path: root/actionpack/lib/action_view/helpers
Commit message | Author | Age | Files | Lines

* Include missing module in tag_helper
  Carlos Antonio da Silva | 2016-08-11 | 1 file | -0/+1

    Since 6857415187810f1289068a448268264d0cf0844f we are using #safe_join to join
    the content when an Array is given, so we must include the dependent module here
    to make sure it's available when this module is used alone.

    This was making Simple Form tests fail with current master due to the missing
    dependency.

* ensure tag/content_tag escapes " in attribute vals
  Andrew Carpenter | 2016-08-10 | 1 file | -4/+11

    Many helpers mark content as HTML-safe without escaping double quotes -- including
    `sanitize`. Regardless of whether or not the attribute values are HTML-escaped, we
    want to be sure they don't include double quotes, as that can cause XSS issues.

    For example:

        content_tag(:div, "foo", title: sanitize('" onmouseover="alert(1);//'))

    CVE-2016-6316

* Merge branch '3-2-17' into 3-2-stable
|\  Rafael Mendonça França | 2014-02-18 | 1 file | -1/+13
| 
|     Conflicts:
|         actionpack/CHANGELOG.md
| 
| * Escape format, negative_format and units options of number helpers
|   Rafael Mendonça França | 2014-02-18 | 1 file | -1/+13
| 
|     Previously the values of these options were trusted, leading to potential XSS
|     vulnerabilities.
| 
|     Fixes: CVE-2014-0081
| 
* | Merge pull request #13183 from sorah/never_ignore_i18n_translate_raise_option
| | Carlos Antonio da Silva | 2013-12-04 | 1 file | -1/+9
| 
|     Escalate missing error when :raise is true in translate helper, fix regression
|     introduced by security fix.
| 
|     Conflicts:
|         actionpack/CHANGELOG.md
| 
* | Fix documentation of number_to_currency helper
|/  Rafael Mendonça França | 2013-12-04 | 1 file | -4/+4

    Now users have to explicitly mark the unit as safe if they trust it.

    Closes #13161

* Stop using i18n's built in HTML error handling.
  Michael Koziarski | 2013-12-02 | 1 file | -13/+8

    i18n doesn't depend on active support which means it can't use our html_safe code
    to do its escaping when generating the spans. Rather than try to sanitize the
    output from i18n, just revert to our old behaviour of rescuing the error and
    constructing the tag ourselves.

    Fixes: CVE-2013-4491

    Conflicts:
        actionpack/lib/action_view/helpers/translation_helper.rb

    Backport: 50afd8eec9d088ad5a2d41f00a05520d5b78a6a0

* Escape the unit value provided to number_to_currency
  Michael Koziarski | 2013-12-02 | 1 file | -1/+1

    Fixes CVE-2013-6415

    Previously the values were trusted blindly, allowing for potential XSS attacks.

* Merge pull request #10971 from dtaniwaki/escape_link_to_unless
  Rafael Mendonça França | 2013-06-24 | 1 file | -1/+1

    Always escape the result of link_to_unless method

* Merging in fix from #8222
  Ben Tucker | 2013-05-06 | 1 file | -1/+1

* Fix explicit names on multiple file fields
  Ryan McGeary | 2013-04-05 | 1 file | -8/+7

    If a file field tag is passed the multiple option, it is turned into an array
    field (appending "[]"), but if the file field is passed an explicit name as an
    option, leave the name alone (do not append "[]").

    Fixes #9830

* Backport #9347 to rails 3.2
  hoffm | 2013-03-19 | 1 file | -1/+1

* do not freeze NumberHelper defaults.
  Yves Senn | 2013-03-18 | 1 file | -2/+2

    Closes #9767.

* Merge pull request #9616 from exviva/multiple_select_name_double_square_brackets
  Carlos Antonio da Silva | 2013-03-09 | 1 file | -1/+1

    Fix incorrectly appended square brackets to a multiple select box

    Before:

        select(:category, [], {}, {:multiple => true, :name => "post[category][]"})
        # => <select name="post[category][][]" ...>

    After:

        select(:category, [], {}, {:multiple => true, :name => "post[category][]"})
        # => <select name="post[category][]" ...>

    Conflicts:
        actionpack/CHANGELOG.md
        actionpack/lib/action_view/helpers/tags/base.rb
        actionpack/test/template/form_options_helper_test.rb

* Change tabs to spaces in form options helper [ci skip]
  Carlos Antonio da Silva | 2013-02-21 | 1 file | -2/+2

* Add another NumberHelper missing dependency
  Rodrigo Rosenfeld Rosas | 2013-01-29 | 1 file | -0/+1

    Another missing dependency, now affecting #number_to_percentage. It depends on
    reverse_merge.

