# frozen_string_literal: true require "cgi" require "action_view/helpers/content_exfiltration_prevention_helper" require "action_view/helpers/url_helper" require "action_view/helpers/text_helper" require "active_support/core_ext/string/output_safety" require "active_support/core_ext/module/attribute_accessors" module ActionView module Helpers # :nodoc: # = Action View Form Tag \Helpers # # Provides a number of methods for creating form tags that don't rely on an Active Record object assigned to the template like # FormHelper does. Instead, you provide the names and values manually. # # NOTE: The HTML options disabled, readonly, and multiple can all be treated as booleans. So specifying # disabled: true will give disabled="disabled". module FormTagHelper extend ActiveSupport::Concern include UrlHelper include TextHelper include ContentExfiltrationPreventionHelper mattr_accessor :embed_authenticity_token_in_remote_forms self.embed_authenticity_token_in_remote_forms = nil mattr_accessor :default_enforce_utf8, default: true # Starts a form tag that points the action to a URL configured with url_for_options just like # ActionController::Base#url_for. The method for the form defaults to POST. # # ==== Options # * :multipart - If set to true, the enctype is set to "multipart/form-data". # * :method - The method to use when submitting the form, usually either "get" or "post". # If "patch", "put", "delete", or another verb is used, a hidden input with name _method # is added to simulate the verb over post. # * :authenticity_token - Authenticity token to use in the form. Use only if you need to # pass custom authenticity token string, or to not add authenticity_token field at all # (by passing false). Remote forms may omit the embedded authenticity token # by setting config.action_view.embed_authenticity_token_in_remote_forms = false. # This is helpful when you're fragment-caching the form. Remote forms get the # authenticity token from the meta tag, so embedding is unnecessary unless you # support browsers without JavaScript. # * :remote - If set to true, will allow the Unobtrusive JavaScript drivers to control the # submit behavior. By default this behavior is an ajax submit. # * :enforce_utf8 - If set to false, a hidden input with name utf8 is not output. # * Any other key creates standard HTML attributes for the tag. # # ==== Examples # form_tag('/posts') # # =>
# # form_tag('/posts/1', method: :put) # # => ... ... # # form_tag('/upload', multipart: true) # # => # # <%= form_tag('/posts') do -%> #
<%= submit_tag 'Save' %>
# <% end -%> # # =>
# # <%= form_tag('/posts', remote: true) %> # # =>
# # form_tag(false, method: :get) # # => # # form_tag('http://far.away.com/form', authenticity_token: false) # # form without authenticity token # # form_tag('http://far.away.com/form', authenticity_token: "cf50faa3fe97702ca1ae") # # form with custom authenticity token # def form_tag(url_for_options = {}, options = {}, &block) html_options = html_options_for_form(url_for_options, options) if block_given? form_tag_with_body(html_options, capture(&block)) else form_tag_html(html_options) end end # Generate an HTML id attribute value for the given name and # field combination # # Return the value generated by the FormBuilder for the given # attribute name. # # <%= label_tag :post, :title %> # <%= text_field_tag :post, :title, aria: { describedby: field_id(:post, :title, :error) } %> # <%= tag.span("is blank", id: field_id(:post, :title, :error) %> # # In the example above, the element built by # the call to text_field_tag declares an # aria-describedby attribute referencing the # element, sharing a common id root (post_title, in this # case). def field_id(object_name, method_name, *suffixes, index: nil, namespace: nil) if object_name.respond_to?(:model_name) object_name = object_name.model_name.singular end sanitized_object_name = object_name.to_s.gsub(/\]\[|[^-a-zA-Z0-9:.]