Commit message | Author | Age | Files | Lines | ||
---|---|---|---|---|---|---|
... | ||||||
* | Make encodings work with Erubis and 1.9 again | Yehuda Katz | 2009-10-16 | 1 | -3/+5 | |
| | ||||||
* | Fix a bug where templates with locales were not being sorted correctly | Yehuda Katz | 2009-10-16 | 1 | -1/+1 | |
| | ||||||
* | Merge branch 'master' into orchestra | Jeremy Kemper | 2009-10-15 | 1 | -1/+10 | |
|\ | ||||||
| * | Change config implementation in AV slightly | Yehuda Katz | 2009-10-15 | 1 | -1/+10 | |
| | | ||||||
* | | Renamed Orchestra to Notifications once again [#3321 state:resolved] | José Valim | 2009-10-15 | 1 | -1/+1 | |
| | | ||||||
* | | Unify benchmark APIs. | José Valim | 2009-10-15 | 2 | -56/+4 | |
| | | ||||||
* | | Update Orchestra instrumentations and move part of logging to Orchestra. | José Valim | 2009-10-15 | 1 | -1/+1 | |
| | | ||||||
* | | Revert "Rename Orchestra to Notifications [#3321 state:resolved]" | José Valim | 2009-10-15 | 1 | -1/+1 | |
|/ | | | | This reverts commit 8cbf825425dc8ad3770881ea4e100b9023c69ce2. | |||||
* | Make this less brittle and work on 1.8 | Yehuda Katz | 2009-10-15 | 1 | -9/+9 | |
| | ||||||
* | Make the erubis implementation easier for plugins to change. | Michael Koziarski | 2009-10-15 | 1 | -1/+4 | |
| | ||||||
* | Add a read-only method which plugin authors can use to determine if xss ↵ | Michael Koziarski | 2009-10-15 | 1 | -0/+5 | |
| | | | | | | | escaping. This doesn't provide a way to turn off the escaping, but alternative template engine authors can figure out what their default should be by calling this. Avoids a messy version + plugin check. | |||||
* | Rename Orchestra to Notifications [#3321 state:resolved] | Joshua Peek | 2009-10-14 | 1 | -1/+1 | |
| | ||||||
* | Make sure non-escaped urls aren't considered safe | Michael Koziarski | 2009-10-15 | 1 | -1/+1 | |
| | ||||||
* | Use ERB::Util.h over CGI.escapeHTML as the former is safety aware and the latter isn't | Michael Koziarski | 2009-10-15 | 1 | -1/+1 | |
| | ||||||
* | ActionView.url_for doesn't escape by default | Phil Darnowsky | 2009-10-15 | 1 | -1/+1 | |
| | | | | | | | | | | | | | | | | | ActionView::Helpers::UrlHelper#url_for used to escape the URLs it generated by default. This was most commonly seen when generating a path with multiple query parameters, e.g. url_for(:controller => :foo, :action => :bar, :this => 123, :that => 456) would return http://example.com/foo/bar?that=456&amp;this=123 escaping an ampersand that shouldn't be escaped. This is both wrong and inconsistent with the behavior of ActionController#url_for, and is changed. Signed-off-by: Michael Koziarski <michael@koziarski.com> | |||||
* | Start adding configuration to ActionView instead of using constants. | Yehuda Katz | 2009-10-14 | 2 | -13/+17 | |
| | | | | | | | By using config rather than hardcoded constants, we can evolve the configuration system over time (we'd just need to update the config method with more robust capabilities and all consumers would get the capabilities with no code changes) | |||||
* | Fix a bug where render :text could not handle yield :symbol. Fixes guides generation | Yehuda Katz | 2009-10-10 | 1 | -9/+13 | |
| | ||||||
* | Fix issue with standalone ActionView | Yehuda Katz | 2009-10-09 | 1 | -1/+4 | |
| | ||||||
* | Get rid of constant name usage for stack trace help in favor of overriding #inspect and .name. | Yehuda Katz | 2009-10-09 | 1 | -9/+9 | |
| | ||||||
* | Finish porting over the initializers to the app object and fix all the tests | Carl Lerche | 2009-10-08 | 1 | -2/+5 | |
| | ||||||
* | API change: content_tag_for outputs prefixed class name | Joshua Peek | 2009-10-08 | 1 | -3/+3 | |
| | ||||||
* | Fix warning spew for 1.9 | Carl Lerche | 2009-10-08 | 1 | -1/+5 | |
| | ||||||
* | error procs have to be safe too | Michael Koziarski | 2009-10-08 | 1 | -1/+1 | |
| | ||||||
* | Switch to on-by-default XSS escaping for rails. | Michael Koziarski | 2009-10-08 | 19 | -32/+112 | |
| | | | | | | | | | | | | This consists of: * String#html_safe! a method to mark a string as 'safe' * ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it * Calls to String#html_safe! throughout the rails helpers * a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presanitized strings in the DB) * New ERB implementation based on erubis which uses a SafeBuffer instead of a String Hat tip to Django for the inspiration. | |||||
* | Not calling a private method anymore | Yehuda Katz | 2009-10-07 | 1 | -2/+5 | |
| | ||||||
* | Fix warning spew | Yehuda Katz | 2009-10-06 | 1 | -1/+3 | |
| | ||||||
* | NumberHelper depends on big decimal extensions | Joshua Peek | 2009-10-03 | 1 | -0/+1 | |
| | ||||||
* | Ported the new ActionView::TestCase from 2-3-stable to master [#3260 | Erik Ostrom | 2009-09-28 | 2 | -25/+101 | |
