Diffstat (limited to 'actionpack/CHANGELOG.md')
-rw-r--r-- | actionpack/CHANGELOG.md | 196 |
1 files changed, 181 insertions, 15 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 89c92730cd..516fcbe62f 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md 
@@ -1,5 +1,112 @@ ## Rails 4.0.0 (unreleased) ## +* Add Request#formats=(extensions) that lets you set multiple formats directly in a prioritized order *DHH* + + Example of using this for custom iphone views with an HTML fallback: + + class ApplicationController < ActionController::Base + before_filter :adjust_format_for_iphone_with_html_fallback + + private + def adjust_format_for_iphone_with_html_fallback + request.formats = [ :iphone, :html ] if request.env["HTTP_USER_AGENT"][/iPhone/] + end + end + + +* Add Routing Concerns to declare common routes that can be reused inside + others resources and routes. + + Code before: + + resources :messages do + resources :comments + end + + resources :posts do + resources :comments + resources :images, only: :index + end + + Code after: + + concern :commentable do + resources :comments + end + + concern :image_attachable do + resources :images, only: :index + end + + resources :messages, concerns: :commentable + + resources :posts, concerns: [:commentable, :image_attachable] + + *DHH + Rafael Mendonça França* + +* Add start_hour and end_hour options to the select_hour helper. *Evan Tann* + +* Raises an ArgumentError when the first argument in `form_for` contain `nil` + or is empty. + + *Richard Schneeman* + +* Add 'X-Frame-Options' => 'SAMEORIGIN' and + 'X-XSS-Protection' => '1; mode=block' + as default headers. + + *Egor Homakov* + +* Allow data attributes to be set as a first-level option for form_for, so you can write `form_for @record, data: { behavior: 'autosave' }` instead of `form_for @record, html: { data: { behavior: 'autosave' } }` *DHH* + +* Deprecate `button_to_function` and `link_to_function` helpers. + + We recommend the use of Unobtrusive JavaScript instead. 
For example: + + link_to "Greeting", "#", :class => "nav_link" + + $(function() { + $('.nav_link').click(function() { + // Some complex code + + return false; + }); + }); + + or + + link_to "Greeting", '#', onclick: "alert('Hello world!'); return false", class: "nav_link" + + for simple cases. + + *Rafael Mendonça França* + +* `javascript_include_tag :all` will now not include `application.js` if the file does not exists. *Prem Sichanugrist* + +* Send an empty response body when call `head` with status between 100 and 199, 204, 205 or 304. + + *Armand du Plessis* + +* Fixed issue with where Digest authentication would not work behind a proxy. *Arthur Smith* + +* Added ActionController::Live. Mix it in to your controller and you can + stream data to the client live. For example: + + class FooController < ActionController::Base + include ActionController::Live + + def index + 100.times { + # Client will see this as it's written + response.stream.write "hello world\n" + sleep 1 + } + response.stream.close + end + end + +* Remove ActionDispatch::Head middleware in favor of Rack::Head. *Santiago Pastorino* + * Deprecate `:confirm` in favor of `:data => { :confirm => "Text" }` option for `button_to`, `button_tag`, `image_submit_tag`, `link_to` and `submit_tag` helpers. *Carlos Galdino + Rafael Mendonça França* @@ -120,8 +227,6 @@ * Replace `include_seconds` boolean argument with `:include_seconds => true` option in `distance_of_time_in_words` and `time_ago_in_words` signature. *Dmitriy Kiriyenko* -* Remove `button_to_function` and `link_to_function` helpers. *Rafael Mendonça França* - * Make current object and counter (when it applies) variables accessible when rendering templates with :object / :collection. *Carlos Antonio da Silva* 
@@ -207,13 +312,13 @@ * Add `collection_check_boxes` form helper, similar to `collection_select`: Example: - collection_check_boxes :post, :author_ids, Author.all, :id, :name - # Outputs something like: - <input id="post_author_ids_1" name="post[author_ids][]" type="checkbox" value="1" /> - <label for="post_author_ids_1">D. Heinemeier Hansson</label> - <input id="post_author_ids_2" name="post[author_ids][]" type="checkbox" value="2" /> - <label for="post_author_ids_2">D. Thomas</label> - <input name="post[author_ids][]" type="hidden" value="" /> + collection_check_boxes :post, :author_ids, Author.all, :id, :name + # Outputs something like: + <input id="post_author_ids_1" name="post[author_ids][]" type="checkbox" value="1" /> + <label for="post_author_ids_1">D. Heinemeier Hansson</label> + <input id="post_author_ids_2" name="post[author_ids][]" type="checkbox" value="2" /> + <label for="post_author_ids_2">D. Thomas</label> + <input name="post[author_ids][]" type="hidden" value="" /> The label/check_box pairs can be customized with a block. @@ -222,12 +327,12 @@ * Add `collection_radio_buttons` form helper, similar to `collection_select`: Example: - collection_radio_buttons :post, :author_id, Author.all, :id, :name - # Outputs something like: - <input id="post_author_id_1" name="post[author_id]" type="radio" value="1" /> - <label for="post_author_id_1">D. Heinemeier Hansson</label> - <input id="post_author_id_2" name="post[author_id]" type="radio" value="2" /> - <label for="post_author_id_2">D. Thomas</label> + collection_radio_buttons :post, :author_id, Author.all, :id, :name + # Outputs something like: + <input id="post_author_id_1" name="post[author_id]" type="radio" value="1" /> + <label for="post_author_id_1">D. Heinemeier Hansson</label> + <input id="post_author_id_2" name="post[author_id]" type="radio" value="2" /> + <label for="post_author_id_2">D. Thomas</label> The label/radio_button pairs can be customized with a block. 
@@ -271,6 +376,67 @@ HTML5 `mark` element. *Brian Cardarella* +## Rails 3.2.8 (Aug 9, 2012) ## + +* There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the + helper doesn't correctly handle malformed html. As a result an attacker can + execute arbitrary javascript through the use of specially crafted malformed + html. + + *Marek from Nethemba (www.nethemba.com) & Santiago Pastorino* + +* When a "prompt" value is supplied to the `select_tag` helper, the "prompt" value is not escaped. + If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks. + Vulnerable code will look something like this: + select_tag("name", options, :prompt => UNTRUSTED_INPUT) + + *Santiago Pastorino* + +* Reverted the deprecation of `:confirm`. *Rafael Mendonça França* + +* Reverted the deprecation of `:disable_with`. *Rafael Mendonça França* + +* Reverted the deprecation of `:mouseover` option to `image_tag`. *Rafael Mendonça França* + +* Reverted the deprecation of `button_to_function` and `link_to_function` helpers. + + *Rafael Mendonça França* + + +## Rails 3.2.7 (Jul 26, 2012) ## + +* Do not convert digest auth strings to symbols. CVE-2012-3424 + +* Bump Journey requirements to 1.0.4 + +* Add support for optional root segments containing slashes + +* Fixed bug creating invalid HTML in select options + +* Show in log correct wrapped keys + +* Fix NumberHelper options wrapping to prevent verbatim blocks being rendered instead of line continuations. + +* ActionController::Metal doesn't have logger method, check it and then delegate + +* ActionController::Caching depends on RackDelegation and AbstractController::Callbacks + + +## Rails 3.2.6 (Jun 12, 2012) ## + +* nil is removed from array parameter values + + CVE-2012-2694 + +* Deprecate `:confirm` in favor of `':data => { :confirm => "Text" }'` option for `button_to`, `button_tag`, `image_submit_tag`, `link_to` and `submit_tag` helpers. 
+ + *Carlos Galdino* + +* Allow to use mounted_helpers (helpers for accessing mounted engines) in ActionView::TestCase. *Piotr Sarnacki* + +* Include mounted_helpers (helpers for accessing mounted engines) in ActionDispatch::IntegrationTest by default. *Piotr Sarnacki* + + ## Rails 3.2.5 (Jun 1, 2012) ## * No changes. |
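Review bot: in the first hunk (`@@ -1,5 +1,112 @@`), the `Request#formats=` example reads `request.env["HTTP_USER_AGENT"][/iPhone/]`, which raises `NoMethodError` on `nil` for any request that carries no User-Agent header, so the before_filter would fail for such clients; suggest `request.env["HTTP_USER_AGENT"].to_s[/iPhone/]` so a missing header simply falls through to the default formats. In the same hunk, the `ActionController::Live` example calls `response.stream.close` only on the happy path; an exception or client disconnect inside the `100.times` loop leaves the stream open, so the loop should sit inside `begin ... ensure response.stream.close end`. Minor wording in the new entries: "when the first argument in `form_for` contain `nil`" should read "contains", "if the file does not exists" should read "does not exist", "when call `head`" should read "when calling `head`", and "Fixed issue with where Digest authentication" should read "Fixed an issue where Digest authentication".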
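Review bot: the `@@ -120,8 +227,6 @@` hunk drops the "Remove `button_to_function` and `link_to_function` helpers" entry, which is consistent with the new "Deprecate `button_to_function` and `link_to_function` helpers" entry added in the first hunk, but a changelog change alone is not enough: confirm that the helpers themselves are reinstated with deprecation warnings in the same commit, otherwise the changelog promises a deprecation period the code does not provide.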
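Review bot: the `@@ -207,13 +312,13 @@` hunk changes the `collection_check_boxes` example only in leading whitespace (each line gains four spaces), presumably so the example renders as a Markdown code block; that is the right fix, since un-indented `<input ... />` and `<label ...>` lines would otherwise be rendered as raw HTML elements, but the commit message should say the change is whitespace-only, and the "Outputs something like:" comment line needs the same indentation as the tag lines it introduces, which the hunk does apply.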
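Review bot: the `@@ -222,12 +327,12 @@` hunk is the same whitespace-only re-indentation for the `collection_radio_buttons` example; no objection, but it would be easier to review as a separate formatting commit rather than folded into a commit that also adds new changelog entries.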
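Review bot: in the `@@ -271,6 +376,67 @@` hunk, the two Rails 3.2.8 security entries (the `strip_tags` XSS with malformed HTML and the unescaped `:prompt` in `select_tag`) carry no advisory identifier, while the 3.2.7 entry cites CVE-2012-3424 and the 3.2.6 entry cites CVE-2012-2694; add the corresponding identifiers to the 3.2.8 entries so readers can match each fix to its advisory. In the `select_tag` entry, the example line `select_tag("name", options, :prompt => UNTRUSTED_INPUT)` sits at the same indentation as the prose and will not render as code; indent it by four spaces like the other examples. The 3.2.6 `:confirm` deprecation entry wraps the option in stray single quotes inside backticks (`':data => { :confirm => "Text" }'`) where the 4.0.0 entry for the same change writes `:data => { :confirm => "Text" }`; drop the single quotes for consistency. The 3.2.7 entries also lack the author attribution every other entry in the file carries.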