/, "_").delete_suffix("_") sanitized_method_name = method_name.to_s.delete_suffix("?") [ namespace, sanitized_object_name.presence, (index unless sanitized_object_name.empty?), sanitized_method_name, *suffixes, ].tap(&:compact!).join("_") end # Generate an HTML name attribute value for the given name and # field combination # # Return the value generated by the FormBuilder for the given # attribute name. # # <%= text_field_tag :post, :title, name: field_name(:post, :title, :subtitle) %> # <%# => # # <%= text_field_tag :post, :tag, name: field_name(:post, :tag, multiple: true) %> # <%# => # def field_name(object_name, method_name, *method_names, multiple: false, index: nil) names = method_names.map! { |name| "[#{name}]" }.join # a little duplication to construct fewer strings case when object_name.blank? "#{method_name}#{names}#{multiple ? "[]" : ""}" when index "#{object_name}[#{index}][#{method_name}]#{names}#{multiple ? "[]" : ""}" else "#{object_name}[#{method_name}]#{names}#{multiple ? "[]" : ""}" end end # Creates a dropdown selection box, or if the :multiple option is set to true, a multiple # choice selection box. # # Helpers::FormOptions can be used to create common select boxes such as countries, time zones, or # associated records. option_tags is a string containing the option tags for the select box. # # ==== Options # * :multiple - If set to true, the selection will allow multiple choices. # * :disabled - If set to true, the user will not be able to use this input. # * :include_blank - If set to true, an empty option will be created. If set to a string, the string will be used as the option's content and the value will be empty. # * :prompt - Create a prompt option with blank value and the text asking user to select something. # * Any other key creates standard HTML attributes for the tag. # # ==== Examples # select_tag "people", options_from_collection_for_select(@people, "id", "name") # # # # select_tag "people", options_from_collection_for_select(@people, "id", "name", "1") # # # # select_tag "people", raw("") # # => # # select_tag "count", raw("") # # => # # select_tag "colors", raw(""), multiple: true # # => # # select_tag "locations", raw("") # # => # # select_tag "access", raw(""), multiple: true, class: 'form_input', id: 'unique_id' # # => # # select_tag "people", options_from_collection_for_select(@people, "id", "name"), include_blank: true # # => # # select_tag "people", options_from_collection_for_select(@people, "id", "name"), include_blank: "All" # # => # # select_tag "people", options_from_collection_for_select(@people, "id", "name"), prompt: "Select something" # # => # # select_tag "destination", raw(""), disabled: true # # => # # select_tag "credit_card", options_for_select([ "VISA", "MasterCard" ], "MasterCard") # # => def select_tag(name, option_tags = nil, options = {}) option_tags ||= "" html_name = (options[:multiple] == true && !name.end_with?("[]")) ? "#{name}[]" : name if options.include?(:include_blank) include_blank = options[:include_blank] options = options.except(:include_blank) options_for_blank_options_tag = { value: "" } if include_blank == true include_blank = "" options_for_blank_options_tag[:label] = " " end if include_blank option_tags = content_tag("option", include_blank, options_for_blank_options_tag).safe_concat(option_tags) end end if prompt = options.delete(:prompt) option_tags = content_tag("option", prompt, value: "").safe_concat(option_tags) end content_tag "select", option_tags, { "name" => html_name, "id" => sanitize_to_id(name) }.update(options.stringify_keys) end # Creates a standard text field; use these text fields to input smaller chunks of text like a username # or a search query. # # ==== Options # * :disabled - If set to true, the user will not be able to use this input. # * :size - The number of visible characters that will fit in the input. # * :maxlength - The maximum number of characters that the browser will allow the user to enter. # * :placeholder - The text contained in the field by default which is removed when the field receives focus. # If set to true, use the translation found in the current I18n locale # (through helpers.placeholder..). # * Any other key creates standard HTML attributes for the tag. # # ==== Examples # text_field_tag 'name' # # => # # text_field_tag 'query', 'Enter your search query here' # # => # # text_field_tag 'search', nil, placeholder: 'Enter search term...' # # => # # text_field_tag 'request', nil, class: 'special_input' # # => # # text_field_tag 'address', '', size: 75 # # => # # text_field_tag 'zip', nil, maxlength: 5 # # => # # text_field_tag 'payment_amount', '$0.00', disabled: true # # => # # text_field_tag 'ip', '0.0.0.0', maxlength: 15, size: 20, class: "ip-input" # # => def text_field_tag(name, value = nil, options = {}) tag :input, { "type" => "text", "name" => name, "id" => sanitize_to_id(name), "value" => value }.update(options.stringify_keys) end # Creates a label element. Accepts a block. # # ==== Options # * Creates standard HTML attributes for the tag. # # ==== Examples # label_tag 'name' # # => # # label_tag 'name', 'Your name' # # => # # label_tag 'name', nil, class: 'small_label' # # => def label_tag(name = nil, content_or_options = nil, options = nil, &block) if block_given? && content_or_options.is_a?