whether something has to be escaped

Rationale: url_for is just a path/URL generator; it is the responsibility of the caller to escape conveniently: HTML needs it, JavaScript needs different escaping, a text mail needs no escaping at all, etc.

* Specify accept-charset on all forms. All recent browsers, as well as IE5+, will use the encoding specified for form parameters
* Unfortunately, IE5+ will not look at accept-charset unless at least one character in the form's values is not in the page's charset. Since the user can override the default charset (which Rails sets to UTF-8), we provide a hidden input containing a unicode character, forcing IE to look at the accept-charset.
* Now that the vast majority of web input is UTF-8, we set the inbound parameters to UTF-8. This will eliminate many cases of incompatible encodings between ASCII-8BIT and UTF-8.
* You can safely ignore params[:_snowman_]
TODO:
* Validate inbound text to confirm it is UTF-8
* Combine the whole_form implementations in form_helper_test and form_tag_helper_test

Signed-off-by: José Valim <jose.valim@gmail.com>

path_to_image in rdoc

url, number, etc) (Closes #3646) [Stephen Celis]

to select tag. Be sure to join the tag yourself and mark them .html_safe

Conflicts:
	activerecord/lib/active_record/base.rb
	railties/lib/rails/configuration.rb
	railties/lib/rails/log_subscriber.rb

Signed-off-by: Yehuda Katz <yehudakatz@YK.local>

[#3856 state:committed]
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>

consistency [#1792 status:resolved]
Signed-off-by: José Valim <jose.valim@gmail.com>

Instead, all Strings are always not html_safe?. Instead, you can get a SafeBuffer from a String by calling #html_safe, which will SafeBuffer.new(self).
* Additionally, instead of doing concat("</form>".html_safe), you can do safe_concat("</form>"), which will skip both the flag set, and the flag check.
* For the first pass, I converted virtually all #html_safe!s to #html_safe, and the tests pass. A further optimization would be to try to use #safe_concat as much as possible, reducing the performance impact if we know up front that a String is safe.

such as :confirm in an unobtrusive manner
Signed-off-by: Joshua Peek <josh@joshpeek.com>

This reverts commit 3aa1ea1ae4baa4a03d03644e798eeb98a4745785, reversing changes made to 2c12a71378d2146c822acb389b00b866f6420ff5.
Conflicts:
	actionpack/lib/action_view/helpers/javascript_helper.rb
	actionpack/lib/action_view/helpers/url_helper.rb
	actionpack/test/template/url_helper_test.rb

image_submit_tag output data attributes for things like :confirm, :method, :popup, and :disable_with

This consists of:
* String#html_safe! a method to mark a string as 'safe'
* ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it
* Calls to String#html_safe! throughout the rails helpers
* a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presanitized strings in the DB)
* New ERB implementation based on erubis which uses a SafeBuffer instead of a String
Hat tip to Django for the inspiration.

Signed-off-by: José Valim <jose.valim@gmail.com>
Signed-off-by: Pratik Naik <pratiknaik@gmail.com>

Signed-off-by: José Valim <jose.valim@gmail.com>

the form authenticity token is set to display:inline [#2846 state:resolved]
Signed-off-by: Yehuda Katz + Carl Lerche <ykatz+clerche@engineyard.com>

Signed-off-by: Michael Koziarski <michael@koziarski.com>
[#2015 state:committed]

text_area_tag('item[description]') should return: <textarea id="item_description" name="item[description]"></textarea> instead of: <textarea id="item[description]" name="item[description]"></textarea> The old id was causing HTML validation failures.
Signed-off-by: Michael Koziarski <michael@koziarski.com>

TODO: Come up with the minimal core and remove all of these

Signed-off-by: Michael Koziarski <michael@koziarski.com>

Signed-off-by: Joshua Peek <josh@joshpeek.com>

brackets [#1238 state:committed]
Signed-off-by: David Heinemeier Hansson <david@loudthinking.com>

state:resolved]
Signed-off-by: Pratik Naik <pratiknaik@gmail.com>

Signed-off-by: Michael Koziarski <michael@koziarski.com>
[#1116 state:committed]

Signed-off-by: David Heinemeier Hansson <david@loudthinking.com>

of the submit button to the params if the :disable_with option is used [status:committed #633]
Signed-off-by: David Heinemeier Hansson <david@loudthinking.com>

Signed-off-by: Pratik Naik <pratiknaik@gmail.com>

state:resolved]
Signed-off-by: Pratik Naik <pratiknaik@gmail.com>