aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib
diff options
context:
space:
mode:
Diffstat (limited to 'actionpack/lib')
-rw-r--r--actionpack/lib/action_dispatch/middleware/cookies.rb45
-rw-r--r--actionpack/lib/action_view/helpers/text_helper.rb8
2 files changed, 43 insertions, 10 deletions
diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb
index 87e8dd5010..d69ba39728 100644
--- a/actionpack/lib/action_dispatch/middleware/cookies.rb
+++ b/actionpack/lib/action_dispatch/middleware/cookies.rb
@@ -45,7 +45,16 @@ module ActionDispatch
# * <tt>:value</tt> - The cookie's value or list of values (as an array).
# * <tt>:path</tt> - The path for which this cookie applies. Defaults to the root
# of the application.
- # * <tt>:domain</tt> - The domain for which this cookie applies.
+ # * <tt>:domain</tt> - The domain for which this cookie applies so you can
+ # restrict to the domain level. If you use a schema like www.example.com
+ # and want to share session with user.example.com set <tt>:domain</tt>
+ # to <tt>:all</tt>. Make sure to specify the <tt>:domain</tt> option with
+ # <tt>:all</tt> again when deleting keys.
+ #
+ # :domain => nil # Does not sets cookie domain. (default)
+ # :domain => :all # Allow the cookie for the top most level
+ # domain and subdomains.
+ #
# * <tt>:expires</tt> - The time at which this cookie expires, as a Time object.
# * <tt>:secure</tt> - Whether this cookie is a only transmitted to HTTPS servers.
# Default is +false+.
@@ -54,22 +63,34 @@ module ActionDispatch
class Cookies
HTTP_HEADER = "Set-Cookie".freeze
TOKEN_KEY = "action_dispatch.secret_token".freeze
-
+
# Raised when storing more than 4K of session data.
class CookieOverflow < StandardError; end
class CookieJar < Hash #:nodoc:
+
+ # This regular expression is used to split the levels of a domain
+ # So www.example.co.uk gives:
+ # $1 => www.
+ # $2 => example
+ # $3 => co.uk
+ DOMAIN_REGEXP = /^(.*\.)*(.*)\.(...|...\...|....|..\...|..)$/
+
def self.build(request)
secret = request.env[TOKEN_KEY]
- new(secret).tap do |hash|
+ host = request.env["HTTP_HOST"]
+
+ new(secret, host).tap do |hash|
hash.update(request.cookies)
end
end
- def initialize(secret=nil)
+ def initialize(secret = nil, host = nil)
@secret = secret
@set_cookies = {}
@delete_cookies = {}
+ @host = host
+
super()
end
@@ -78,6 +99,15 @@ module ActionDispatch
super(name.to_s)
end
+ def handle_options(options) #:nodoc:
+ options[:path] ||= "/"
+
+ if options[:domain] == :all
+ @host =~ DOMAIN_REGEXP
+ options[:domain] = ".#{$2}.#{$3}"
+ end
+ end
+
# Sets the cookie named +name+. The second argument may be the very cookie
# value, or a hash of options as documented above.
def []=(key, options)
@@ -91,7 +121,8 @@ module ActionDispatch
value = super(key.to_s, value)
- options[:path] ||= "/"
+ handle_options(options)
+
@set_cookies[key] = options
@delete_cookies.delete(key)
value
@@ -102,7 +133,9 @@ module ActionDispatch
# an options hash to delete cookies with extra data such as a <tt>:path</tt>.
def delete(key, options = {})
options.symbolize_keys!
- options[:path] ||= "/"
+
+ handle_options(options)
+
value = super(key.to_s)
@delete_cookies[key] = options
value
diff --git a/actionpack/lib/action_view/helpers/text_helper.rb b/actionpack/lib/action_view/helpers/text_helper.rb
index a06073ce66..700c0b9e3b 100644
--- a/actionpack/lib/action_view/helpers/text_helper.rb
+++ b/actionpack/lib/action_view/helpers/text_helper.rb
@@ -74,7 +74,7 @@ module ActionView
options.reverse_merge!(:length => 30)
- text = sanitize(text) unless text.html_safe? || options[:safe]
+ text = h(text) unless text.html_safe? || options[:safe]
text.truncate(options.delete(:length), options) if text
end
@@ -106,7 +106,7 @@ module ActionView
end
options.reverse_merge!(:highlighter => '<strong class="highlight">\1</strong>')
- text = sanitize(text) unless text.html_safe? || options[:safe]
+ text = h(text) unless text.html_safe? || options[:safe]
if text.blank? || phrases.blank?
text
else
@@ -244,7 +244,7 @@ module ActionView
def simple_format(text, html_options={}, options={})
text = '' if text.nil?
start_tag = tag('p', html_options, true)
- text = sanitize(text) unless text.html_safe? || options[:safe]
+ text = h(text) unless text.html_safe? || options[:safe]
text.gsub!(/\r\n?/, "\n") # \r\n and \r -> \n
text.gsub!(/\n\n+/, "</p>\n\n#{start_tag}") # 2+ newline -> paragraph
text.gsub!(/([^\n]\n)(?=[^\n])/, '\1<br />') # 1 newline -> br
@@ -503,7 +503,7 @@ module ActionView
text.html_safe
else
display_text = (block_given?) ? yield(text) : text
- display_text = sanitize(display_text) unless options[:safe]
+ display_text = h(display_text) unless options[:safe]
mail_to text, display_text, html_options
end
end