Commit message | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | Don't allow render(params) in view/controller | Arthur Neves | 2016-02-29 | 1 | -0/+5 |
| | `render(params)` is dangerous and could be a vector for attackers. Don't allow calls to render passing params on views or controllers. On a controller or view, we should not allow something like `render params[:id]` or `render params`. That could be problematic, because an attacker could pass input that could lead to a remote code execution attack. This patch is also compatible when using strong parameters. CVE-2016-2098 | ||||
* | no @controller dependency in Renderers. | Nick Sutterer | 2011-05-04 | 1 | -7/+6 |
* | Add a shared entry point for AV and AC render which can be used as extension in the future. | José Valim | 2011-05-03 | 1 | -0/+9 |
* | Introduce view renderer. | José Valim | 2011-05-01 | 1 | -23/+10 |
* | Remove view dependency from AV::Renderer. | José Valim | 2011-05-01 | 1 | -29/+17 |
* | Remove more dependencies from the view. | José Valim | 2011-05-01 | 1 | -0/+1 |
* | Start abstracting the renderer. | José Valim | 2011-05-01 | 1 | -0/+70 |