path: root/actionpack/lib/action_view
* Double assign locals to avoid unused variables warning
  Andrew White, 2016-11-02, 1 file changed, -1/+2

* Fix File.exists? deprecation warnings in Action Pack
  Andrew White, 2016-11-02, 1 file changed, -1/+1

* adds a couple of missing requires
  Xavier Noria, 2016-08-22, 2 files changed, -0/+3

* Remove dead code and ensure values are strings before calling gsub
  Mike Virata-Stone, 2016-08-11, 1 file changed, -2/+1

* Merge branch '3-2-22-3' into 3-2-stable
  Aaron Patterson, 2016-08-11, 1 file changed, -0/+1

    * 3-2-22-3:
      bumping version
      Include missing module in tag_helper

  * Include missing module in tag_helper
    Carlos Antonio da Silva, 2016-08-11, 1 file changed, -0/+1

      Since 6857415187810f1289068a448268264d0cf0844f we are using #safe_join to join the content when an Array is given, so we must include the dependent module here to make sure it's available when this module is used alone.

      This was making Simple Form tests fail with current master due to the missing dependency.

* Merge branch '3-2-22-3' into 3-2-stable
  Aaron Patterson, 2016-08-11, 1 file changed, -4/+11

    * 3-2-22-3:
      bumping version
      ensure tag/content_tag escapes " in attribute vals

  * ensure tag/content_tag escapes " in attribute vals
    Andrew Carpenter, 2016-08-10, 1 file changed, -4/+11

      Many helpers mark content as HTML-safe without escaping double quotes -- including `sanitize`. Regardless of whether or not the attribute values are HTML-escaped, we want to be sure they don't include double quotes, as that can cause XSS issues. For example:

        content_tag(:div, "foo", title: sanitize('" onmouseover="alert(1);//'))

      CVE-2016-6316
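The bug class behind CVE-2016-6316, as an added example rather than Rails' own code: a minimal attribute builder in which a safe-marked value containing a double quote breaks out of the attribute, next to the hardened version that escapes `"` regardless of the safe flag. `SafeString` stands in for a string marked `html_safe`, `sanitize` is a crude tag-stripping stand-in for the real helper, and the `hardened:` switch exists only to show both behaviours; the payload is the one quoted in the commit message.

```ruby
# Added example, not Rails code: reproduce the CVE-2016-6316 bug class and its fix.
# SafeString stands in for a string a sanitizer has marked html_safe.
class SafeString < String
  def html_safe?
    true
  end
end

ESCAPE_MAP = { "&" => "&amp;", "<" => "&lt;", ">" => "&gt;",
               '"' => "&quot;", "'" => "&#39;" }.freeze

# Full HTML escaping for untrusted values.
def html_escape(value)
  value.to_s.gsub(/[&<>"']/, ESCAPE_MAP)
end

def safe_marked?(value)
  value.respond_to?(:html_safe?) && value.html_safe?
end

# Before the fix: a safe-marked value is emitted verbatim inside the quotes, so a
# value that still contains a double quote closes the attribute early and the rest
# of it becomes new attributes (here an onmouseover handler).
def vulnerable_tag_option(name, value)
  %(#{name}="#{safe_marked?(value) ? value : html_escape(value)}")
end

# After the fix: safe-marked or not, a double quote can never appear raw inside a
# double-quoted attribute value.
def hardened_tag_option(name, value)
  escaped = safe_marked?(value) ? value.to_s.gsub('"', "&quot;") : html_escape(value)
  %(#{name}="#{escaped}")
end

# Tiny content_tag; `hardened: false` reproduces the pre-fix behaviour (illustrative switch).
def content_tag(tag, content, attrs, hardened: true)
  builder = hardened ? method(:hardened_tag_option) : method(:vulnerable_tag_option)
  opening = [tag, *attrs.map { |k, v| builder.call(k, v) }].join(" ")
  "<#{opening}>#{html_escape(content)}</#{tag}>"
end

# Stand-in for a sanitizer: strips tags but leaves quotes alone and returns a
# safe-marked string, which is exactly the combination the commit warns about.
def sanitize(input)
  SafeString.new(input.gsub(/<[^>]*>/, ""))
end

# The payload from the commit message.
PAYLOAD = '" onmouseover="alert(1);//'

def vulnerable_output
  content_tag(:div, "foo", { title: sanitize(PAYLOAD) }, hardened: false)
end

def hardened_output
  content_tag(:div, "foo", { title: sanitize(PAYLOAD) })
end

if $PROGRAM_NAME == __FILE__
  puts vulnerable_output
  puts hardened_output
end
```

The point to take away is that "HTML-safe" is a statement about text content, not about attribute context: a sanitizer can legitimately leave `"` in place, so the attribute builder has to own that escaping itself.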
* Require hash_with_indifferent_access before using it
  Rafael Mendonça França, 2016-03-08, 1 file changed, -0/+2

* Don't allow render(params) in view/controller
  Arthur Neves, 2016-02-29, 1 file changed, -0/+5

    `render(params)` is dangerous and could be a vector for attackers. Don't allow calls to render passing params on views or controllers.

    On a controller or view, we should not allow something like `render params[:id]` or `render params`. That could be problematic, because an attacker could pass input that could lead to a remote code execution attack.

    This patch is also compatible when using strong parameters.

    CVE-2016-2098

* Complete work on 3.2 for render_data_leak patch.
  Arthur Neves, 2016-02-29, 6 files changed, -25/+49

    Render could leak access to external files before this patch. A previous patch (CVE-2016-0752) attempted to fix this. However the tests were misplaced outside the TestCase subclass, so they were not running.

    We should allow :file to be outside rails root, but anything else must be inside the rails view directory.

    The implementation has changed a bit though. Now the patch is more similar to the 4.x series patches. Now `render 'foo/bar'` will add a special key in the options hash, and not use the :file one, so when we look up that file, we don't set the fallbacks, and only look up a template, to constrain the folders that can be accessed.

    CVE-2016-2097

* Use Ruby 1.8 compat syntax in actionpack/lib/action_view/template/resolver.rb.
  Josef Šimánek, 2016-01-26, 1 file changed, -1/+1

    closes GH-23248

* allow :file to be outside rails root, but anything else must be inside the rails view directory
  Aaron Patterson, 2016-01-22, 1 file changed, -0/+17

    Conflicts:
      actionpack/test/controller/render_test.rb
      actionview/lib/action_view/template/resolver.rb

    CVE-2016-0752
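The rule stated by the three render commits above (CVE-2016-2098, CVE-2016-2097, CVE-2016-0752), as an added example rather than Rails' resolver: an explicit `:file` may live anywhere, but any other template reference, including a string that arrived via `params`, must resolve to a file inside the view directory once `..` and symlinks have been collapsed. `resolve_template`, `TemplateNotInViewPath` and the directory layout that `demo` builds in a temporary directory are illustrative.

```ruby
# Added example, not Rails' resolver: enforce "anything but :file stays inside the
# view directory" and exercise it against a constructed app layout.
require "pathname"
require "tmpdir"
require "fileutils"

class TemplateNotInViewPath < StandardError; end

# Resolve a template reference against view_root. With file: true the reference
# is a developer-supplied path and may point anywhere; otherwise it must land
# inside view_root.
def resolve_template(reference, view_root:, file: false)
  root = Pathname.new(view_root).realpath
  candidate = Pathname.new(reference)
  candidate = root.join(candidate) unless file || candidate.absolute?
  # realpath follows symlinks and collapses "..", so a link placed inside the
  # view directory but pointing outside it is caught as well.
  resolved = candidate.realpath
  return resolved if file
  unless resolved.to_s.start_with?(root.to_s + File::SEPARATOR)
    raise TemplateNotInViewPath, "#{reference} resolves to #{resolved}, outside #{root}"
  end
  resolved
end

# Build a throwaway app layout (constructed data) and try the interesting cases.
def demo
  Dir.mktmpdir do |dir|
    views  = File.join(dir, "app", "views")
    secret = File.join(dir, "config", "database.yml")
    FileUtils.mkdir_p(File.join(views, "foo"))
    FileUtils.mkdir_p(File.dirname(secret))
    File.write(File.join(views, "foo", "bar.html.erb"), "<h1>bar</h1>")
    File.write(secret, "password: hunter2")
    # A symlink inside the view directory that points at the secret file.
    File.symlink(secret, File.join(views, "leak.html.erb"))

    attempt = lambda do |reference, **opts|
      begin
        resolve_template(reference, view_root: views, **opts)
        :allowed
      rescue TemplateNotInViewPath
        :rejected
      end
    end

    {
      inside:        attempt.call("foo/bar.html.erb"),            # normal render 'foo/bar'
      traversal:     attempt.call("../../config/database.yml"),   # attacker-controlled string
      absolute:      attempt.call(secret),                        # absolute path, no :file
      symlink:       attempt.call("leak.html.erb"),               # link that escapes the root
      explicit_file: attempt.call(secret, file: true),            # developer's :file option
    }
  end
end

if $PROGRAM_NAME == __FILE__
  demo.each { |name, verdict| puts "#{name}: #{verdict}" }
end
```

Checking the prefix against the real path rather than against the raw string is what makes the `..` and symlink cases fail closed; a string comparison on the unresolved reference would pass both.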
* blacklist test-unit's @internal_data ivar
  Aman Gupta, 2015-01-02, 1 file changed, -0/+1

* Feature detect based on Ruby version.
  Aaron Patterson, 2014-05-18, 1 file changed, -1/+1

    I didn't want to do this, FNM_EXTGLOB is defined on 2.1.x, but Dir.glob returns the wrong value on Ruby less than 2.2.0. Checking for a case-insensitive FS seems too hard, so just check Ruby version.

* feature detect for FNM_EXTGLOB for older Ruby. Fixes #15053
  Aaron Patterson, 2014-05-10, 1 file changed, -5/+21

* use fnmatch to test for case insensitive file systems
  Aaron Patterson, 2014-05-09, 1 file changed, -4/+2

    this is due to: https://bugs.ruby-lang.org/issues/5994

* Merge branch '3-2-17' into 3-2-stable
  Rafael Mendonça França, 2014-02-18, 2 files changed, -2/+14

    Conflicts:
      actionpack/CHANGELOG.md

  * Use the reference for the mime type to get the format
    Rafael Mendonça França, 2014-02-18, 1 file changed, -1/+1

      Before we were calling to_sym on the mime type, even when it is unknown, which can cause denial of service since symbols are not removed by the garbage collector.

      Fixes: CVE-2014-0082

  * Escape format, negative_format and units options of number helpers
    Rafael Mendonça França, 2014-02-18, 1 file changed, -1/+13

      Previously the values of these options were trusted leading to potential XSS vulnerabilities.

      Fixes: CVE-2014-0081
* Merge pull request #13183 from sorah/never_ignore_i18n_translate_raise_option
  Carlos Antonio da Silva, 2013-12-04, 1 file changed, -1/+9

    Escalate missing error when :raise is true in translate helper, fix regression introduced by security fix.

    Conflicts:
      actionpack/CHANGELOG.md

* Fix documentation of number_to_currency helper
  Rafael Mendonça França, 2013-12-04, 1 file changed, -4/+4

    Now users have to explicitly mark the unit as safe if they trust it.

    Closes #13161

* Stop using i18n's built in HTML error handling.
  Michael Koziarski, 2013-12-02, 1 file changed, -13/+8

    i18n doesn't depend on active support which means it can't use our html_safe code to do its escaping when generating the spans. Rather than try to sanitize the output from i18n, just revert to our old behaviour of rescuing the error and constructing the tag ourselves.

    Fixes: CVE-2013-4491

    Conflicts:
      actionpack/lib/action_view/helpers/translation_helper.rb

    Backport: 50afd8eec9d088ad5a2d41f00a05520d5b78a6a0

* Escape the unit value provided to number_to_currency
  Michael Koziarski, 2013-12-02, 1 file changed, -1/+1

    Fixes CVE-2013-6415

    Previously the values were trusted blindly allowing for potential XSS attacks.
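The number-helper fixes above (CVE-2013-6415 for `:unit`, CVE-2014-0081 for `:format`, `:negative_format` and `:unit`, and the documentation change that callers must now explicitly mark a trusted unit as safe), as an added example rather than Rails' NumberHelper: a minimal `number_to_currency` that escapes those options unless the caller marked them safe. `SafeString` and `html_safe` stand in for Rails' SafeBuffer and `String#html_safe`, the defaults are illustrative, and the `escape:` keyword exists only to show the pre-fix behaviour side by side.

```ruby
# Added example, not Rails' NumberHelper: escape :unit / :format / :negative_format
# unless the caller explicitly marked them safe.
class SafeString < String
  def html_safe?
    true
  end
end

# Stand-in for String#html_safe: the caller vouches for this string.
def html_safe(str)
  SafeString.new(str)
end

ESCAPES = { "&" => "&amp;", "<" => "&lt;", ">" => "&gt;",
            '"' => "&quot;", "'" => "&#39;" }.freeze

# Escape unless the value was explicitly marked safe.
def h(value)
  return value.to_s if value.respond_to?(:html_safe?) && value.html_safe?
  value.to_s.gsub(/[&<>"']/, ESCAPES)
end

# escape: false reproduces the pre-fix behaviour (illustrative switch, not a Rails option).
def number_to_currency(number, unit: "$", format: "%u%n", negative_format: nil,
                       precision: 2, delimiter: ",", separator: ".", escape: true)
  negative_format ||= "-" + format
  pattern = number < 0 ? negative_format : format

  int, frac = ("%.#{precision}f" % number.abs).split(".")
  int = int.gsub(/(\d)(?=(\d{3})+$)/, "\\1#{delimiter}")
  amount = [int, frac].compact.join(separator)

  # Escape the option strings *before* substituting the amount in, so markup
  # smuggled in through :unit or :format is neutralised rather than rendered.
  pattern = h(pattern) if escape
  unit    = h(unit) if escape
  # Block form of gsub so a unit containing "\\1" is not read as a backreference.
  pattern.gsub("%n") { amount }.gsub("%u") { unit }
end

if $PROGRAM_NAME == __FILE__
  evil = "<script>alert(1)</script>"
  puts number_to_currency(10, unit: evil, escape: false)   # pre-fix: script tag reaches the page
  puts number_to_currency(10, unit: evil)                  # fixed: escaped
  puts number_to_currency(10, unit: html_safe("&euro;"), format: "%n %u")  # trusted unit kept
end
```

Note the asymmetry the documentation commit describes: a plain string unit is now escaped by default, and an entity such as `&euro;` only survives when the caller wraps it in the safe marker, so the trust decision is made at the call site rather than inside the helper.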
* Only use valid mime type symbols as cache keys
  Aaron Patterson, 2013-11-30, 1 file changed, -0/+7

    CVE-2013-6414
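The symbol-interning denial of service behind this commit and the CVE-2014-0082 change above, as an added example rather than Rails' Mime::Type code: incoming media-type strings are looked up against a fixed registry by string, so only registered types ever map to a Symbol and a cache keyed by format cannot be grown by a flood of unknown types. The registry contents and the `FormatCache` class are illustrative.

```ruby
# Added example, not Rails' Mime::Type code: resolve formats without calling
# to_sym on request input.
KNOWN_MIME_TYPES = {
  "text/html"        => :html,
  "application/json" => :json,
  "application/xml"  => :xml,
  "text/plain"       => :text,
}.freeze

# Pre-fix shape: every distinct string a client sends becomes a Symbol. Before
# Ruby 2.2 dynamically created symbols were never garbage collected, so a flood
# of requests with unique media types grows the symbol table without bound.
def vulnerable_format_for(mime_string)
  mime_string.to_s.downcase.to_sym
end

# Fixed shape: strip parameters (charset etc.), normalise case and consult the
# registry. Unknown types yield nil; known types yield the registry's own
# pre-existing Symbol, so nothing is ever minted from request input.
def format_for(mime_string)
  type = mime_string.to_s.split(";").first.to_s.strip.downcase
  KNOWN_MIME_TYPES[type]
end

# A cache keyed by format must likewise only admit known formats, otherwise the
# cache itself becomes the unbounded structure.
class FormatCache
  def initialize
    @store = {}
  end

  # Yields the format symbol to build the cached value on first use.
  def fetch(mime_string)
    key = format_for(mime_string)
    return nil if key.nil?
    @store[key] ||= yield(key)
  end

  def size
    @store.size
  end
end

if $PROGRAM_NAME == __FILE__
  cache = FormatCache.new
  %w[text/html application/json].each { |t| cache.fetch(t) { |k| "renderer for #{k}" } }
  1_000.times { |i| cache.fetch("application/x-flood-#{i}") { |k| "renderer for #{k}" } }
  puts "cache holds #{cache.size} entries after 1000 unknown types"
end
```

The same rule applies to any place that turns request data into a hash key or an interned identifier: validate against a closed set first, then use the set's own value as the key.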
* fix issue #11605
  Kassio Borges, 2013-08-24, 4 files changed, -16/+4

* Merge pull request #10971 from dtaniwaki/escape_link_to_unless
  Rafael Mendonça França, 2013-06-24, 1 file changed, -1/+1

    Always escape the result of link_to_unless method

* Compare host scheme using case-insensitive regexp
  Rafael Mendonça França, 2013-06-16, 1 file changed, -1/+1

    Before:

      image_tag("HTTP://google.com")
      # => "<img alt=\"Google\" src=\"/assets/HTTP://google.com\" />"
      image_tag("http://google.com")
      # => "<img alt=\"Google\" src=\"http://google.com\" />"

    After:

      image_tag("HTTP://google.com")
      # => "<img alt=\"Google\" src=\"HTTP://google.com\" />"
      image_tag("http://google.com")
      # => "<img alt=\"Google\" src=\"http://google.com\" />"

    Backport of #10969

* Merging in fix from #8222
  Ben Tucker, 2013-05-06, 1 file changed, -1/+1

* Fix explicit names on multiple file fields
  Ryan McGeary, 2013-04-05, 1 file changed, -8/+7

    If a file field tag is passed the multiple option, it is turned into an array field (appending "[]"), but if the file field is passed an explicit name as an option, leave the name alone (do not append "[]").

    Fixes #9830

* Common behavior with adding formats to lookup_context for TemplateRenderer and PartialRenderer
  Dmitry Vorotilin, 2013-04-02, 4 files changed, -4/+16

* Backport #9347 to rails 3.2
  hoffm, 2013-03-19, 1 file changed, -1/+1

* do not freeze NumberHelper defaults.
  Yves Senn, 2013-03-18, 1 file changed, -2/+2

    Closes #9767.

* Extract hardcoded lists to Redo::RestaurantsList
  Juan Barreneche, 2013-03-14, 1 file changed, -1/+7

* Merge pull request #9616 from exviva/multiple_select_name_double_square_brackets
  Carlos Antonio da Silva, 2013-03-09, 1 file changed, -1/+1

    Fix incorrectly appended square brackets to a multiple select box

    Before:

      select(:category, [], {}, {:multiple => true, :name => "post[category][]"})
      # => <select name="post[category][][]" ...>

    After:

      select(:category, [], {}, {:multiple => true, :name => "post[category][]"})
      # => <select name="post[category][]" ...>

    Conflicts:
      actionpack/CHANGELOG.md
      actionpack/lib/action_view/helpers/tags/base.rb
      actionpack/test/template/form_options_helper_test.rb

* Change tabs to spaces in form options helper [ci skip]
  Carlos Antonio da Silva, 2013-02-21, 1 file changed, -2/+2

* Add another NumberHelper missing dependency
  Rodrigo Rosenfeld Rosas, 2013-01-29, 1 file changed, -0/+1

    Another missing dependency, now affecting #number_to_percentage. It depends on reverse_merge.

* Add NumberHelper missing dependency
  Rodrigo Rosenfeld Rosas, 2013-01-29, 1 file changed, -0/+1

    symbolize_keys depends on hash/keys AS core extension

* Do not call fields_for from form_for, to avoid instantiating two builders
  Carlos Antonio da Silva, 2013-01-06, 1 file changed, -8/+6

    Conflicts:
      actionpack/lib/action_view/helpers/form_helper.rb
      actionpack/test/template/form_helper_test.rb

* Merge pull request #8719 from pcasaretto/fix-actionview-doc-typo
  Carlos Antonio da Silva, 2013-01-03, 1 file changed, -1/+1

    Fix typo on form_tag_helper.rb [ci skip]

* fix block.arity raise nil error when not given a block to "content_tag_for"
  jasl, 2013-01-02, 1 file changed, -1/+3

* Make distance_of_time_in_words work with DateTime offsets
  Andrew White, 2012-12-04, 1 file changed, -2/+3

    Because DateTime#to_time returns self when it has a non-zero offset and subtracting two DateTime instances returns a Rational, the distance_of_time_in_words method outputs an incorrect value.

    This is fixed in master because we can rely on Ruby 1.9.3's implementation of to_time, but it can't be fixed on Ruby 1.8.7 as there is no way to map the DateTime to a Time with a non-zero offset.

    We can work around the problem by casting to Float before doing the subtraction in the distance_of_time_in_words method.

    Closes #8390

* Make output of distance_of_time_in_words consistent
  Andrew White, 2012-12-04, 1 file changed, -2/+2

    This commit fixes the output of distance_of_time_in_words when using integer or duration arguments. Previously a distance of more than 30 seconds would be output as 'Less than 1 minute' when using integer arguments and '1 minute' when using two Time instances more than 30 seconds apart.

    Cherry picked from 5fdd4cd9e47be972f146a8a17a74c8f4700e2ac0

* Override <%== to always behave as literal text rather than toggling based on whether escaping is enabled.
  Jeremy Kemper, 2012-12-03, 1 file changed, -0/+11

    Fixes that existing plaintext email templates using <%== unexpectedly flipped to *escaping* HTML when #8235 was merged.

    Conflicts:
      actionpack/test/template/template_test.rb

* Merge pull request #8402 from senny/8376_descriptive_error_message_for_partial_layout_true
  Rafael Mendonça França, 2012-12-02, 1 file changed, -1/+1

    More descriptive error when rendering a partial with `:layout => true`

    Conflicts:
      actionpack/CHANGELOG.md
      actionpack/lib/action_view/renderer/partial_renderer.rb

* Add i18n scope to distance_of_time_in_words.
  Steve Klabnik, 2012-11-26, 1 file changed, -3/+7

    This is a backport of rails/rails#7997.

* Merge pull request #8235 from tilsammans/dont_escape_actionmailer_when_plaintext
  José Valim, 2012-11-16, 1 file changed, -0/+5

    Introduce `ActionView::Template::Handlers::ERB.escape_whitelist`

    Conflicts:
      actionpack/CHANGELOG.md
      actionpack/test/template/template_test.rb

* [ci skip] Correct examples for form_tag helper.
  DawidJanczak, 2012-11-14, 1 file changed, -2/+2

* Merge pull request #8108 from Casecommons/fix-multiple-and-index-in-instance-tag
  Rafael Mendonça França, 2012-11-08, 1 file changed, -1/+3

    Support :multiple option on input tags that also have :index

    Conflicts:
      actionpack/lib/action_view/helpers/tags/base.rb
      actionpack/lib/action_view/helpers/tags/collection_check_boxes.rb

* Revert "Merge pull request #7797 from senny/7459_prefix_tempalte_assertion_variables"
  Rafael Mendonça França, 2012-10-30, 1 file changed, -3/+3

    This reverts commit 2bad605873b5b720d77ae6388a995827ab7fe705.

    Conflicts:
      actionpack/CHANGELOG.md

    Reason: This added a regression related with shoulda-matchers, since it is expecting the instance variable @layouts

    See https://github.com/thoughtbot/shoulda-matchers/blob/9e1188eea68c47d9a56ce6280e45027da6187ab1/lib/shoulda/matchers/action_controller/render_with_layout_matcher.rb#L74

    This will introduce back #7459 but this stable release will be backward compatible.

    Related with #8068.