Use public_send in value_for_collection

Avoid exposing private methods in view's helpers. Fixes https://github.com/rails/rails/issues/33546

Use public_send in value_for_collection
Avoid exposing private methods in view's helpers. Fixes https://github.com/rails/rails/issues/33546
87b6e6aa · Ana María Martínez Gómez · Ana María Martínez Gómez · b9807eb5 · 87b6e6aa · 87b6e6aa
隐藏空白更改
内联并排

Showing with 11 addition and 1 deletion

actionview/CHANGELOG.md actionview/CHANGELOG.md +10 -0

actionview/lib/action_view/helpers/form_options_helper.rb actionview/lib/action_view/helpers/form_options_helper.rb +1 -1

未找到文件。
--- a/actionview/CHANGELOG.md
+++ b/actionview/CHANGELOG.md
+*  Stop exposing public methods in view's helpers.
+
+   For example, in methods like `options_from_collection_for_select`,
+   it was possible to call private methods from the objects used.
+
+   See [#33546](https://github.com/rails/rails/issues/33546) for details.
+
+   *[Ana María Martínez Gómez](https://github.com/Ana06)*  
+
+
 *   Fix issue with `button_to`'s `to_form_params`

    `button_to` was throwing exception when invoked with `params` hash that

--- a/actionview/lib/action_view/helpers/form_options_helper.rb
+++ b/actionview/lib/action_view/helpers/form_options_helper.rb
@@ -802,7 +802,7 @@ def extract_values_from_collection(collection, value_method, selected)
        end

        def value_for_collection(item, value)
-          value.respond_to?(:call) ? value.call(item) : item.send(value)
+          value.respond_to?(:call) ? value.call(item) : item.public_send(value)
        end

        def prompt_text(prompt)