- Add `include_seconds` option for `datetime_local_field`.

  This allows the seconds part of the input field to be omitted by passing `include_seconds: false`.

  *Wojciech Wnętrzak*
- Guard against `ActionView::Helpers::FormTagHelper#field_name` calls with nil `object_name` arguments. For example:

  ```erb
  <%= fields do |f| %>
    <%= f.field_name :body %>
  <% end %>
  ```

  *Sean Doyle*
- Strings returned from `strip_tags` are correctly tagged `html_safe?`.

  Because these strings contain no HTML elements and the basic entities are escaped, they are safe to be included as-is as PCDATA in HTML content. Tagging them as html-safe avoids double-escaping entities when being concatenated to a SafeBuffer during rendering.

  Fixes rails/rails-html-sanitizer#124.

  *Mike Dalessio*
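An added illustration of the double-escaping problem this entry describes. The code below is a toy model written for this page, not code from Rails or rails-html-sanitizer: `SafeString`, `SafeBuffer` and `String#html_safe?` stand in for ActiveSupport's SafeBuffer contract, and `strip_tags_toy` stands in for the real `strip_tags` (the real one parses HTML; the regex here is only a stand-in that keeps the property the entry relies on: no elements, basic entities escaped). The sample input is constructed.

```ruby
require "cgi"

# Toy model of the html_safe? contract (illustrative, not ActiveSupport):
# a plain String is untrusted and gets escaped when appended to a buffer;
# a SafeString is trusted and is concatenated as-is.
class String
  def html_safe?
    false
  end
end

class SafeString < String
  def html_safe?
    true
  end
end

# Escapes untrusted strings on append, leaves html-safe strings untouched.
class SafeBuffer
  def initialize
    @out = String.new
  end

  def <<(str)
    @out << (str.html_safe? ? str : CGI.escapeHTML(str))
    self
  end

  def to_s
    @out.dup
  end
end

# Stand-in for strip_tags: drops elements and returns text with the basic
# entities (&, <, >, ", ') encoded. Decoding first keeps existing entities
# from being encoded twice inside the stripper itself.
def strip_tags_toy(html)
  text = html.gsub(/<[^>]*>/, "")
  CGI.escapeHTML(CGI.unescapeHTML(text))
end

# Before the fix: the result is a plain String, so the buffer escapes it again.
def strip_tags_untagged(html)
  strip_tags_toy(html)
end

# After the fix: the result is tagged html-safe and is included as-is.
def strip_tags_tagged(html)
  SafeString.new(strip_tags_toy(html))
end

# Renders a fragment the way a template would: literal markup is html-safe,
# the fragment is treated according to its html_safe? flag.
def render_paragraph(fragment)
  buf = SafeBuffer.new
  buf << SafeString.new("<p>") << fragment << SafeString.new("</p>")
  buf.to_s
end

if __FILE__ == $PROGRAM_NAME
  input = 'Tom & Jerry <b>say</b> "hi"'               # constructed sample input
  puts render_paragraph(strip_tags_untagged(input))    # entities double-escaped
  puts render_paragraph(strip_tags_tagged(input))      # entities escaped once
end
```

Run as a script it prints the untagged rendering with `&amp;amp;` and `&amp;quot;` (the double escaping the entry refers to) followed by the tagged rendering with `&amp;` and `&quot;`, which is what the browser should receive.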
- Move `convert_to_model` call from `form_for` into `form_with`.

  Now that `form_for` is implemented in terms of `form_with`, remove the `convert_to_model` call from `form_for`.

  *Sean Doyle*
- Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.

  Escape dangerous characters in names of tags and names of attributes in the tag helpers, following the XML specification. Rename the option `:escape_attributes` to `:escape`, to simplify by applying the option to the whole tag.

  *Álvaro Martín Fraguas*
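An added example of the name-escaping rule this entry describes, written for this page and not taken from Rails' `ERB::Util`. It restricts tag and attribute names to the XML 1.0 Name production and replaces any other character with `_` (the replacement character is this example's own choice), then shows a toy `safe_tag` helper that passes names through that escaper and values through `CGI.escapeHTML`. The sample names in the usage block are constructed.

```ruby
require "cgi"

# Characters allowed to start an XML Name, and characters allowed after the
# first one, per https://www.w3.org/TR/xml/#NT-Name (NameStartChar / NameChar).
XML_NAME_START_CHAR = /[:A-Z_a-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD\u{10000}-\u{EFFFF}]/
XML_NAME_CHAR = Regexp.union(XML_NAME_START_CHAR, /[\-.0-9\u00B7\u0300-\u036F\u203F-\u2040]/)
NAME_REPLACEMENT = "_"  # assumption for this example; any non-delimiter works

# Replaces every character that is not valid at its position in an XML Name,
# so a name can never contain <, >, /, =, quotes or whitespace and therefore
# cannot close the tag being built or inject attributes into it.
def xml_name_escape(name)
  name.to_s.each_char.with_index.map do |ch, i|
    allowed = i.zero? ? XML_NAME_START_CHAR : XML_NAME_CHAR
    ch.match?(allowed) ? ch : NAME_REPLACEMENT
  end.join
end

# Toy tag builder (not ActionView's tag helper): names are escaped as XML Names,
# attribute values as HTML text.
def safe_tag(name, attributes = {})
  attrs = attributes.map do |key, value|
    %( #{xml_name_escape(key)}="#{CGI.escapeHTML(value.to_s)}")
  end.join
  "<#{xml_name_escape(name)}#{attrs}>"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed names: a normal one, one starting with a digit, one with a
  # non-ASCII letter, and one carrying tag delimiters that must not survive.
  %w[div 1abc caf\u00E9].each { |n| puts "#{n.inspect} -> #{xml_name_escape(n).inspect}" }
  puts xml_name_escape("a><script>")
  puts safe_tag("img", "src" => "a.png", "alt x" => "<y>")
end
```

Note that escaping the name is a separate step from escaping the value: `CGI.escapeHTML` on an attribute value does nothing for a hostile attribute *name*, which is why the tag helpers needed a name-level rule as well.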
- Extend `audio_tag` and `video_tag` to accept Active Storage attachments.

  Now it's possible to write

  ```ruby
  audio_tag(user.audio_file)
  video_tag(user.video_file)
  ```

  instead of

  ```ruby
  audio_tag(polymorphic_path(user.audio_file))
  video_tag(polymorphic_path(user.video_file))
  ```

  `image_tag` already supported that, so this follows the same pattern.

  *Matheus Richard*
- Ensure models passed to `form_for` attempt to call `to_model`.

  *Sean Doyle*

Please check 7-0-stable for previous changes.