Merge branch 'master' into bug/filtered_parameters_class

6 files changed, 21 insertions, 13 deletions

diff --git a/actionview/lib/action_view/digestor.rb b/actionview/lib/action_view/digestor.rb
index 0658d8601d..ba189e23fe 100644
--- a/actionview/lib/action_view/digestor.rb
+++ b/actionview/lib/action_view/digestor.rb
@@ -62,8 +62,10 @@ module ActionView
             node
           end
         else
-          logger.error "  '#{name}' file doesn't exist, so no dependencies"
-          logger.error "  Couldn't find template for digesting: #{name}"
+          unless name.include?('#') # Dynamic template partial names can never be tracked
+            logger.error "  Couldn't find template for digesting: #{name}"
+          end
+
           seen[name] ||= Missing.new(name, logical_name, nil)
         end
       end
diff --git a/actionview/lib/action_view/gem_version.rb b/actionview/lib/action_view/gem_version.rb
index 5fc4f3f1b9..92e21d7a4f 100644
--- a/actionview/lib/action_view/gem_version.rb
+++ b/actionview/lib/action_view/gem_version.rb
@@ -6,7 +6,7 @@ module ActionView
 
   module VERSION
     MAJOR = 5
-    MINOR = 1
+    MINOR = 2
     TINY  = 0
     PRE   = "alpha"
 
diff --git a/actionview/lib/action_view/helpers/sanitize_helper.rb b/actionview/lib/action_view/helpers/sanitize_helper.rb
index 1e9b813d3d..0abd5bc5dc 100644
--- a/actionview/lib/action_view/helpers/sanitize_helper.rb
+++ b/actionview/lib/action_view/helpers/sanitize_helper.rb
@@ -13,6 +13,7 @@ module ActionView
       # It also strips href/src attributes with unsafe protocols like
       # <tt>javascript:</tt>, while also protecting against attempts to use Unicode,
       # ASCII, and hex character references to work around these protocol filters.
+      # All special characters will be escaped.
       #
       # The default sanitizer is Rails::Html::WhiteListSanitizer. See {Rails HTML
       # Sanitizers}[https://github.com/rails/rails-html-sanitizer] for more information.
@@ -20,8 +21,7 @@ module ActionView
       # Custom sanitization rules can also be provided.
       #
       # Please note that sanitizing user-provided text does not guarantee that the
-      # resulting markup is valid or even well-formed. For example, the output may still
-      # contain unescaped characters like <tt><</tt>, <tt>></tt>, or <tt>&</tt>.
+      # resulting markup is valid or even well-formed.
       #
       # ==== Options
       #
@@ -86,7 +86,7 @@ module ActionView
         self.class.white_list_sanitizer.sanitize_css(style)
       end
 
-      # Strips all HTML tags from +html+, including comments.
+      # Strips all HTML tags from +html+, including comments and special characters.
       #
       #   strip_tags("Strip <i>these</i> tags!")
       #   # => Strip these tags!
@@ -96,8 +96,11 @@ module ActionView
       #
       #   strip_tags("<div id='top-bar'>Welcome to my website!</div>")
       #   # => Welcome to my website!
+      #
+      #   strip_tags("> A quote from Smith & Wesson")
+      #   # => &gt; A quote from Smith &amp; Wesson
       def strip_tags(html)
-        self.class.full_sanitizer.sanitize(html, encode_special_chars: false)
+        self.class.full_sanitizer.sanitize(html)
       end
 
       # Strips all link tags from +html+ leaving just the link text.
@@ -110,6 +113,9 @@ module ActionView
       #
       #   strip_links('Blog: <a href="http://www.myblog.com/" class="nav" target=\"_blank\">Visit</a>.')
       #   # => Blog: Visit.
+      #
+      #   strip_links('<<a href="https://example.org">malformed & link</a>')
+      #   # => &lt;malformed &amp; link
       def strip_links(html)
         self.class.link_sanitizer.sanitize(html)
       end
diff --git a/actionview/lib/action_view/helpers/url_helper.rb b/actionview/lib/action_view/helpers/url_helper.rb
index a306903c60..304db38060 100644
--- a/actionview/lib/action_view/helpers/url_helper.rb
+++ b/actionview/lib/action_view/helpers/url_helper.rb
@@ -622,7 +622,7 @@ module ActionView
         def to_form_params(attribute, namespace = nil)
           attribute = if attribute.respond_to?(:permitted?)
             unless attribute.permitted?
-              raise ArgumentError, "Attempting to generate a buttom from non-sanitized request parameters!" \
+              raise ArgumentError, "Attempting to generate a button from non-sanitized request parameters!" \
                 " Whitelist and sanitize passed parameters to be secure."
             end
 
diff --git a/actionview/lib/action_view/template.rb b/actionview/lib/action_view/template.rb
index c067031d2d..b0e2f1e54e 100644
--- a/actionview/lib/action_view/template.rb
+++ b/actionview/lib/action_view/template.rb
@@ -345,7 +345,7 @@ module ActionView
       end
 
       def instrument(action, &block) # :doc:
-        ActiveSupport::Notifications.instrument("#{action}.action_view".freeze, instrument_payload, &block)
+        ActiveSupport::Notifications.instrument("#{action}.action_view", instrument_payload, &block)
       end
 
       def instrument_render_template(&block)
diff --git a/actionview/lib/action_view/test_case.rb b/actionview/lib/action_view/test_case.rb
index 2b981caa65..ae4fec4337 100644
--- a/actionview/lib/action_view/test_case.rb
+++ b/actionview/lib/action_view/test_case.rb
@@ -124,6 +124,10 @@ module ActionView
         @_rendered_views ||= RenderedViewsCollection.new
       end
 
+      def _routes
+        @controller._routes if @controller.respond_to?(:_routes)
+      end
+
       # Need to experiment if this priority is the best one: rendered => output_buffer
       class RenderedViewsCollection
         def initialize
@@ -258,10 +262,6 @@ module ActionView
         end]
       end
 
-      def _routes
-        @controller._routes if @controller.respond_to?(:_routes)
-      end
-
       def method_missing(selector, *args)
         begin
           routes = @controller.respond_to?(:_routes) && @controller._routes