| Commit message | Author | Age | Files | Lines |
The previous implementation of this functionality could be accidentally
subverted by instantiating a raw Rack::Request before the first Rails::Request
was constructed.
Fixes CVE-2013-6417
i18n doesn't depend on active support which means it can't use our html_safe
code to do its escaping when generating the spans. Rather than try to sanitize
the output from i18n, just revert to our old behaviour of rescuing the error
and constructing the tag ourselves.
Fixes: CVE-2013-4491
The previous behavior equated the sanitize option for simple_format with the
escape option of content_tag, however these are two distinct concepts.
This fixes CVE-2013-6416
Conflicts:
actionview/lib/action_view/helpers/text_helper.rb
Previously the unit values were trusted leading to potential XSS vulnerabilities.
Fixes: CVE-2013-6415
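The two fixes above (the missing-translation span for CVE-2013-4491 and the trusted currency unit for CVE-2013-6415) share one pattern: a caller- or user-supplied string is spliced into markup that the helper then hands back as HTML. The following is an added illustration in plain Ruby and is not Rails's code: `translate`, `number_to_currency_unescaped` and `number_to_currency` are this example's own simplified stand-ins for the helpers, `TRANSLATIONS` is a constructed sample catalogue, and escaping uses the standard library's `ERB::Util.html_escape`.

```ruby
require 'erb'

# Constructed sample catalogue standing in for an i18n backend.
TRANSLATIONS = { 'greeting' => 'Hello' }.freeze

# Vulnerable shape (illustrative): the caller-supplied unit is spliced into
# the output verbatim. If the result is later marked html_safe, a unit such
# as "<script>..." reaches the page unescaped.
def number_to_currency_unescaped(number, unit: '$', format: '%u%n')
  amount = '%.2f' % number
  format.gsub('%n') { amount }.gsub('%u') { unit }
end

# Hardened shape: escape the unit before it is substituted into the format
# string, so the helper's output is safe to mark html_safe afterwards.
def number_to_currency(number, unit: '$', format: '%u%n')
  amount    = '%.2f' % number
  safe_unit = ERB::Util.html_escape(unit)
  format.gsub('%n') { amount }.gsub('%u') { safe_unit }
end

# Lookup that rescues the missing-translation error and builds the fallback
# <span> itself, escaping the key into both the title attribute and the body
# instead of relying on the translation library to do it.
def translate(key)
  TRANSLATIONS.fetch(key)
rescue KeyError
  last_segment = key.to_s.split('.').last || key.to_s
  title = ERB::Util.html_escape("translation missing: #{key}")
  text  = ERB::Util.html_escape(last_segment.tr('_', ' ').capitalize)
  %(<span class="translation_missing" title="#{title}">#{text}</span>)
end

if __FILE__ == $PROGRAM_NAME
  puts number_to_currency_unescaped(1234.5, unit: '<b>')   # unit lands unescaped
  puts number_to_currency(1234.5, unit: '<b>')             # unit escaped
  puts translate('greeting')
  puts translate('<img src=x onerror=alert(1)>')           # key escaped twice over
end
```

The escaping happens at the point where the untrusted string meets the markup, not on the way out; that is what lets the caller safely treat the helper's return value as HTML.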
CVE-2013-6414
Add regression test for IpSpoofAttackError issue
Closes #10780
See #10780
Remove deprecated cattr_* requires
Also wrap surrounding text to 80 chars.
[ci skip] Closes #13132
Refactor and clean up number helpers
Conflicts:
activesupport/lib/active_support/number_helper.rb
Due to the overall complexity of each method individually as well as the
global shared private module methods, this pulls each helper into its
own converter class inheriting from a generic `NumberBuilder` class.
* The `NumberBuilder` class contains the private methods needed for each helper
method and eliminates the need for special definition of specialized private
module methods.
* The `ActiveSupport::NumberHelper::DEFAULTS` constant has been moved
into the `NumberBuilder` class because the `NumberBuilder` is the only
class which needs access to it.
* For each of the builders, the `#convert` method is broken down to
smaller parts and extracted into private methods for clarity of purpose.
* Most of the mutation that once was necessary has now been eliminated.
* Several of the mathematical operations for percentage, delimited, and
rounded have been moved into private methods to ease readability and
clarity.
* Internationalization is still a bit crufty, and definitely could be
improved, but it is functional and a bit easier to follow.
The following helpers were extracted into their respective classes.
* `#number_to_percentage` -> `NumberToPercentageConverter`
* `#number_to_delimited` -> `NumberToDelimitedConverter`
* `#number_to_phone` -> `NumberToPhoneConverter`
* `#number_to_currency` -> `NumberToCurrencyConverter`
* `#number_to_rounded` -> `NumberToRoundedConverter`
* `#number_to_human_size` -> `NumberToHumanSizeConverter`
* `#number_to_human` -> `NumberToHumanConverter`
Unify cattr and mattr accessors declarations
[ci skip]
[ci skip]
[ci skip]
Conflicts:
guides/source/4_1_release_notes.md
|
|/ / /
| | |
| | |
| | | |
We need to fix this test
added missing require to active_support/tagged_logging
we’re using .delegate and should require it.
This behavior is documented in our guides (http://edgeguides.rubyonrails.org/action_mailer_basics.html#action-mailer-callbacks)
but was broken in the past. This commit short circuits
the `mail` method if:
1. mail() was previously called
2. no headers are passed
3. no block is passed
Closes #13090.
/cc @pixeltrix
Typo and grammatical fixes [ci skip]
Fix `rake test` description in the guides [ci skip]
[ci skip]
Missing partial folder/_partial instead of folder/partial.
Closes #13002.
Move Rack::Cache after ActionDispatch::Static in the middleware stack
he or she => they
A path redirect may contain any and all parts of a url which have different
escaping rules for each part. This commit tries to escape each part correctly
by splitting the string into three chunks - path (which may also include a host),
query and fragment; then it applies the correct escape pattern to each part.
Whilst using `URI.parse` would be better, unfortunately the possible presence
of %{name} parameters in the path redirect string prevents us from using it so
we have to use a regular expression instead.
Fixes #13110.
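A worked version of the split-then-escape scheme this commit message describes, added here as an illustration and not taken from the Rails source: the regular expression `URL_PARTS`, the three `UNSAFE_IN_*` character classes (modelled on RFC 3986) and the functions `percent_encode`, `interpolate`, `build_redirect` and `naive_redirect` are this example's own. Each `%{name}` parameter is percent-encoded with the rule of the part it lands in before being interpolated, so a value containing `?` or `#` cannot open a query or fragment the template did not declare, while the template's own `?` and `#` are left untouched. `naive_redirect` is a hypothetical single-rule variant included only for contrast.

```ruby
# Splits a redirect template into path (which may include a host), query and
# fragment without a URI parser: %{name} placeholders are not valid
# percent-encoding, so URI.parse cannot be used on the raw template.
URL_PARTS = /\A([^?#]*)(\?[^#]*)?(#.*)?\z/

# Bytes that must be percent-encoded in a parameter, per destination part.
# Modelled on RFC 3986 (pchar plus the delimiters legal in each part); these
# classes are this example's own, not Rails's.
UNSAFE_IN_PATH     = %r{[^A-Za-z0-9\-._~!$&'()*+,;=:@/]}  # "?" and "#" encoded, "/" kept
UNSAFE_IN_QUERY    = /[^A-Za-z0-9\-._~]/                  # "&" and "=" encoded too: no extra parameters
UNSAFE_IN_FRAGMENT = %r{[^A-Za-z0-9\-._~!$&'()*+,;=:@/?]} # "#" encoded

# Percent-encodes every byte matched by +unsafe+. Works on bytes so that
# multi-byte UTF-8 characters are encoded byte by byte ("é" -> "%C3%A9").
def percent_encode(value, unsafe)
  value.to_s.b.gsub(unsafe) { |byte| format('%%%02X', byte.ord) }
       .force_encoding(Encoding::UTF_8)
end

# Replaces %{name} placeholders in one part of the template with the matching
# parameter, encoded with that part's rule. Unknown names raise KeyError.
def interpolate(part, params, unsafe)
  return '' if part.nil?
  part.gsub(/%\{(\w+)\}/) do
    percent_encode(params.fetch(Regexp.last_match(1).to_sym), unsafe)
  end
end

# Escapes parameters per part, then reassembles path, query and fragment.
def build_redirect(template, params)
  m = URL_PARTS.match(template)
  raise ArgumentError, "not a path redirect: #{template.inspect}" unless m
  interpolate(m[1], params, UNSAFE_IN_PATH) +
    interpolate(m[2], params, UNSAFE_IN_QUERY) +
    interpolate(m[3], params, UNSAFE_IN_FRAGMENT)
end

# Hypothetical contrast: interpolate first, then apply one rule to the whole
# string. The path rule encodes the template's own "?" and "#", so the query
# and fragment the template declared are destroyed.
def naive_redirect(template, params)
  interpolated = template.gsub(/%\{(\w+)\}/) do
    params.fetch(Regexp.last_match(1).to_sym).to_s
  end
  percent_encode(interpolated, UNSAFE_IN_PATH)
end

if __FILE__ == $PROGRAM_NAME
  puts build_redirect('/articles/%{slug}', slug: 'hello world?x=1#frag')
  puts build_redirect('/search?q=%{q}&page=1#%{anchor}', q: 'a&b=c', anchor: 'sec#2')
  puts build_redirect('/tags/%{tag}', tag: 'café')
  puts naive_redirect('/search?q=%{q}', q: 'a')
end
```

The first call shows the point of the fix: the `?` and `#` inside the `slug` value come out as `%3F` and `%23`, so the redirect target stays a single path segment, whereas the `?` and `#` written into the template keep their structural meaning.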
Removing some gender sensitive object pronouns
Use gender-neutral pronouns in security guide.
|
|/ / / / / /
| | | | | |
| | | | | |
| | | | | | |
related #49ff20d9b164693ed7fee880b69cc14b141678b3
Use .railsrc while creating new plugin if available. Fixes #10700