path: root/actionpack/test/controller/new_base
Commit message  (Author, Age; Files, Lines)
* Complete work on 3.2 for render_data_leak patch.  (Arthur Neves, 2016-02-29; 1 file, -49/+0)
    Render could leak access to external files before this patch. A previous patch (CVE-2016-0752) attempted to fix this. However the tests were misplaced outside the TestCase subclass, so they were not running.
    We should allow :file to be outside rails root, but anything else must be inside the rails view directory.
    The implementation has changed a bit though. Now the patch is more similar to the 4.x series patches. Now `render 'foo/bar'` will add a special key in the options hash, and not use the :file one, so when we look up that file, we don't set the fallbacks, and only look up a template, to constrain the folders that can be accessed.
    CVE-2016-2097
* allow :file to be outside rails root, but anything else must be inside the rails view directory  (Aaron Patterson, 2016-01-22; 1 file, -4/+14)
    Conflicts:
        actionpack/test/controller/render_test.rb
        actionview/lib/action_view/template/resolver.rb
    CVE-2016-0752
* Only accept actions without File::SEPARATOR in the name.  (Rafael Mendonça França, 2014-05-05; 1 file, -1/+16)
    This will avoid directory traversal in implicit render.
    Fixes: CVE-2014-0130
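The three commits above describe two path checks: implicit render must reject an action name containing File::SEPARATOR, and an explicit template name such as `render 'foo/bar'` must only resolve inside the view directory, while `render :file` may point outside the Rails root. The Ruby below is an added illustration of those checks, not code from Rails; the `SafeTemplateLookup` class, its method names and the `/app/views` root are hypothetical.

```ruby
# Added example, not Rails code. Illustrates the checks described in the
# CVE-2014-0130 / CVE-2016-0752 / CVE-2016-2097 commit messages above:
#   1. implicit render: an action name containing File::SEPARATOR is rejected
#   2. render 'foo/bar': the name must resolve inside the view directory
#   3. render :file => path: may be anywhere (the developer chose the path)
# Class name, method names and the view root are hypothetical.
require "pathname"

class SafeTemplateLookup
  class TraversalError < StandardError; end

  def initialize(view_root)
    @view_root = Pathname.new(view_root).expand_path
  end

  # Implicit render takes the action name straight from the route. A name
  # with a path separator in it must never reach the filesystem lookup.
  def implicit_action_ok?(action_name)
    !action_name.include?(File::SEPARATOR)
  end

  # Explicit render of a template *name* ('foo/bar'): join it to the view
  # root, normalise '.' and '..' with expand_path, and insist the result is
  # still under the root. Absolute names and '..' escapes both fail here.
  # (expand_path does not resolve symlinks; realpath would, but needs the
  # file to exist.)
  def resolve_template(name)
    candidate = (@view_root + name).expand_path
    unless inside_view_root?(candidate)
      raise TraversalError, "template #{name.inspect} escapes #{@view_root}"
    end
    candidate.to_s
  end

  # render :file => path is allowed to be outside the Rails root; only
  # normalisation happens here, because the path is developer-supplied,
  # not derived from the request.
  def resolve_file(path)
    Pathname.new(path).expand_path.to_s
  end

  private

  # Prefix check with a trailing separator so '/app/views2' is not accepted
  # as being inside '/app/views'.
  def inside_view_root?(path)
    s = path.to_s
    s == @view_root.to_s || s.start_with?(@view_root.to_s + File::SEPARATOR)
  end
end
```

The separator check on the action name is what closes the implicit-render hole: the lookup never sees `../`, so there is nothing for the resolver's fallback paths to expand. The template-name check is the constraint the 3.2 patch applies to `render 'foo/bar'`, and `resolve_file` is left deliberately permissive to mirror the ":file may be outside rails root" rule.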
* Use 1.8 hash style  (Carlos Antonio da Silva, 2012-12-03; 1 file, -1/+1)
* Override <%== to always behave as literal text rather than toggling based on whether escaping is enabled.  (Jeremy Kemper, 2012-12-03; 1 file, -2/+8)
    Fixes that existing plaintext email templates using <%== unexpectedly flipped to *escaping* HTML when #8235 was merged.
    Conflicts:
        actionpack/test/template/template_test.rb
* html_escape should escape single quotes  (Santiago Pastorino, 2012-08-02; 1 file, -1/+1)
    https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
    Closes #7215
    Conflicts:
        actionpack/test/template/erb_util_test.rb
        actionpack/test/template/form_tag_helper_test.rb
        actionpack/test/template/text_helper_test.rb
        actionpack/test/template/url_helper_test.rb
        activesupport/lib/active_support/core_ext/string/output_safety.rb
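As an added illustration of the html_escape change above (not the ERB::Util implementation), the Ruby below shows the OWASP Rule #1 character set and why the single quote belongs in it: inside a single-quoted attribute an unescaped ' ends the value and lets an event-handler attribute in. The method names and the payload are constructed for this example.

```ruby
# Added example, not Rails' ERB::Util code. Shows why the html_escape commit
# above adds the single quote to the escaped set. Method names, the
# pre-fix variant and the payload are constructed for illustration.

# OWASP XSS Prevention Rule #1: escape & < > " ' before inserting untrusted
# data into element content; ' and " are what keep quoted attributes closed.
HTML_ESCAPE = {
  "&" => "&amp;",
  "<" => "&lt;",
  ">" => "&gt;",
  '"' => "&quot;",
  "'" => "&#39;",
}.freeze

def html_escape(s)
  s.to_s.gsub(/[&<>"']/, HTML_ESCAPE)
end

# The pre-fix behaviour, kept only to show the gap: ' is left untouched.
def html_escape_without_quote(s)
  s.to_s.gsub(/[&<>"]/, HTML_ESCAPE)
end

# Constructed attacker value for a single-quoted attribute.
PAYLOAD = "x' onmouseover='alert(1)"

# Render the value into a single-quoted attribute with the given escaper.
def tag_with(escaper)
  "<input value='#{escaper.call(PAYLOAD)}'>"
end

# Count the attributes a parser would see; more than one means the payload
# broke out of the value attribute and injected its own.
def attribute_count(html)
  html.scan(/\b\w+='[^']*'/).size
end
```

Running `attribute_count(tag_with(method(:html_escape_without_quote)))` gives 2 (a second `onmouseover` attribute appears), while the fixed escaper yields 1 because `&#39;` never closes the attribute.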
* Show detailed exceptions no longer returns true if the request is local in production.  (José Valim, 2011-12-16; 1 file, -0/+6)
* Fix another regression related to the layout optimization.  (José Valim, 2011-12-08; 1 file, -1/+25)
* Fix a regression and also fix broken test.  (José Valim, 2011-12-08; 1 file, -5/+5)
* A test case to ensure that AC::Metal#response_body= always wraps the given value in an Array in both Ruby 1.8 and 1.9 (refs #3581)  (Akira Matsuda, 2011-11-10; 1 file, -0/+6)
* Deprecate passing the template handler in the template name.  (José Valim, 2011-09-22; 1 file, -5/+5)
    For example, calling hello.erb is now deprecated. Since Rails 3.0 passing the handler had no effect whatsoever. This commit simply deprecates such cases so we can clean up the code in later releases.
* Get rid of update_details in favor of passing details to find_template.  (José Valim, 2011-09-22; 2 files, -8/+8)
* Remove stream at the class level.  (José Valim, 2011-07-06; 1 file, -1/+1)
    This is because only template rendering works with streaming. Setting it at the class level was also changing the behavior of JSON and XML responses, closes #1337.
* Corrected some typos and American vs. Queen's English issues  (Lee Reilly, 2011-05-29; 1 file, -2/+2)
* Revert to old semantics, use available_action? instead of action_method?.  (José Valim, 2011-05-06; 1 file, -4/+4)
* Tidy up pending TODOs after discussion with Mr. Gatoz (@wycats).  (José Valim, 2011-05-01; 1 file, -7/+7)
* log errors when an exception happens when streaming.  (José Valim, 2011-05-01; 1 file, -0/+13)
* Add a test for rendering from the controller context.  (José Valim, 2011-05-01; 1 file, -0/+54)
* Do not stream on HTTP/1.0.  (José Valim, 2011-04-19; 1 file, -0/+8)
* Output a redirect to the 500 page if something happens when streaming.  (José Valim, 2011-04-19; 1 file, -1/+23)
    Currently, we output: "><script type="text/javascript">window.location = "/500.html"</script></html>
* Test explicit skip.  (José Valim, 2011-04-18; 1 file, -1/+10)
* Just define the controller if fibers are defined.  (José Valim, 2011-04-18; 1 file, -2/+2)
* Body... wanna *stream* my body? Body... such a thrill my body!  (José Valim, 2011-04-18; 1 file, -0/+62)
    Added stream as class level method to make it explicit when to stream. Render also accepts :stream as option.
* switch to using comments to comment things  (Aaron Patterson, 2011-04-15; 1 file, -2/+1)
* render :once, YAGNI.  (José Valim, 2011-04-15; 1 file, -86/+0)
* removes the RJS template handler  (Xavier Noria, 2011-04-13; 2 files, -15/+10)
* removes support for render :update  (Xavier Noria, 2011-04-13; 1 file, -71/+0)
* Implicit actions named not_implemented can be rendered  (Santiago Pastorino, 2011-04-02; 1 file, -2/+11)
* Make action_method? public and change implicit rendering to override it instead.  (José Valim, 2011-03-30; 1 file, -0/+5)
* Use Mime::Type references.  (José Valim, 2011-02-08; 1 file, -0/+9)
* cleaning up some warnings on 1.9.3  (Aaron Patterson, 2011-02-07; 1 file, -1/+1)
* Speed up template inheritance and remove template inheritance option  (wycats, 2010-12-26; 1 file, -12/+0)
* all tests pass  (artemave, 2010-12-26; 1 file, -4/+4)
* #948 make template inheritance optional  (artemave, 2010-12-26; 1 file, -0/+11)
* #948 template_inheritance  (artemave, 2010-12-26; 2 files, -2/+66)
* realigns a series of hash arrows  (Xavier Noria, 2010-11-21; 1 file, -10/+10)
* Added support for Erubis <%== tag  (Jan Maurits Faber, 2010-11-08; 1 file, -0/+10)
    <%== x %> is syntactic sugar for <%= raw(x) %>
    Signed-off-by: Michael Koziarski <michael@koziarski.com>
    [#5918 status:committed]
* Fix problems trying to functional test AC::Metal controllers  (Santiago Pastorino, 2010-11-06; 1 file, -0/+7)
    [#5393 state:committed]
* Remove :cache => true on lookup templates initialization.  (José Valim, 2010-10-14; 1 file, -10/+1)
* render :once should consider the current controller prefix.  (José Valim, 2010-10-14; 1 file, -7/+30)
* Use identifiers for template equality.  (José Valim, 2010-10-10; 1 file, -9/+8)
* Add support to render :once.  (José Valim, 2010-10-10; 1 file, -0/+73)
    This will be used internally by sprockets to ensure requires are executed just once.
* Fix a few bugs when trying to use Head standalone  (wycats, 2010-10-10; 1 file, -0/+15)
* Allow cache to be temporarily disabled through lookup_context.  (José Valim, 2010-10-07; 1 file, -1/+12)
* render :template => 'foo/bar.json' now works as it should.  (José Valim, 2010-10-07; 2 files, -3/+29)
* Move ETag and ConditionalGet logic from AD::Response to the middleware stack.  (José Valim, 2010-10-03; 1 file, -46/+0)
* added block arguments to ActionController::Metal#use  (Collin Miller, 2010-09-12; 1 file, -0/+22)
    Useful for cases such as warden, where a block configuration is taken.

        class SomeController < ApplicationController
          use RailsWarden::Manager do |manager|
            manager.default_strategies :facebook_oauth
            manager.failure_app = SomeController.action(:authorize)
          end
        end
* Fixed routes to use new API in a few more actionpack tests  (Piotr Sarnacki, 2010-09-05; 4 files, -17/+47)
* Removed deprecated RouteSet API, still many tests fail  (Piotr Sarnacki, 2010-09-05; 1 file, -0/+3)
* Deletes trailing whitespaces (over text files only find * -type f -exec sed 's/[ \t]*$//' -i {} \;)  (Santiago Pastorino, 2010-08-14; 7 files, -25/+25)