author Ana María Martínez Gómez <anamma06@gmail.com> 2018-08-07 17:23:57 +0200
committer Ana María Martínez Gómez <ammartinez@suse.de> 2018-08-07 17:45:12 +0200
commit 87b6e6aa4328f16edd68978079f473169cceecbd (patch)
tree 9391a0f38f159a1009ea04a4f6735f586e09d969
parent b9807eb53880a386890aa1919cf812fb9876b805 (diff)
Use public_send in value_for_collection
Avoid exposing private methods in view's helpers. Fixes https://github.com/rails/rails/issues/33546
-rw-r--r-- actionview/CHANGELOG.md 10
-rw-r--r-- actionview/lib/action_view/helpers/form_options_helper.rb 2
2 files changed, 11 insertions, 1 deletions
diff --git a/actionview/CHANGELOG.md b/actionview/CHANGELOG.md
index 6d45cc1d8a..8597fea48d 100644
--- a/actionview/CHANGELOG.md
+++ b/actionview/CHANGELOG.md
@@ -1,3 +1,13 @@
+* Stop exposing public methods in view's helpers.
+
+ For example, in methods like `options_from_collection_for_select`,
+ it was possible to call private methods from the objects used.
+
+ See [#33546](https://github.com/rails/rails/issues/33546) for details.
+
+ *[Ana María Martínez Gómez](https://github.com/Ana06)*
+
+
* Fix issue with `button_to`'s `to_form_params`
`button_to` was throwing exception when invoked with `params` hash that
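Review bot: The first line of the new entry, `* Stop exposing public methods in view's helpers.`, says "public", but the commit message and the entry's own next paragraph both describe private methods being reachable. It should read "Stop exposing private methods in view's helpers." so the changelog states the behaviour that was actually fixed.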
diff --git a/actionview/lib/action_view/helpers/form_options_helper.rb b/actionview/lib/action_view/helpers/form_options_helper.rb
index 7884a8d997..9c0238a01a 100644
--- a/actionview/lib/action_view/helpers/form_options_helper.rb
+++ b/actionview/lib/action_view/helpers/form_options_helper.rb
@@ -802,7 +802,7 @@ module ActionView
end
def value_for_collection(item, value)
- value.respond_to?(:call) ? value.call(item) : item.send(value)
+ value.respond_to?(:call) ? value.call(item) : item.public_send(value)
end
def prompt_text(prompt)
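Review bot: The switch from `item.send(value)` to `item.public_send(value)` in `value_for_collection` comes with no test; the diffstat lists only the CHANGELOG and form_options_helper.rb. Add a regression test that passes a collection item with a private method as the value or text method to a helper such as `options_from_collection_for_select` and asserts that `NoMethodError` is raised, so a later revert to `send` is caught. Because `public_send` also refuses protected methods, the changelog entry could mention that callers passing any non-public method name will now get an exception.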