diff options
Diffstat (limited to 'railties/guides')
-rw-r--r-- | railties/guides/source/3_0_release_notes.textile | 42 | ||||
-rw-r--r-- | railties/guides/source/action_mailer_basics.textile | 8 | ||||
-rw-r--r-- | railties/guides/source/action_view_overview.textile | 2 | ||||
-rw-r--r-- | railties/guides/source/active_record_validations_callbacks.textile | 151 | ||||
-rw-r--r-- | railties/guides/source/active_support_core_extensions.textile | 14 | ||||
-rw-r--r-- | railties/guides/source/asset_pipeline.textile | 29 | ||||
-rw-r--r-- | railties/guides/source/configuring.textile | 2 | ||||
-rw-r--r-- | railties/guides/source/form_helpers.textile | 2 | ||||
-rw-r--r-- | railties/guides/source/getting_started.textile | 2 | ||||
-rw-r--r-- | railties/guides/source/plugins.textile | 41 | ||||
-rw-r--r-- | railties/guides/source/routing.textile | 2 | ||||
-rw-r--r-- | railties/guides/source/ruby_on_rails_guides_guidelines.textile | 4 | ||||
-rw-r--r-- | railties/guides/source/security.textile | 10 |
13 files changed, 161 insertions, 148 deletions
diff --git a/railties/guides/source/3_0_release_notes.textile b/railties/guides/source/3_0_release_notes.textile index f75b245ed8..fbb684978a 100644 --- a/railties/guides/source/3_0_release_notes.textile +++ b/railties/guides/source/3_0_release_notes.textile @@ -61,7 +61,7 @@ h4. Upgrade Process To help with the upgrade process, a plugin named "Rails Upgrade":http://github.com/jm/rails_upgrade has been created to automate part of it. -Simply install the plugin, then run +rake rails:upgrade:check+ to check your app for pieces that need to be updated (with links to information on how to update them). It also offers a task to generate a +Gemfile+ based on your current +config.gem+ calls and a task to generate a new routes file from your current one. To get the plugin, simply run the following: +Simply install the plugin, then run +rake rails:upgrade:check+ to check your app for pieces that need to be updated (with links to information on how to update them). It also offers a task to generate a +Gemfile+ based on your current +config.gem+ calls and a task to generate a new routes file from your current one. To get the plugin, simply run the following: <shell> $ ruby script/plugin install git://github.com/jm/rails_upgrade.git @@ -69,7 +69,7 @@ $ ruby script/plugin install git://github.com/jm/rails_upgrade.git You can see an example of how that works at "Rails Upgrade is now an Official Plugin":http://omgbloglol.com/post/364624593/rails-upgrade-is-now-an-official-plugin -Aside from Rails Upgrade tool, if you need more help, there are people on IRC and "rubyonrails-talk":http://groups.google.com/group/rubyonrails-talk that are probably doing the same thing, possibly hitting the same issues. Be sure to blog your own experiences when upgrading so others can benefit from your knowledge! +Aside from Rails Upgrade tool, if you need more help, there are people on IRC and "rubyonrails-talk":http://groups.google.com/group/rubyonrails-talk that are probably doing the same thing, possibly hitting the same issues. Be sure to blog your own experiences when upgrading so others can benefit from your knowledge! More information - "The Path to Rails 3: Approaching the upgrade":http://omgbloglol.com/post/353978923/the-path-to-rails-3-approaching-the-upgrade @@ -113,42 +113,42 @@ Railties was updated to provide a consistent plugin API for the entire Rails fra h4. All Rails core components are decoupled -With the merge of Merb and Rails, one of the big jobs was to remove the tight coupling between Rails core components. This has now been achieved, and all Rails core components are now using the same API that you can use for developing plugins. This means any plugin you make, or any core component replacement (like DataMapper or Sequel) can access all the functionality that the Rails core components have access to and extend and enhance at will. +With the merge of Merb and Rails, one of the big jobs was to remove the tight coupling between Rails core components. This has now been achieved, and all Rails core components are now using the same API that you can use for developing plugins. This means any plugin you make, or any core component replacement (like DataMapper or Sequel) can access all the functionality that the Rails core components have access to and extend and enhance at will. More information: - "The Great Decoupling":http://yehudakatz.com/2009/07/19/rails-3-the-great-decoupling/ h4. Active Model Abstraction -Part of decoupling the core components was extracting all ties to Active Record from Action Pack. This has now been completed. All new ORM plugins now just need to implement Active Model interfaces to work seamlessly with Action Pack. +Part of decoupling the core components was extracting all ties to Active Record from Action Pack. This has now been completed. All new ORM plugins now just need to implement Active Model interfaces to work seamlessly with Action Pack. More information: - "Make Any Ruby Object Feel Like ActiveRecord":http://yehudakatz.com/2010/01/10/activemodel-make-any-ruby-object-feel-like-activerecord/ h4. Controller Abstraction -Another big part of decoupling the core components was creating a base superclass that is separated from the notions of HTTP in order to handle rendering of views etc. This creation of +AbstractController+ allowed +ActionController+ and +ActionMailer+ to be greatly simplified with common code removed from all these libraries and put into Abstract Controller. +Another big part of decoupling the core components was creating a base superclass that is separated from the notions of HTTP in order to handle rendering of views etc. This creation of +AbstractController+ allowed +ActionController+ and +ActionMailer+ to be greatly simplified with common code removed from all these libraries and put into Abstract Controller. More Information: - "Rails Edge Architecture":http://yehudakatz.com/2009/06/11/rails-edge-architecture/ h4. Arel Integration -"Arel":http://github.com/brynary/arel (or Active Relation) has been taken on as the underpinnings of Active Record and is now required for Rails. Arel provides an SQL abstraction that simplifies out Active Record and provides the underpinnings for the relation functionality in Active Record. +"Arel":http://github.com/brynary/arel (or Active Relation) has been taken on as the underpinnings of Active Record and is now required for Rails. Arel provides an SQL abstraction that simplifies out Active Record and provides the underpinnings for the relation functionality in Active Record. More information: - "Why I wrote Arel":http://magicscalingsprinkles.wordpress.com/2010/01/28/why-i-wrote-arel/. h4. Mail Extraction -Action Mailer ever since its beginnings has had monkey patches, pre parsers and even delivery and receiver agents, all in addition to having TMail vendored in the source tree. Version 3 changes that with all email message related functionality abstracted out to the "Mail":http://github.com/mikel/mail gem. This again reduces code duplication and helps create definable boundaries between Action Mailer and the email parser. +Action Mailer ever since its beginnings has had monkey patches, pre parsers and even delivery and receiver agents, all