: http://www.w3.org/TR/html-markup/datatypes.html#form.data.weekChristoph Geschwind
-
Allow
hostoption injavascript_include_tagandstylesheet_link_taghelpersGrzegorz Witek
-
Restrict
url_for :backto valid, non-JavaScript URLs. GH#14444Damien Burke
-
Allow
date_selecthelper selected option to accept hash like the default options.Lecky Lao
-
Collection input propagates input's
idto the label'sforattribute when using html options as the last element of collection.Vasiliy Ermolovich
-
Add a
hidden_fieldon thecollection_radio_buttonsto avoid raising an error when the only input on the form is thecollection_radio_buttons.Mauro George
-
url_fordoes not modify its arguments when generating polymorphic URLs.Bernerd Schaefer
-
number_to_currencyandnumber_with_delimiternow accept a customdelimiter_patternoption to handle placement of delimiter, to support currency formats like INR.Example:
number_to_currency(1230000, delimiter_pattern: /(\d+?)(?=(\d\d)+(\d)(?!\d))/, unit: '₹', format: "%u %n") # => '₹ 12,30,000.00'Vipul A M
-
Make
disable_withthe default behavior for submit tags. Disables the button on submit to prevent double submits.Justin Schiff
-
Add a break_sequence option to word_wrap so you can specify a custom break.
Mauricio Gomez
-
Add wildcard matching to explicit dependencies.
Turns:
<% # Template Dependency: recordings/threads/events/subscribers_changed %> <% # Template Dependency: recordings/threads/events/completed %> <% # Template Dependency: recordings/threads/events/uncompleted %>
Into:
<% # Template Dependency: recordings/threads/events/* %>
Kasper Timm Hansen
-
Allow defining explicit collection caching using a
# Template Collection: ...directive inside templates.Dov Murik
-
Asset helpers raise
ArgumentErrorwhennilis passed as a source.Anton Kolomiychuk
-
Always attach the template digest to the cache key for collection caching even when
virtual_pathis not available from the view context. Which could happen if the rendering was done directly in the controller and not in a template.Fixes #20535.
Roque Pinel
-
Improve detection of partial templates eligible for collection caching, now allowing multi-line comments at the beginning of the template file.
Dov Murik
-
Raise an
ArgumentErrorwhen a false value forinclude_blankis passed to a required select field (to comply with the HTML5 spec).Grey Baker
-
Do not put partial name to
local_assignswhen rendering without an object or a collection.Henrik Nygren
-
Remove
:rescue_formatoption fortranslatehelper since it's no longer supported by I18n.Bernard Potocki
-
translateshould handleraiseflag correctly in case of both main and default translation is missing.Fixes #19967.
Bernard Potocki
-
Load the
default_form_builderfrom the controller on initialization, which overrides the global config if it is present.Kevin McPhillips
-
Accept lambda as
child_indexoption infields_formethod.Karol Galanciak
-
translateallowsdefault: [[]]again for a default value of[].Fixes #19640.
Adam Prescott
-
translateshould accept nils as members of the:defaultparameter without raising a translation missing error.Fixes #19419.
Justin Coyne
-
number_to_percentagedoes not crash withFloat::NANorFloat::INFINITYas input whenprecision: 0is used.Fixes #19227.
Yves Senn
-
Fixed the translation helper method to accept different default values types besides String.
Ulisses Almeida
-
Fixed a dependency tracker bug that caused template dependencies not count layouts as dependencies for partials.
Juho Leinonen
-
Extracted
ActionView::Helpers::RecordTagHelperto external gem (record_tag_helper) and added removal notices.Todd Bealmear
-
Allow to pass an integer value to
sizeoption inimage_tagandvideo_tag.This makes the behavior more consistent with
widthorheightoptions.Mehdi Lahmam
-
Partial template name does no more have to be a valid Ruby identifier.
There used to be a naming rule that the partial name should start with underscore, and should be followed by any combination of letters, numbers and underscores. But now we can give our partials any name starting with underscore, such as _🍔.html.erb.
Akira Matsuda
-
Change the default template handler from
ERBtoRaw.Files without a template handler in their extension will be rendered using the raw handler instead of ERB.
Rafael Mendonça França
-
Remove deprecated
AbstractController::Base::parent_prefixes.Rafael Mendonça França
-
Default translations that have a lower precedence than a html safe default, but are not themselves safe, should not be marked as html_safe.
Justin Coyne
-
Make possible to use blocks with short version of
render "partial"helper.Nikolay Shebanov
-
Add a
hidden_fieldon thefile_fieldto avoid raising an error when the only input on the form is thefile_field.Mauro George
-
Add support for Reply-To field in
mail_tohelper.Mark Dodwell
-
Add an explicit error message, in
ActionView::PartialRendererfor partialrendering, when the value of optionashas invalid characters.Angelo Capilleri
-
Allow entries without a link tag in
AtomFeedHelper.Daniel Gomez de Souza
Please check 4-2-stable for previous changes.