path: root/actionpack/lib/action_view
Commit message | Author | Age | Files | Lines

* Merge branch '3-2-17' into 3-2-stable
  Author: Rafael Mendonça França  Age: 2014-02-18  Files: 2  Lines: -2/+14

  Conflicts:
      actionpack/CHANGELOG.md

  * Use the reference for the mime type to get the format
    Author: Rafael Mendonça França  Age: 2014-02-18  Files: 1  Lines: -1/+1

    Before, we were calling to_sym on the mime type even when it is unknown, which can cause denial of service since symbols are not removed by the garbage collector.

    Fixes: CVE-2014-0082

  * Escape format, negative_format and units options of number helpers
    Author: Rafael Mendonça França  Age: 2014-02-18  Files: 1  Lines: -1/+13

    Previously the values of these options were trusted, leading to potential XSS vulnerabilities.

    Fixes: CVE-2014-0081

* Merge pull request #13183 from sorah/never_ignore_i18n_translate_raise_option
  Author: Carlos Antonio da Silva  Age: 2013-12-04  Files: 1  Lines: -1/+9

  Escalate missing error when :raise is true in translate helper, fix regression introduced by security fix.

  Conflicts:
      actionpack/CHANGELOG.md

* Fix documentation of number_to_currency helper
  Author: Rafael Mendonça França  Age: 2013-12-04  Files: 1  Lines: -4/+4

  Now users have to explicitly mark the unit as safe if they trust it.

  Closes #13161

* Stop using i18n's built in HTML error handling.
  Author: Michael Koziarski  Age: 2013-12-02  Files: 1  Lines: -13/+8

  i18n doesn't depend on active support which means it can't use our html_safe code to do its escaping when generating the spans.

  Rather than try to sanitize the output from i18n, just revert to our old behaviour of rescuing the error and constructing the tag ourselves.

  Fixes: CVE-2013-4491

  Conflicts:
      actionpack/lib/action_view/helpers/translation_helper.rb

  Backport: 50afd8eec9d088ad5a2d41f00a05520d5b78a6a0

* Escape the unit value provided to number_to_currency
  Author: Michael Koziarski  Age: 2013-12-02  Files: 1  Lines: -1/+1

  Fixes CVE-2013-6415

  Previously the values were trusted blindly, allowing for potential XSS attacks.

* Only use valid mime type symbols as cache keys
  Author: Aaron Patterson  Age: 2013-11-30  Files: 1  Lines: -0/+7

  CVE-2013-6414

* fix issue #11605
  Author: Kassio Borges  Age: 2013-08-24  Files: 4  Lines: -16/+4

* Merge pull request #10971 from dtaniwaki/escape_link_to_unless
  Author: Rafael Mendonça França  Age: 2013-06-24  Files: 1  Lines: -1/+1

  Always escape the result of link_to_unless method

* Compare host scheme using case-insensitive regexp
  Author: Rafael Mendonça França  Age: 2013-06-16  Files: 1  Lines: -1/+1

  Before:

      image_tag("HTTP://google.com")
      # => "<img alt=\"Google\" src=\"/assets/HTTP://google.com\" />"

      image_tag("http://google.com")
      # => "<img alt=\"Google\" src=\"http://google.com\" />"

  After:

      image_tag("HTTP://google.com")
      # => "<img alt=\"Google\" src=\"HTTP://google.com\" />"

      image_tag("http://google.com")
      # => "<img alt=\"Google\" src=\"http://google.com\" />"

  Backport of #10969

* Merging in fix from #8222
  Author: Ben Tucker  Age: 2013-05-06  Files: 1  Lines: -1/+1

* Fix explicit names on multiple file fields
  Author: Ryan McGeary  Age: 2013-04-05  Files: 1  Lines: -8/+7

  If a file field tag is passed the multiple option, it is turned into an array field (appending "[]"), but if the file field is passed an explicit name as an option, leave the name alone (do not append "[]").

  Fixes #9830

* Common behavior with adding formats to lookup_context for TemplateRenderer and PartialRenderer
  Author: Dmitry Vorotilin  Age: 2013-04-02  Files: 4  Lines: -4/+16

* Backport #9347 to rails 3.2
  Author: hoffm  Age: 2013-03-19  Files: 1  Lines: -1/+1

* do not freeze NumberHelper defaults.
  Author: Yves Senn  Age: 2013-03-18  Files: 1  Lines: -2/+2

  Closes #9767.

* Extract hardcoded lists to Redo::RestaurantsList
  Author: Juan Barreneche  Age: 2013-03-14  Files: 1  Lines: -1/+7

* Merge pull request #9616 from exviva/multiple_select_name_double_square_brackets
  Author: Carlos Antonio da Silva  Age: 2013-03-09  Files: 1  Lines: -1/+1

  Fix incorrectly appended square brackets to a multiple select box

  Before:

      select(:category, [], {}, {:multiple => true, :name => "post[category][]"})
      # => <select name="post[category][][]" ...>

  After:

      select(:category, [], {}, {:multiple => true, :name => "post[category][]"})
      # => <select name="post[category][]" ...>

  Conflicts:
      actionpack/CHANGELOG.md
      actionpack/lib/action_view/helpers/tags/base.rb
      actionpack/test/template/form_options_helper_test.rb

* Change tabs to spaces in form options helper [ci skip]
  Author: Carlos Antonio da Silva  Age: 2013-02-21  Files: 1  Lines: -2/+2

* Add another NumberHelper missing dependency
  Author: Rodrigo Rosenfeld Rosas  Age: 2013-01-29  Files: 1  Lines: -0/+1

  Another missing dependency, now affecting #number_to_percentage. It depends on reverse_merge.

