Remove wrapping div with inline styles for hidden form fields.

We are dropping HTML 4.01 and XHTML strict compliance since input
tags directly inside a form are valid HTML5, and the absense of
inline styles help in validating for Content Security Policy.

actionview/CHANGELOG.md

+*   Remove wrapping div with inline styles for hidden form fields.
+
+    We are dropping HTML 4.01 and XHTML strict compliance since input tags directly
+    inside a form are valid HTML5, and the absense of inline styles help in validating
+    for Content Security Policy.
+
+    *Joost Baaij*
+
 *   `date_select` helper with option `with_css_classes: true` does not overwrite other classes.
 
     *Izumi Wong-Horiuchi*

actionview/lib/action_view/helpers/form_tag_helper.rb

@@ -726,9 +726,11 @@ def extra_tags_for_form(html_options)
               method_tag(method) + token_tag(authenticity_token)
           end
 
-          enforce_utf8 = html_options.delete("enforce_utf8") { true }
-          tags = (enforce_utf8 ? utf8_enforcer_tag : ''.html_safe) << method_tag
-          content_tag(:div, tags, :style => 'display:none')
+          if html_options.delete("enforce_utf8") { true }
+            utf8_enforcer_tag + method_tag
+          else
+            method_tag
+          end
         end
 
         def form_tag_html(html_options)

actionview/test/activerecord/form_helper_activerecord_test.rb

@@ -59,12 +59,13 @@ def test_nested_fields_for_with_child_index_option_override_on_a_nested_attribut
   protected
 
   def hidden_fields(method = nil)
-    txt =  %{<div style="display:none">}
-    txt << %{<input name="utf8" type="hidden" value="&#x2713;" />}
+    txt = %{<input name="utf8" type="hidden" value="&#x2713;" />}
+
     if method && !%w(get post).include?(method.to_s)
       txt << %{<input name="_method" type="hidden" value="#{method}" />}
     end
-    txt << %{</div>}
+
+    txt
   end
 
   def form_text(action = "/", id = nil, html_class = nil, remote = nil, multipart = nil, method = nil)
@@ -88,4 +89,4 @@ def whole_form(action = "/", id = nil, html_class = nil, options = nil)
 
     form_text(action, id, html_class, remote, multipart, method) + hidden_fields(method) + contents + "</form>"
   end
-end
\ No newline at end of file
+end

actionview/test/template/form_helper_test.rb

@@ -3020,12 +3020,13 @@ def test_form_for_only_instantiates_builder_once
   protected
 
   def hidden_fields(method = nil)
-    txt =  %{<div style="display:none">}
-    txt << %{<input name="utf8" type="hidden" value="&#x2713;" />}
+    txt = %{<input name="utf8" type="hidden" value="&#x2713;" />}
+
     if method && !%w(get post).include?(method.to_s)
       txt << %{<input name="_method" type="hidden" value="#{method}" />}
     end
-    txt << %{</div>}
+
+    txt
   end
 
   def form_text(action = "/", id = nil, html_class = nil, remote = nil, multipart = nil, method = nil)

actionview/test/template/form_tag_helper_test.rb

@@ -14,12 +14,15 @@ def hidden_fields(options = {})
     method = options[:method]
     enforce_utf8 = options.fetch(:enforce_utf8, true)
 
-    txt =  %{<div style="display:none">}
-    txt << %{<input name="utf8" type="hidden" value="&#x2713;" />} if enforce_utf8
-    if method && !%w(get post).include?(method.to_s)
-      txt << %{<input name="_method" type="hidden" value="#{method}" />}
+    ''.tap do |txt|
+      if enforce_utf8
+        txt << %{<input name="utf8" type="hidden" value="&#x2713;" />}
+      end
+
+      if method && !%w(get post).include?(method.to_s)
+        txt << %{<input name="_method" type="hidden" value="#{method}" />}
+      end
     end
-    txt << %{</div>}
   end
 
   def form_text(action = "http://www.example.com", options = {})