| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
| |
not "ActiveRecord"
|
|
|
|
|
|
|
|
|
|
|
|
| |
Instead, all Strings are always not html_safe?. Instead, you can get a SafeBuffer from a String by calling #html_safe, which will SafeBuffer.new(self).
* Additionally, instead of doing concat("</form>".html_safe), you can do
safe_concat("</form>"), which will skip both the flag set, and the flag
check.
* For the first pass, I converted virtually all #html_safe!s to #html_safe,
and the tests pass. A further optimization would be to try to use
#safe_concat as much as possible, reducing the performance impact if
we know up front that a String is safe.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This consists of:
* String#html_safe! a method to mark a string as 'safe'
* ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it
* Calls to String#html_safe! throughout the rails helpers
* a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presantized strings in the DB)
* New ERB implementation based on erubis which uses a SafeBuffer instead of a String
Hat tip to Django for the inspiration.
|
| |
|
| |
|
|
|
|
| |
ActionView can be used standalone
|
| |
|
| |
|
|
|
|
| |
Signed-off-by: Pratik Naik <pratiknaik@gmail.com>
|
|
|
|
|
|
| |
Signed-off-by: Michael Koziarski <michael@koziarski.com>
[#166 state:resolved]
|
|
|
|
| |
Signed-off-by: Pratik Naik <pratiknaik@gmail.com>
|
|
|
|
|
|
| |
out with custom implementations. Closes #10129. [rick]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8213 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
|
|
Changed SanitizeHelper#sanitize to only allow the custom attributes and tags when specified in the call [DHH]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7825 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
|