When the `content` attribute is set for Action Text attachments, Trix
shows this content.
1ac6d40d36 introduced sanitizing the
`content` attribute of ActionText::Attachable::ContentAttachment.
However, it would also set the `content` attribute when it isn't
present. Instead of showing the image preview, Trix would use the
empty `content` attribute resulting in missing previews for images.
[CVE-2024-32464]
Instances of ActionText::Attachable::ContentAttachment included
within a rich_text_area tag could potentially contain unsanitized
HTML. This could lead to a potential cross site scripting issue
within the Trix editor.
This change enforces existing sanitization routines on
ActionText::Attachable::ContentAttachment attachments.
Currently if the Gemfile does not contain a commented out line for
image_processing, or the line uses single, not double quotes,
image_processing will not be installed and Trix will not be able to
correctly handle image attachments.
This ensures image_processing _is_ installed in those circumstances.
The Rails documentation uses the `:include:` directive to inline the
README of the framework into the main documentation page. As the
READMEs aren't in the root directory from where SDoc is run we need to
add the framework path to the include:
```ruby
# :include: activesupport/README.md
```
This results in a warning when installing the gems as generating the rdoc for the gem is run from the gem/framework root:
```
Couldn't find file to include 'activesupport/README.rdoc' from lib/active_support.rb
```
The `:include:` RDoc directive supports includes relative to the current
file as well:
```ruby
# :include: ../README.md
```
This makes sure it works for the Rails API docs and the separate gems.
Co-authored-by: Jonathan Hefner <jonathan@hefner.pro>
`eager_load` performs a single query using a `LEFT OUTER JOIN` to load
the associations. Loading the associations in a join can result in many
rows that contain redundant data and it performs poorly at scale.
With `includes` a separate query is performed for each association,
unless a join is required by conditions.
Co-authored-by: Rafael Mendonça França <rafael@franca.dev>
* Remove pidfile in production
* Update changelog
* Update activestorage/test/dummy/config/puma.rb
Co-authored-by: Rafael Mendonça França <rafael@franca.dev>
* Update template and other dummy files
---------
Co-authored-by: Rafael Mendonça França <rafael@franca.dev>
Adds space inside array literal brackets in ActiveStorage/ActionText migrations.
The new `rubocop-rails-omakase` enables `Layout/SpaceInsideArrayLiteralBrackets`,
which failed on the migrations created when installing ActiveStorage and ActionText.
Until now, Rails only dropped compatibility with older
rubies on new majors, but I propose to change this policy
because it causes us to either keep compatibility with long
EOLed rubies or to bump the Rails major more often, and to
drop multiple Ruby versions at once when we bump the major.
In my opinion it's a bad alignment of incentives. And we'd
be much better off just dropping support in new minors whenever they
go EOL (so 3 years).
Also Ruby being an upstream dependency, it's not even
a semver violation AFAICT.
Since Rails 7.2 isn't planned before a few months, we
can already drop Ruby 3.0 as it will be EOL in March.
Since `ActionText::Content` wraps an `ActionText::Fragment`, and
`ActionText::Fragment` wraps a `Nokogiri::XML::DocumentFragment`, then
`ActionText::Content` should be able to rely on the newer Ruby pattern
matching introduced by [nokogiri@1.16.0][] (mainly the
[DocumentFragment#deconstruct][] method):
```ruby
content = ActionText::Content.new <<~HTML
<h1>Hello, world</h1>
<div>The body</div>
HTML
content => [h1, div]
assert_pattern { h1 => { content: "Hello, world" } }
assert_pattern { div => { content: "The body" } }
```
The implementation change relies on delegating from `Content` to
`Fragment`, and from `Fragment` to `DocumentFragment#elements` (to
deliberately exclude text nodes).
[nokogiri@1.16.0]: https://nokogiri.org/CHANGELOG.html?h=pattern
[DocumentFragment#deconstruct]: https://nokogiri.org/rdoc/Nokogiri/XML/DocumentFragment.html?h=deconstruct#method-i-deconstruct
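As an added example (not Rails or Nokogiri code), the delegation chain described above rebuilt with hypothetical stand-in classes `FakeContent`, `FakeFragment` and `FakeDocumentFragment`, so that the effect of delegating to `elements` (whitespace text nodes dropped before the array pattern is applied) can be seen on constructed input:

```ruby
# Added example, not Rails or Nokogiri code: hypothetical stand-ins for the
# Content -> Fragment -> DocumentFragment#elements delegation described above.
TextNode = Struct.new(:text)  # mimics a Nokogiri text node (e.g. whitespace)

# Mimics a Nokogiri element; Struct already provides deconstruct_keys for hash patterns.
ElementNode = Struct.new(:name, :content)

# Stand-in for Nokogiri::XML::DocumentFragment: children include the
# whitespace text nodes between elements; #elements filters them out.
FakeDocumentFragment = Struct.new(:children) do
  def elements
    children.grep(ElementNode)
  end
end

# Stand-in for ActionText::Fragment: deconstructs to elements only, never text nodes.
FakeFragment = Struct.new(:doc) do
  def deconstruct
    doc.elements
  end
end

# Stand-in for ActionText::Content: delegates deconstruction to its fragment.
FakeContent = Struct.new(:fragment) do
  def deconstruct
    fragment.deconstruct
  end
end

# Constructed input equivalent to "<h1>Hello, world</h1>\n<div>The body</div>\n".
def sample_content
  doc = FakeDocumentFragment.new([ElementNode.new("h1", "Hello, world"),
                                  TextNode.new("\n"),
                                  ElementNode.new("div", "The body"),
                                  TextNode.new("\n")])
  FakeContent.new(FakeFragment.new(doc))
end

# Array pattern of exactly two elements: had Fragment delegated to all children,
# the two text nodes would make four entries and the match would fail.
def headline_and_body(content)
  case content
  in [{ name: "h1", content: headline }, { name: "div", content: body }]
    [headline, body]
  else
    nil
  end
end
```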
To assert the expected number of queries are made, Rails internally uses
`assert_queries` and `assert_no_queries`. These assertions can be
useful in applications as well.
By extracting these assertions to a module, the assertions can be
included where required.
These assertions are added to `ActiveSupport::TestCase` when
ActiveRecord is defined.
ActiveStorage, ActionView and ActionText are using this module now as
well, instead of duplicating the implementation.
The internal ActiveRecord::TestCase, used for testing ActiveRecord,
implements these assertions as well. However, these are slightly more
advanced/complex and use the SQLCounter class. To keep things simple,
for now this implementation isn't used.
Add guidance to the Association Basics and `.belongs_to` method
documentation to encourage the renaming of a model's Ruby class to
coincide with updates to the existing data in the database.
Since Action Text and Active Storage rely on polymorphic associations,
add similar warnings to their guides.
Co-authored-by: Petrik de Heus <petrik@deheus.net>
Co-authored-by: Stephen Hanson <s.hanson5@gmail.com>
Co-authored-by: zzak <zzakscott@gmail.com>
Follow-up to [#50252][]
Similar to the reliance on a `FormBuilder` in the helper methods
documentation examples, the template test coverage for `#rich_text_area`
relied on invocations through a `FormBuilder` instance.
This commit adds explicit coverage for calling the `#rich_text_area`
helper method directly with both an `object_name` and `method_name`
positional arguments.
[#50252]: https://github.com/rails/rails/pull/50252
The API documentation for the `rich_text_area` Action View helper
demonstrates how to invoke the helper through a `FormBuilder` instance,
instead of through the `ActionView::Base` instance.
This commit removes the `form.` prefix, and includes examples of calling
the method with an `object_name` positional argument.
actiontext.js is compiled as an ESM bundle instead of a UMD bundle.
This leads to issues when trying to use ActionText with sprockets because the ESM bundle declares variables like they are scoped to the file but sprockets will see them as scoped globally.
This is a problem, in particular, if you want to mix actiontext with
turbo-rails.
The problem got introduced in https://github.com/rails/rails/pull/46447.
I traced valid compilation back to
https://github.com/rails/rails/pull/42895.
This commit mimics changes made in
https://github.com/rails/rails/pull/42895 to ActiveStorage:
Retains app/assets/javascripts/actiontext.js as a UMD package for backwards compatibility with
bundling in the asset pipeline, but also adds app/assets/javascripts/actiontext.esm.js for use
with ESM via importmap in the browser.
This adds `linguist-generated` and `linguist-vendored` attributes where
appropriate to suppress the files in diffs and exclude the files from
the project's language stats on GitHub.
See https://github.com/github/linguist for more information.
Remove the option `config.public_file_server.enabled` from the generators for all environments, as the value is the same in all environments.
Co-authored-by: Jonathan Hefner <jonathan@hefner.pro>
Add documentation for `ActionText::RichText#to_s` and
`ActionText::Content#to_s` that demonstrates Action Text's ability to
sanitize and scrub its content.
Co-authored-by: Mike Dalessio <mike.dalessio@gmail.com>
Co-authored-by: Petrik de Heus <petrik@deheus.net>
Follow-up to #47137.
Since `config.public_file_server.enabled` is true by default, this
commit changes the `config/environments/production.rb` template to
present the setting as an opt-out.
When Trix was [updated][1] from 1.3.1 to 2.0.4, the ESM bundle of 2.0.4
was used instead of the UMD bundle (the vendored 1.3.1 file used the
UMD bundle). This leads to issues when trying to use Trix with sprockets
because the ESM bundle declares variables like they are scoped to the
file but sprockets will see them as scoped globally.
This commit fixes the issue by replacing the Trix ESM bundle with the
UMD bundle (and upgrades it from 2.0.4 to 2.0.7). Additionally, a Rake
task has been added similar to one previously [added][2] to the guides
for automatic vendoring using Importmap::Packager.
[1]: fab1b522cd
[2]: a42863f514