diff options
Diffstat (limited to 'railties/guides/source')
| -rw-r--r-- | railties/guides/source/action_view_overview.textile | 2 | ||||
| -rw-r--r-- | railties/guides/source/active_support_core_extensions.textile | 6 | ||||
| -rw-r--r-- | railties/guides/source/contribute.textile | 2 | ||||
| -rw-r--r-- | railties/guides/source/credits.html.erb | 30 | ||||
| -rw-r--r-- | railties/guides/source/debugging_rails_applications.textile | 3 | ||||
| -rw-r--r-- | railties/guides/source/form_helpers.textile | 2 | ||||
| -rw-r--r-- | railties/guides/source/getting_started.textile | 1 | ||||
| -rw-r--r-- | railties/guides/source/layout.html.erb | 12 | ||||
| -rw-r--r-- | railties/guides/source/layouts_and_rendering.textile | 5 | ||||
| -rw-r--r-- | railties/guides/source/performance_testing.textile | 8 | ||||
| -rw-r--r-- | railties/guides/source/plugins.textile | 29 | ||||
| -rw-r--r-- | railties/guides/source/routing.textile | 6 | ||||
| -rw-r--r-- | railties/guides/source/security.textile | 10 | ||||
| -rw-r--r-- | railties/guides/source/testing.textile | 3 |
14 files changed, 65 insertions, 54 deletions
diff --git a/railties/guides/source/action_view_overview.textile b/railties/guides/source/action_view_overview.textile index 2fa89bb4c2..842a8408ad 100644 --- a/railties/guides/source/action_view_overview.textile +++ b/railties/guides/source/action_view_overview.textile @@ -1414,7 +1414,7 @@ Replaces the inner HTML of the DOM element with the given id. page.replace_html 'person-45', :partial => 'person', :object => @person </ruby> -h5. select +h5(#prototype-select). select Returns a collection reference by finding it through a CSS pattern in the DOM. diff --git a/railties/guides/source/active_support_core_extensions.textile b/railties/guides/source/active_support_core_extensions.textile index a8410a8dd2..b41b16b728 100644 --- a/railties/guides/source/active_support_core_extensions.textile +++ b/railties/guides/source/active_support_core_extensions.textile @@ -866,7 +866,7 @@ WARNING: Note that in that case +parent+ returns +Object+. NOTE: Defined in +active_support/core_ext/module/introspection.rb+. -h5. +parents+ +h5(#module-parents). +parents+ The method +parents+ calls +parent+ on the receiver and upwards until +Object+ is reached. The chain is returned in an array, from bottom to top: @@ -2191,9 +2191,9 @@ NOTE: Defined in +active_support/core_ext/array/grouping.rb+. h3. Extensions to +Hash+ -h4. Conversions +h4(#hash-conversions). Conversions -h5. +to_xml+ +h5(#hash-to-xml). +to_xml+ The method +to_xml+ returns a string containing an XML representation of its receiver: diff --git a/railties/guides/source/contribute.textile b/railties/guides/source/contribute.textile index 1203e38a4e..8c64df5362 100644 --- a/railties/guides/source/contribute.textile +++ b/railties/guides/source/contribute.textile @@ -9,7 +9,7 @@ h3. How to Contribute? * We have an open commit policy: anyone is welcome to contribute, but you'll need to ask for commit access. * PM lifo at "GitHub":http://github.com asking for "docrails":http://github.com/lifo/docrails/tree/master commit access. * Guides are written in Textile, and reside at railties/guides/source in the docrails project. -* All images are in the railties/guides/images directory. +* Assets are stored in the +railties/guides/assets+ directory. * Sample format : "Active Record Associations":http://github.com/lifo/docrails/blob/3e56a3832415476fdd1cb963980d0ae390ac1ed3/railties/guides/source/association_basics.textile * Sample output : "Active Record Associations":association_basics.html * You can build the Guides during testing by running +rake generate_guides+ in the +railties+ directory. diff --git a/railties/guides/source/credits.html.erb b/railties/guides/source/credits.html.erb index e026628e6a..9851702df9 100644 --- a/railties/guides/source/credits.html.erb +++ b/railties/guides/source/credits.html.erb @@ -8,53 +8,59 @@ <h3 class="section">Rails Documentation Team</h3> <%= author('Mike Gunderloy', 'mgunderloy') do %> - <p>Mike Gunderloy is a consultant with <a href="http://www.actionrails.com">ActionRails</a>. He brings 25 years of experience in a variety of languages to bear on his current work with Rails. His near-daily links and other blogging can be found at <a href="http://afreshcup.com">A Fresh Cup</a> and he <a href="http://twitter.com/MikeG1">twitters</a> too much.