| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
whether something has to be escaped
|
|
|
|
| |
Rationale: url_for is just a path/URL generator, it is the responsability of the caller to escape conveniently HTML needs it, JavaScript needs different escaping, a text mail needs no escaping at all, etc.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
HTML specifications recommend the escaping of urls in web pages,
which url_for does by default for string urls and consquently
urls generated by path helpers as these return strings.
Hashes passed to url_for are not escaped by default and this
commit reverses this default so that they are escaped.
Undoes the changes of this commit:
http://github.com/rails/rails/commit/1b3195b63ca44f0a70b61b75fcf4991cb2fbb944
Signed-off-by: José Valim <jose.valim@gmail.com>
|
| |
|
| |
|
|\ |
|
| |
| |
| |
| | |
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
|
|/
|
|
|
|
|
| |
And add tests for `button_to` and `form_tag` which currently behave as
expected, so we avoid a regression.
Signed-off-by: wycats <wycats@gmail.com>
|
|
|
|
| |
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
|
|
|
|
| |
Signed-off-by: Carl Lerche <carllerche@mac.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
ActionDispatch::Request rather than Rack::Request.
* Changed ActionDispatch::Request#method to return a String, to be
compatible with the Rack::Request superclass.
* Changed ActionDispatch::Request#method to return the original
method in the case of methodoverride and #request_method not to,
to be compatible with Rack::Request
|
|
|
|
| |
proxying back to the controller. This potentially allows for more standalone usage of AV. It also kicked up a lot of dust in the tests, which were mocking out controllers to get this behavior. By moving it to the view, it made a lot of the tests more standalone (a win)
|
|\ |
|
| |
| |
| |
| | |
Signed-off-by: José Valim <jose.valim@gmail.com>
|
| | |
|
| | |
|
| | |
|
|\| |
|
| | |
|
|\|
| |
| |
| |
| |
| |
| | |
Conflicts:
activerecord/lib/active_record/base.rb
railties/lib/rails/configuration.rb
railties/lib/rails/log_subscriber.rb
|
| | |
|
| | |
|
| |
| |
| |
| | |
destroyed? methods. ActionPack does not care if the resource is new or if it was destroyed, it cares only if it's persisted somewhere or not.
|
| |
| |
| |
| | |
Signed-off-by: Yehuda Katz <yehudakatz@YK.local>
|
| |
| |
| |
| | |
Signed-off-by: Yehuda Katz <yehudakatz@YK.local>
|
| |
| |
| |
| | |
Signed-off-by: Yehuda Katz <yehudakatz@YK.local>
|
| |
| |
| |
| | |
Signed-off-by: Yehuda Katz <yehudakatz@YK.local>
|
|/ |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Instead, all Strings are always not html_safe?. Instead, you can get a SafeBuffer from a String by calling #html_safe, which will SafeBuffer.new(self).
* Additionally, instead of doing concat("</form>".html_safe), you can do
safe_concat("</form>"), which will skip both the flag set, and the flag
check.
* For the first pass, I converted virtually all #html_safe!s to #html_safe,
and the tests pass. A further optimization would be to try to use
#safe_concat as much as possible, reducing the performance impact if
we know up front that a String is safe.
|
| |
|
|
|
|
| |
:remote=>true
|
| |
|
| |
|
|
|
|
|
|
| |
such as :confirm in a unobtrusive manor
Signed-off-by: Joshua Peek <josh@joshpeek.com>
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit 3aa1ea1ae4baa4a03d03644e798eeb98a4745785, reversing
changes made to 2c12a71378d2146c822acb389b00b866f6420ff5.
Conflicts:
actionpack/lib/action_view/helpers/javascript_helper.rb
actionpack/lib/action_view/helpers/url_helper.rb
actionpack/test/template/url_helper_test.rb
|
| |
|
|
|
|
| |
image_submit_tag output data attributes for things like :confirm, :method, :popup, and :disable_with
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
named routes.
This allows the following setup to work:
# app/controllers/application_controller.rb
class ApplicationController
def default_url_options(options=nil)
{ :locale => I18n.locale }
end
end
# From your views and controllers:
I18n.locale #=> :en
users_url #=> "/en/users"
users_url(:pl) #=> "/pl/users"
user_url(1) #=> "/en/users/1"
user_url(:pl, 1) #=> "/pl/users/1"
user_url(1, :locale => :pl) #=> "/pl/users/1"
If you provide all expected parameters, it still works as previously.
But if any parameter is missing, it tries to assign all possible ones
with the hash returned in default_url_options or the one passed straight
to the named route method.
Beware that default_url_options in ApplicationController is not shared
with ActionMailer, so you are required to always give the locale in your
email views.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ActionView::Helpers::UrlHelper#url_for used to escape the URLs it generated by
default. This was most commonly seen when generating a path with multiple
query parameters, e.g.
url_for(:controller => :foo, :action => :bar, :this => 123, :that => 456)
would return
http://example.com/foo/bar?that=456&this=123
escaping an ampersand that shouldn't be escaped. This is both wrong and
inconsistent with the behavior of ActionController#url_for, and is changed.
Signed-off-by: Michael Koziarski <michael@koziarski.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This consists of:
* String#html_safe! a method to mark a string as 'safe'
* ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it
* Calls to String#html_safe! throughout the rails helpers
* a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presantized strings in the DB)
* New ERB implementation based on erubis which uses a SafeBuffer instead of a String
Hat tip to Django for the inspiration.
|
| |
|
|
|
|
|
|
| |
state:resolved]
Signed-off-by: Pratik Naik <pratiknaik@gmail.com>
|
| |
|
| |
|
|
|
|
|
|
|
| |
* Tests can be run in isolation
* Dependencies added
* A few tests modified to avoid depending on AS deps
not depended on my files they were testing
|
|
|
|
|
|
| |
with multiple query parameters [#1868 state:committed]
Signed-off-by: David Heinemeier Hansson <david@loudthinking.com>
|