(Hash) options = content_or_options = content_or_options.stringify_keys else options ||= {} options = options.stringify_keys end options["for"] = sanitize_to_id(name) unless name.blank? || options.has_key?("for") content_tag :label, content_or_options || name.to_s.humanize, options, &block end # Creates a hidden form input field used to transmit data that would be lost due to HTTP's statelessness or # data that should be hidden from the user. # # ==== Options # * Creates standard HTML attributes for the tag. # # ==== Examples # hidden_field_tag 'tags_list' # # => # # hidden_field_tag 'token', 'VUBJKB23UIVI1UU1VOBVI@' # # => # # hidden_field_tag 'collected_input', '', onchange: "alert('Input collected!')" # # => def hidden_field_tag(name, value = nil, options = {}) text_field_tag(name, value, options.merge(type: :hidden, autocomplete: "off")) end # Creates a file upload field. If you are using file uploads then you will also need # to set the multipart option for the form tag: # # <%= form_tag '/upload', multipart: true do %> # <%= file_field_tag "file" %> # <%= submit_tag %> # <% end %> # # The specified URL will then be passed a File object containing the selected file, or if the field # was left blank, a StringIO object. # # ==== Options # * Creates standard HTML attributes for the tag. # * :disabled - If set to true, the user will not be able to use this input. # * :multiple - If set to true, *in most updated browsers* the user will be allowed to select multiple files. # * :accept - If set to one or multiple mime-types, the user will be suggested a filter when choosing a file. You still need to set up model validations. # # ==== Examples # file_field_tag 'attachment' # # => # # file_field_tag 'avatar', class: 'profile_input' # # => # # file_field_tag 'picture', disabled: true # # => # # file_field_tag 'resume', value: '~/resume.doc' # # => # # file_field_tag 'user_pic', accept: 'image/png,image/gif,image/jpeg' # # => # # file_field_tag 'file', accept: 'text/html', class: 'upload', value: 'index.html' # # => def file_field_tag(name, options = {}) text_field_tag(name, nil, convert_direct_upload_option_to_url(options.merge(type: :file))) end # Creates a password field, a masked text field that will hide the users input behind a mask character. # # ==== Options # * :disabled - If set to true, the user will not be able to use this input. # * :size - The number of visible characters that will fit in the input. # * :maxlength - The maximum number of characters that the browser will allow the user to enter. # * Any other key creates standard HTML attributes for the tag. # # ==== Examples # password_field_tag 'pass' # # => # # password_field_tag 'secret', 'Your secret here' # # => # # password_field_tag 'masked', nil, class: 'masked_input_field' # # => # # password_field_tag 'token', '', size: 15 # # => # # password_field_tag 'key', nil, maxlength: 16 # # => # # password_field_tag 'confirm_pass', nil, disabled: true # # => # # password_field_tag 'pin', '1234', maxlength: 4, size: 6, class: "pin_input" # # => def password_field_tag(name = "password", value = nil, options = {}) text_field_tag(name, value, options.merge(type: :password)) end # Creates a text input area; use a textarea for longer text inputs such as blog posts or descriptions. # # ==== Options # * :size - A string specifying the dimensions (columns by rows) of the textarea (e.g., "25x10"). # * :rows - Specify the number of rows in the textarea # * :cols - Specify the number of columns in the textarea # * :disabled - If set to true, the user will not be able to use this input. # * :escape - By default, the contents of the text input are HTML escaped. # If you need unescaped contents, set this to false. # * Any other key creates standard HTML attributes for the tag. # # ==== Examples # text_area_tag 'post' # # => # # text_area_tag 'bio', @user.bio # # => # # text_area_tag 'body', nil, rows: 10, cols: 25 # # => # # text_area_tag 'body', nil, size: "25x10" # # => # # text_area_tag 'description', "Description goes here.", disabled: true # # => # # text_area_tag 'comment', nil, class: 'comment_input' # # => def text_area_tag(name, content = nil, options = {}) options = options.stringify_keys if size = options.delete("size") options["cols"], options["rows"] = size.split("x") if size.respond_to?