- Bug fix
- Set display to none on generated forms
- Warn for maps with atom keys
-
Enhancements
- Support deeply nested class lists
- Implement Phoenix.HTML.Safe for URI
- Implement Phoenix.HTML.FormData for Map
-
Bug fix
- Generate unique IDs for checkboxes based on the value
- Use artificial button click instead of
form.submit
in JavaScript to trigger all relevant events - Fix a bug where nil/false/true attributes in
aria
/data
/phx
would emit empty or literal values, such as"true"
and"false"
. This release aligns them with all other attributes so bothnil
andfalse
emit nothing.true
emits the attribute with no value.
-
Deprecations
Phoenix.HTML.Tag.attributes_escape/1
is deprecated in favor ofPhoenix.HTML.attributes_escape/1
- Enhancements
- Raise if the
id
attribute is set to a number. This is actually an invalid value according to the HTML spec and it can lead to problematic client behaviour, especially in LiveView and other client frameworks. - Allow
phx
attributes to be nested, similar toaria
anddata
attributes - Allow hidden fields in forms to be a list of values
- Raise if the
- Bug fix
- Do not submit data-method links if default has been prevented
- Deprecations
- Deprecate
~E
andPhoenix.HTML.Tag.attributes_escape/1
- Remove deprecated
Phoenix.HTML.Link.link/1
- Deprecate
- Bug fix
- Ensure
class={@class}
in HEEx templates and:class
attribute incontent_tag
are properly escaped against XSS
- Ensure
- Bug fix
- Fix sorting of attributes in
tag
/content_tag
- Fix sorting of attributes in
- Enhancements
- Support maps on
Phoenix.HTML.Tag.attributes_escape/1
- Support maps on
- Enhancements
- Add
Phoenix.HTML.Tag.csrf_input_tag/2
- Add
-
Enhancements
- Allow extra html attributes on the
:prompt
option inselect
- Make
Plug
an optional dependency - Prefix form id on inputs when it is given to
form_for/3
- Allow
%URI{}
to be passed tolink/2
andbutton/2
as:to
- Expose
Phoenix.HTML.Tag.csrf_token_value/1
- Add
Phoenix.HTML.Tag.attributes_escape/1
- Allow extra html attributes on the
-
Bug fixes
- Honor the
form
attribute when creating hidden checkbox input - Use
to_iso8601
as the standard implementation for safe dates and times
- Honor the
-
Deprecations
form_for
without an anonymous function has been deprecated. v3.0 has deprecated the usage, v3.1 will emit warnings, and v3.2 will fully remove the functionality
-
Backwards incompatible changes
- Strings given as attributes keys in
tag
andcontent_tag
are now emitted as is (without being dasherized) and are also HTML escaped - Prefix form id on inputs when it is given to
form_for/3
- By default dates and times will format to the
to_iso8601
functions provided by their implementation - Do not include
csrf-param
andmethod-param
in generatedcsrf_meta_tag
- Remove deprecated
escape_javascript
in favor ofjavascript_escape
- Remove deprecated
field_value
in favor ofinput_value
- Remove deprecated
field_name
in favor ofinput_name
- Remove deprecated
field_id
in favor ofinput_id
- Strings given as attributes keys in
- Bug fixes
- Fix warnings on Elixir v1.12
- Deprecations
- Deprecate
Phoenix
-specific assigns:view_module
and:view_template
- Deprecate
-
Enhancements
- Add
Phoenix.HTML.Form.options_for_select/2
- Add
Phoenix.HTML.Form.inputs_for/3
- Add
-
Bug fixes
- Disable hidden input for disabled checkboxes
- Enhancements
- Remove enforce_utf8 workaround on forms as it is no longer required by browser
- Remove support tuple-based date/time with microseconds calendar types
- Allow strings as first element in
content_tag
- Add
:srcset
support toimg_tag
- Allow
inputs_for
to skip hidden fields
- Bug fixes
- Fix invalid :line in Elixir v1.10.0
-
Enhancements
- Add atom support to FormData
-
Bug fixes
- Keep proper line numbers on .eex templates for proper coverage
- Bug fixes
- Stop event propagation when confirm dialog is canceled
-
Enhancements
- Allow safe content to be given to label
- Also escale template literals in
javascript_escape/1
-
Bug fixes
- Fix deprecation warnings to point to the correct alternative
-
Enhancements
- Require Elixir v1.5+ for more efficient template compilation/rendering
- Add
Phoenix.HTML.Engine.encode_to_iodata!/1
- Add
Phoenix.HTML.Form.form_for/3
that works without an anonymous function
-
Deprecations
- Deprecate
Phoenix.HTML.escape_javascript/1
in favor ofPhoenix.HTML.javascript_escape/1
for consistency
- Deprecate
-
Enhancements
- Configurable and extendable data-confirm behaviour
- Allow data-confirm with submit buttons
- Support ISO 8601 formatted strings for date and time values
-
Bug fixes
- Provide a default id of the field name for
@conn
based forms
- Provide a default id of the field name for
-
Enhancements
- Support custom precision on time input
-
Bug fixes
- Do not raise when
:
is part of a path on link/button attributes
- Do not raise when
-
Enhancements
- Add
label/1
- Copy the target attribute of the link in the generated JS form
- Add
-
Bug fixes
- Support any value that is html escapable in
radio_button
- Support any value that is html escapable in
-
Enhancements
- Add date, datetime-local and time input types
- Enable string keys to be usable with forms
- Support carriage return in
text_to_html
- Add support for HTML5 boolean attributes to
content_tag
andtag
- Improve performance by relying on
html_safe_to_iodata/1