in addition to having TMail vendored in the source tree. Version 3 changes that with all email message related functionality abstracted out to the "Mail":http://github.com/mikel/mail gem. This again reduces code duplication and helps create definable boundaries between Action Mailer and the email parser. More information: - "New Action Mailer API in Rails 3":http://lindsaar.net/2010/1/26/new-actionmailer-api-in-rails-3 h3. Documentation -The documentation in the Rails tree is being updated with all the API changes, additionally, the "Rails Edge Guides":http://edgeguides.rubyonrails.org/ are being updated one by one to reflect the changes in Rails 3.0. The guides at "guides.rubyonrails.org":http://guides.rubyonrails.org/ however will continue to contain only the stable version of Rails (at this point, version 2.3.5, until 3.0 is released). +The documentation in the Rails tree is being updated with all the API changes, additionally, the "Rails Edge Guides":http://edgeguides.rubyonrails.org/ are being updated one by one to reflect the changes in Rails 3.0. The guides at "guides.rubyonrails.org":http://guides.rubyonrails.org/ however will continue to contain only the stable version of Rails (at this point, version 2.3.5, until 3.0 is released). More Information: - "Rails Documentation Projects":http://weblog.rubyonrails.org/2009/1/15/rails-documentation-projects. @@ -157,7 +157,7 @@ h3. Internationalization A large amount of work has been done with I18n support in Rails 3, including the latest "I18n":http://github.com/svenfuchs/i18n gem supplying many speed improvements. -* I18n for any object - I18n behavior can be added to any object by including <tt>ActiveModel::Translation</tt> and <tt>ActiveModel::Validations</tt>. There is also an <tt>errors.messages</tt> fallback for translations. +* I18n for any object - I18n behavior can be added to any object by including <tt>ActiveModel::Translation</tt> and <tt>ActiveModel::Validations</tt>. There is also an <tt>errors.messages</tt> fallback for translations. * Attributes can have default translations. * Form Submit Tags automatically pull the correct status (Create or Update) depending on the object status, and so pull the correct translation. * Labels with I18n also now work by just passing the attribute name. @@ -173,7 +173,7 @@ With the decoupling of the main Rails frameworks, Railties got a huge overhaul s * Anything under <tt>Rails.root/app</tt> is now added to the load path, so you can make <tt>app/observers/user_observer.rb</tt> and Rails will load it without any modifications. * Rails 3.0 now provides a <tt>Rails.config</tt> object, which provides a central repository of all sorts of Rails wide configuration options. -Application generation has received extra flags allowing you to skip the installation of test-unit, Active Record, Prototype and Git. Also a new <tt>--dev</tt> flag has been added which sets the application up with the +Gemfile+ pointing to your Rails checkout (which is determined by the path to the +rails+ binary). See <tt>rails --help</tt> for more info. +Application generation has received extra flags allowing you to skip the installation of test-unit, Active Record, Prototype and Git. Also a new <tt>--dev</tt> flag has been added which sets the application up with the +Gemfile+ pointing to your Rails checkout (which is determined by the path to the +rails+ binary). See <tt>rails --help</tt> for more info. Railties generators got a huge amount of attention in Rails 3.0, basically: @@ -215,7 +215,7 @@ There have been significant internal and external changes in Action Pack. h4. Abstract Controller -Abstract Controller pulls out the generic parts of Action Controller into a reusable module that any library can use to render templates, render partials, helpers, translations, logging, any part of the request response cycle. This abstraction allowed <tt>ActionMailer::Base</tt> to now just inherit from +AbstractController+ and just wrap the Rails DSL onto the Mail gem. +Abstract Controller pulls out the generic parts of Action Controller into a reusable module that any library can use to render templates, render partials, helpers, translations, logging, any part of the request response cycle. This abstraction allowed <tt>ActionMailer::Base</tt> to now just inherit from +AbstractController+ and just wrap the Rails DSL onto the Mail gem. It also provided an opportunity to clean up Action Controller, abstracting out what could to simplify the code. @@ -231,7 +231,7 @@ h4. Action Controller * The <tt>session_store</tt> was configured in <tt>ActionController::Base.session</tt>, and that is now moved to <tt>Rails.application.config.session_store</tt>. Defaults are set up in <tt>config/initializers/session_store.rb</tt>. * <tt>cookies.secure</tt> allowing you to set encrypted values in cookies with <tt>cookie.secure[:key] => value</tt>. * <tt>cookies.permanent</tt> allowing you to set permanent values in the cookie hash <tt>cookie.permanent[:key] => value</tt> that raise exceptions on signed values if verification failures. -* You can now pass <tt>:notice => 'This is a flash message'</tt> or <tt>:alert => 'Something went wrong'</tt> to the <tt>format</tt> call inside a +respond_to+ block. The <tt>flash[]</tt> hash still works as previously. +* You can now pass <tt>:notice => 'This is a flash message'</tt> or <tt>:alert => 'Something went wrong'</tt> to the <tt>format</tt> call inside a +respond_to+ block. The <tt>flash[]</tt> hash still works as previously. * <tt>respond_with</tt> method has now been added to your controllers simplifying the venerable +format+ blocks. * <tt>ActionController::Responder</tt> added allowing you flexibility in how your responses get generated. @@ -298,9 +298,9 @@ h4. Action View h5. Unobtrusive JavaScript -Major re-write was done in the Action View helpers, implementing Unobtrusive JavaScript (UJS) hooks and removing the old inline AJAX commands. This enables Rails to use any compliant UJS driver to implement the UJS hooks in the helpers. +Major re-write was done in the Action View helpers, implementing Unobtrusive JavaScript (UJS) hooks and removing the old inline AJAX commands. This enables Rails to use any compliant UJS driver to implement the UJS hooks in the helpers. -What this means is that all previous <tt>remote_<method></tt> helpers have been removed from Rails core and put into the "Prototype Legacy Helper":http://github.com/rails/prototype_legacy_helper. To get UJS hooks into your HTML, you now pass <tt>:remote => true</tt> instead. For example: +What this means is that all previous <tt>remote_<method></tt> helpers have been removed from Rails core and put into the "Prototype Legacy Helper":http://github.com/rails/prototype_legacy_helper. To get UJS hooks into your HTML, you now pass <tt>:remote => true</tt> instead. For example: <ruby> form_for @post, :remote => true @@ -341,12 +341,12 @@ h5. Other Changes h3. Active Model -Active Model is new in Rails 3.0. It provides an abstraction layer for any ORM libraries to use to interact with Rails by implementing an Active Model interface. +Active Model is new in Rails 3.0. It provides an abstraction layer for any ORM libraries to use to interact with Rails by implementing an Active Model interface. h4. ORM