(:split) end escape = options.delete("escape") { true } content = ERB::Util.html_escape(content) if escape content_tag :textarea, content.to_s.html_safe, { "name" => name, "id" => sanitize_to_id(name) }.update(options) end ## # :call-seq: # check_box_tag(name, options = {}) # check_box_tag(name, value, options = {}) # check_box_tag(name, value, checked, options = {}) # # Creates a check box form input tag. # # ==== Options # * :value - The value of the input. Defaults to "1". # * :checked - If set to true, the checkbox will be checked by default. # * :disabled - If set to true, the user will not be able to use this input. # * Any other key creates standard HTML options for the tag. # # ==== Examples # check_box_tag 'accept' # # => # # check_box_tag 'rock', 'rock music' # # => # # check_box_tag 'receive_email', 'yes', true # # => # # check_box_tag 'tos', 'yes', false, class: 'accept_tos' # # => # # check_box_tag 'eula', 'accepted', false, disabled: true # # => def check_box_tag(name, *args) if args.length >= 4 raise ArgumentError, "wrong number of arguments (given #{args.length + 1}, expected 1..4)" end options = args.extract_options! value, checked = args.empty? ? ["1", false] : [*args, false] html_options = { "type" => "checkbox", "name" => name, "id" => sanitize_to_id(name), "value" => value }.update(options.stringify_keys) html_options["checked"] = "checked" if checked tag :input, html_options end ## # :call-seq: # radio_button_tag(name, value, options = {}) # radio_button_tag(name, value, checked, options = {}) # # Creates a radio button; use groups of radio buttons named the same to allow users to # select from a group of options. # # ==== Options # * :checked - If set to true, the radio button will be selected by default. # * :disabled - If set to true, the user will not be able to use this input. # * Any other key creates standard HTML options for the tag. # # ==== Examples # radio_button_tag 'favorite_color', 'maroon' # # => # # radio_button_tag 'receive_updates', 'no', true # # => # # radio_button_tag 'time_slot', "3:00 p.m.", false, disabled: true # # => # # radio_button_tag 'color', "green", true, class: "color_input" # # => def radio_button_tag(name, value, *args) if args.length >= 3 raise ArgumentError, "wrong number of arguments (given #{args.length + 2}, expected 2..4)" end options = args.extract_options! checked = args.empty? ? false : args.first html_options = { "type" => "radio", "name" => name, "id" => "#{sanitize_to_id(name)}_#{sanitize_to_id(value)}", "value" => value }.update(options.stringify_keys) html_options["checked"] = "checked" if checked tag :input, html_options end # Creates a submit button with the text value as the caption. # # ==== Options # * :data - This option can be used to add custom data attributes. # * :disabled - If true, the user will not be able to use this input. # * Any other key creates standard HTML options for the tag. # # ==== Examples # submit_tag # # => # # submit_tag "Edit this article" # # => # # submit_tag "Save edits", disabled: true # # => # # submit_tag nil, class: "form_submit" # # => # # submit_tag "Edit", class: "edit_button" # # => # # ==== Deprecated: \Rails UJS attributes # # Prior to \Rails 7, \Rails shipped with the JavaScript library called @rails/ujs on by default. Following \Rails 7, # this library is no longer on by default. This library integrated with the following options: # # * confirm: 'question?' - If present the unobtrusive JavaScript # drivers will provide a prompt with the question specified. If the user accepts, # the form is processed normally, otherwise no action is taken. # * :disable_with - Value of this parameter will be used as the value for a # disabled version of the submit button when the form is submitted. This feature is # provided by the unobtrusive JavaScript driver. To disable this feature for a single submit tag # pass :data => { disable_with: false } Defaults to value attribute. # # submit_tag "Complete sale", data: { disable_with: "Submitting..." } # # => # # submit_tag "Save", data: { confirm: "Are you sure?" } # # => # def submit_tag(value = "Save changes", options = {}) options = options.deep_stringify_keys tag_options = { "type" => "submit", "name" => "commit", "value" => value }.update(options) set_default_disable_with value, tag_options tag :input, tag_options end # Creates a