aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_view/helpers/url_helper.rb
Commit message (Collapse)AuthorAgeFilesLines
* s/escape_once/html_escape/, since html safety is the contract that now says ↵Xavier Noria2010-06-301-14/+17
| | | | whether something has to be escaped
* url_for no longer escapes HTML, the :escape option is also goneXavier Noria2010-06-301-16/+5
| | | | Rationale: url_for is just a path/URL generator, it is the responsability of the caller to escape conveniently HTML needs it, JavaScript needs different escaping, a text mail needs no escaping at all, etc.
* Restores the escaping of urls generated from hashes. [#4765 state:resolved]Andrew White2010-06-281-1/+1
| | | | | | | | | | | | | | HTML specifications recommend the escaping of urls in web pages, which url_for does by default for string urls and consquently urls generated by path helpers as these return strings. Hashes passed to url_for are not escaped by default and this commit reverses this default so that they are escaped. Undoes the changes of this commit: http://github.com/rails/rails/commit/1b3195b63ca44f0a70b61b75fcf4991cb2fbb944 Signed-off-by: José Valim <jose.valim@gmail.com>
* Action View is now titled.Rizwan Reza2010-06-211-1/+1
|
* Added titles and description.Rizwan Reza2010-06-161-0/+1
|
* Merge branch 'master' of github.com:rails/railswycats2010-04-261-1/+1
|\
| * HWIA symbolize_keys now returns a hash so no need to do this anymoreSantiago Pastorino2010-04-221-1/+1
| | | | | | | | Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
* | Allow :remote => false to be passed to link_toNicolas Sanguinetti2010-04-221-3/+1
|/ | | | | | | And add tests for `button_to` and `form_tag` which currently behave as expected, so we avoid a regression. Signed-off-by: wycats <wycats@gmail.com>
* url_for now works with HashWithIndifferentAccess ht jay [#4391 state:committed]Santiago Pastorino2010-04-211-1/+1
| | | | Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
* mail_to with :encode => :javascript now outputs safe htmlSam Elliott2010-04-161-1/+1
| | | | Signed-off-by: Carl Lerche <carllerche@mac.com>
* Consistently use lowercase instead of camelCase for all JS class names in RailsDavid Heinemeier Hansson2010-04-081-5/+5
|
* * Change the object used in routing constraints to be an instance ofwycats2010-04-031-1/+6
| | | | | | | | | | | ActionDispatch::Request rather than Rack::Request. * Changed ActionDispatch::Request#method to return a String, to be compatible with the Rack::Request superclass. * Changed ActionDispatch::Request#method to return the original method in the case of methodoverride and #request_method not to, to be compatible with Rack::Request
* Refactored url_for in AV to have its own instances of the helpers instead of ↵wycats2010-04-031-15/+37
| | | | proxying back to the controller. This potentially allows for more standalone usage of AV. It also kicked up a lot of dust in the tests, which were mocking out controllers to get this behavior. By moving it to the view, it made a lot of the tests more standalone (a win)
* Merge branch 'master' into docrailswycats2010-03-261-3/+9
|\
| * Remove data-url support from url_helper [#4236 state:resolved]Denis Odorcic2010-03-211-2/+0
| | | | | | | | Signed-off-by: José Valim <jose.valim@gmail.com>
| * Fix missing requirewycats2010-03-161-0/+1
| |
| * Do not always include the named URL helpers into AC::Base and AV::Base.Carl Lerche2010-03-161-0/+7
| |
| * Fix link_to with blockJeremy Kemper2010-03-151-1/+1
| |
* | Merge remote branch 'mainstream/master'Pratik Naik2010-03-151-1/+1
|\|
| * Making escaped things more readableSantiago Pastorino2010-03-141-1/+1
| |
* | Merge remote branch 'mainstream/master'Pratik Naik2010-03-121-13/+10
|\| | | | | | | | | | | | | Conflicts: activerecord/lib/active_record/base.rb railties/lib/rails/configuration.rb railties/lib/rails/log_subscriber.rb
| * Tweak the semantic of various URL related methods of ActionDispatch::RequestCarlhuda2010-03-031-2/+3
| |
| * Use ActionDispatch::Routing everywhereMartin Schürrer2010-02-211-1/+1
| |
| * Require persisted? in ActiveModel::Lint and remove new_record? and ↵José Valim2010-02-211-1/+1
| | | | | | | | destroyed? methods. ActionPack does not care if the resource is new or if it was destroyed, it cares only if it's persisted somewhere or not.
| * Remove empty line and trailing hash, breaks documentation generationDirkjan Bussink2010-02-191-2/+0
| | | | | | | | Signed-off-by: Yehuda Katz <yehudakatz@YK.local>
| * Explicit html_escape removed when not neededSantiago Pastorino and José Ignacio Costa2010-02-141-1/+1
| | | | | | | | Signed-off-by: Yehuda Katz <yehudakatz@YK.local>
| * html_escape mail_to when encode javascript and not hexSantiago Pastorino and José Ignacio Costa2010-02-141-5/+3
| | | | | | | | Signed-off-by: Yehuda Katz <yehudakatz@YK.local>
| * content_tag should escape its inputBruno Michel2010-02-141-1/+1
| | | | | | | | Signed-off-by: Yehuda Katz <yehudakatz@YK.local>
* | Updated documentation for block helpers in url_helper.rbJeroen van Dijk2010-03-121-1/+1
|/
* For performance reasons, you can no longer call html_safe! on Strings. ↵Yehuda Katz2010-01-311-4/+4
| | | | | | | | | | | | Instead, all Strings are always not html_safe?. Instead, you can get a SafeBuffer from a String by calling #html_safe, which will SafeBuffer.new(self). * Additionally, instead of doing concat("</form>".html_safe), you can do safe_concat("</form>"), which will skip both the flag set, and the flag check. * For the first pass, I converted virtually all #html_safe!s to #html_safe, and the tests pass. A further optimization would be to try to use #safe_concat as much as possible, reducing the performance impact if we know up front that a String is safe.
