6 files changed, 43 insertions, 7 deletions

diff --git a/actionview/CHANGELOG.md b/actionview/CHANGELOG.md
index b071b260c9..6e71809385 100644
--- a/actionview/CHANGELOG.md
+++ b/actionview/CHANGELOG.md
@@ -1,3 +1,14 @@
+*   Remove the option `encode_special_chars` misnomer from `strip_tags`
+
+    As of rails-html-sanitizer v1.0.3, the sanitizer will ignore the
+    `encode_special_chars` option.
+
+    Fixes #28060.
+
+    *Andrew Hood*
+
+## Rails 5.1.0.beta1 (February 23, 2017) ##
+
 *   Change the ERB handler from Erubis to Erubi.
 
     Erubi is an Erubis fork that's svelte, simple, and currently maintained.
@@ -88,6 +99,23 @@
 
     *Peter Schilling*, *Matthew Draper*
 
+*   Add `:skip_pipeline` option to several asset tag helpers
+
+    `javascript_include_tag`, `stylesheet_link_tag`, `favicon_link_tag`,
+    `image_tag` and `audio_tag` now accept a `:skip_pipeline` option which can
+    be set to true to bypass the asset pipeline and serve the assets from the
+    public folder.
+
+    *Richard Schneeman*
+
+*   Add `:poster_skip_pipeline` option to the `video_tag` helper
+
+    `video_tag` now accepts a `:poster_skip_pipeline` option which can be used
+    in combination with the `:poster` option to bypass the asset pipeline and
+    serve the poster image for the video from the public folder.
+
+    *Richard Schneeman*
+
 *   Show cache hits and misses when rendering partials.
 
     Partials using the `cache` helper will show whether a render hit or missed
diff --git a/actionview/lib/action_view/gem_version.rb b/actionview/lib/action_view/gem_version.rb
index 5fc4f3f1b9..662a85f191 100644
--- a/actionview/lib/action_view/gem_version.rb
+++ b/actionview/lib/action_view/gem_version.rb
@@ -8,7 +8,7 @@ module ActionView
     MAJOR = 5
     MINOR = 1
     TINY  = 0
-    PRE   = "alpha"
+    PRE   = "beta1"
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
   end
diff --git a/actionview/lib/action_view/helpers/sanitize_helper.rb b/actionview/lib/action_view/helpers/sanitize_helper.rb
index 1e9b813d3d..0abd5bc5dc 100644
--- a/actionview/lib/action_view/helpers/sanitize_helper.rb
+++ b/actionview/lib/action_view/helpers/sanitize_helper.rb
@@ -13,6 +13,7 @@ module ActionView
       # It also strips href/src attributes with unsafe protocols like
       # <tt>javascript:</tt>, while also protecting against attempts to use Unicode,
       # ASCII, and hex character references to work around these protocol filters.
+      # All special characters will be escaped.
       #
       # The default sanitizer is Rails::Html::WhiteListSanitizer. See {Rails HTML
       # Sanitizers}[https://github.com/rails/rails-html-sanitizer] for more information.
@@ -20,8 +21,7 @@ module ActionView
       # Custom sanitization rules can also be provided.
       #
       # Please note that sanitizing user-provided text does not guarantee that the
-      # resulting markup is valid or even well-formed. For example, the output may still
-      # contain unescaped characters like <tt><</tt>, <tt>></tt>, or <tt>&</tt>.
+      # resulting markup is valid or even well-formed.
       #
       # ==== Options
       #
@@ -86,7 +86,7 @@ module ActionView
         self.class.white_list_sanitizer.sanitize_css(style)
       end
 
-      # Strips all HTML tags from +html+, including comments.
+      # Strips all HTML tags from +html+, including comments and special characters.
       #
       #   strip_tags("Strip <i>these</i> tags!")
       #   # => Strip these tags!
@@ -96,8 +96,11 @@ module ActionView
       #
       #   strip_tags("<div id='top-bar'>Welcome to my website!</div>")
       #   # => Welcome to my website!
+      #
+      #   strip_tags("> A quote from Smith & Wesson")
+      #   # => &gt; A quote from Smith &amp; Wesson
       def strip_tags(html)
-        self.class.full_sanitizer.sanitize(html, encode_special_chars: false)
+        self.class.full_sanitizer.sanitize(html)
       end
 
