path: root/actionview/CHANGELOG.md
*   Fix partial caching skips same item issue

    If we render cached collection partials with repeated items, those repeated items
    will get skipped. For example, if you have 5 identical items in your collection, Rails
    only renders the first one when `cached` is set to true. But it should render all
    5 items instead.

    This fixes #35114

    *Stan Lo*

*   Only clear ActionView cache in development on file changes

    To speed up development mode, view caches are only cleared when files in
    the view paths have changed. Applications which have implemented custom
    `ActionView::Resolver` subclasses may need to add their own cache clearing.

    *John Hawthorn*

*   Fix `ActionView::FixtureResolver` so that it handles template variants correctly.

    *Edward Rudd*


## Rails 6.0.0.beta3 (March 11, 2019) ##

*   Only accept formats from registered mime types

    A lack of filtering on mime types could allow an attacker to read
    arbitrary files on the target server or to perform a denial of service
    attack.

    Fixes CVE-2019-5418
    Fixes CVE-2019-5419

    *John Hawthorn*, *Eileen M. Uchitelle*, *Aaron Patterson*
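
The filtering described in the entry above, sketched as an added example (not Rails source code and not written by the changelog authors): requested formats are reduced to symbols found in a registry before any template name is built. `REGISTERED`, `parse_accept`, `negotiated_formats` and `template_candidates` are hypothetical names, and the sample header values in the comments are constructed.

```ruby
# Added illustration, not Rails code. REGISTERED is a hypothetical stand-in
# for the application's registry of known mime types.
REGISTERED = {
  "text/html"        => :html,
  "application/json" => :json,
  "text/plain"       => :text,
  "application/xml"  => :xml,
}.freeze

# Parse an Accept header into media types ordered by q-value (highest first,
# ties broken by position). Parameters other than q are ignored.
def parse_accept(header)
  header.to_s.split(",").each_with_index.map { |entry, idx|
    type, *params = entry.split(";").map(&:strip)
    q = params.map { |p| p[/\Aq=(.+)\z/, 1] }.compact.first
    [type.to_s.downcase, q ? q.to_f : 1.0, idx]
  }.reject { |type, _, _| type.empty? }
   .sort_by { |_, q, idx| [-q, idx] }
   .map(&:first)
end

# Keep only formats that resolve to a registered symbol. "*/*" expands to
# every registered format; any other unregistered value is dropped, so the
# result is always a subset of REGISTERED.values. An empty result means the
# caller should refuse the request rather than guess a format.
def negotiated_formats(header)
  formats = parse_accept(header).flat_map { |type|
    type == "*/*" ? REGISTERED.values : Array(REGISTERED[type])
  }
  formats.uniq
end

# Template names are built only from allowlisted symbols, never from the raw
# header text, so header content cannot influence the lookup path and the
# set of distinct lookups per template is bounded by the registry size.
def template_candidates(name, header)
  negotiated_formats(header).map { |fmt| "#{name}.#{fmt}.erb" }
end

# Constructed sample headers:
#   "text/html;q=0.5, application/json"   (both registered)
#   "made-up/unregistered, text/plain"    (first value is dropped)
```
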


## Rails 6.0.0.beta2 (February 25, 2019) ##

*   `ActionView::Template.finalize_compiled_template_methods` is deprecated with
    no replacement.

    *tenderlove*

*   `config.action_view.finalize_compiled_template_methods` is deprecated with
    no replacement.

    *tenderlove*

*   Ensure unique DOM IDs for collection inputs with float values.

    Fixes #34974.

    *Mark Edmondson*


## Rails 6.0.0.beta1 (January 18, 2019) ##

*   [Rename npm package](https://github.com/rails/rails/pull/34905) from
    [`rails-ujs`](https://www.npmjs.com/package/rails-ujs) to
    [`@rails/ujs`](https://www.npmjs.com/package/@rails/ujs).

    *Javan Makhmali*

*   Remove deprecated `image_alt` helper.

    *Rafael Mendonça França*

*   Fix the need of `#protect_against_forgery?` method defined in
    `ActionView::Base` subclasses. This prevents the use of forms and buttons.

    *Genadi Samokovarov*

*   Fix UJS permanently showing disabled text in a[data-remote][data-disable-with] elements within forms.

    Fixes #33889.

    *Wolfgang Hobmaier*

*   Prevent non-primary mouse keys from triggering Rails UJS click handlers.
    Firefox fires click events even if the click was triggered by non-primary mouse keys such as right- or scroll-wheel-clicks.
    For example, right-clicking a link such as the one described below (with an underlying ajax request registered on click) should not cause that request to occur.

    ```
    <%= link_to 'Remote', remote_path, class: 'remote', remote: true, data: { type: :json } %>
    ```

    Fixes #34541.

    *Wolfgang Hobmaier*

*   Prevent `ActionView::TextHelper#word_wrap` from unexpectedly stripping white space from the _left_ side of lines.

    For example, given input like this:

    ```
        This is a paragraph with an initial indent,
    followed by additional lines that are not indented,
    and finally terminated with a blockquote:
      "A pithy saying"
    ```

    Calling `word_wrap` should not trim the indents on the first and last lines.

    Fixes #34487.

    *Lyle Mullican*

*   Add allocations to template rendering instrumentation.

    Adds the allocations for template and partial rendering to the server output on render.

    ```
      Rendered posts/_form.html.erb (Duration: 7.1ms | Allocations: 6004)
      Rendered posts/new.html.erb within layouts/application (Duration: 8.3ms | Allocations: 6654)
    Completed 200 OK in 858ms (Views: 848.4ms | ActiveRecord: 0.4ms | Allocations: 1539564)
    ```

    *Eileen M. Uchitelle*, *Aaron Patterson*

*   Respect the `only_path` option passed to `url_for` when the options are passed in as an array

    Fixes #33237.

    *Joel Ambass*

*   Deprecate calling private model methods from view helpers.

    For example, in methods like `options_from_collection_for_select`
    and `collection_select` it is possible to call private methods from
    the objects used.

    Fixes #33546.

    *Ana María Martínez Gómez*

*   Fix issue with `button_to`'s `to_form_params`

    `button_to` was throwing an exception when invoked with a `params` hash that
    contains symbol and string keys. The reason for the exception was that
    `to_form_params` was comparing the given symbol and string keys.

    The issue is fixed by turning all keys to strings inside
    `to_form_params` before comparing them.

    *Georgi Georgiev*

*   Mark arrays of translations as trusted safe by using the `_html` suffix.

    Example:

        en:
          foo_html:
            - "One"
            - "<strong>Two</strong>"
            - "Three &#128075; &#128578;"

    *Juan Broullon*

*   Add `year_format` option to the `date_select` tag. This option makes it possible to customize year
    names. A lambda should be passed to use this option.

    Example:

        date_select('user_birthday', '', start_year: 1998, end_year: 2000, year_format: ->year { "Heisei #{year - 1988}" })

    The HTML produced:

        <select id="user_birthday__1i" name="user_birthday[(1i)]">
        <option value="1998">Heisei 10</option>
        <option value="1999">Heisei 11</option>
        <option value="2000">Heisei 12</option>
        </select>
        /* The rest is omitted */

    *Koki Ryu*

*   Fix JavaScript view rendering not working in Firefox when using
    Content Security Policy.

    Fixes #32577.

    *Yuji Yaginuma*

*   Add the `nonce: true` option for `javascript_include_tag` helper to
    support automatic nonce generation for Content Security Policy.
    Works the same way as `javascript_tag nonce: true` does.

    *Yaroslav Markin*

*   Remove `ActionView::Helpers::RecordTagHelper`.

    *Yoshiyuki Hirano*

*   Disable `ActionView::Template` finalizers in test environment.

    Template finalization can be expensive in large view test suites.
    Add a configuration option,
    `action_view.finalize_compiled_template_methods`, and turn it off in
    the test environment.

    *Simon Coffey*

*   Extract the `confirm` call in its own, overridable method in `rails_ujs`.

    Example:

        Rails.confirm = function(message, element) {
          return (my_bootstrap_modal_confirm(message));
        }

    *Mathieu Mahé*

*   Enable select tag helper to mark `prompt` option as `selected` and/or `disabled` for `required`
    field.

    Example:

        select :post,
               :category,
               ["lifestyle", "programming", "spiritual"],
               { selected: "", disabled: "", prompt: "Choose one" },
               { required: true }

    Placeholder option would be selected and disabled.

    The HTML produced:

        <select required="required" name="post[category]" id="post_category">
        <option disabled="disabled" selected="selected" value="">Choose one</option>
        <option value="lifestyle">lifestyle</option>
        <option value="programming">programming</option>
        <option value="spiritual">spiritual</option></select>

    *Sergey Prikhodko*

*   Don't enforce UTF-8 by default.

    With the disabling of TLS 1.0 by most major websites, continuing to run
    IE8 or lower becomes increasingly difficult so default to not enforcing
    UTF-8 encoding as it's not relevant to other browsers.

    *Andrew White*

*   Change translation key of `submit_tag` from `module_name_class_name` to `module_name/class_name`.

    *Rui Onodera*

*   Rails 6 requires Ruby 2.5.0 or newer.

    *Jeremy Daer*, *Kasper Timm Hansen*


Please check [5-2-stable](https://github.com/rails/rails/blob/5-2-stable/actionview/CHANGELOG.md) for previous changes.