</p> + Mike Gunderloy is a consultant with <a href="http://www.actionrails.com">ActionRails</a>. He brings 25 years of experience in a variety of languages to bear on his current work with Rails. His near-daily links and other blogging can be found at <a href="http://afreshcup.com">A Fresh Cup</a> and he <a href="http://twitter.com/MikeG1">twitters</a> too much. <% end %> <%= author('Pratik Naik', 'lifo') do %> - <p>Pratik Naik is a Ruby on Rails consultant with <a href="http://www.actionrails.com">ActionRails</a> and also a member of the <a href="http://rubyonrails.org/core">Rails core team</a>. He maintains a blog at <a href="http://m.onkey.org">has_many :bugs, :through => :rails</a> and has an active <a href="http://twitter.com/lifo">twitter account</a>.</p> + Pratik Naik is a Ruby on Rails consultant with <a href="http://www.actionrails.com">ActionRails</a> and also a member of the <a href="http://rubyonrails.org/core">Rails core team</a>. He maintains a blog at <a href="http://m.onkey.org">has_many :bugs, :through => :rails</a> and has an active <a href="http://twitter.com/lifo">twitter account</a>. <% end %> <%= author('Xavier Noria', 'fxn', 'fxn.png') do %> - <p>Xavier has been into Rails since 2005, he is currently a Rails consultant. Xavier is Rails committer and enjoys combining his passion for Rails and his past life as a proofreader of math textbooks. Oh, he also <a href="http://twitter.com/fxn">tweets</a> and can be found everywhere as "fxn".</p> + Xavier has been into Rails since 2005, he is currently a Rails consultant. Xavier is Rails committer and enjoys combining his passion for Rails and his past life as a proofreader of math textbooks. Oh, he also <a href="http://twitter.com/fxn">tweets</a> and can be found everywhere as "fxn". <% end %> <h3 class="section">Rails Guides Designers</h3> <%= author('Jason Zimdars', 'jz') do %> - <p>Jason Zimdars is an experienced creative director and web designer who has lead UI and UX design for numerous websites and web applications. You can see more of his design and writing at <a href="http://www.thinkcage.com/">Thinkcage.com</a> or follow him on <a href="http://twitter.com/JZ">Twitter</a>.</p> + Jason Zimdars is an experienced creative director and web designer who has lead UI and UX design for numerous websites and web applications. You can see more of his design and writing at <a href="http://www.thinkcage.com/">Thinkcage.com</a> or follow him on <a href="http://twitter.com/JZ">Twitter</a>. <% end %> <h3 class="section">Rails Guides Authors</h3> <%= author('Frederick Cheung', 'fcheung') do %> - <p>Frederick Cheung is Chief Wizard at Texperts where he has been using Rails since 2006. He is based in Cambridge (UK) and when not consuming fine ales he blogs at <a href="http://www.spacevatican.org">spacevatican.org</a>.</p> + Frederick Cheung is Chief Wizard at Texperts where he has been using Rails since 2006. He is based in Cambridge (UK) and when not consuming fine ales he blogs at <a href="http://www.spacevatican.org">spacevatican.org</a>. <% end %> <%= author('Tore Darell', 'toretore') do %> - <p>Tore Darell is an independent developer based in Menton, France who specialises in cruft-free web applications using Ruby, Rails and unobtrusive JavaScript. His home on the internet is his blog <a href="http://tore.darell.no">Sneaky Abstractions</a>.</p> + Tore Darell is an independent developer based in Menton, France who specialises in cruft-free web applications using Ruby, Rails and unobtrusive JavaScript. His home on the internet is his blog <a href="http://tore.darell.no">Sneaky Abstractions</a>. <% end %> <%= author('Jeff Dean', 'zilkey') do %> - <p>Jeff Dean is a software engineer with <a href="http://pivotallabs.com">Pivotal Labs</a>.