| Commit message (Collapse) | Author | Age | Files | Lines |
|
Signed-off-by: Michael Koziarski <michael@koziarski.com>
|
Signed-off-by: José Valim <jose.valim@gmail.com>
|
[#3259 state:resolved]
Signed-off-by: Eloy Duran <eloy.de.enige@gmail.com>
|
Signed-off-by: Joshua Peek <josh@joshpeek.com>
|
ActionView::Helpers::UrlHelper#url_for used to escape the URLs it generated by
default. This was most commonly seen when generating a path with multiple
query parameters, e.g.
    url_for(:controller => :foo, :action => :bar, :this => 123, :that => 456)
would return
    http://example.com/foo/bar?that=456&amp;this=123
escaping an ampersand that shouldn't be escaped. This is both wrong and
inconsistent with the behavior of ActionController#url_for, and is changed.
Signed-off-by: Michael Koziarski <michael@koziarski.com>
|
By using config rather than hardcoded constants, we can evolve the
configuration system over time (we'd just need to update the config
method with more robust capabilities and all consumers would get
the capabilities with no code changes)
|
This consists of:
* String#html_safe! a method to mark a string as 'safe'
* ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it
* Calls to String#html_safe! throughout the rails helpers
* a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presanitized strings in the DB)
* New ERB implementation based on erubis which uses a SafeBuffer instead of a String
Hat tip to Django for the inspiration.
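The escaping-on-concatenation behaviour this commit message describes, as an added sketch that is not Rails' code and not part of the commit. All names (`ToySafeBuffer`, `toy_raw`, `toy_content_tag`, `render_comment`) are hypothetical, and trust is modelled by class membership instead of the `String#html_safe!` flag.

```ruby
# Toy model with hypothetical names; not Rails' implementation.
TOY_ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                '"' => '&quot;', "'" => '&#39;' }.freeze

# A string subclass that escapes anything unsafe concatenated to it.
# Trust is modelled as "is a ToySafeBuffer" (an assumption of this sketch;
# the commit marks plain strings with String#html_safe! instead).
class ToySafeBuffer < String
  def concat(value)
    safe = value.is_a?(ToySafeBuffer)
    super(safe ? value : value.to_s.gsub(/[&<>"']/, TOY_ESCAPES))
  end

  def <<(value)
    concat(value)
  end

  # Keep the result a buffer so later appends are still checked.
  def +(other)
    dup.concat(other)
  end
end

# Stand-in for the 'raw' helper: the caller vouches for this HTML.
def toy_raw(html)
  ToySafeBuffer.new(html.to_s)
end

# Stand-in for a safety-aware helper: its own markup is trusted,
# its argument is escaped unless it is already marked safe.
def toy_content_tag(name, content)
  ToySafeBuffer.new('') << toy_raw("<#{name}>") << content << toy_raw("</#{name}>")
end

# Stand-in for a template: <div class="comment"><%= content_tag ... %></div>
def render_comment(comment)
  out = ToySafeBuffer.new('')
  out << toy_raw('<div class="comment">')
  out << toy_content_tag('p', comment) # helper output is not escaped twice
  out << toy_raw('</div>')
  out
end

# Constructed sample input: hostile comment text is rendered inert.
puts render_comment('<script>alert(1)</script>')
# Constructed sample input: pre-sanitized HTML passes through via toy_raw.
puts render_comment(toy_raw('<em>ok</em>'))
```

Every call to the raw stand-in is a point where escaping is bypassed, so those call sites are the ones to audit when reviewing templates for XSS.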
|
days return '2 days'.
Signed-off-by: Michael Koziarski <michael@koziarski.com>
[#3266 state:committed]
|
about depending upon how many months have elapsed
Signed-off-by: Michael Koziarski <michael@koziarski.com>
[#3106 state:committed]
|
collection to be used. [#2648 state:resolved]
Signed-off-by: Eloy Duran <eloy.de.enige@gmail.com>
|
Addresses CVE-2009-3009
|
stylesheet_link_tag sources unless the :cache or :concat options are given. [#2738 state:resolved]
Signed-off-by: Joshua Peek <josh@joshpeek.com>
|
[#2252 state:committed]
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
|
Broke CI.
[#2252 state:open]
This reverts commit adedf72821a5623227ce91e6b298838e692477e4.
|
[#2252 state:committed]
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
|
* request.formats is much simpler now
* For XHRs or Accept headers with a single item, we use the Accept header
* For other requests, we use params[:format] or fallback to HTML
* This is primarily to work around the fact that browsers provide completely
broken Accept headers, so we have to whitelist the few cases we can
specifically isolate and treat other requests as coming from the browser
* For APIs, we can support single-item Accept headers, which disambiguates
from the browsers
* Requests to an action that only has an XML template from the browser will
no longer find the template. This worked previously because most browsers
provide a catch-all */*, but this was mostly accidental behavior. If you
want to serve XML, either use the :xml format in links, or explicitly
specify the XML template: render "template.xml".
|
[#1249 state:committed]
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
|
state:resolved]
Signed-off-by: Pratik Naik <pratiknaik@gmail.com>
|
[#2660 status:resolved]
Signed-off-by: José Valim <jose.valim@gmail.com>
|
Signed-off-by: Pratik Naik <pratiknaik@gmail.com>
|
Additionally, actually test that the atom_feed helper works with :xml as an option.
[#1836 state:committed]
|
actual behavior
[#3016 state:committed]
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
|
[rizwanreza, Nick Quaranto]
Example:
content_tag('p', "limelight", :class => ["song", "play"])
# => <p class="song play">limelight</p>
Signed-off-by: Pratik Naik <pratiknaik@gmail.com>
|
Signed-off-by: Pratik Naik <pratiknaik@gmail.com>
|
Signed-off-by: José Valim <jose.valim@gmail.com>
Signed-off-by: Pratik Naik <pratiknaik@gmail.com>
|
Signed-off-by: José Valim <jose.valim@gmail.com>
|
Signed-off-by: Pratik Naik <pratiknaik@gmail.com>
|
define_method() is not supported
|
or ".css" onto external urls [#1664 state:resolved]
Signed-off-by: Pratik Naik <pratiknaik@gmail.com>
|
to the specs. Added all boolean attributes listed in the XHTML 1.0 specs (http://www.w3.org/TR/xhtml1/guidelines.html) and HTML 5 specs (http://www.whatwg.org/specs/web-apps/current-work). HTML 5 boolean attribute rendering was broken in commit 1e2d7229602f467cfdc0ef606b5ef8a5566a1501 / [#2864 state:resolved].
Signed-off-by: Yehuda Katz <wycats@gmail.com>