- Protect against CSRF tokens leaking across hosts when the POST URL is dynamic
- Require
to
attribute in links and buttons to explicitly pass protocols as a separate option for safety reasons
-
Bug fixes
- Guarantee
input_name/2
always returns strings - Improve handling of uncommon whitespace and null in
escape_javascript
- Escape value attribute so it is never treated as a boolean
- Guarantee
-
Backwards incompatible changes
- The :csrf_token_generator configuration in the Phoenix.HTML app no longer works due to the improved security mechanisms
- Enhancements
- Do not require the :as option in form_for
- Bug fixes
- Fix formatting of days in datetime_builder
-
Enhancements
- Allow specifying a custom CSRF token generator
-
Bug fixes
- Do not submit
method: :get
in buttons as "post"
- Do not submit
- Bug fixes
- Traverse DOM elements up when handling data-method
- Bug fixes
- Only generate CSRF token if necessary
-
Enhancements
- Support custom attributes in options in select
-
Bug fixes
- Accept non-binary values in textarea's content
- Allow nested forms on the javascript side. This means
link
andbutton
no longer generate a child form such as the:form
option has no effect and "data-submit=parent" is no longer supported. Instead "data-to" and "data-method" are set on the entities and the form is generated on the javascript side of things
- Bug fixes
- Once again support any name for atom forms
- Bug fixes
- Always read from
form.params
and then from:selected
inselect
andmultiple_select
before falling back toinput_value/2
- Always read from
- Bug fixes
- Implement proper
input_value/3
callback
- Implement proper
- Enhancements
- Add
img_tag/2
helper toPhoenix.HTML.Tag
- Submit nearest form even if not direct descendent
- Use more iodata for
tag/2
andcontent_tag/3
- Add
input_value/3
,input_id/2
andinput_name/2
as a unified API around the input (alongsideinput_type/3
andinput_validations/2
)
- Add
- Enhancements
- Add
csrf_meta_tag/0
helper toPhoenix.HTML.Tag
- Allow passing a
do:
option toPhoenix.HTML.Link.button/2
- Add
- Enhancements
- Render button tags for form submits and in the
button/2
function - Allow
submit/2
andbutton/2
to receivedo
blocks - Support the
:multiple
option infile_input/3
- Remove previously deprecated and unused
model
field
- Render button tags for form submits and in the
-
Enhancements
- Remove warnings on v1.4
-
Bug fixes
- Ensure some contents are properly escaped as an integer
- Ensure JavaScript data-submit events bubble up until it finds the proper parent
-
Enhancements
- Raise helpful error when using invalid iodata
- Inline date/time API with Elixir v1.3 Calendar types
- Add
:insert_brs
option totext_to_html/2
- Run on Erlang 19 without warnings
-
Client-side changes
- Use event delegation in
phoenix_html.js
- Drop IE8 support on
phoenix_html.js
- Use event delegation in
-
Backwards incompatible changes
:min
,:sec
option inPhoenix.HTML.Form
(datetime_select/3
andtime_select/3
) are no longer supported. Use:minute
or:second
instead.
- Bug fixes
- Ensure multipart files work with inputs_for
- Enhancements
- Introduce
form.data
field instead ofform.model
. Currently those values are kept in sync then the form is built butform.model
will be deprecated in the long term
- Introduce
-
Enhancements
- Add
rel=nofollow
auto generation for non-get links - Introduce
:selected
option forselect
andmultiple_select
- Add
-
Bug fixes
- Fix safe engine incorrectly marking safe code as unsafe when last expression is
<% ... %>
- Fix safe engine incorrectly marking safe code as unsafe when last expression is
- Enhancements
- Add
escape_javascript/1
- Add helpful error message when using unknown
@inner
assign - Add
Phoenix.HTML.Format.text_to_html/2
- Add
- Bug fix
- Allow the
:name
to be given in forms. For this, using:name
to configure the underlying input name prefix has been deprecated in favor of:as
- Allow the
- Bug fix
- Do not include values in
password_input/3
- Do not include values in
- Enhancements
- Allow nil in
raw/1
- Allow block options in
label/3
- Introduce
:skip_deleted
ininputs_for/4
- Allow nil in
- Enhancements
- Add an index field to forms to be used by
inputs_for/4
collections
- Add an index field to forms to be used by
- Bug fix
- Include web directory in Hex package
- Enhancements
-
No longer generate onclick attributes.
The main motivation for this is to provide support for Content Security Policy, which recommends disabling all inline scripts in a page.
We took the opportunity to also add support for data-confirm in
link/2
.
-
- Enhancements
- Support
input_type/2
andinput_validations/2
as reflection mechanisms
- Support
- Enhancements
- Add
Phoenix.HTML.Form.inputs_for/4
support - Add multiple select support
- Add reset input
- Infer default text context for labels
- Add
- Bug fix
- Ensure nil parameters are not discarded when rendering input
- Enhancements
- Add
label/3
for generating a label tag within a form
- Add
- Enhancements
- Allow do/end syntax with
link/2
- Raise on missing assigns
- Allow do/end syntax with
- Bug fixes
- Avoid variable clash in Phoenix.HTML engine buffers
- Enhancements
- Provides an EEx engine with HTML safe rendering
- Provides a
Phoenix.HTML.Safe
protocol - Provides a
Phoenix.HTML.FormData
protocol - Provides functions for generating tags, links and form builders in a safe way