Abstraction and Action Pack Interface -Part of decoupling the core components was extracting all ties to Active Record from Action Pack. This has now been completed. All new ORM plugins now just need to implement Active Model interfaces to work seamlessly with Action Pack. +Part of decoupling the core components was extracting all ties to Active Record from Action Pack. This has now been completed. All new ORM plugins now just need to implement Active Model interfaces to work seamlessly with Action Pack. More Information: - "Make Any Ruby Object Feel Like ActiveRecord":http://yehudakatz.com/2010/01/10/activemodel-make-any-ruby-object-feel-like-activerecord/ @@ -410,12 +410,12 @@ More Information: h3. Active Record -Active Record received a lot of attention in Rails 3.0, including abstraction into Active Model, a full update to the Query interface using Arel, validation updates and many enhancements and fixes. All of the Rails 2.x API will be usable through a compatibility layer that will be supported until version 3.1. +Active Record received a lot of attention in Rails 3.0, including abstraction into Active Model, a full update to the Query interface using Arel, validation updates and many enhancements and fixes. All of the Rails 2.x API will be usable through a compatibility layer that will be supported until version 3.1. h4. Query Interface -Active Record, through the use of Arel, now returns relations on its core methods. The existing API in Rails 2.3.x is still supported and will not be deprecated until Rails 3.1 and not removed until Rails 3.2, however, the new API provides the following new methods that all return relations allowing them to be chained together: +Active Record, through the use of Arel, now returns relations on its core methods. The existing API in Rails 2.3.x is still supported and will not be deprecated until Rails 3.1 and not removed until Rails 3.2, however, the new API provides the following new methods that all return relations allowing them to be chained together: * <tt>where</tt> - provides conditions on the relation, what gets returned. * <tt>select</tt> - choose what attributes of the models you wish to have returned from the database. @@ -502,7 +502,7 @@ Deprecations: h3. Active Support -A large effort was made in Active Support to make it cherry pickable, that is, you no longer have to require the entire Active Support library to get pieces of it. This allows the various core components of Rails to run slimmer. +A large effort was made in Active Support to make it cherry pickable, that is, you no longer have to require the entire Active Support library to get pieces of it. This allows the various core components of Rails to run slimmer. These are the main changes in Active Support: @@ -559,7 +559,7 @@ The following methods have been removed because they are no longer used in the f h3. Action Mailer -Action Mailer has been given a new API with TMail being replaced out with the new "Mail":http://github.com/mikel/mail as the Email library. Action Mailer itself has been given an almost complete re-write with pretty much every line of code touched. The result is that Action Mailer now simply inherits from Abstract Controller and wraps the Mail gem in a Rails DSL. This reduces the amount of code and duplication of other libraries in Action Mailer considerably. +Action Mailer has been given a new API with TMail being replaced out with the new "Mail":http://github.com/mikel/mail as the Email library. Action Mailer itself has been given an almost complete re-write with pretty much every line of code touched. The result is that Action Mailer now simply inherits from Abstract Controller and wraps the Mail gem in a Rails DSL. This reduces the amount of code and duplication of other libraries in Action Mailer considerably. * All mailers are now in <tt>app/mailers</tt> by default. * Can now send email using new API with three methods: +attachments+, +headers+ and +mail+. @@ -589,7 +589,7 @@ More Information: h3. Credits -See the "full list of contributors to Rails":http://contributors.rubyonrails.org/ for the many people who spent many hours making Rails 3. Kudos to all of them. +See the "full list of contributors to Rails":http://contributors.rubyonrails.org/ for the many people who spent many hours making Rails 3. Kudos to all of them. Rails 3.0 Release Notes were compiled by "Mikel Lindsaar":http://lindsaar.net. diff --git a/railties/guides/source/action_mailer_basics.textile b/railties/guides/source/action_mailer_basics.textile index a6ff8f877d..e1ff49cd60 100644 --- a/railties/guides/source/action_mailer_basics.textile +++ b/railties/guides/source/action_mailer_basics.textile @@ -104,7 +104,7 @@ When you call the +mail+ method now, Action Mailer will detect the two templates h5. Wire It Up So That the System Sends the Email When a User Signs Up -There are several ways to do this, some people create Rails Observers to fire off emails, others do it inside of the User Model. However, in Rails 3, mailers are really just another way to render a view. Instead of rendering a view and sending out the HTTP protocol, they are just sending it out through the Email protocols instead. Due to this, it makes sense to just have your controller tell the mailer to send an email when a user is successfully created. +There are several ways to do this, some people create Rails Observers to fire off emails, others do it inside of the User Model. However, in Rails 3, mailers are really just another way to render a view. Instead of rendering a view and sending out the HTTP protocol, they are just sending it out through the Email protocols instead. Due to this, it makes sense to just have your controller tell the mailer to send an email when a user is successfully created. Setting this up is painfully simple. @@ -293,7 +293,7 @@ class UserMailer < ActionMailer::Base end </ruby> -Will render 'another_template.text.erb' and 'another_template.html.erb'. The render command is the same one used inside of Action Controller, so you can use all the same options, such as <tt>:text</tt> etc. +Will render 'another_template.text.erb' and 'another_template.html.erb'. The render command is the same one used inside of Action Controller, so you can use all the same options, such as <tt>:text</tt> etc. h4. Action Mailer Layouts @@ -363,7 +363,7 @@ h4. Sending Multipart Emails Action Mailer will automatically send multipart emails if you have different templates for the same action. So, for our UserMailer example, if you have +welcome_email.text.erb+ and +welcome_email.html.erb+ in +app/views/user_mailer+, Action Mailer will automatically send a multipart email with the HTML and text versions setup as different parts. -The order of the parts getting inserted is determined by the <tt>:parts_order</tt> inside of the <tt>ActionMailer::Base.default</tt> method. If you want to explicitly alter the order, you can either change the <tt>:parts_order</tt> or explicitly render the parts in a different order: +The order of the parts getting inserted is determined by the <tt>:parts_order</tt> inside of the <tt>ActionMailer::Base.default</tt> method. If you want to explicitly alter the order, you can either change the <tt>:parts_order</tt> or explicitly render the parts in a