aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--actionview/CHANGELOG.md10
-rw-r--r--actionview/lib/action_view/helpers/form_options_helper.rb2
2 files changed, 11 insertions, 1 deletions
diff --git a/actionview/CHANGELOG.md b/actionview/CHANGELOG.md
index 6d45cc1d8a..8597fea48d 100644
--- a/actionview/CHANGELOG.md
+++ b/actionview/CHANGELOG.md
@@ -1,3 +1,13 @@
+* Stop exposing public methods in view's helpers.
+
+ For example, in methods like `options_from_collection_for_select`,
+ it was possible to call private methods from the objects used.
+
+ See [#33546](https://github.com/rails/rails/issues/33546) for details.
+
+ *[Ana María Martínez Gómez](https://github.com/Ana06)*
+
+
* Fix issue with `button_to`'s `to_form_params`
`button_to` was throwing exception when invoked with `params` hash that
diff --git a/actionview/lib/action_view/helpers/form_options_helper.rb b/actionview/lib/action_view/helpers/form_options_helper.rb
index 7884a8d997..9c0238a01a 100644
--- a/actionview/lib/action_view/helpers/form_options_helper.rb
+++ b/actionview/lib/action_view/helpers/form_options_helper.rb
@@ -802,7 +802,7 @@ module ActionView
end
def value_for_collection(item, value)
- value.respond_to?(:call) ? value.call(item) : item.send(value)
+ value.respond_to?(:call) ? value.call(item) : item.public_send(value)
end
def prompt_text(prompt)