Commit message | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | Complete work on 3.2 for render_data_leak patch. | Arthur Neves | 2016-02-29 | 1 | -1/+1 |
| | Render could leak access to external files before this patch. A previous patch (CVE-2016-0752) attempted to fix this. However, the tests were misplaced outside the TestCase subclass, so they were not running. We should allow :file to be outside rails root, but anything else must be inside the rails view directory. The implementation has changed a bit though. Now the patch is more similar to the 4.x series patches. Now `render 'foo/bar'` will add a special key in the options hash, and not use the :file one, so when we look up that file, we don't set the fallbacks, and only look up a template, to constrain the folders that can be accessed. CVE-2016-2097 | ||||
* | fix issue #11605 | Kassio Borges | 2013-08-24 | 1 | -6/+0 |
* | Common behavior with adding formats to lookup_context for TemplateRenderer and PartialRenderer | Dmitry Vorotilin | 2013-04-02 | 1 | -0/+6 |
* | format lookup for partials is derived from the format in which the template is being rendered | Santiago Pastorino | 2012-02-22 | 1 | -1/+1 |
| | Closes #5025 part 2 | ||||
* | Using #extract_details in PartialRenderer, too! | Nick Sutterer | 2011-09-23 | 1 | -2/+0 |
* | Allow both sym and array for details options in #render. using LC#registered_details to extract options. | Nick Sutterer | 2011-09-23 | 1 | -1/+12 |
* | Deprecate passing the template handler in the template name. | José Valim | 2011-09-22 | 1 | -1/+1 |
| | For example, calling hello.erb is now deprecated. Since Rails 3.0 passing the handler had no effect whatsoever. This commit simply deprecates such cases so we can clean up the code in later releases. | ||||
* | Get rid of update_details in favor of passing details to find_template. | José Valim | 2011-09-22 | 1 | -10/+6 |
* | no @controller dependency in Renderers. | Nick Sutterer | 2011-05-04 | 1 | -2/+1 |
* | Remove view dependency from AV::Renderer. | José Valim | 2011-05-01 | 1 | -2/+2 |
* | Start abstracting the renderer. | José Valim | 2011-05-01 | 1 | -2/+2 |
* | extract formats_regexp as a method | Santiago Pastorino | 2010-10-16 | 1 | -2/+5 |
* | There's no need now to expose lookup_context as an external API | Santiago Pastorino | 2010-10-16 | 1 | -3/+1 |
* | Delegate freeze_formats to lookup_context | Santiago Pastorino | 2010-10-16 | 1 | -2/+2 |
* | Remove the :vew attr_reader from ActionView::AbstractRenderer [#5819 state:resolved] | Jeff Kreeftmeijer | 2010-10-16 | 1 | -1/+1 |
| | Signed-off-by: Santiago Pastorino <santiago@wyeworks.com> | ||||
* | Add support to render :once. | José Valim | 2010-10-10 | 1 | -6/+6 |
| | This will be used internally by sprockets to ensure requires are executed just once. | ||||
* | Clean up the house before moving in the new furniture. | José Valim | 2010-10-10 | 1 | -0/+36 |
| | This commit moves all the template rendering logic that was hanging around AV::Base to renderer objects. | ||||