* Add NumberHelper missing dependency
  Author: Rodrigo Rosenfeld Rosas  Age: 2013-01-29  Files: 1  Lines: -0/+1

  symbolize_keys depends on hash/keys AS core extension

* Do not call fields_for from form_for, to avoid instantiating two builders
  Author: Carlos Antonio da Silva  Age: 2013-01-06  Files: 1  Lines: -8/+6

  Conflicts:
      actionpack/lib/action_view/helpers/form_helper.rb
      actionpack/test/template/form_helper_test.rb

* Merge pull request #8719 from pcasaretto/fix-actionview-doc-typo
  Author: Carlos Antonio da Silva  Age: 2013-01-03  Files: 1  Lines: -1/+1

  Fix typo on form_tag_helper.rb [ci skip]

* fix block.arity raise nil error when not given a block to "content_tag_for"
  Author: jasl  Age: 2013-01-02  Files: 1  Lines: -1/+3

* Make distance_of_time_in_words work with DateTime offsets
  Author: Andrew White  Age: 2012-12-04  Files: 1  Lines: -2/+3

  Because DateTime#to_time returns self when it has a non-zero offset and subtracting two DateTime instances returns a Rational, the distance_of_time_in_words method outputs an incorrect value.

  This is fixed in master because we can rely on Ruby 1.9.3's implementation of to_time, but it can't be fixed on Ruby 1.8.7 as there is no way to map the DateTime to a Time with a non-zero offset.

  We can work around the problem by casting to Float before doing the subtraction in the distance_of_time_in_words method.

  Closes #8390

* Make output of distance_of_time_in_words consistent
  Author: Andrew White  Age: 2012-12-04  Files: 1  Lines: -2/+2

  This commit fixes the output of distance_of_time_in_words when using integer or duration arguments. Previously a distance of more than 30 seconds would be output as 'Less than 1 minute' when using integer arguments and '1 minute' when using two Time instances more than 30 seconds apart.

  Cherry picked from 5fdd4cd9e47be972f146a8a17a74c8f4700e2ac0

* Override <%== to always behave as literal text rather than toggling based on whether escaping is enabled.
  Author: Jeremy Kemper  Age: 2012-12-03  Files: 1  Lines: -0/+11

  Fixes that existing plaintext email templates using <%== unexpectedly flipped to *escaping* HTML when #8235 was merged.

  Conflicts:
      actionpack/test/template/template_test.rb

* Merge pull request #8402 from senny/8376_descriptive_error_message_for_partial_layout_true
  Author: Rafael Mendonça França  Age: 2012-12-02  Files: 1  Lines: -1/+1

  More descriptive error when rendering a partial with `:layout => true`

  Conflicts:
      actionpack/CHANGELOG.md
      actionpack/lib/action_view/renderer/partial_renderer.rb

* Add i18n scope to distance_of_time_in_words.
  Author: Steve Klabnik  Age: 2012-11-26  Files: 1  Lines: -3/+7

  This is a backport of rails/rails#7997.

* Merge pull request #8235 from tilsammans/dont_escape_actionmailer_when_plaintext
  Author: José Valim  Age: 2012-11-16  Files: 1  Lines: -0/+5

  Introduce `ActionView::Template::Handlers::ERB.escape_whitelist`

  Conflicts:
      actionpack/CHANGELOG.md
      actionpack/test/template/template_test.rb

* [ci skip] Correct examples for form_tag helper.
  Author: DawidJanczak  Age: 2012-11-14  Files: 1  Lines: -2/+2

* Merge pull request #8108 from Casecommons/fix-multiple-and-index-in-instance-tag
  Author: Rafael Mendonça França  Age: 2012-11-08  Files: 1  Lines: -1/+3

  Support :multiple option on input tags that also have :index

  Conflicts:
      actionpack/lib/action_view/helpers/tags/base.rb
      actionpack/lib/action_view/helpers/tags/collection_check_boxes.rb

* Revert "Merge pull request #7797 from senny/7459_prefix_tempalte_assertion_variables"
  Author: Rafael Mendonça França  Age: 2012-10-30  Files: 1  Lines: -3/+3

  This reverts commit 2bad605873b5b720d77ae6388a995827ab7fe705.

  Conflicts:
      actionpack/CHANGELOG.md

  Reason: This added a regression related with shoulda-matchers, since it is expecting the instance variable @layouts

  See https://github.com/thoughtbot/shoulda-matchers/blob/9e1188eea68c47d9a56ce6280e45027da6187ab1/lib/shoulda/matchers/action_controller/render_with_layout_matcher.rb#L74

  This will introduce back #7459 but this stable release will be backward compatible.