| | | | | | | | | | | | | | | | | | state:resolved] The test case now mimics the template environment more closely, so it's possible to use render, load helper dependencies. This also fixes assert_select, and similar assertions. Because view tests and helpers generally don't render full templates assert_select looks first in rendered and then in output_buffer to find the rendered output. Additional `master'-only changes: Made the Action Pack Rakefile run the ActionView::TestCase tests, and made ActionView::Rendering#_render_text always return a string. Signed-off-by: Joshua Peek <josh@joshpeek.com> | |||||
* | Introduce :almost keyword for distance_of_time_in_words. Make 1.75 days - 2 ↵ | John Trupiano | 2009-09-28 | 2 | -10/+22 | |
| | | | | | | | days return '2 days'. Signed-off-by: Michael Koziarski <michael@koziarski.com> [#3266 state:committed] | |||||
* | Enhancing distance_of_time_in_words to prefix year output with over and ↵ | Jay Pignata | 2009-09-28 | 1 | -4/+7 | |
| | | | | | | | about depending upon how many months have elapsed Signed-off-by: Michael Koziarski <michael@koziarski.com> [#3106 state:committed] | |||||
* | Restore split between require-time and runtime load path mungery. Simplifies vendor requires. | Jeremy Kemper | 2009-09-24 | 1 | -1/+1 | |
| | ||||||
* | Clean up log output for rendered templates | Joshua Peek | 2009-09-24 | 4 | -67/+87 | |
| | ||||||
* | Instrument process_action, render and sql. | José Valim | 2009-09-20 | 1 | -2/+4 | |
| | ||||||
* | Remove unused code in ActionView. | José Valim | 2009-09-15 | 3 | -130/+0 | |
| | | | | Signed-off-by: Yehuda Katz <wycats@gmail.com> | |||||
* | Rollback AS bundler work and improve activation of vendored dependencies | Joshua Peek | 2009-09-13 | 1 | -1/+1 | |
| | ||||||
* | AV::UrlHelper depends on Array#second | Joshua Peek | 2009-09-13 | 1 | -0/+1 | |
| | ||||||
* | Don't force test suite to use bundler | Joshua Peek | 2009-09-13 | 1 | -0/+1 | |
| | ||||||
* | Allow fields_for on a nested_attributes association to accept an explicit ↵ | Andrew France | 2009-09-12 | 1 | -7/+19 | |
| | | | | | | collection to be used. [#2648 state:resolved] Signed-off-by: Eloy Duran <eloy.de.enige@gmail.com> | |||||
* | Clean tag attributes before passing through the escape_once logic. | Michael Koziarski | 2009-09-04 | 1 | -1/+1 | |
| | | | | Addresses CVE-2009-3009 | |||||
* | Replace :formats => ["*/*"] with the default formats set | Yehuda Katz + Carl Lerche | 2009-09-03 | 1 | -0/+2 | |
| | ||||||
* | Don't raise exceptions for missing javascript_include_tag or ↵ | Sam Pohlenz | 2009-09-03 | 1 | -2/+6 | |
| | | | | | | stylesheet_link_tag sources unless the :cache or :concat options are given. [#2738 state:resolved] Signed-off-by: Joshua Peek <josh@joshpeek.com> | |||||
* | Refactor ActionView::Resolver | Yehuda Katz + Carl Lerche | 2009-09-03 | 1 | -77/+95 | |
| | ||||||
* | Fix the */* with Net::HTTP bug [#3100 state:resolved] | Yehuda Katz + Carl Lerche | 2009-09-01 | 1 | -22/+9 | |
| | ||||||
* | Remove some old cruft | Yehuda Katz | 2009-08-27 | 1 | -3/+0 | |
| | ||||||
* | Add a default parameter for Resolver#initialize | Carl Lerche | 2009-08-26 | 1 | -1/+1 | |
| | ||||||
* | I18n: use I18n for select helpers' prompt text | Akira Matsuda | 2009-08-26 | 2 | -1/+6 | |
| | | | | | | [#2252 state:committed] Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net> | |||||
* | Revert "I18n: use I18n for select helpers' prompt text" | Jeremy Kemper | 2009-08-26 | 2 | -6/+1 | |
| | | | | | | | | Broke CI. [#2252 state:open] This reverts commit adedf72821a5623227ce91e6b298838e692477e4. | |||||
* | I18n: use I18n for select helpers' prompt text | Akira Matsuda | 2009-08-26 | 2 | -1/+6 | |
| | | | | | | [#2252 state:committed] Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net> | |||||
* | Fixes ActionMailer regression [#3059 state:resolved] | Yehuda Katz | 2009-08-15 | 1 | -1/+1 | |
| | ||||||
* | Got tests to pass with some more changes. | Yehuda Katz | 2009-08-15 | 3 | -4/+16 | |
| | | | | | | | | | | | | | | | | * request.formats is much simpler now * For XHRs or Accept headers with a single item, we use the Accept header * For other requests, we use params[:format] or fallback to HTML * This is primarily to work around the fact that browsers provide completely broken Accept headers, so we have to whitelist the few cases we can specifically isolate and treat other requests as coming from the browser * For APIs, we can support single-item Accept headers, which disambiguates from the browsers * Requests to an action that only has an XML template from the browser will no longer find the template. This worked previously because most browsers provide a catch-all */*, but this was mostly accidental behavior. If you want to serve XML, either use the :xml format in links, or explicitly specify the XML template: render "template.xml". |