different order: <ruby> class UserMailer < ActionMailer::Base @@ -419,7 +419,7 @@ class UserMailer < ActionMailer::Base ) if email.has_attachments? - for attachment in email.attachments + email.attachments.each do |attachment| page.attachments.create({ :file => attachment, :description => email.subject diff --git a/railties/guides/source/action_view_overview.textile b/railties/guides/source/action_view_overview.textile index 2b2c197f46..b064851312 100644 --- a/railties/guides/source/action_view_overview.textile +++ b/railties/guides/source/action_view_overview.textile @@ -615,7 +615,7 @@ atom_feed do |feed| feed.title("Posts Index") feed.updated((@posts.first.created_at)) - for post in @posts + @posts.each do |post| feed.entry(post) do |entry| entry.title(post.title) entry.content(post.body, :type => 'html') diff --git a/railties/guides/source/active_record_validations_callbacks.textile b/railties/guides/source/active_record_validations_callbacks.textile index 19bd4ad0f1..9f59397d7d 100644 --- a/railties/guides/source/active_record_validations_callbacks.textile +++ b/railties/guides/source/active_record_validations_callbacks.textile @@ -165,23 +165,23 @@ Each helper accepts an arbitrary number of attribute names, so with a single lin All of them accept the +:on+ and +:message+ options, which define when the validation should be run and what message should be added to the +errors+ collection if it fails, respectively. The +:on+ option takes one of the values +:save+ (the default), +:create+ or +:update+. There is a default error message for each one of the validation helpers. These messages are used when the +:message+ option isn't specified. Let's take a look at each one of the available helpers. -h4. +validates_acceptance_of+ +h4. +acceptance+ Validates that a checkbox on the user interface was checked when a form was submitted. This is typically used when the user needs to agree to your application's terms of service, confirm reading some text, or any similar concept. This validation is very specific to web applications and this 'acceptance' does not need to be recorded anywhere in your database (if you don't have a field for it, the helper will just create a virtual attribute). <ruby> class Person < ActiveRecord::Base - validates_acceptance_of :terms_of_service + validates :terms_of_service, :acceptance => true end </ruby> -The default error message for +validates_acceptance_of+ is "_must be accepted_". +The default error message for this helper is "_must be accepted_". -+validates_acceptance_of+ can receive an +:accept+ option, which determines the value that will be considered acceptance. It defaults to "1", but you can change this. +It can receive an +:accept+ option, which determines the value that will be considered acceptance. It defaults to "1" and can be easily changed. <ruby> class Person < ActiveRecord::Base - validates_acceptance_of :terms_of_service, :accept => 'yes' + validates :terms_of_service, :acceptance => true, :accept => 'yes' end </ruby> @@ -202,13 +202,13 @@ CAUTION: Don't use +validates_associated+ on both ends of your associations. The The default error message for +validates_associated+ is "_is invalid_". Note that each associated object will contain its own +errors+ collection; errors do not bubble up to the calling model. -h4. +validates_confirmation_of+ +h4. +confirmation+ You should use this helper when you have two text fields that should receive exactly the same content. For example, you may want to confirm an email address or a password. This validation creates a virtual attribute whose name is the name of the field that has to be confirmed with "_confirmation" appended. <ruby> class Person < ActiveRecord::Base - validates_confirmation_of :email + validates :email, :confirmation => true end </ruby> @@ -219,70 +219,70 @@ In your view template you could use something like <%= text_field :person, :email_confirmation %> </erb> -This check is performed only if +email_confirmation+ is not +nil+. To require confirmation, make sure to add a presence check for the confirmation attribute (we'll take a look at +validates_presence_of+ later on this guide): +This check is performed only if +email_confirmation+ is not +nil+. To require confirmation, make sure to add a presence check for the confirmation attribute (we'll take a look at +presence+ later on this guide): <ruby> class Person < ActiveRecord::Base - validates_confirmation_of :email - validates_presence_of :email_confirmation + validates :email, :confirmation => true + validates :email_confirmation, :presence => true end </ruby> -The default error message for +validates_confirmation_of+ is "_doesn't match confirmation_". +The default error message for this helper is "_doesn't match confirmation_". -h4. +validates_exclusion_of+ +h4. +exclusion+ This helper validates that the attributes' values are not included in a given set. In fact, this set can be any enumerable object. <ruby> class Account < ActiveRecord::Base - validates_exclusion_of :subdomain, :in => %w(www us ca jp), - :message => "Subdomain %{value} is reserved." + validates :subdomain, :exclusion => { :in => %w(www us ca jp), + :message => "Subdomain %{value} is reserved." } end </ruby> -The +validates_exclusion_of+ helper has an option +:in+ that receives the set of values that will not be accepted for the validated attributes. The +:in+ option has an alias called +:within+ that you can use for the same purpose, if you'd like to. This example uses the +:message+ option to show how you can include the attribute's value. +The +exclusion+ helper has an option +:in+ that receives the set of values that will not be accepted for the validated attributes. The +:in+ option has an alias called +:within+ that you can use for the same purpose, if you'd like to. This example uses the +:message+ option to show how you can include the attribute's value. -The default error message for +validates_exclusion_of+ is "_is reserved_". +The default error message is "_is reserved_". -h4. +validates_format_of+ +h4. +format+ This helper validates the attributes' values by testing whether they match a given regular expression, which is specified using the +:with+ option. <ruby> class Product < ActiveRecord::Base - validates_format_of :legacy_code, :with => /\A[a-zA-Z]+\z/, - :message => "Only letters allowed" + validates :legacy_code, :format => { :with => /\A[a-zA-Z]+\z/, + :message => "Only letters allowed" } end </ruby> -The default error message for +validates_format_of+ is "_is invalid_". +The default error message is "_is invalid_". -h4. +validates_inclusion_of+ +h4. +inclusion+ This helper validates that the attributes' values are included in a given set. In fact, this set can be any enumerable object. <ruby> class Coffee < ActiveRecord::Base - validates_inclusion_of :size, :in => %w(small medium large), - :message => "%{value} is not a valid size" + validates :size, :inclusion => { :in => %w(small medium large), + :message => "%{value} is not a valid size" } end </ruby> -The +validates_inclusion_of+ helper has an option +:in+ that receives the set of values that will be accepted. The +:in+ option has an alias called +:within+ that you can use for the same purpose, if you'd like to. The previous example uses the +:message+ option