</p> + Jeff Dean is a software engineer with <a href="http://pivotallabs.com">Pivotal Labs</a>. <% end %> <%= author('Cássio Marques', 'cmarques') do %> - <p>Cássio Marques is a Brazilian software developer working with different programming languages such as Ruby, JavaScript, CPP and Java, as an independent consultant. He blogs at <a href="http://cassiomarques.wordpress.com">/* CODIFICANDO */</a>, which is mainly written in Portuguese, but will soon get a new section for posts with English translation. + Cássio Marques is a Brazilian software developer working with different programming languages such as Ruby, JavaScript, CPP and Java, as an independent consultant. He blogs at <a href="http://cassiomarques.wordpress.com">/* CODIFICANDO */</a>, which is mainly written in Portuguese, but will soon get a new section for posts with English translation. <% end %> <%= author('James Miller', 'bensie') do %> - <p>James Miller is a software developer for <a href="http://www.jk-tech.com">JK Tech</a> in San Diego, CA. Find me on GitHub, Gmail, Twitter, and Freenode as "bensie".</p> + James Miller is a software developer for <a href="http://www.jk-tech.com">JK Tech</a> in San Diego, CA. Find me on GitHub, Gmail, Twitter, and Freenode as "bensie". <% end %> <%= author('Emilio Tagua', 'miloops') do %> - <p>Emilio Tagua —a.k.a. miloops— is an Argentinian entrepreneur, developer, open source contributor and Rails evangelist. Cofounder of <a href="http://eventioz.com">Eventioz</a>. He has been using Rails since 2006 and contributing since early 2008. Can be found at gmail, twitter, freenode, everywhere as "miloops".</p> + Emilio Tagua —a.k.a. miloops— is an Argentinian entrepreneur, developer, open source contributor and Rails evangelist. Cofounder of <a href="http://eventioz.com">Eventioz</a>. He has been using Rails since 2006 and contributing since early 2008. Can be found at gmail, twitter, freenode, everywhere as "miloops". <% end %> <%= author('Heiko Webers', 'hawe') do %> - <p>Heiko Webers is the founder of <a href="http://www.bauland42.de">bauland42</a>, a German web application security consulting and development company focused on Ruby on Rails. He blogs at the <a href="http://www.rorsecurity.info">Ruby on Rails Security Project</a>. After 10 years of desktop application development, Heiko has rarely looked back.</p> + Heiko Webers is the founder of <a href="http://www.bauland42.de">bauland42</a>, a German web application security consulting and development company focused on Ruby on Rails. He blogs at the <a href="http://www.rorsecurity.info">Ruby on Rails Security Project</a>. After 10 years of desktop application development, Heiko has rarely looked back. <% end %> <%= author('Mikel Lindsaar', 'raasdnil') do %> - <p>Mikel Lindsaar has been working with Rails since 2006 and is the author of the Ruby Mail gem and core contributor (he helped re-write Action Mailer's API). Mikel has a <a href="http://lindsaar.net/">blog</a> and <a href="http://twitter.com/raasdnil">tweets</a>. + Mikel Lindsaar has been working with Rails since 2006 and is the author of the Ruby Mail gem and core contributor (he helped re-write Action Mailer's API). Mikel has a <a href="http://lindsaar.net/">blog</a> and <a href="http://twitter.com/raasdnil">tweets</a>. +<% end %> + +<h3 class="section">Rails Guides Reviewers</h3> + +<%= author('Jaime Iniesta', 'jaimeiniesta', 'jaimeiniesta.jpg') do %> + Jaime Iniesta works as a Ruby on Rails freelance developer since 2005. He's a member of <a href="http://www.prorubyteam.com">ProRuby</a>, co-founder of the <a href="http://srug.org">Spanish Ruby Users Group</a>, member of <a href="http://spainrb.org">Spain.rb</a>, and organizer of <a href="http://conferenciarails.org">Conferencia Rails</a> and <a href="http://euruko2009.org">EuRuKo 2009</a>. Jaime has a <a href="http://jaimeiniesta.com">blog</a> and <a href="http://twitter.com/jaimeiniesta">tweets</a>. <% end %> diff --git a/railties/guides/source/debugging_rails_applications.textile b/railties/guides/source/debugging_rails_applications.textile index cd0098d686..3eddf1a2b1 100644 --- a/railties/guides/source/debugging_rails_applications.textile +++ b/railties/guides/source/debugging_rails_applications.textile @@ -286,7 +286,7 @@ condition down finish list ps save thread var continue edit frame method putl set tmate where </shell> -TIP: To view the help menu for any command use +help <command-name>+ in active debug mode. For example: _+help var+_ +TIP: To view the help menu for any command use +help <command-name>+ in active debug mode. For example: _+help var+_ The next command to learn is one of the most useful: +list+. You can also abbreviate ruby-debug commands by supplying just enough