       # Strips all link tags from +html+ leaving just the link text.
@@ -110,6 +113,9 @@ module ActionView
       #
       #   strip_links('Blog: <a href="http://www.myblog.com/" class="nav" target=\"_blank\">Visit</a>.')
       #   # => Blog: Visit.
+      #
+      #   strip_links('<<a href="https://example.org">malformed & link</a>')
+      #   # => &lt;malformed &amp; link
       def strip_links(html)
         self.class.link_sanitizer.sanitize(html)
       end
diff --git a/actionview/package.json b/actionview/package.json
index 5c2ba75e8a..a1da13315e 100644
--- a/actionview/package.json
+++ b/actionview/package.json
@@ -1,6 +1,6 @@
 {
   "name": "rails-ujs",
-  "version": "0.0.1",
+  "version": "5.1.0-beta1",
   "description": "Ruby on Rails unobtrusive scripting adapter",
   "main": "lib/assets/compiled/rails-ujs.js",
   "files": [
diff --git a/actionview/test/template/date_helper_test.rb b/actionview/test/template/date_helper_test.rb
index bfd3ecd6fd..d257147e1f 100644
--- a/actionview/test/template/date_helper_test.rb
+++ b/actionview/test/template/date_helper_test.rb
@@ -832,7 +832,7 @@ class DateHelperTest < ActionView::TestCase
 
   def test_select_date_with_too_big_range_between_start_year_and_end_year
     assert_raise(ArgumentError) { select_date(Time.mktime(2003, 8, 16), start_year: 2000, end_year: 20000, prefix: "date[first]", order: [:month, :day, :year]) }
-    assert_raise(ArgumentError) { select_date(Time.mktime(2003, 8, 16), start_year: Date.today.year - 100.years, end_year: 2000, prefix: "date[first]", order: [:month, :day, :year]) }
+    assert_raise(ArgumentError) { select_date(Time.mktime(2003, 8, 16), start_year: 100, end_year: 2000, prefix: "date[first]", order: [:month, :day, :year]) }
   end
 
   def test_select_date_can_have_more_then_1000_years_interval_if_forced_via_parameter
diff --git a/actionview/test/template/sanitize_helper_test.rb b/actionview/test/template/sanitize_helper_test.rb
index c8963fee9c..11ed55456f 100644
--- a/actionview/test/template/sanitize_helper_test.rb
+++ b/actionview/test/template/sanitize_helper_test.rb
@@ -10,6 +10,7 @@ class SanitizeHelperTest < ActionView::TestCase
     assert_equal "on my mind\nall day long", strip_links("<a href='almost'>on my mind</a>\n<A href='almost'>all day long</A>")
     assert_equal "Magic", strip_links("<a href='http://www.rubyonrails.com/'>Mag<a href='http://www.ruby-lang.org/'>ic")
     assert_equal "My mind\nall <b>day</b> long", strip_links("<a href='almost'>My mind</a>\n<A href='almost'>all <b>day</b> long</A>")
+    assert_equal "&lt;malformed &amp; link", strip_links('<<a href="https://example.org">malformed & link</a>')
   end
 
   def test_sanitize_form
@@ -26,6 +27,7 @@ class SanitizeHelperTest < ActionView::TestCase
     assert_equal("Dont touch me", strip_tags("Dont touch me"))
     assert_equal("This is a test.", strip_tags("<p>This <u>is<u> a <a href='test.html'><strong>test</strong></a>.</p>"))
     assert_equal "This has a  here.", strip_tags("This has a <!-- comment --> here.")
+    assert_equal("Jekyll &amp; Hyde", strip_tags("Jekyll & Hyde"))
     assert_equal "", strip_tags("<script>")
   end