| Commit message (Collapse) | Author | Age | Files | Lines |
This reverts commit 8cbf825425dc8ad3770881ea4e100b9023c69ce2.
escaping.
This doesn't provide a way to turn off the escaping, but alternative template engine authors
can figure out what their default should be by calling this. Avoids a messy version + plugin check.
latter isn't
ActionView::Helpers::UrlHelper#url_for used to escape the URLs it generated by
default. This was most commonly seen when generating a path with multiple
query parameters, e.g.
    url_for(:controller => :foo, :action => :bar, :this => 123, :that => 456)
would return
    http://example.com/foo/bar?that=456&amp;this=123
escaping an ampersand that shouldn't be escaped. This is both wrong and
inconsistent with the behavior of ActionController#url_for, and is changed.
Signed-off-by: Michael Koziarski <michael@koziarski.com>
By using config rather than hardcoded constants, we can evolve the
configuration system over time (we'd just need to update the config
method with more robust capabilities and all consumers would get
the capabilities with no code changes)
generation
#inspect and .name.
This consists of:
* String#html_safe! a method to mark a string as 'safe'
* ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it
* Calls to String#html_safe! throughout the rails helpers
* a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presanitized strings in the DB)
* New ERB implementation based on erubis which uses a SafeBuffer instead of a String
Hat tip to Django for the inspiration.
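As an added illustration of the design this commit message lists (not Rails' own code), the following is a minimal model of a safe buffer: untrusted strings are escaped when appended, strings marked with `html_safe!` or wrapped by `raw` pass through, and `safe_concat` stands in for the literal template text the ERB compiler emits. All class and method names are mine.

```ruby
# Added example, not the Rails implementation: models the SafeBuffer design.
require 'cgi'

# Stand-in for String#html_safe!: marks a string as trusted HTML.
module HtmlSafeMarking
  def html_safe!
    @html_safe = true
    self
  end

  def html_safe?
    @html_safe == true
  end
end
String.include(HtmlSafeMarking)

# A String subclass that escapes anything unsafe concatenated to it.
class SafeBuffer < String
  def initialize(str = '')
    super(str)
    @html_safe = true
  end

  # Untrusted input is escaped; strings already marked safe are appended as-is.
  def <<(value)
    value = value.to_s unless value.is_a?(String)  # keep ivars of String subclasses
    safe_concat(value.html_safe? ? value : CGI.escapeHTML(value))
  end
  alias concat <<

  # Appends trusted template literals without escaping (what the template compiler emits).
  def safe_concat(value)
    String.instance_method(:<<).bind(self).call(value.to_s)
  end
end

# The 'raw' helper: wraps content that is already sanitized so the buffer does not escape it.
def raw(str)
  str.to_s.dup.html_safe!
end

# Renders a comment the way a template would: literals and presanitized body pass through,
# the user-supplied author name is escaped.
def render_comment(author, body_html_from_db)
  buf = SafeBuffer.new
  buf.safe_concat('<p>')
  buf << author                  # untrusted: escaped
  buf.safe_concat(': ')
  buf << raw(body_html_from_db)  # presanitized (constructed sample): passed through
  buf.safe_concat('</p>')
  buf.to_str
end
```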
state:resolved]
The test case now mimics the template environment more closely, so it's
possible to use render, load helper dependencies.
This also fixes assert_select, and similar assertions. Because view tests
and helpers generally don't render full templates assert_select looks
first in rendered and then in output_buffer to find the rendered output.
Additional `master'-only changes: Made the Action Pack Rakefile run the
ActionView::TestCase tests, and made ActionView::Rendering#_render_text
always return a string.
Signed-off-by: Joshua Peek <josh@joshpeek.com>
days return '2 days'.
Signed-off-by: Michael Koziarski <michael@koziarski.com>
[#3266 state:committed]
about depending upon how many months have elapsed
Signed-off-by: Michael Koziarski <michael@koziarski.com>
[#3106 state:committed]
vendor requires.
Signed-off-by: Yehuda Katz <wycats@gmail.com>
collection to be used. [#2648 state:resolved]
Signed-off-by: Eloy Duran <eloy.de.enige@gmail.com>
Addresses CVE-2009-3009
stylesheet_link_tag sources unless the :cache or :concat options are given. [#2738 state:resolved]
Signed-off-by: Joshua Peek <josh@joshpeek.com>
[#2252 state:committed]
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
Broke CI.
[#2252 state:open]
This reverts commit adedf72821a5623227ce91e6b298838e692477e4.
[#2252 state:committed]
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
* request.formats is much simpler now
* For XHRs or Accept headers with a single item, we use the Accept header
* For other requests, we use params[:format] or fallback to HTML
* This is primarily to work around the fact that browsers provide completely
broken Accept headers, so we have to whitelist the few cases we can
specifically isolate and treat other requests as coming from the browser
* For APIs, we can support single-item Accept headers, which disambiguates
from the browsers
* Requests to an action that only has an XML template from the browser will
no longer find the template. This worked previously because most browsers
provide a catch-all */*, but this was mostly accidental behavior. If you
want to serve XML, either use the :xml format in links, or explicitly
specify the XML template: render "template.xml".
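As an added model of the negotiation rules this commit message lists (not Rails' own code): XHRs and single-item Accept headers are honoured, anything else is treated as a browser with an unreliable Accept header and gets params[:format] or HTML, and a lookup shows why a browser request no longer finds an XML-only template. The mime table, method names and sample headers are mine.

```ruby
# Added example, not the Rails implementation: models request.formats after this change.

# Assumed mapping from Accept header items to format symbols.
MIME_TYPES = {
  'text/html'        => :html,
  'application/xml'  => :xml,
  'application/json' => :json
}.freeze
KNOWN_FORMATS = MIME_TYPES.values.freeze

# Returns the negotiated format for a request described by its Accept header,
# XHR flag and params hash.
def negotiate_format(accept:, xhr: false, params: {})
  items = accept.to_s.split(',').map { |s| s.split(';').first.to_s.strip }.reject(&:empty?)

  # Rule 1: XHRs and single-item Accept headers can be trusted (APIs disambiguate
  # themselves from browsers this way). A catch-all like */* matches nothing.
  if xhr || items.size == 1
    fmt = items.map { |i| MIME_TYPES[i] }.compact.first
    return fmt if fmt
  end

  # Rule 2: everything else is assumed to be a browser with a broken Accept header:
  # use an explicit params[:format] (from ?format= or a .ext link), else HTML.
  requested = params[:format].to_s.to_sym
  KNOWN_FORMATS.include?(requested) ? requested : :html
end

# Mimics template lookup: only a template whose extension matches the negotiated
# format is found, so an XML-only action is not reachable from a plain browser request.
def find_template(templates, format)
  templates.find { |t| t.end_with?(".#{format}") }
end

# Constructed sample header, as a typical browser sends it.
BROWSER_ACCEPT = 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
```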
architecture is kind of messy. Next: CLEAN UP.
* only one of partial_name or :as will be available as a local
* `object` is removed
* Simplify _layout_for in most cases.
* Remove <% render :partial do |args| %>
* <% render :partial do %> still works fine
* Call _evaluate_assigns_and_ivars at the two entry points so we don't have to
do a check at every render.
* Make template.render viable without having to go through a wrapper method
* Remove old TemplateHandler#render(template, local_assigns) path so we don't have
to set self.template every time we render a template.
* Move Template rescuing code to Template#render so it gets caught every time.
* Pull in some tests from Pratik that test render @object in ActionView
* Move #set_cookie and #delete_cookie inline to optimize. These optimizations should
almost certainly be sent back upstream to Rack. The optimization involves using
an ivar for cookies instead of indexing into the headers each time.
* Was able to use a bare Hash for headers now that cookies have their own joining
semantics (some code assumed that the raw cookies were an Array).
* Cache blankness of body on body=
* Improve expand_cache_key for Arrays of a single element (common in our case)
* Use a simple layout condition check unless conditions are used
* Cache visible actions
* Lazily load the UrlRewriter
* Make etag an ivar that is set on prepare!