letters to distinguish them from other commands, so you can also use +l+ for the +list+ command. @@ -704,6 +704,7 @@ h3. Changelog "Lighthouse ticket":http://rails.lighthouseapp.com/projects/16213-rails-guides/tickets/5 +* April 4, 2010: Fixed document to validate XHTML 1.0 Strict. "Jaime Iniesta":credits.html#jaimeiniesta * November 3, 2008: Accepted for publication. Added RJS, memory leaks and plugins chapters by "Emilio Tagua":credits.html#miloops * October 19, 2008: Copy editing pass by "Mike Gunderloy":credits.html#mgunderloy * September 16, 2008: initial version by "Emilio Tagua":credits.html#miloops diff --git a/railties/guides/source/form_helpers.textile b/railties/guides/source/form_helpers.textile index d33bb4b4ff..fe0f8f1ac9 100644 --- a/railties/guides/source/form_helpers.textile +++ b/railties/guides/source/form_helpers.textile @@ -501,7 +501,7 @@ Date.civil(params[:start_date][:year].to_i, params[:start_date][:month].to_i, pa The +:prefix+ option is the key used to retrieve the hash of date components from the +params+ hash. Here it was set to +start_date+, if omitted it will default to +date+. -h4. Model Object Helpers +h4(#select-model-object-helpers). Model Object Helpers +select_date+ does not work well with forms that update or create Active Record objects as Active Record expects each element of the +params+ hash to correspond to one attribute. The model object helpers for dates and times submit parameters with special names, when Active Record sees parameters with such names it knows they must be combined with the other parameters and given to a constructor appropriate to the column type. For example: diff --git a/railties/guides/source/getting_started.textile b/railties/guides/source/getting_started.textile index 9cc96f8205..9669f7f155 100644 --- a/railties/guides/source/getting_started.textile +++ b/railties/guides/source/getting_started.textile @@ -1432,6 +1432,7 @@ h3. Changelog "Lighthouse ticket":http://rails.lighthouseapp.com/projects/16213-rails-guides/tickets/2 +* April 1, 2010: Fixed document to validate XHTML 1.0 Strict. "Jaime Iniesta":credits.html#jaimeiniesta * February 8, 2010: Full re-write for Rails 3.0-beta, added helpers and before_filters, refactored code by "Mikel Lindsaar":credits:html#raasdnil * January 24, 2010: Re-write for Rails 3.0 by "Mikel Lindsaar":credits:html#raasdnil * July 18, 2009: Minor cleanup in anticipation of Rails 2.3.3 by "Mike Gunderloy":credits.html#mgunderloy diff --git a/railties/guides/source/layout.html.erb b/railties/guides/source/layout.html.erb index 9819db1f89..b280101d25 100644 --- a/railties/guides/source/layout.html.erb +++ b/railties/guides/source/layout.html.erb @@ -7,13 +7,13 @@ <title><%= yield(:page_title) || 'Ruby on Rails guides' %></title> -<link rel="stylesheet" type="text/css" href="files/stylesheets/style.css" /> -<link rel="stylesheet" type="text/css" href="files/stylesheets/syntax.css" /> -<link rel="stylesheet" type="text/css" href="files/stylesheets/print.css" media="print" /> +<link rel="stylesheet" type="text/css" href="stylesheets/style.css" /> +<link rel="stylesheet" type="text/css" href="stylesheets/syntax.css" /> +<link rel="stylesheet" type="text/css" href="stylesheets/print.css" media="print" /> -<script type="text/javascript" src="files/javascripts/guides.js"></script> -<script type="text/javascript" src="files/javascripts/code_highlighter.js"></script> -<script type="text/javascript" src="files/javascripts/highlighters.js"></script> +<script type="text/javascript" src="javascripts/guides.js"></script> +<script type="text/javascript" src="javascripts/code_highlighter.js"></script> +<script type="text/javascript" src="javascripts/highlighters.js"></script> </head> <body class="guide"> diff --git a/railties/guides/source/layouts_and_rendering.textile b/railties/guides/source/layouts_and_rendering.textile index 2cb98e9ee6..d9781fc966 100644 --- a/railties/guides/source/layouts_and_rendering.textile +++ b/railties/guides/source/layouts_and_rendering.textile @@ -510,7 +510,7 @@ def show end </ruby> -Make sure you use +and return+ and not +&& return+ because while the former will work, the latter will not due to operator precedence in the Ruby Language. +Make sure you use +and return+ and not +&& return+ because while