to show how you can include the attribute's value. +The +inclusion+ helper has an option +:in+ that receives the set of values that will be accepted. The +:in+ option has an alias called +:within+ that you can use for the same purpose, if you'd like to. The previous example uses the +:message+ option to show how you can include the attribute's value. -The default error message for +validates_inclusion_of+ is "_is not included in the list_". +The default error message for this helper is "_is not included in the list_". -h4. +validates_length_of+ +h4. +length+ This helper validates the length of the attributes' values. It provides a variety of options, so you can specify length constraints in different ways: <ruby> class Person < ActiveRecord::Base - validates_length_of :name, :minimum => 2 - validates_length_of :bio, :maximum => 500 - validates_length_of :password, :in => 6..20 - validates_length_of :registration_number, :is => 6 + validates :name, :length => { :minimum => 2 } + validates :bio, :length => { :maximum => 500 } + validates :password, :length => { :in => 6..20 } + validates :registration_number, :length => { :is => 6 } end </ruby> @@ -297,8 +297,8 @@ The default error messages depend on the type of length validation being perform <ruby> class Person < ActiveRecord::Base - validates_length_of :bio, :maximum => 1000, - :too_long => "%{count} characters is the maximum allowed" + validates :bio, :length => { :maximum => 1000, + :too_long => "%{count} characters is the maximum allowed" } end </ruby> @@ -306,20 +306,21 @@ This helper counts characters by default, but you can split the value in a diffe <ruby> class Essay < ActiveRecord::Base - validates_length_of :content, + validates :content, :length => { :minimum => 300, :maximum => 400, :tokenizer => lambda { |str| str.scan(/\w+/) }, :too_short => "must have at least %{count} words", :too_long => "must have at most %{count} words" + } end </ruby> -Note that the default error messages are plural (e.g., "is too short (minimum is %{count} characters)"). For this reason, when +:minimum+ is 1 you should provide a personalized message or use +validates_presence_of+ instead. When +:in+ or +:within+ have a lower limit of 1, you should either provide a personalized message or call +validates_presence_of+ prior to +validates_length_of+. +Note that the default error messages are plural (e.g., "is too short (minimum is %{count} characters)"). For this reason, when +:minimum+ is 1 you should provide a personalized message or use +validates_presence_of+ instead. When +:in+ or +:within+ have a lower limit of 1, you should either provide a personalized message or call +presence+ prior to +length+. -The +validates_size_of+ helper is an alias for +validates_length_of+. +The +size+ helper is an alias for +length+. -h4. +validates_numericality_of+ +h4. +numericality+ This helper validates that your attributes have only numeric values. By default, it will match an optional sign followed by an integral or floating point number. To specify that only integral numbers are allowed set +:only_integer+ to true. @@ -335,12 +336,12 @@ WARNING. Note that the regular expression above allows a trailing newline charac <ruby> class Player < ActiveRecord::Base - validates_numericality_of :points - validates_numericality_of :games_played, :only_integer => true + validates :points, :numericality => true + validates :games_played, :numericality => true, :only_integer => true end </ruby> -Besides +:only_integer+, the +validates_numericality_of+ helper also accepts the following options to add constraints to acceptable values: +Besides +:only_integer+, this helper also accepts the following options to add constraints to acceptable values: * +:greater_than+ - Specifies the value must be greater than the supplied value. The default error message for this option is "_must be greater than %{count}_". * +:greater_than_or_equal_to+ - Specifies the value must be greater than or equal to the supplied value. The default error message for this option is "_must be greater than or equal to %{count}_". @@ -350,9 +351,9 @@ Besides +:only_integer+, the +validates_numericality_of+ helper also accepts the * +:odd+ - Specifies the value must be an odd number if set to true. The default error message for this option is "_must be odd_". * +:even+ - Specifies the value must be an even number if set to true. The default error message for this option is "_must be even_". -The default error message for +validates_numericality_of+ is "_is not a number_". +The default error message is "_is not a number_". -h4. +validates_presence_of+ +h4. +presence+ This helper validates that the specified attributes are not empty. It uses the +blank?+ method to check if the value is either +nil+ or a blank string, that is, a string that is either empty or consists of whitespace. @@ -367,21 +368,21 @@ If you want to be sure that an association is present, you'll need to test wheth <ruby> class LineItem < ActiveRecord::Base belongs_to :order - validates_presence_of :order_id + validates :order_id, :presence => true end </ruby> -Since +false.blank?+ is true, if you want to validate the presence of a boolean field you should use +validates_inclusion_of :field_name, :in => [true, false]+. +Since +false.blank?+ is true, if you want to validate the presence of a boolean field you should use <tt>validates :field_name, :inclusion => { :in => [true, false] }</tt>. -The default error message for +validates_presence_of+ is "_can't be empty_". +The default error message is "_can't be empty_". -h4. +validates_uniqueness_of+ +h4. +uniqueness+ This helper validates that the attribute's value is unique right before the object gets saved. It does not create a uniqueness constraint in the database, so it may happen that two different database connections create two records with the same value for a column that you intend to be unique. To avoid that, you must create a unique index in your database. <ruby> class Account < ActiveRecord::Base - validates_uniqueness_of :email + validates :email, :uniqueness => true end </ruby> @@ -391,7 +392,7 @@ There is a +:scope+ option that you can use to specify other attributes that are <ruby> class Holiday < ActiveRecord::Base - validates_uniqueness_of :name, :scope => :year, + validates :name, :uniqueness => true, :scope => :year, :message => "should happen once per year" end </ruby> @@ -400,13 +401,13 @@ There is also a +:case_sensitive+ option that you can use to define whether the <ruby> class Person < ActiveRecord::Base - validates_uniqueness_of :name, :case_sensitive => false + validates :name, :uniqueness => true, :case_sensitive => false end </ruby> WARNING. Note that some databases are configured to perform case-insensitive searches anyway. -The default error message for +validates_uniqueness_of+ is "_has already been taken_". +The default error message is "_has already been taken_". h4. +validates_with+ @@ -470,8 +471,8 @@ The +:allow_nil+ option skips the validation when the value being validated is + <ruby> class Coffee < ActiveRecord::Base - validates_inclusion_of :size, :in => %w(small medium large), - :message => "%{value} is not a valid size", :allow_nil => true + validates :size, :inclusion => { :in => %w(small medium large), + :message => "%{value} is not a valid size" }, :allow_nil => true end </ruby> @@ -483,10 +484,10 @@ The +:allow_blank+ option is similar to the +:allow_nil+ option. This option wil <ruby> class Topic < ActiveRecord::Base - validates_length_of :title, :is => 5, :allow_blank => true + validates :title, :length => { :is => 5 }, :allow_blank => true end -Topic.create("title" => "").valid? # => true +Topic.create("title" => "").valid? # => true Topic.create("title" => nil).valid? # => true </ruby> @@ -503,10 +504,10 @@ The +:on+ option lets you specify when the validation should happen. The default <ruby> class Person < ActiveRecord::Base # it will be possible to update email with a duplicated value - validates_uniqueness_of :email, :on => :create + validates :email, :uniqueness => true, :on => :create # it will be possible to create the record with a non-numerical age - validates_numericality_of :age, :on => :update + validates :age, :numericality => true, :on => :update # the default (validates on both create and update) validates :name, :presence => true, :on => :save @@ -523,7 +524,7 @@ You can associate the +:if+ and +:unless+ options with a symbol corresponding to <ruby> class Order < ActiveRecord::Base - validates_presence_of :card_number, :if => :paid_with_card? + validates :card_number, :presence => true, :if => :paid_with_card? def paid_with_card? payment_type == "card" @@ -537,7 +538,7 @@ You can also use a string that will be evaluated using +eval+ and needs to conta <ruby> class Person < ActiveRecord::Base - validates_presence_of :surname, :if => "name.nil?" + validates :surname, :presence => true, :if => "name.nil?" end </ruby> @@ -547,7 +548,7 @@ Finally, it's possible to associate +:if+ and +:unless+ with a +Proc+ object whi <ruby> class Account < ActiveRecord::Base - validates_confirmation_of :password, + validates :password, :confirmation => true, :unless => Proc.new { |a| a.password.blank? } end </ruby> @@ -559,8 +560,8 @@ Sometimes it is useful to have multiple validations use one condition, it can be <ruby> class User < ActiveRecord::Base with_options :if => :is_admin? do |admin| - admin.validates_length_of :password, :minimum => 10 - admin.validates_presence_of :email + admin.validates :password, :length => { :minimum => 10 } + admin.validates :email, :presence => true end end </ruby> @@ -597,7 +598,7 @@ You can even create your own validation helpers and reuse them in several differ <ruby> ActiveRecord::Base.class_eval do def self.validates_as_choice(attr_name, n, options={}) - validates_inclusion_of attr_name, {:in => 1..n}.merge(options) + validates attr_name, :inclusion => { {:in => 1..n}.merge(options) } end end </ruby> @@ -622,8 +623,7 @@ Returns an OrderedHash with all errors. Each key is the attribute name and the v <ruby> class Person < ActiveRecord::Base - validates :name, :presence => true - validates_length_of :name, :minimum => 3 + validates :name, :presence => true, :length => { :minimum => 3 } end person = Person.new @@ -642,8 +642,7 @@ h4(#working_with_validation_errors-errors-2). +errors[]+ <ruby> class Person < ActiveRecord::Base - validates :name, :presence => true - validates_length_of :name, :minimum => 3 + validates :name, :presence => true, :length => { :minimum => 3 } end person = Person.new(:name => "John Doe") @@ -718,8 +717,7 @@ The +clear+ method is used when you intentionally want to clear all the messages <ruby> class Person < ActiveRecord::Base - validates :name, :presence => true - validates_length_of :name, :minimum => 3 + validates :name, :presence => true, :length => { :minimum => 3 } end person = Person.new @@ -742,9 +740,7 @@ The +size+ method returns the total number of error messages for the object. <ruby> class Person < ActiveRecord::Base - validates :name, :presence => true - validates_length_of :name, :minimum => 3 - validates_presence_of :email + validates :name, :presence => true, :length => { :minimum => 3 } end person = Person.new @@ -765,13 +761,14 @@ h4. Installing as a plugin $ rails plugin install git://github.com/joelmoss/dynamic_form.git </shell> -h4 Installing as a Gem -Add this line on your Gemfile: +h4. Installing as a Gem + +Add this line in your Gemfile: <ruby> gem "dynamic_form" </ruby> -Now you will have access to these two methods in your view templates: +Now you will have access to these two methods in your view templates. h4. +error_messages+ and +error_messages_for+ @@ -779,8 +776,8 @@ When creating a form with the +form_for+ helper, you can use the +error_messages <ruby> class Product < ActiveRecord::Base - validates_presence_of :description, :value - validates_numericality_of :value, :allow_nil => true + validates :description, :value, :presence => true + validates :value, :numericality => true, :allow_nil => true end </ruby> @@ -878,7 +875,7 @@ In order to use the available callbacks, you need to register them. You can do t <ruby> class User < ActiveRecord::Base - validates_presence_of :login, :email + validates :login, :email, :presence => true before_validation :ensure_login_has_a_value @@ -895,7 +892,7 @@ The macro-style class methods can also receive a block. Consider using this styl <ruby> class User < ActiveRecord::Base - validates_presence_of :login, :email + validates :login, :email, :presence => true before_create do |user| user.name = user.login.capitalize if user.name.blank? diff --git a/railties/guides/source/active_support_core_extensions.textile b/railties/guides/source/active_support_core_extensions.textile index 66869b4eeb..43aa6dfbbb 100644 --- a/railties/guides/source/active_support_core_extensions.textile +++ b/railties/guides/source/active_support_core_extensions.textile @@ -436,20 +436,6 @@ end NOTE: Defined in +active_support/core_ext/kernel/reporting.rb+. -h4. +require_library_or_gem+ - -The convenience method +require_library_or_gem+ tries to load its argument with a regular +require+ first. If it fails loads +rubygems+ and tries again. - -If the first attempt is a failure and +rubygems+ can't be loaded the method raises +LoadError+. A +LoadError+ is also raised if +rubygems+ is available but the argument is not loadable as a gem. - -For example, that's the way the MySQL adapter loads the MySQL library: - -<ruby> -require_library_or_gem('mysql') -</ruby> - -NOTE: Defined in +active_support/core_ext/kernel/requires.rb+. - h4. +in?+ The predicate +in?+ tests if an object is included in another object. An +ArgumentError+ exception will be raised if the argument passed does not respond to +include?