* UJS documentation.Stefan Penner2010-01-311-25/+30
|
* data-remote needs to be on the form and not the submit when using button_to ↵Erik St. Martin2010-01-311-1/+3
| | | | :remote=>true
* Add rel=nofollow on non get remote linksJoshua Peek2010-01-301-1/+1
|
* Generate UJS code for :disable_withJoshua Peek2010-01-301-4/+0
|
* updating link_to and button_to to support :remote => true and other options ↵Erik St. Martin2010-01-301-31/+46
| | | | | | such as :confirm in a unobtrusive manor Signed-off-by: Joshua Peek <josh@joshpeek.com>
* Revert "Merge branch 'rails/master' into ujs"Joshua Peek2010-01-301-0/+45
| | | | | | | | | | | This reverts commit 3aa1ea1ae4baa4a03d03644e798eeb98a4745785, reversing changes made to 2c12a71378d2146c822acb389b00b866f6420ff5. Conflicts: actionpack/lib/action_view/helpers/javascript_helper.rb actionpack/lib/action_view/helpers/url_helper.rb actionpack/test/template/url_helper_test.rb
* Deprecate link_to :popupJoshua Peek2010-01-291-16/+2
|
* making non remote versions of link_to, button_to, submit_tag and ↵Erik St. Martin2010-01-271-52/+2
| | | | image_submit_tag output data attributes for things like :confirm, :method, :popup, and :disable_with
* Make @controller an internal ivar in the viewJoshua Peek2010-01-221-6/+6
|
* From now on, parameters defined in default_url_options can be absent from ↵José Valim2010-01-071-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | named routes. This allows the following setup to work: # app/controllers/application_controller.rb class ApplicationController def default_url_options(options=nil) { :locale => I18n.locale } end end # From your views and controllers: I18n.locale #=> :en users_url #=> "/en/users" users_url(:pl) #=> "/pl/users" user_url(1) #=> "/en/users/1" user_url(:pl, 1) #=> "/pl/users/1" user_url(1, :locale => :pl) #=> "/pl/users/1" If you provide all expected parameters, it still works as previously. But if any parameter is missing, it tries to assign all possible ones with the hash returned in default_url_options or the one passed straight to the named route method. Beware that default_url_options in ApplicationController is not shared with ActionMailer, so you are required to always give the locale in your email views.
* Remove CGI.escape in function of Rack::Mount.escapeJosé Valim2010-01-061-4/+4
|
* Make sure non-escaped urls aren't considered safeMichael Koziarski2009-10-151-1/+1
|
* ActionView.url_for doesn't escape by defaultPhil Darnowsky2009-10-151-1/+1
| | | | | | | | | | | | | | | | | ActionView::Helpers::UrlHelper#url_for used to escape the URLs it generated by default. This was most commonly seen when generating a path with multiple query parameters, e.g. url_for(:controller => :foo, :action => :bar, :this => 123, :that => 456) would return http://example.com/foo/bar?that=456&amp;this=123 escaping an ampersand that shouldn't be escaped. This is both wrong and inconsistent with the behavior of ActionController#url_for, and is changed. Signed-off-by: Michael Koziarski <michael@koziarski.com>
* Switch to on-by-default XSS escaping for rails.Michael Koziarski2009-10-081-5/+5
| | | | | | | | | | | | This consists of: * String#html_safe! a method to mark a string as 'safe' * ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it * Calls to String#html_safe! throughout the rails helpers * a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presantized strings in the DB) * New ERB implementation based on erubis which uses a SafeBuffer instead of a String Hat tip to Django for the inspiration.
* AV::UrlHelper depends on Array#secondJoshua Peek2009-09-131-0/+1
|
* Make sure link_to generates the form with the specified :href if any [#2254 ↵Max Lapshin2009-08-101-1/+1
| | | | | | state:resolved] Signed-off-by: Pratik Naik <pratiknaik@gmail.com>
* Merge docrailsPratik Naik2009-07-251-49/+48
|
* Uses Hash#symbolize_keysJeremy Kemper2009-06-081-0/+1
|
* ActionPack components should no longer have undeclared dependencies.Yehuda Katz + Carl Lerche2009-06-081-3/+3
| | | | | | | * Tests can be run in isolation * Dependencies added * A few tests modified to avoid depending on AS deps not depended on my files they were testing
* Fix a syntax error in current_page?() that was prevent matches against URL's ↵chris finne2009-02-051-2/+25
| | | | | | with multiple query parameters [#1868 state:committed] Signed-off-by: David Heinemeier Hansson <david@loudthinking.com>