* Add NumberHelper missing dependency
  Rodrigo Rosenfeld Rosas | 2013-01-29 | 1 file | -0/+1

    symbolize_keys depends on hash/keys AS core extension

* Do not call fields_for from form_for, to avoid instantiating two builders
  Carlos Antonio da Silva | 2013-01-06 | 1 file | -8/+6

    Conflicts:
        actionpack/lib/action_view/helpers/form_helper.rb
        actionpack/test/template/form_helper_test.rb

* Merge pull request #8719 from pcasaretto/fix-actionview-doc-typo
  Carlos Antonio da Silva | 2013-01-03 | 1 file | -1/+1

    Fix typo on form_tag_helper.rb [ci skip]

* fix block.arity raise nil error when not given a block to "content_tag_for"
  jasl | 2013-01-02 | 1 file | -1/+3

* Make distance_of_time_in_words work with DateTime offsets
  Andrew White | 2012-12-04 | 1 file | -2/+3

    Because DateTime#to_time returns self when it has a non-zero offset and
    subtracting two DateTime instances returns a Rational, the
    distance_of_time_in_words method outputs an incorrect value.

    This is fixed in master because we can rely on Ruby 1.9.3's implementation of
    to_time, but it can't be fixed on Ruby 1.8.7 as there is no way to map the
    DateTime to a Time with a non-zero offset.

    We can work around the problem by casting to Float before doing the subtraction
    in the distance_of_time_in_words method.

    Closes #8390

* Make output of distance_of_time_in_words consistent
  Andrew White | 2012-12-04 | 1 file | -2/+2

    This commit fixes the output of distance_of_time_in_words when using integer or
    duration arguments. Previously a distance of more than 30 seconds would be output
    as 'Less than 1 minute' when using integer arguments and '1 minute' when using
    two Time instances more than 30 seconds apart.

    Cherry picked from 5fdd4cd9e47be972f146a8a17a74c8f4700e2ac0

* Add i18n scope to distance_of_time_in_words.
  Steve Klabnik | 2012-11-26 | 1 file | -3/+7

    This is a backport of rails/rails#7997.

* [ci skip] Correct examples for form_tag helper.
  DawidJanczak | 2012-11-14 | 1 file | -2/+2

* Merge pull request #8108 from Casecommons/fix-multiple-and-index-in-instance-tag
  Rafael Mendonça França | 2012-11-08 | 1 file | -1/+3

    Support :multiple option on input tags that also have :index

    Conflicts:
        actionpack/lib/action_view/helpers/tags/base.rb
        actionpack/lib/action_view/helpers/tags/collection_check_boxes.rb

* Accept :remote as symbol in link_to options
  Riley | 2012-10-06 | 1 file | -1/+3

    Accept either :remote or 'remote' in both the html_options and (url_)options
    hash arguments to link_to.

* correct handling of date selects when using both disabled and discard options
  Vasiliy Ermolovich | 2012-08-25 | 1 file | -2/+5

    we should take the disabled option not only from the `html_options` hash but
    from the `options` hash too, like the `build_select` method does. So

        datetime_select("post", "updated_at", { :discard_minute => true }, { :disabled => true })
        datetime_select("post", "updated_at", :discard_minute => true , :disabled => true)

    both these variants work now

    closes #7431

* Merge pull request #7410 from sandeepravi/default_options_helper_value
  Rafael Mendonça França | 2012-08-21 | 1 file | -0/+1

    option_tags coerced to "" instead of nil

    Closes #7404

* Merge branch '3-2-8' into 3-2-stable
|\  Santiago Pastorino | 2012-08-09 | 2 files | -3/+3
| 
| * Do not mark strip_tags result as html_safe
|   Santiago Pastorino | 2012-08-09 | 1 file | -1/+1
| 
|     Thanks to Marek Labos & Nethemba
| 
|     CVE-2012-3465
| 
| * escape select_tag :prompt values
|   Santiago Pastorino | 2012-08-09 | 1 file | -2/+2
| 
|     CVE-2012-3463
| 
* | Rearrange example output of javascript_include_tag
| | Prem Sichanugrist | 2012-08-06 | 1 file | -2/+2
| 
* | Do not include application.js if it doesn't exist
|/  Prem Sichanugrist | 2012-08-06 | 1 file | -5/+6

    Rails was including 'application.js' in the pack when using
    `javascript_include_tag :all` even when there's no application.js in the public
    directory.