button element that defines a submit button, # reset button or a generic button which can be used in # JavaScript, for example. You can use the button tag as a regular # submit tag but it isn't supported in legacy browsers. However, # the button tag does allow for richer labels such as images and emphasis, # so this helper will also accept a block. By default, it will create # a button tag with type submit, if type is not given. # # ==== Options # * :data - This option can be used to add custom data attributes. # * :disabled - If true, the user will not be able to # use this input. # * Any other key creates standard HTML options for the tag. # # ==== Examples # button_tag # # => # # button_tag 'Reset', type: 'reset' # # => # # button_tag 'Button', type: 'button' # # => # # button_tag 'Reset', type: 'reset', disabled: true # # => # # button_tag(type: 'button') do # content_tag(:strong, 'Ask me!') # end # # => # # ==== Deprecated: \Rails UJS attributes # # Prior to \Rails 7, \Rails shipped with a JavaScript library called @rails/ujs on by default. Following \Rails 7, # this library is no longer on by default. This library integrated with the following options: # # * confirm: 'question?' - If present, the # unobtrusive JavaScript drivers will provide a prompt with # the question specified. If the user accepts, the form is # processed normally, otherwise no action is taken. # * :disable_with - Value of this parameter will be # used as the value for a disabled version of the submit # button when the form is submitted. This feature is provided # by the unobtrusive JavaScript driver. # # button_tag "Save", data: { confirm: "Are you sure?" } # # => # # button_tag "Checkout", data: { disable_with: "Please wait..." } # # => # def button_tag(content_or_options = nil, options = nil, &block) if content_or_options.is_a? Hash options = content_or_options else options ||= {} end options = { "name" => "button", "type" => "submit" }.merge!(options.stringify_keys) if block_given? content_tag :button, options, &block else content_tag :button, content_or_options || "Button", options end end # Displays an image which when clicked will submit the form. # # source is passed to AssetTagHelper#path_to_image # # ==== Options # * :data - This option can be used to add custom data attributes. # * :disabled - If set to true, the user will not be able to use this input. # * Any other key creates standard HTML options for the tag. # # ==== Data attributes # # * confirm: 'question?' - This will add a JavaScript confirm # prompt with the question specified. If the user accepts, the form is # processed normally, otherwise no action is taken. # # ==== Examples # image_submit_tag("login.png") # # => # # image_submit_tag("purchase.png", disabled: true) # # => # # image_submit_tag("search.png", class: 'search_button', alt: 'Find') # # => # # image_submit_tag("agree.png", disabled: true, class: "agree_disagree_button") # # => # # image_submit_tag("save.png", data: { confirm: "Are you sure?" }) # # => def image_submit_tag(source, options = {}) options = options.stringify_keys src = path_to_image(source, skip_pipeline: options.delete("skip_pipeline")) tag :input, { "type" => "image", "src" => src }.update(options) end # Creates a field set for grouping HTML form elements. # # legend will become the fieldset's title (optional as per W3C). # options accept the same values as tag. # # ==== Examples # <%= field_set_tag do %> #

<%= text_field_tag 'name' %>

# <% end %> # # =>

# # <%= field_set_tag 'Your details' do %> #

<%= text_field_tag 'name' %>

# <% end %> # # =>
Your details

# # <%= field_set_tag nil, class: 'format' do %> #

<%= text_field_tag 'name' %>

# <% end %> # # =>

def field_set_tag(legend = nil, options = nil, &block) output = tag(:fieldset, options, true) output.safe_concat(content_tag("legend", legend)) unless legend.blank? output.concat(capture(&block)) if block_given? output.safe_concat("") end # Creates a text field of type "color". # # ==== Options # # Supports the same options as #text_field_tag. # # ==== Examples # # color_field_tag 'name' # # => # # color_field_tag 'color', '#DEF726' # # => # # color_field_tag 'color', nil, class: 'special_input' # # => # # color_field_tag 'color', '#DEF726', class: 'special_input', disabled: true # # => def color_field_tag(name, value = nil, options = {}) text_field_tag(name, value, options.merge(type: :color)) end # Creates a text field of type "search". # # ==== Options # # Supports