Diffstat (limited to 'actionpack/lib')
-rw-r--r-- | actionpack/lib/action_dispatch/middleware/cookies.rb | 45 | ||||
-rw-r--r-- | actionpack/lib/action_view/helpers/text_helper.rb | 8 |
2 files changed, 43 insertions, 10 deletions
diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb
index 87e8dd5010..d69ba39728 100644
--- a/actionpack/lib/action_dispatch/middleware/cookies.rb
+++ b/actionpack/lib/action_dispatch/middleware/cookies.rb
@@ -45,7 +45,16 @@ module ActionDispatch
 # * <tt>:value</tt> - The cookie's value or list of values (as an array).
 # * <tt>:path</tt> - The path for which this cookie applies. Defaults to the root
 # of the application.
- # * <tt>:domain</tt> - The domain for which this cookie applies.
+ # * <tt>:domain</tt> - The domain for which this cookie applies so you can
+ # restrict to the domain level. If you use a schema like www.example.com
+ # and want to share session with user.example.com set <tt>:domain</tt>
+ # to <tt>:all</tt>. Make sure to specify the <tt>:domain</tt> option with
+ # <tt>:all</tt> again when deleting keys.
+ #
+ # :domain => nil # Does not sets cookie domain. (default)
+ # :domain => :all # Allow the cookie for the top most level
+ # domain and subdomains.
+ #
 # * <tt>:expires</tt> - The time at which this cookie expires, as a Time object.
 # * <tt>:secure</tt> - Whether this cookie is a only transmitted to HTTPS servers.
 # Default is +false+.
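Review bot: The new `:domain => :all` text reads as if the domain were a static setting, but in this commit it is computed per request from the `HTTP_HOST` value captured in `CookieJar.build`, which the option docs should say so that callers understand the cookie scope follows whatever host the client sent. I would append a line after the `:domain => :all` example such as `# The domain is derived from the request's Host header, so it is whatever host the client addressed.`. The example line `# Does not sets cookie domain.` should read `# Does not set cookie domain.`. This hunk is inside a comment block whose enclosing method docs start outside the hunk.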
@@ -54,22 +63,34 @@ module ActionDispatch
 class Cookies
 HTTP_HEADER = "Set-Cookie".freeze
 TOKEN_KEY = "action_dispatch.secret_token".freeze
-
+
 # Raised when storing more than 4K of session data.
 class CookieOverflow < StandardError; end
 class CookieJar < Hash #:nodoc:
+
+ # This regular expression is used to split the levels of a domain
+ # So www.example.co.uk gives:
+ # $1 => www.
+ # $2 => example
+ # $3 => co.uk
+ DOMAIN_REGEXP = /^(.*\.)*(.*)\.(...|...\...|....|..\...|..)$/
+
 def self.build(request)
 secret = request.env[TOKEN_KEY]
- new(secret).tap do |hash|
+ host = request.env["HTTP_HOST"]
+
+ new(secret, host).tap do |hash|
 hash.update(request.cookies)
 end
 end
- def initialize(secret=nil)
+ def initialize(secret = nil, host = nil)
 @secret = secret
 @set_cookies = {}
 @delete_cookies = {}
+ @host = host
+
+ super()
 end
@@ -78,6 +99,15 @@ module ActionDispatch
 super(name.to_s)
 end
+ def handle_options(options) #:nodoc:
+ options[:path] ||= "/"
+
+ if options[:domain] == :all
+ @host =~ DOMAIN_REGEXP
+ options[:domain] = ".#{$2}.#{$3}"
+ end
+ end
+
 # Sets the cookie named +name+. The second argument may be the very cookie
 # value, or a hash of options as documented above.
 def []=(key, options)
@@ -91,7 +121,8 @@ module ActionDispatch
 value = super(key.to_s, value)
- options[:path] ||= "/"
+ handle_options(options)
+
 @set_cookies[key] = options
 @delete_cookies.delete(key)
 value
@@ -102,7 +133,9 @@ module ActionDispatch
 # an options hash to delete cookies with extra data such as a <tt>:path</tt>.
 def delete(key, options = {})
 options.symbolize_keys!
- options[:path] ||= "/"
+
+ handle_options(options)
+
 value = super(key.to_s)
 @delete_cookies[key] = options
 value
diff --git a/actionpack/lib/action_view/helpers/text_helper.rb b/actionpack/lib/action_view/helpers/text_helper.rb
index a06073ce66..700c0b9e3b 100644
--- a/actionpack/lib/action_view/helpers/text_helper.rb
+++ b/actionpack/lib/action_view/helpers/text_helper.rb
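Review bot: `host = request.env["HTTP_HOST"]` in `CookieJar.build` feeds a client-controlled header, possibly including a `:port` suffix, into the `Domain` attribute of every cookie set with `:domain => :all`, so a request carrying an unexpected Host header produces a cookie scoped to whatever registrable domain the client named rather than the deployed site. From a hardening standpoint the host should come from a validated or configured value; at minimum prefer `host = request.host`, which Rack gives without the port, and document that the derived domain is only as trustworthy as the Host header. `DOMAIN_REGEXP` also uses `^`/`$`, which are line anchors in Ruby; `\A`/`\z` anchor the whole string, and the length-based TLD alternatives (`..\...`, `....`) are a heuristic that does not follow the public suffix list, which the comment above the constant should state, e.g. `# Heuristic only: approximates public-suffix splitting by label length.`.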
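Review bot: In `handle_options` the result of `@host =~ DOMAIN_REGEXP` is never checked, so when `@host` is nil, has no dotted suffix (e.g. `localhost`), or fails the match for any other reason, `$2` and `$3` are nil and the cookie is emitted with `options[:domain] = ".."`. The match should be tested explicitly and the domain left unset on failure; using `Regexp#match` also avoids the `$2`/`$3` globals, which are shared per-thread state and easy to clobber. Dropping the key on failure presumes the downstream cookie writer would otherwise render the literal symbol; confirm against the header builder, which is outside this hunk.
```ruby
def handle_options(options) #:nodoc:
  options[:path] ||= "/"

  if options[:domain] == :all
    # No match (nil host, no dotted suffix, host:port) must not
    # produce a Domain attribute of "..": leave the domain unset instead.
    if (match = DOMAIN_REGEXP.match(@host.to_s))
      options[:domain] = ".#{match[2]}.#{match[3]}"
    else
      options.delete(:domain)
    end
  end
end
```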
@@ -74,7 +74,7 @@ module ActionView
 options.reverse_merge!(:length => 30)
- text = sanitize(text) unless text.html_safe? || options[:safe]
+ text = h(text) unless text.html_safe? || options[:safe]
 text.truncate(options.delete(:length), options) if text
 end
@@ -106,7 +106,7 @@ module ActionView
 end
 options.reverse_merge!(:highlighter => '<strong class="highlight">\1</strong>')
- text = sanitize(text) unless text.html_safe? || options[:safe]
+ text = h(text) unless text.html_safe? || options[:safe]
 if text.blank? || phrases.blank?
 text
 else
@@ -244,7 +244,7 @@ module ActionView
 def simple_format(text, html_options={}, options={})
 text = '' if text.nil?
 start_tag = tag('p', html_options, true)
- text = sanitize(text) unless text.html_safe? || options[:safe]
+ text = h(text) unless text.html_safe? || options[:safe]
 text.gsub!(/\r\n?/, "\n") # \r\n and \r -> \n
 text.gsub!(/\n\n+/, "</p>\n\n#{start_tag}") # 2+ newline -> paragraph
 text.gsub!(/([^\n]\n)(?=[^\n])/, '\1<br />') # 1 newline -> br
@@ -503,7 +503,7 @@ module ActionView
 text.html_safe
 else
 display_text = (block_given?) ? yield(text) : text
- display_text = sanitize(display_text) unless options[:safe]
+ display_text = h(display_text) unless options[:safe]
 mail_to text, display_text, html_options
 end
 end
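Review bot: Replacing `sanitize(text)` with `h(text)` changes the contract from allowlist-based tag stripping to escaping every character, which is the safer default, but the `options[:safe]` branch still skips escaping entirely and nothing in the method docs (which start outside the hunk) says so; each affected method should carry a line like `# Pass <tt>:safe => true</tt> only for text you already trust as HTML: it is emitted unescaped.`. In this first hunk the escaped text is then passed to `truncate`, which can cut inside an entity such as `&amp;` and leave a dangling fragment; that is a rendering rather than an injection issue, but worth a comment or a test. The same point applies to the highlight, `simple_format` and mail_to hunks in this file.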
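Review bot: In the last hunk only `display_text` is escaped before `mail_to text, display_text, html_options`, while `text`, the address that presumably becomes the href target, is handed over untouched; whether `mail_to` escapes it is outside this hunk and should be confirmed. If it does not, a reader cannot tell from this method alone that the address is safe, so a comment such as `# text is escaped by mail_to when building the href` (if true) would document the assumption. The enclosing method starts and ends outside the hunk.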