  Related with #8068.

* Accept :remote as symbol in link_to options
  Author: Riley  Age: 2012-10-06  Files: 1  Lines: -1/+3

  Accept either :remote or 'remote' in both the html_options and (url_)options hash arguments to link_to.

* Merge pull request #7797 from senny/7459_prefix_tempalte_assertion_variables
  Author: Rafael Mendonça França  Age: 2012-10-01  Files: 1  Lines: -3/+3

  prefix TemplateAssertions ivars.

  Closes #7459

  Conflicts:
      actionpack/lib/action_controller/test_case.rb
      actionpack/lib/action_view/test_case.rb

* correct handling of date selects when using both disabled and discard options
  Author: Vasiliy Ermolovich  Age: 2012-08-25  Files: 1  Lines: -2/+5

  we should take the disabled option not only from the `html_options` hash but from the `options` hash too, like the `build_select` method does. So

      datetime_select("post", "updated_at", { :discard_minute => true }, { :disabled => true })
      datetime_select("post", "updated_at", :discard_minute => true, :disabled => true)

  both these variants work now

  closes #7431

* Merge pull request #7410 from sandeepravi/default_options_helper_value
  Author: Rafael Mendonça França  Age: 2012-08-21  Files: 1  Lines: -0/+1

  option_tags coerced to "" instead of nil

  Closes #7404

* Merge branch '3-2-8' into 3-2-stable
  Author: Santiago Pastorino  Age: 2012-08-09  Files: 2  Lines: -3/+3

  * Do not mark strip_tags result as html_safe
    Author: Santiago Pastorino  Age: 2012-08-09  Files: 1  Lines: -1/+1

    Thanks to Marek Labos & Nethemba

    CVE-2012-3465

  * escape select_tag :prompt values
    Author: Santiago Pastorino  Age: 2012-08-09  Files: 1  Lines: -2/+2

    CVE-2012-3463

* Rearrange example output of javascript_include_tag
  Author: Prem Sichanugrist  Age: 2012-08-06  Files: 1  Lines: -2/+2

* Do not include application.js if it doesn't exist
  Author: Prem Sichanugrist  Age: 2012-08-06  Files: 1  Lines: -5/+6

  Rails was including 'application.js' in the pack when using `javascript_include_tag :all` even when there's no application.js in the public directory.

* Revert "Deprecate link_to_function and button_to_function helpers"
  Author: Rafael Mendonça França  Age: 2012-08-01  Files: 1  Lines: -4/+0

  This reverts commit 9dc57fe9c4807fc0ad4b1590a931891d9faa3164.

* Revert "Deprecate `:mouseover` options for `image_tag` helper."
  Author: Rafael Mendonça França  Age: 2012-08-01  Files: 1  Lines: -2/+0

  This reverts commit 1aff7725c7a04cde202cca906208560a55409e6a.

  Conflicts:
      actionpack/CHANGELOG.md

* Revert "Deprecate `:confirm` in favor of `:data => { :confirm => 'Text' }` option"
  Author: Rafael Mendonça França  Age: 2012-08-01  Files: 3  Lines: -29/+9

  Revert "Deprecate `:disable_with` in favor of `'data-disable-with'` option for `button_to` and `submit_tag` helpers."

  This reverts commit fc092a9cba5fceec38358072e50e09250cf58840.
  This reverts commit e9051e20aeb2c666db06b6217954737665878db7.
  This reverts commit d47d6e7eda3aa3e6aa28d0c17ac6801234bb97d1.
  This reverts commit 21141e777bdce8534e3755c8de7268324b3d8714.

* Fixed bug creating invalid HTML in select options
  Author: Rusty Geldmacher  Age: 2012-07-10  Files: 1  Lines: -5/+5

  When a select tag is created for a field with errors, and that select tag has :prompt or :include_blank options, then the inserted first option will errantly have a <div class="field_with_errors"> wrapping it.

  See https://github.com/rails/rails/issues/7017

* Fix NumberHelper options wrapping to prevent verbatim blocks being rendered instead of line continuations.
  Author: Mark J. Titorenko  Age: 2012-07-02  Files: 1  Lines: -90/+159

  While I'm at it, wrap long comment lines consistently.

  Conflicts:
      actionpack/lib/action_view/helpers/number_helper.rb

  There was just one conflict related to the addition of the :format option to number_to_percentage.

* Merge pull request #6649 from route/logger_in_metal_3_2
  Author: Carlos Antonio da Silva  Age: 2012-06-18  Files: 1  Lines: -2/+4

  Logger in metal backport for 3.2

  * ActionController::Metal doesn't have logger method, check it and then delegate
    Author: Dmitry Vorotilin  Age: 2012-06-16  Files: 1  Lines: -2/+4

* Merge pull request #6752 from steveklabnik/fix_5680
  Author: Rafael Mendonça França  Age: 2012-06-16  Files: 1  Lines: -1/+7

  Respect absolute paths in compute_source_path.