the former will work, the latter will not due to operator precedence in the Ruby Language. Note that the implicit render done by ActionController detects if +render+ has been called, and thus avoids this error. Therefore, the following will work without errors: @@ -747,7 +747,7 @@ You can even use dynamic paths such as +cache/#{current_site}/main/display+. h5. Linking to CSS Files with +stylesheet_link_tag+ -The +stylesheet_link_tag+ helper returns an HTML +<link>+ tag for each source provided. Rails looks in +public/stylesheets+ for these files by default, but you can specify a full path relative to the document root, or a URL, if you prefer. For example, to include +public/stylesheets/main.cs+: +The +stylesheet_link_tag+ helper returns an HTML +<link>+ tag for each source provided. Rails looks in +public/stylesheets+ for these files by default, but you can specify a full path relative to the document root, or a URL, if you prefer. For example, to include +public/stylesheets/main.cs+: <erb> <%= stylesheet_link_tag "main" %> @@ -1197,6 +1197,7 @@ h3. Changelog "Lighthouse ticket":http://rails.lighthouseapp.com/projects/16213-rails-guides/tickets/15 +* April 4, 2010: Fixed document to validate XHTML 1.0 Strict. "Jaime Iniesta":credits.html#jaimeiniesta * January 25, 2010: Rails 3.0 Update by "Mikel Lindsaar":credits.html#raasdnil * December 27, 2008: Merge patch from Rodrigo Rosenfeld Rosas covering subtemplates * December 27, 2008: Information on new rendering defaults by "Mike Gunderloy":credits.html#mgunderloy diff --git a/railties/guides/source/performance_testing.textile b/railties/guides/source/performance_testing.textile index 5c760a5966..f74b68b0ef 100644 --- a/railties/guides/source/performance_testing.textile +++ b/railties/guides/source/performance_testing.textile @@ -213,11 +213,11 @@ h4. Understanding the Output Performance tests generate different outputs inside +tmp/performance+ directory depending on their mode and metric. -h5. Benchmarking +h5(#output-benchmarking). Benchmarking In benchmarking mode, performance tests generate two types of outputs: -h6. Command Line +h6(#output-command-line). Command Line This is the primary form of output in benchmarking mode. Example: @@ -258,7 +258,7 @@ measurement,created_at,app,rails,ruby,platform 0.00771250000000012,2009-01-09T15:46:03Z,,2.3.0.master.859e150,ruby-1.8.6.110,i686-darwin9.0.0 </shell> -h5. Profiling +h5(#output-profiling). Profiling In profiling mode, you can choose from four types of output. @@ -330,7 +330,7 @@ h5. Apply the Patch h5. Configure and Install -The following will install ruby in your home directory's +/rubygc+ directory. Make sure to replace +<homedir>+ with a full patch to your actual home directory. +The following will install ruby in your home directory's +/rubygc+ directory. Make sure to replace +<homedir>+ with a full patch to your actual home directory. <shell> [lifo@null ruby-version]$ ./configure --prefix=/<homedir>/rubygc diff --git a/railties/guides/source/plugins.textile b/railties/guides/source/plugins.textile index 2db421aa91..74c8ee2df9 100644 --- a/railties/guides/source/plugins.textile +++ b/railties/guides/source/plugins.textile @@ -35,14 +35,14 @@ h4. Create the Basic Application The examples in this guide require that you have a working rails application. To create a simple rails app execute: -<pre> +<shell> gem install rails rails yaffle_guide cd yaffle_guide rails generate scaffold bird name:string rake db:migrate rails server -</pre> +</shell> Then navigate to http://localhost:3000/birds. Make sure you have a functioning rails app before continuing. @@ -56,22 +56,22 @@ Rails ships with a plugin generator which creates a basic plugin skeleton. Pass This creates a plugin in 'vendor/plugins' including an 'init.rb' and 'README' as well as standard 'lib', 'task', and 'test' directories. Examples: -<pre> +<shell> rails generate plugin yaffle rails generate plugin yaffle --with-generator -</pre> +</shell> To get more detailed help on the plugin generator, type +rails generate plugin+. Later on this guide will describe how to work with generators, so go ahead and generate your plugin with the +--with-generator+ option now: -<pre> +<shell> rails generate plugin yaffle --with-generator -</pre> +</shell> You should see the