the same options as #text_field_tag. # # ==== Examples # # search_field_tag 'name' # # => # # search_field_tag 'search', 'Enter your search query here' # # => # # search_field_tag 'search', nil, class: 'special_input' # # => # # search_field_tag 'search', 'Enter your search query here', class: 'special_input', disabled: true # # => def search_field_tag(name, value = nil, options = {}) text_field_tag(name, value, options.merge(type: :search)) end # Creates a text field of type "tel". # # ==== Options # # Supports the same options as #text_field_tag. # # ==== Examples # # telephone_field_tag 'name' # # => # # telephone_field_tag 'tel', '0123456789' # # => # # telephone_field_tag 'tel', nil, class: 'special_input' # # => # # telephone_field_tag 'tel', '0123456789', class: 'special_input', disabled: true # # => def telephone_field_tag(name, value = nil, options = {}) text_field_tag(name, value, options.merge(type: :tel)) end alias phone_field_tag telephone_field_tag # Creates a text field of type "date". # # ==== Options # # Supports the same options as #text_field_tag. # # ==== Examples # # date_field_tag 'name' # # => # # date_field_tag 'date', '01/01/2014' # # => # # date_field_tag 'date', nil, class: 'special_input' # # => # # date_field_tag 'date', '01/01/2014', class: 'special_input', disabled: true # # => def date_field_tag(name, value = nil, options = {}) text_field_tag(name, value, options.merge(type: :date)) end # Creates a text field of type "time". # # ==== Options # # Supports the same options as #text_field_tag. Additionally, supports: # # * :min - The minimum acceptable value. # * :max - The maximum acceptable value. # * :step - The acceptable value granularity. # * :include_seconds - Include seconds and ms in the output timestamp format (true by default). def time_field_tag(name, value = nil, options = {}) text_field_tag(name, value, options.merge(type: :time)) end # Creates a text field of type "datetime-local". # # ==== Options # # Supports the same options as #text_field_tag. Additionally, supports: # # * :min - The minimum acceptable value. # * :max - The maximum acceptable value. # * :step - The acceptable value granularity. # * :include_seconds - Include seconds in the output timestamp format (true by default). def datetime_field_tag(name, value = nil, options = {}) text_field_tag(name, value, options.merge(type: "datetime-local")) end alias datetime_local_field_tag datetime_field_tag # Creates a text field of type "month". # # ==== Options # # Supports the same options as #text_field_tag. Additionally, supports: # # * :min - The minimum acceptable value. # * :max - The maximum acceptable value. # * :step - The acceptable value granularity. def month_field_tag(name, value = nil, options = {}) text_field_tag(name, value, options.merge(type: :month)) end # Creates a text field of type "week". # # ==== Options # # Supports the same options as #text_field_tag. Additionally, supports: # # * :min - The minimum acceptable value. # * :max - The maximum acceptable value. # * :step - The acceptable value granularity. def week_field_tag(name, value = nil, options = {}) text_field_tag(name, value, options.merge(type: :week)) end # Creates a text field of type "url". # # ==== Options # # Supports the same options as #text_field_tag. # # ==== Examples # # url_field_tag 'name' # # => # # url_field_tag 'url', 'http://rubyonrails.org' # # => # # url_field_tag 'url', nil, class: 'special_input' # # => # # url_field_tag 'url', 'http://rubyonrails.org', class: 'special_input', disabled: true # # => def url_field_tag(name, value = nil, options = {}) text_field_tag(name, value, options.merge(type: :url)) end # Creates a text field of type "email". # # ==== Options # # Supports the same options as #text_field_tag. # # ==== Examples # # email_field_tag 'name' # # => # # email_field_tag 'email', 'email@example.com' # # => # # email_field_tag 'email', nil, class: 'special_input' # # => # # email_field_tag 'email', 'email@example.com', class: 'special_input', disabled: true # # => def email_field_tag(name, value = nil, options = {}) text_field_tag(name, value, options.merge(type: :email)) end # Creates a number field. # # ==== Options # # Supports the same options as #text_field_tag. Additionally, supports: # # * :min - The minimum acceptable value. # * :max - The maximum acceptable value. # * :in - A range specifying the :min and # :max values. # * :within - Same as :in. # * :step - The acceptable value