+. diff --git a/railties/guides/source/asset_pipeline.textile b/railties/guides/source/asset_pipeline.textile new file mode 100644 index 0000000000..9ea1aa9e01 --- /dev/null +++ b/railties/guides/source/asset_pipeline.textile @@ -0,0 +1,29 @@ +h2. Asset Pipeline + +This guide will cover the ideology of the asset pipeline introduced in Rails 3.1. +By referring to this guide you will be able to: + +* Properly organize your application assets +* Understand the benefits of the asset pipline +* Adding a preproccessor to the pipeline +* Package assets with your plugin + +endprologue. + +h3. What Is The Asset Pipeline? + +h4. Why Should I Use it? + +h3. How to Use the Asset Pipeline + +h4. Asset Organization + +h4. Default Files Loaded + +h4. Directives + +h4. Stacking Preproccessors + +h3. Packaging Assets with Your Plugin + +h3. More on Sprockets diff --git a/railties/guides/source/configuring.textile b/railties/guides/source/configuring.textile index fbe3d46367..135c849ec3 100644 --- a/railties/guides/source/configuring.textile +++ b/railties/guides/source/configuring.textile @@ -414,7 +414,7 @@ Rails has 5 initialization events which can be hooked into (listed in order that * +to_prepare+: Run after the initializers are ran for all Railties (including the application itself), but before eager loading and the middleware stack is built. -* +before_eager_load+: This is run directly before eager loading occurs, which is the default behaviour for the _production_ environment and not for the +development+ enviroment. +* +before_eager_load+: This is run directly before eager loading occurs, which is the default behaviour for the _production_ environment and not for the +development+ environment. * +after_initialize+: Run directly after the initialization of the application, but before the application initializers are run. diff --git a/railties/guides/source/form_helpers.textile b/railties/guides/source/form_helpers.textile index a63245acec..4134c9f8ed 100644 --- a/railties/guides/source/form_helpers.textile +++ b/railties/guides/source/form_helpers.textile @@ -712,7 +712,7 @@ You might want to render a form with a set of edit fields for each of a person's <erb> <%= form_for @person do |person_form| %> <%= person_form.text_field :name %> - <% for address in @person.addresses %> + <% @person.addresses.each do |address| %> <%= person_form.fields_for address, :index => address do |address_form|%> <%= address_form.text_field :city %> <% end %> diff --git a/railties/guides/source/getting_started.textile b/railties/guides/source/getting_started.textile index 1c66115d44..8a9086f416 100644 --- a/railties/guides/source/getting_started.textile +++ b/railties/guides/source/getting_started.textile @@ -544,7 +544,7 @@ This view iterates over the contents of the +@posts+ array to display content an * +link_to+ builds a hyperlink to a particular destination * +edit_post_path+ and +new_post_path+ are helpers that Rails provides as part of RESTful routing. You'll see a variety of these helpers for the different actions that the controller includes. -NOTE. In previous versions of Rails, you had to use +<%=h post.name %>+ so that any HTML would be escaped before being inserted into the page. In Rails 3.0, this is now the default. To get unescaped HTML, you now use +<%= raw post.name %>+. +NOTE. In previous versions of Rails, you had to use +<%=h post.name %>+ so that any HTML would be escaped before being inserted into the page. In Rails 3.0, this is now the default. To get unescaped HTML, you now use +<%= raw post.name %>+. TIP: For more details on the rendering process, see "Layouts and Rendering in Rails":layouts_and_rendering.html. diff --git a/railties/guides/source/plugins.textile b/railties/guides/source/plugins.textile index d486e8ade3..2eb71e49c4 100644 --- a/railties/guides/source/plugins.textile +++ b/railties/guides/source/plugins.textile @@ -25,33 +25,36 @@ endprologue. h3. Setup -h4. Generating the Plugin Skeleton +Before you continue, take a moment to decide if your new plugin will be potentially shared across different Rails applications. -Rails currently ships with a generator to generate a plugin within a Rails application. Help text is available that will explain -how this generator works. +* If your plugin is specific to your application, your new plugin will be a _vendored plugin_. +* If you think your plugin may be used across applications, build it as a _gemified plugin_. + +h4. Either generate a vendored plugin... + +Use the +rails generate plugin+ command in your Rails root directory + to create a new plugin that will live in the +vendor/plugins+ + directory. See usage and options by asking for help: <shell> -$ rails generate plugin --help +$ rails generate plugin new --help </shell> -This generator places the plugin into the vendor/plugins directory. +h4. Or generate a gemified plugin. -Vendored plugins are useful for quickly prototyping your plugin but current thinking in the Rails community is shifting towards -packaging plugins as gems, especially with the inclusion of Bundler as the Rails dependency manager. -Packaging a plugin as a gem may be overkill for any plugins that will not be shared across projects but doing so from the start makes it easier to share the plugin going forward without adding too much additional overhead during development. +Writing your Rails plugin as a gem, rather than as a vendored plugin, + lets you share your plugin across different rails applications using + RubyGems and Bundler. -Rails 3.1 will ship with a plugin generator that will default to setting up a plugin -as a gem. This tutorial will begin to bridge that gap by demonstrating how to create a gem based plugin using the -"Enginex gem":http://www.github.com/josevalim/enginex. +Rails 3.1 ships with a +rails plugin new+ command which creates a + skeleton for developing any kind of Rails extension with the ability + to run integration tests using a dummy Rails application. See usage + and options by asking for help: <shell> -$ gem install enginex -$ enginex --help -$ enginex yaffle +$ rails plugin --help </shell> -This command will create a new directory named "yaffle" within the current directory. - h3. Testing your newly generated plugin You can navigate to the directory that contains the plugin, run the +bundle install+ command @@ -319,7 +322,7 @@ When you run +rake+ you should see the tests all pass: h4. Add an Instance Method -This plugin will add a method named 'squawk' to any Active Record objects that call 'acts_as_yaffle'. The 'squawk' +This plugin will add a method named 'squawk' to any Active Record objects that call 'acts_as_yaffle'. The 'squawk' method will simply set the value of one of the fields in the database. To start out, write a failing test that shows the behavior you'd like: @@ -387,9 +390,7 @@ Run +rake+ one final time and you should see: 7 tests, 7 assertions, 0 failures, 0 errors, 0 skips </shell> -NOTE: The use of +write_attribute+ to write to the field in model is just one example of how a plugin can -interact with the model, and will not always be the right method to use. For example, you could also -use +send("#{self.class.yaffle_text_field}=", string.to_squawk)+. +NOTE: The use of +write_attribute+ to write to the field in model is just one example of how a plugin can interact with the model, and will not always be the right method to use. For example, you could also use <tt>send("#{self.class.yaffle_text_field}=", string.to_squawk)</tt>. h3. Generators diff --git a/railties/guides/source/routing.textile b/railties/guides/source/routing.textile index 99fdcee68a..08615bed4e 100644 --- a/railties/guides/source/routing.textile +++ b/railties/guides/source/routing.textile @@ -880,7 +880,7 @@ h3. Changelog * April 10, 2010: Updated guide to remove outdated and superfluous information, and to provide information about new features, by "Yehuda Katz":http://www.yehudakatz.com * April 2, 2010: Updated guide to match new Routing DSL in Rails 3, by "Rizwan Reza":http://www.rizwanreza.com/ -* Febuary 1, 