| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
| |
This commit moves all the template rendering logic that was hanging around AV::Base to renderer objects.
|
| |
|
| |
|
|
|
|
| |
Signed-off-by: José Valim <jose.valim@gmail.com>
|
| |
|
|
|
|
| |
Signed-off-by: wycats <wycats@gmail.com>
|
|
|
|
| |
Rationale: url_for is just a path/URL generator, it is the responsability of the caller to escape conveniently HTML needs it, JavaScript needs different escaping, a text mail needs no escaping at all, etc.
|
| |
|
|
|
|
| |
Signed-off-by: José Valim <jose.valim@gmail.com>
|
| |
|
| |
|
| |
|
|\ |
|
| |
| |
| |
| | |
that they shouldn't be further modified.
|
| |
| |
| |
| | |
ActionController::Base#template since it is no longer needed.
|
| |
| |
| |
| | |
warnings are in dependencies.
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* The approach is to compile <% %> into a method call that checks whether
the value returned from a block is a String. If it is, it concats to the buffer and
prints a deprecation warning.
* <%= %> uses exactly the same logic to compile the template, which first checks
to see whether it's compiling a block.
* This should have no impact on other uses of block in templates. For instance, in
<% [1,2,3].each do |i| %><%= i %><% end %>, the call to each returns an Array,
not a String, so the result is not concatenated
* In two cases (#capture and #cache), a String can be returned that should *never*
be concatenated. We have temporarily created a String subclass called NonConcattingString
which behaves (and is serialized) identically to String, but is not concatenated
by the code that handles deprecated <% %> block helpers. Once we remove support
for <% %> block helpers, we can remove NonConcattingString.
|
|\| |
|
| |
| |
| |
| | |
controller (so plugins and/or controllers can overwrite just one method).
|
|\|
| |
| |
| |
| |
| |
| | |
Conflicts:
activerecord/lib/active_record/base.rb
railties/lib/rails/configuration.rb
railties/lib/rails/log_subscriber.rb
|
| |
| |
| |
| | |
lookup.
|
| |
| |
| |
| | |
plugins) can override details_for_render in their controllers and add appropriate additional details. Now if only they could *do* something with those details...
|
| | |
|
|/ |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Instead, all Strings are always not html_safe?. Instead, you can get a SafeBuffer from a String by calling #html_safe, which will SafeBuffer.new(self).
* Additionally, instead of doing concat("</form>".html_safe), you can do
safe_concat("</form>"), which will skip both the flag set, and the flag
check.
* For the first pass, I converted virtually all #html_safe!s to #html_safe,
and the tests pass. A further optimization would be to try to use
#safe_concat as much as possible, reducing the performance impact if
we know up front that a String is safe.
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
plugin
|
|
|
|
| |
plugin
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit 3aa1ea1ae4baa4a03d03644e798eeb98a4745785, reversing
changes made to 2c12a71378d2146c822acb389b00b866f6420ff5.
Conflicts:
actionpack/lib/action_view/helpers/javascript_helper.rb
actionpack/lib/action_view/helpers/url_helper.rb
actionpack/test/template/url_helper_test.rb
|
|
|
|
| |
should know as little as possible about individual frameworks
|
|
|
|
| |
Modified tests that extended with PrototypeHelper to now extend using AjaxHelper. AjaxHelper is now included by default in view helper
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This consists of:
* String#html_safe! a method to mark a string as 'safe'
* ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it
* Calls to String#html_safe! throughout the rails helpers
* a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presantized strings in the DB)
* New ERB implementation based on erubis which uses a SafeBuffer instead of a String
Hat tip to Django for the inspiration.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* request.formats is much simpler now
* For XHRs or Accept headers with a single item, we use the Accept header
* For other requests, we use params[:format] or fallback to HTML
* This is primarily to work around the fact that browsers provide completely
broken Accept headers, so we have to whitelist the few cases we can
specifically isolate and treat other requests as coming from the browser
* For APIs, we can support single-item Accept headers, which disambiguates
from the browsers
* Requests to an action that only has an XML template from the browser will
no longer find the template. This worked previously because most browsers
provide a catch-all */*, but this was mostly accidental behavior. If you
want to serve XML, either use the :xml format in links, or explicitly
specify the XML template: render "template.xml".
|
| |
|
| |
|
|
|
| |
TODO: Come up with the minimal core and remove all of these
|
| |
|
|
|
|
| |
reference stack instead of sticking it in the options hash
|
| |
|
| |
|
| |
|