granularity. # # ==== Examples # # number_field_tag 'quantity' # # => # # number_field_tag 'quantity', '1' # # => # # number_field_tag 'quantity', nil, class: 'special_input' # # => # # number_field_tag 'quantity', nil, min: 1 # # => # # number_field_tag 'quantity', nil, max: 9 # # => # # number_field_tag 'quantity', nil, in: 1...10 # # => # # number_field_tag 'quantity', nil, within: 1...10 # # => # # number_field_tag 'quantity', nil, min: 1, max: 10 # # => # # number_field_tag 'quantity', nil, min: 1, max: 10, step: 2 # # => # # number_field_tag 'quantity', '1', class: 'special_input', disabled: true # # => def number_field_tag(name, value = nil, options = {}) options = options.stringify_keys options["type"] ||= "number" if range = options.delete("in") || options.delete("within") options.update("min" => range.min, "max" => range.max) end text_field_tag(name, value, options) end # Creates a range form element. # # ==== Options # # Supports the same options as #number_field_tag. def range_field_tag(name, value = nil, options = {}) number_field_tag(name, value, options.merge(type: :range)) end # Creates the hidden UTF-8 enforcer tag. Override this method in a helper # to customize the tag. def utf8_enforcer_tag # Use raw HTML to ensure the value is written as an HTML entity; it # needs to be the right character regardless of which encoding the # browser infers. ''.html_safe end private def html_options_for_form(url_for_options, options) options.stringify_keys.tap do |html_options| html_options["enctype"] = "multipart/form-data" if html_options.delete("multipart") # The following URL is unescaped, this is just a hash of options, and it is the # responsibility of the caller to escape all the values. if url_for_options == false || html_options["action"] == false html_options.delete("action") else html_options["action"] = url_for(url_for_options) end html_options["accept-charset"] = "UTF-8" html_options["data-remote"] = true if html_options.delete("remote") if html_options["data-remote"] && embed_authenticity_token_in_remote_forms == false && html_options["authenticity_token"].blank? # The authenticity token is taken from the meta tag in this case html_options["authenticity_token"] = false elsif html_options["authenticity_token"] == true # Include the default authenticity_token, which is only generated when its set to nil, # but we needed the true value to override the default of no authenticity_token on data-remote. html_options["authenticity_token"] = nil end end end def extra_tags_for_form(html_options) authenticity_token = html_options.delete("authenticity_token") method = html_options.delete("method").to_s.downcase method_tag = \ case method when "get" html_options["method"] = "get" "" when "post", "" html_options["method"] = "post" token_tag(authenticity_token, form_options: { action: html_options["action"], method: "post" }) else html_options["method"] = "post" method_tag(method) + token_tag(authenticity_token, form_options: { action: html_options["action"], method: method }) end if html_options.delete("enforce_utf8") { default_enforce_utf8 } utf8_enforcer_tag + method_tag else method_tag end end def form_tag_html(html_options) extra_tags = extra_tags_for_form(html_options) html = tag(:form, html_options, true) + extra_tags prevent_content_exfiltration(html) end def form_tag_with_body(html_options, content) output = form_tag_html(html_options) output << content.to_s if content output.safe_concat("") end # see http://www.w3.org/TR/html4/types.html#type-name def sanitize_to_id(name) name.to_s.delete("]").tr("^-a-zA-Z0-9:.", "_") end def set_default_disable_with(value, tag_options) data = tag_options.fetch("data", {}) if tag_options["data-disable-with"] == false || data["disable_with"] == false data.delete("disable_with") elsif ActionView::Base.automatically_disable_submit_tag disable_with_text = tag_options["data-disable-with"] disable_with_text ||= data["disable_with"] disable_with_text ||= value.to_s.clone tag_options.deep_merge!("data" => { "disable_with" => disable_with_text }) end tag_options.delete("data-disable-with") end def convert_direct_upload_option_to_url(options) return options unless options.delete(:direct_upload) if respond_to?(:rails_direct_uploads_url) options["data-direct-upload-url"] = rails_direct_uploads_url elsif respond_to?(:main_app) && main_app.respond_to?(:rails_direct_uploads_url) options["data-direct-upload-url"] = main_app.rails_direct_uploads_url end options end end end end