following output: -<pre> +<shell> create vendor/plugins/yaffle/lib create vendor/plugins/yaffle/tasks create vendor/plugins/yaffle/test @@ -89,20 +89,20 @@ create vendor/plugins/yaffle/generators/yaffle create vendor/plugins/yaffle/generators/yaffle/templates create vendor/plugins/yaffle/generators/yaffle/yaffle_generator.rb create vendor/plugins/yaffle/generators/yaffle/USAGE -</pre> +</shell> h4. Organize Your Files To make it easy to organize your files and to make the plugin more compatible with GemPlugins, start out by altering your file system to look like this: -<pre> +<shell> |-- lib | |-- yaffle | `-- yaffle.rb `-- rails | `-- init.rb -</pre> +</shell> *vendor/plugins/yaffle/init.rb* @@ -124,7 +124,7 @@ h4. Test Setup *vendor/plugins/yaffle/test/database.yml:* -<pre> +<yaml> sqlite: :adapter: sqlite :dbfile: vendor/plugins/yaffle/test/yaffle_plugin.sqlite.db @@ -146,7 +146,7 @@ mysql: :username: root :password: password :database: yaffle_plugin_test -</pre> +</yaml> For this guide you'll need 2 tables/models, Hickwalls and Wickwalls, so add the following: @@ -239,10 +239,10 @@ end To run this, go to the plugin directory and run +rake+: -<pre> +<shell> cd vendor/plugins/yaffle rake -</pre> +</shell> You should see output like: @@ -1511,4 +1511,5 @@ h3. Changelog "Lighthouse ticket":http://rails.lighthouseapp.com/projects/16213/tickets/32-update-plugins-guide +* April 4, 2010: Fixed document to validate XHTML 1.0 Strict. "Jaime Iniesta":credits.html#jaimeiniesta * November 17, 2008: Major revision by Jeff Dean diff --git a/railties/guides/source/routing.textile b/railties/guides/source/routing.textile index 6625412684..0cf8c45761 100644 --- a/railties/guides/source/routing.textile +++ b/railties/guides/source/routing.textile @@ -65,7 +65,7 @@ RESTful routes take advantage of the built-in REST orientation of Rails to wrap resources :books </ruby> -h4. Named Routes +h4(#quick-tour-named-routes). Named Routes Named routes give you very readable links in your code, as well as handling incoming requests. Here's a typical named route: @@ -91,7 +91,7 @@ resources :assemblies do end </ruby> -h4. Regular Routes +h4(#quick-tour-regular-routes). Regular Routes In many applications, you'll also see non-RESTful routing, which explicitly connects the parts of a URL to a particular action. For example, @@ -400,7 +400,7 @@ In addition to the routes for magazines, this declaration will also create route This will also create routing helpers such as +magazine_ads_url+ and +edit_magazine_ad_path+. -h5. Using +:name_prefix+ +h5(#nested-name-prefix). Using +:name_prefix+ The +:name_prefix+ option overrides the automatically-generated prefix in nested route helpers. For example, diff --git a/railties/guides/source/security.textile b/railties/guides/source/security.textile index b62ff8cb38..1ddf094d18 100644 --- a/railties/guides/source/security.textile +++ b/railties/guides/source/security.textile @@ -611,7 +611,7 @@ h4. SQL Injection -- _Thanks to clever methods, this is hardly a problem in most Rails applications. However, this is a very devastating and common attack in web applications, so it is important to understand the problem._ -h5. Introduction +h5(#sql-injection-introduction). Introduction SQL injection attacks aim at influencing database queries by manipulating web application parameters. A popular goal of SQL injection attacks is to bypass authorization. Another goal is to carry out data manipulation or reading arbitrary data. Here is an example of how not to use user input data in a query: @@ -668,7 +668,7 @@ The result won't be a list of projects (because there is no project with an empt Also, the second query renames some columns with the AS statement so that the web application displays the values from the user table. Be sure to update your Rails "to at least 2.1.1":http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/. -h5. Countermeasures +h5(#sql-injection-countermeasures). Countermeasures Ruby on Rails has a built in filter for special SQL characters, which will escape ' , " , NULL character and line breaks. <em class="highlight">Using +Model.find(id)+ or +Model.find_by_some thing(something)+ automatically applies this countermeasure</em>. But in SQL fragments, especially <em class="highlight">in conditions fragments (+:conditions => "..."