2010: Modifies the routing documentation to match new routing DSL in Rails 3, by Prem Sichanugrist +* February 1, 2010: Modifies the routing documentation to match new routing DSL in Rails 3, by Prem Sichanugrist * October 4, 2008: Added additional detail on specifying verbs for resource member/collection routes, by "Mike Gunderloy":credits.html#mgunderloy * September 23, 2008: Added section on namespaced controllers and routing, by "Mike Gunderloy":credits.html#mgunderloy * September 10, 2008: initial version by "Mike Gunderloy":credits.html#mgunderloy diff --git a/railties/guides/source/ruby_on_rails_guides_guidelines.textile b/railties/guides/source/ruby_on_rails_guides_guidelines.textile index 26a5a4c3c9..9ae360a73b 100644 --- a/railties/guides/source/ruby_on_rails_guides_guidelines.textile +++ b/railties/guides/source/ruby_on_rails_guides_guidelines.textile @@ -62,10 +62,10 @@ To force process of all the guides, pass +ALL=1+. It is also recommended that you work with +WARNINGS=1+. This detects duplicate IDs and warns about broken internal links. -If you want to generate guides in languages other than English, you can keep them in a separate directory under +source+ (eg. <tt>source/es</tt>) and use the +LANGUAGE+ environment variable: +If you want to generate guides in languages other than English, you can keep them in a separate directory under +source+ (eg. <tt>source/es</tt>) and use the +GUIDES_LANGUAGE+ environment variable: <plain> -rake generate_guides LANGUAGE=es +rake generate_guides GUIDES_LANGUAGE=es </plain> h3. HTML Validation diff --git a/railties/guides/source/security.textile b/railties/guides/source/security.textile index e0ccc7a6e6..412ded1d0b 100644 --- a/railties/guides/source/security.textile +++ b/railties/guides/source/security.textile @@ -386,7 +386,7 @@ params[:user] # => {:name => “ow3ned”, :admin => true} So if you create a new user using mass-assignment, it may be too easy to become an administrator. -Note that this vulnerability is not restricted to database columns. Any setter method, unless explicitly protected, is accessible via the <tt>attributes=</tt> method. In fact, this vulnerability is extended even further with the introduction of nested mass assignment (and nested object forms) in Rails 2.3+. The +accepts_nested_attributes_for+ declaration provides us the ability to extend mass assignment to model associations (+has_many+, +has_one+, +has_and_belongs_to_many+). For example: +Note that this vulnerability is not restricted to database columns. Any setter method, unless explicitly protected, is accessible via the <tt>attributes=</tt> method. In fact, this vulnerability is extended even further with the introduction of nested mass assignment (and nested object forms) in Rails 2.3+. The +accepts_nested_attributes_for+ declaration provides us the ability to extend mass assignment to model associations (+has_many+, +has_one+, +has_and_belongs_to_many+). For example: <ruby> class Person < ActiveRecord::Base @@ -469,7 +469,7 @@ A more paranoid technique to protect your whole project would be to enforce that config.active_record.whitelist_attributes = true </ruby> -This will create an empty whitelist of attributes available for mass-assignment for all models in your app. As such, your models will need to explicitly whitelist or blacklist accessible parameters by using an +attr_accessible+ or +attr_protected+ declaration. This technique is best applied at the start of a new project. However, for an existing project with a thorough set of functional tests, it should be straightforward and relatively quick to use this application config option; run your tests, and expose each attribute (via +attr_accessible+ or +attr_protected+) as dictated by your failing tests. +This will create an empty whitelist of attributes available for mass-assignment for all models in your app. As such, your models will need to explicitly whitelist or blacklist accessible parameters by using an +attr_accessible+ or +attr_protected+ declaration. This technique is best applied at the start of a new project. However, for an existing project with a thorough set of functional tests, it should be straightforward and relatively quick to use this application config option; run your tests, and expose each attribute (via +attr_accessible+ or +attr_protected+) as dictated by your failing tests. h3. User Management @@ -540,7 +540,7 @@ Most bots are really dumb, they crawl the web and put their spam into every form Here are some ideas how to hide honeypot fields by JavaScript and/or CSS: * position the fields off of the visible area of the page -* make the elements very small or colour them the same as the background of the page +* make the elements very small or color them the same as the background of the page * leave the fields displayed, but tell humans to leave them blank The most simple negative CAPTCHA is one hidden honeypot field. On the server side, you will check the value of the field: If it contains any text, it must be a bot. Then, you can either ignore the post or return a positive result, but not saving the post to the database. This way the bot will be satisfied and moves on. You can do this with annoying users, too. @@ -567,7 +567,7 @@ h4. Good Passwords -- _Do you find it hard to remember all your passwords? Don't write them down, but use the initial letters of each word in an easy to remember sentence._ -Bruce Schneier, a security technologist, "has analysed":http://www.schneier.com/blog/archives/2006/12/realworld_passw.html 34,000 real-world user names and passwords from the MySpace phishing attack mentioned <a href="#examples-from-the-underground">below</a>. It turns out that most of the passwords are quite easy to crack. The 20 most common passwords are: +Bruce Schneier, a security technologist, "has analyzed":http://www.schneier.com/blog/archives/2006/12/realworld_passw.html 34,000 real-world user names and passwords from the MySpace phishing attack mentioned <a href="#examples-from-the-underground">below</a>. It turns out that most of the passwords are quite easy to crack. The 20 most common passwords are: password1, abc123, myspace1, password, blink182, qwerty1, ****you, 123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1, and monkey. @@ -885,7 +885,7 @@ The "moz-binding":http://www.securiteam.com/securitynews/5LP051FHPE.html CSS pro h5(#css-injection-countermeasures). Countermeasures -This example, again, showed that a blacklist filter is never complete. However, as custom CSS in web applications is a quite rare feature, I am not aware of a whitelist CSS filter. _(highlight)If you want to allow custom colours or images, you can allow the user to choose them and build the CSS in the web application_. Use Rails' +sanitize()+ method as a model for a whitelist CSS filter, if you really need one. +This example, again, showed that a blacklist filter is never complete. However, as custom CSS in web applications is a quite rare feature, I am not aware of a whitelist CSS filter. _(highlight)If you want to allow custom colors or images, you can allow the user to choose them and build the CSS in the web application_. Use Rails' +sanitize()+ method as a model for a whitelist CSS filter, if you really need one. h4. Textile Injection |