* Revert "Deprecate link_to_function and button_to_function helpers"
  Rafael Mendonça França | 2012-08-01 | 1 file | -4/+0

    This reverts commit 9dc57fe9c4807fc0ad4b1590a931891d9faa3164.

* Revert "Deprecate `:mouseover` options for `image_tag` helper."
  Rafael Mendonça França | 2012-08-01 | 1 file | -2/+0

    This reverts commit 1aff7725c7a04cde202cca906208560a55409e6a.

    Conflicts:
        actionpack/CHANGELOG.md

* Revert "Deprecate `:confirm` in favor of `:data => { :confirm => 'Text' }` option"
  Rafael Mendonça França | 2012-08-01 | 3 files | -29/+9

    Revert "Deprecate `:disable_with` in favor of `'data-disable-with'` option for
    `button_to` and `submit_tag` helpers."

    This reverts commit fc092a9cba5fceec38358072e50e09250cf58840.
    This reverts commit e9051e20aeb2c666db06b6217954737665878db7.
    This reverts commit d47d6e7eda3aa3e6aa28d0c17ac6801234bb97d1.
    This reverts commit 21141e777bdce8534e3755c8de7268324b3d8714.

* Fixed bug creating invalid HTML in select options
  Rusty Geldmacher | 2012-07-10 | 1 file | -5/+5

    When a select tag is created for a field with errors, and that select tag has
    :prompt or :include_blank options, then the inserted first option will errantly
    have a <div class="field_with_errors"> wrapping it.

    See https://github.com/rails/rails/issues/7017

* Fix NumberHelper options wrapping to prevent verbatim blocks being rendered instead of line continuations.
  Mark J. Titorenko | 2012-07-02 | 1 file | -90/+159

    While I'm at it, wrap long comment lines consistently.

    Conflicts:
        actionpack/lib/action_view/helpers/number_helper.rb

    There was just one conflict related to the addition of the :format option to
    number_to_percentage.

* ActionController::Metal doesn't have logger method, check it and then delegate
  Dmitry Vorotilin | 2012-06-16 | 1 file | -2/+4

* Deprecate `:confirm` in favor of `:data => { :confirm => 'Text' }` option
  Carlos Galdino | 2012-06-05 | 2 files | -2/+13

    This deprecation applies to:

        `button_to`
        `button_tag`
        `image_submit_tag`
        `link_to`
        `submit_tag`

    As :confirm is a UI-specific option, it is better to use the data attributes,
    teaching users about unobtrusive JavaScript and how Rails works with it.

* Fixed tag_helper data-attribute bug with BigDecimals
  Bodacious | 2012-05-20 | 1 file | -1/+1

* Use right option for excerpt text helper in tests, fix build
  Carlos Antonio da Silva | 2012-05-19 | 1 file | -2/+2

    `excerpt` text helper uses `:radius`, not `line_width` (that is used by the
    `word_wrap` helper). Also clean up some whitespace.

* Merge pull request #5020 from KL-7/fix-blank-image_tag-source
  José Valim | 2012-05-18 | 1 file | -2/+2

    Render img tag with empty src if empty string is passed to image_tag.

* Deprecate old APIs for highlight, excerpt and word_wrap
  Jeremy Walker | 2012-05-18 | 1 file | -0/+9

* Deprecate `:disable_with` for `button_tag` too
  Carlos Galdino + Rafael Mendonça França | 2012-05-14 | 2 files | -2/+4

* Fix typo
  Carlos Galdino + Rafael Mendonça França | 2012-05-14 | 1 file | -1/+1

* Deprecate `:disable_with` in favor of `'data-disable-with'` option for `button_to` and `submit_tag` helpers.
  Carlos Galdino + Rafael Mendonça França | 2012-05-14 | 2 files | -6/+13

* Deprecate `:mouseover` options for `image_tag` helper.
  Rafael Mendonça França | 2012-05-13 | 1 file | -0/+2

* Merge pull request #3237 from sakuro/data-url-scheme
  Rafael Mendonça França | 2012-05-13 | 1 file | -1/+1

    Support data: url scheme

* Deprecate link_to_function and button_to_function helpers
  Rafael Mendonça França | 2012-04-30 | 1 file | -0/+4