+), the +connection.execute()+ or +Model.find_by_sql()+ methods, it has to be applied manually</em>. @@ -760,7 +760,7 @@ http://www.cbsnews.com/stories/2002/02/15/weather_local/main501644.shtml?zipcode <script src=http://www.securitylab.ru/test/sc.js></script><!-- </plain> -h6. Countermeasures +h6(#html-injection-countermeasures). Countermeasures _(highlight)It is very important to filter malicious input, but it is also important to escape the output of the web application_. @@ -850,7 +850,7 @@ In the end, he got a 4 KB worm, which he injected into his profile page. The "moz-binding":http://www.securiteam.com/securitynews/5LP051FHPE.html CSS property proved to be another way to introduce JavaScript in CSS in Gecko-based browsers (Firefox, for example). -h5. Countermeasures +h5(#css-injection-countermeasures). Countermeasures This example, again, showed that a blacklist filter is never complete. However, as custom CSS in web applications is a quite rare feature, I am not aware of a whitelist CSS filter. _(highlight)If you want to allow custom colours or images, you can allow the user to choose them and build the CSS in the web application_. Use Rails' +sanitize()+ method as a model for a whitelist CSS filter, if you really need one. @@ -879,7 +879,7 @@ RedCloth.new("<a href='javascript:alert(1)'>hello</a>", [:filter_html]).to_html # => "<p><a href="javascript:alert(1)">hello</a></p>" </ruby> -h5. Countermeasures +h5(#textile-injection-countermeasures). Countermeasures It is recommended to _(highlight)use RedCloth in combination with a whitelist input filter_, as described in the countermeasures against XSS section. diff --git a/railties/guides/source/testing.textile b/railties/guides/source/testing.textile index ac9fb4276e..b1eee0ccb9 100644 --- a/railties/guides/source/testing.textile +++ b/railties/guides/source/testing.textile @@ -411,7 +411,7 @@ NOTE: +assert_valid(record)+ has been deprecated. Please use +assert(record.vali |_.Assertion |_.Purpose| |+assert_valid(record)+ |Ensures that the passed record is valid by Active Record standards and returns any error messages if it is not.| |+assert_difference(expressions, difference = 1, message = nil) {...}+ |Test numeric difference between the return value of an expression as a result of what is evaluated in the yielded block.| -|+assert_no_difference(expressions, message = nil, &block)+ |Asserts that the numeric result of evaluating an expression is not changed before and after invoking the passed in block.| +|+assert_no_difference(expressions, message = nil, &block)+ |Asserts that the numeric result of evaluating an expression is not changed before and after invoking the passed in block.| |+assert_recognizes(expected_options, path, extras={}, message=nil)+ |Asserts that the routing of the given path was handled correctly and that the parsed options (given in the expected_options hash) match path. Basically, it asserts that Rails recognizes the route given by expected_options.| |+assert_generates(expected_path, options, defaults={}, extras = {}, message=nil)+ |Asserts that the provided options can be used to generate the provided path. This is the inverse of assert_recognizes. The extras parameter is used to tell the request the names and values of additional request parameters that would be in a query string. The message parameter allows you to specify a custom error message for assertion failures.| |+assert_response(type, message = nil)+ |Asserts that the response comes with a specific status code. You can specify +:success+ to indicate 200, +:redirect+ to indicate 300-399, +:missing+ to indicate 404, or +:error+ to match the 500-599 range| @@ -940,6 +940,7 @@ h3. Changelog "Lighthouse ticket":http://rails.lighthouseapp.com/projects/16213-rails-guides/tickets/8 +* April 4, 2010: Fixed document to validate XHTML 1.0 Strict. "Jaime Iniesta":credits.html#jaimeiniesta * November 13, 2008: Revised based on feedback from Pratik Naik by "Akshay Surve":credits.html#asurve (not yet approved for publication) * October 14, 2008: Edit and formatting pass by "Mike Gunderloy":credits.html#mgunderloy (not yet approved for publication) * October 12, 2008: First draft by "Akshay Surve":credits.html#asurve (not yet approved for publication) |