diff options
Diffstat (limited to 'actionview')
| -rw-r--r-- | actionview/CHANGELOG.md | 33 | ||||
| -rw-r--r-- | actionview/actionview.gemspec | 3 | ||||
| -rw-r--r-- | actionview/app/assets/javascripts/rails-ujs/features/remote.coffee | 7 | ||||
| -rw-r--r-- | actionview/app/assets/javascripts/rails-ujs/start.coffee | 8 | ||||
| -rw-r--r-- | actionview/lib/action_view/helpers/form_helper.rb | 3 | ||||
| -rw-r--r-- | actionview/lib/action_view/helpers/text_helper.rb | 2 | ||||
| -rw-r--r-- | actionview/test/template/text_helper_test.rb | 4 | ||||
| -rw-r--r-- | actionview/test/ujs/public/test/data-disable-with.js | 19 | ||||
| -rw-r--r-- | actionview/test/ujs/public/test/data-disable.js | 19 | ||||
| -rw-r--r-- | actionview/test/ujs/public/test/data-remote.js | 38 | ||||
| -rw-r--r-- | actionview/test/ujs/public/test/settings.js | 2 |
11 files changed, 130 insertions, 8 deletions
diff --git a/actionview/CHANGELOG.md b/actionview/CHANGELOG.md index fd8bae0cdf..f32bc3ab40 100644 --- a/actionview/CHANGELOG.md +++ b/actionview/CHANGELOG.md @@ -1,3 +1,34 @@ +* Prevent non-primary mouse keys from triggering Rails UJS click handlers. + Firefox fires click events even if the click was triggered by non-primary mouse keys such as right- or scroll-wheel-clicks. + For example, right-clicking a link such as the one described below (with an underlying ajax request registered on click) should not cause that request to occur. + + ``` + <%= link_to 'Remote', remote_path, class: 'remote', remote: true, data: { type: :json } %> + ``` + + Fixes #34541 + + *Wolfgang Hobmaier* + + +* Prevent `ActionView::TextHelper#word_wrap` from unexpectedly stripping white space from the _left_ side of lines. + + For example, given input like this: + + ``` + This is a paragraph with an initial indent, + followed by additional lines that are not indented, + and finally terminated with a blockquote: + "A pithy saying" + ``` + + Calling `word_wrap` should not trim the indents on the first and last lines. + + Fixes #34487 + + *Lyle Mullican* + + * Add allocations to template rendering instrumentation. Adds the allocations for template and partial rendering to the server output on render. @@ -11,7 +42,7 @@ *Eileen M. Uchitelle*, *Aaron Patterson* * Respect the `only_path` option passed to `url_for` when the options are passed in as an array - + Fixes #33237. *Joel Ambass* diff --git a/actionview/actionview.gemspec b/actionview/actionview.gemspec index 49ee1a292b..5f1e746421 100644 --- a/actionview/actionview.gemspec +++ b/actionview/actionview.gemspec @@ -26,6 +26,9 @@ Gem::Specification.new do |s| "changelog_uri" => "https://github.com/rails/rails/blob/v#{version}/actionview/CHANGELOG.md" } + # NOTE: Please read our dependency guidelines before updating versions: + # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves + s.add_dependency "activesupport", version s.add_dependency "builder", "~> 3.1" diff --git a/actionview/app/assets/javascripts/rails-ujs/features/remote.coffee b/actionview/app/assets/javascripts/rails-ujs/features/remote.coffee index b3448dabac..a5b61220bb 100644 --- a/actionview/app/assets/javascripts/rails-ujs/features/remote.coffee +++ b/actionview/app/assets/javascripts/rails-ujs/features/remote.coffee @@ -82,9 +82,12 @@ Rails.formSubmitButtonClick = (e) -> setData(form, 'ujs:submit-button-formaction', button.getAttribute('formaction')) setData(form, 'ujs:submit-button-formmethod', button.getAttribute('formmethod')) -Rails.handleMetaClick = (e) -> +Rails.preventInsignificantClick = (e) -> link = this method = (link.getAttribute('data-method') or 'GET').toUpperCase() data = link.getAttribute('data-params') metaClick = e.metaKey or e.ctrlKey - e.stopImmediatePropagation() if metaClick and method is 'GET' and not data + insignificantMetaClick = metaClick and method is 'GET' and not data + primaryMouseKey = e.button is 0 + e.stopImmediatePropagation() if not primaryMouseKey or insignificantMetaClick + diff --git a/actionview/app/assets/javascripts/rails-ujs/start.coffee b/actionview/app/assets/javascripts/rails-ujs/start.coffee index 32a915ac0b..5c1214df59 100644 --- a/actionview/app/assets/javascripts/rails-ujs/start.coffee +++ b/actionview/app/assets/javascripts/rails-ujs/start.coffee @@ -3,8 +3,8 @@ getData, $ refreshCSRFTokens, CSRFProtection enableElement, disableElement, handleDisabledElement - handleConfirm - handleRemote, formSubmitButtonClick, handleMetaClick + handleConfirm, preventInsignificantClick + handleRemote, formSubmitButtonClick, handleMethod } = Rails @@ -35,13 +35,14 @@ Rails.start = -> delegate document, Rails.buttonDisableSelector, 'ajax:complete', enableElement delegate document, Rails.buttonDisableSelector, 'ajax:stopped', enableElement + delegate document, Rails.linkClickSelector, 'click', preventInsignificantClick delegate document, Rails.linkClickSelector, 'click', handleDisabledElement delegate document, Rails.linkClickSelector, 'click', handleConfirm - delegate document, Rails.linkClickSelector, 'click', handleMetaClick delegate document, Rails.linkClickSelector, 'click', disableElement delegate document, Rails.linkClickSelector, 'click', handleRemote delegate document, Rails.linkClickSelector, 'click', handleMethod + delegate document, Rails.buttonClickSelector, 'click', preventInsignificantClick delegate document, Rails.buttonClickSelector, 'click', handleDisabledElement delegate document, Rails.buttonClickSelector, 'click', handleConfirm delegate document, Rails.buttonClickSelector, 'click', disableElement @@ -60,6 +61,7 @@ Rails.start = -> delegate document, Rails.formSubmitSelector, 'ajax:send', disableElement delegate document, Rails.formSubmitSelector, 'ajax:complete', enableElement + delegate document, Rails.formInputClickSelector, 'click', preventInsignificantClick delegate document, Rails.formInputClickSelector, 'click', handleDisabledElement delegate document, Rails.formInputClickSelector, 'click', handleConfirm delegate document, Rails.formInputClickSelector, 'click', formSubmitButtonClick diff --git a/actionview/lib/action_view/helpers/form_helper.rb b/actionview/lib/action_view/helpers/form_helper.rb index 6e769aa560..c2caa77afb 100644 --- a/actionview/lib/action_view/helpers/form_helper.rb +++ b/actionview/lib/action_view/helpers/form_helper.rb @@ -1130,6 +1130,9 @@ module ActionView # text_field(:post, :title, class: "create_input") # # => <input type="text" id="post_title" name="post[title]" value="#{@post.title}" class="create_input" /> # + # text_field(:post, :title, maxlength: 30, class: "title_input") + # # => <input type="text" id="post_title" name="post[title]" maxlength="30" size="30" value="#{@post.title}" class="title_input" /> + # # text_field(:session, :user, onchange: "if ($('#session_user').val() === 'admin') { alert('Your login cannot be admin!'); }") # # => <input type="text" id="session_user" name="session[user]" value="#{@session.user}" onchange="if ($('#session_user').val() === 'admin') { alert('Your login cannot be admin!'); }"/> # diff --git a/actionview/lib/action_view/helpers/text_helper.rb b/actionview/lib/action_view/helpers/text_helper.rb index a338d076e4..3d378dcb2f 100644 --- a/actionview/lib/action_view/helpers/text_helper.rb +++ b/actionview/lib/action_view/helpers/text_helper.rb @@ -259,7 +259,7 @@ module ActionView # # => Once\r\nupon\r\na\r\ntime def word_wrap(text, line_width: 80, break_sequence: "\n") text.split("\n").collect! do |line| - line.length > line_width ? line.gsub(/(.{1,#{line_width}})(\s+|$)/, "\\1#{break_sequence}").strip : line + line.length > line_width ? line.gsub(/(.{1,#{line_width}})(\s+|$)/, "\\1#{break_sequence}").rstrip : line end * break_sequence end diff --git a/actionview/test/template/text_helper_test.rb b/actionview/test/template/text_helper_test.rb index 2925489f5d..e961a770e6 100644 --- a/actionview/test/template/text_helper_test.rb +++ b/actionview/test/template/text_helper_test.rb @@ -361,6 +361,10 @@ class TextHelperTest < ActionView::TestCase assert_equal("my very very\nvery long\nstring\n\nwith another\nline", word_wrap("my very very very long string\n\nwith another line", line_width: 15)) end + def test_word_wrap_with_leading_spaces + assert_equal(" This is a paragraph\nthat includes some\nindented lines:\n Like this sample\n blockquote", word_wrap(" This is a paragraph that includes some\nindented lines:\n Like this sample\n blockquote", line_width: 25)) + end + def test_word_wrap_does_not_modify_the_options_hash options = { line_width: 15 } passed_options = options.dup diff --git a/actionview/test/ujs/public/test/data-disable-with.js b/actionview/test/ujs/public/test/data-disable-with.js index 645ad494c3..b5684e0938 100644 --- a/actionview/test/ujs/public/test/data-disable-with.js +++ b/actionview/test/ujs/public/test/data-disable-with.js @@ -322,6 +322,25 @@ asyncTest('ctrl-clicking on a link does not disables the link', 6, function() { start() }) +asyncTest('right/mouse-wheel-clicking on a link does not disables the link', 10, function() { + var link = $('a[data-disable-with]') + + App.checkEnabledState(link, 'Click me') + + link.triggerNative('click', { button: 1 }) + App.checkEnabledState(link, 'Click me') + + link.triggerNative('click', { button: 1 }) + App.checkEnabledState(link, 'Click me') + + link.triggerNative('click', { button: 2 }) + App.checkEnabledState(link, 'Click me') + + link.triggerNative('click', { button: 2 }) + App.checkEnabledState(link, 'Click me') + start() +}) + asyncTest('button[data-remote][data-disable-with] disables and re-enables', 6, function() { var button = $('button[data-remote][data-disable-with]') diff --git a/actionview/test/ujs/public/test/data-disable.js b/actionview/test/ujs/public/test/data-disable.js index 88dc801b2f..9f84c4647e 100644 --- a/actionview/test/ujs/public/test/data-disable.js +++ b/actionview/test/ujs/public/test/data-disable.js @@ -250,6 +250,25 @@ asyncTest('ctrl-clicking on a link does not disables the link', 6, function() { start() }) +asyncTest('right/mouse-wheel-clicking on a link does not disable the link', 10, function() { + var link = $('a[data-disable]') + + App.checkEnabledState(link, 'Click me') + + link.triggerNative('click', { button: 1 }) + App.checkEnabledState(link, 'Click me') + + link.triggerNative('click', { button: 1 }) + App.checkEnabledState(link, 'Click me') + + link.triggerNative('click', { button: 2 }) + App.checkEnabledState(link, 'Click me') + + link.triggerNative('click', { button: 2 }) + App.checkEnabledState(link, 'Click me') + start() +}) + asyncTest('button[data-remote][data-disable] disables and re-enables', 6, function() { var button = $('button[data-remote][data-disable]') diff --git a/actionview/test/ujs/public/test/data-remote.js b/actionview/test/ujs/public/test/data-remote.js index 3503c2cff3..55d39b0a52 100644 --- a/actionview/test/ujs/public/test/data-remote.js +++ b/actionview/test/ujs/public/test/data-remote.js @@ -63,6 +63,25 @@ asyncTest('ctrl-clicking on a link does not fire ajaxyness', 0, function() { setTimeout(function() { start() }, 13) }) +asyncTest('right/mouse-wheel-clicking on a link does not fire ajaxyness', 0, function() { + var link = $('a[data-remote]') + + // Ideally, we'd setup an iframe to intercept normal link clicks + // and add a test to make sure the iframe:loaded event is triggered. + // However, jquery doesn't actually cause a native `click` event and + // follow links using `trigger('click')`, it only fires bindings. + link + .removeAttr('data-params') + .bindNative('ajax:beforeSend', function() { + ok(false, 'ajax should not be triggered') + }) + + link.triggerNative('click', { button: 1 }) + link.triggerNative('click', { button: 2 }) + + setTimeout(function() { start() }, 13) +}) + asyncTest('ctrl-clicking on a link still fires ajax for non-GET links and for links with "data-params"', 2, function() { var link = $('a[data-remote]') @@ -148,6 +167,25 @@ asyncTest('clicking on a button with data-remote attribute', 5, function() { .triggerNative('click') }) +asyncTest('right/mouse-wheel-clicking on a button with data-remote attribute does not fire ajaxyness', 0, function() { + var button = $('button[data-remote]') + + // Ideally, we'd setup an iframe to intercept normal link clicks + // and add a test to make sure the iframe:loaded event is triggered. + // However, jquery doesn't actually cause a native `click` event and + // follow links using `trigger('click')`, it only fires bindings. + button + .removeAttr('data-params') + .bindNative('ajax:beforeSend', function() { + ok(false, 'ajax should not be triggered') + }) + + button.triggerNative('click', { button: 1 }) + button.triggerNative('click', { button: 2 }) + + setTimeout(function() { start() }, 13) +}) + asyncTest('changing a select option with data-remote attribute', 5, function() { buildSelect() diff --git a/actionview/test/ujs/public/test/settings.js b/actionview/test/ujs/public/test/settings.js index 05677f2595..682d044403 100644 --- a/actionview/test/ujs/public/test/settings.js +++ b/actionview/test/ujs/public/test/settings.js @@ -71,7 +71,7 @@ try { } catch (e) { _MouseEvent = function(type, options) { var evt = document.createEvent('MouseEvents') - evt.initMouseEvent(type, options.bubbles, options.cancelable, window, options.detail, 0, 0, 80, 20, options.ctrlKey, options.altKey, options.shiftKey, options.metaKey, 0, null) + evt.initMouseEvent(type, options.bubbles, options.cancelable, window, options.detail, 0, 0, 80, 20, options.ctrlKey, options.altKey, options.shiftKey, options.metaKey, options.button, null) return evt } } |