| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
`render nothing: true` or rendering a `nil` body no longer add a single
space to the response body.
The old behavior was added as a workaround for a bug in an early version of
Safari, where the HTTP headers are not returned correctly if the response
body has a 0-length. This is been fixed since and the workaround is no
longer necessary.
Use `render body: ' '` if the old behavior is desired.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
This will avoid directory traversal in implicit render.
Fixes: CVE-2014-0130
Conflicts:
actionpack/lib/abstract_controller/base.rb
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
`render :body` should just not set the `Content-Type` header. By
removing the header, it breaks the compatibility with other parts.
After this commit, `render :body` will returns `text/html` content type,
sets by default from `ActionDispatch::Response`, and it will preserve
the overridden content type if you override it.
Fixes #14197, #14238
This partially reverts commit 3047376870d4a7adc7ff15c3cb4852e073c8f1da.
|
|
|
|
|
|
|
|
|
| |
This is an option for to HTML content with a content type of
`text/html`. This rendering option calls `ERB::Util.html_escape`
internally to escape unsafe HTML string, so you will have to mark your
string as html safe if you have any HTML tag in it.
Please see #12374 for more detail.
|
|
|
|
|
|
|
|
| |
This is as an option to render content with a content type of
`text/plain`. This is the preferred option if you are planning to render
a plain text content.
Please see #12374 for more detail.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is an option for sending a raw content back to browser. Note that
this rendering option will unset the default content type and does not
include "Content-Type" header back in the response.
You should only use this option if you are expecting the "Content-Type"
header to not be set. More information on "Content-Type" header can be
found on RFC 2616, section 7.2.1.
Please see #12374 for more detail.
|
|
|
|
|
|
| |
Previous behaviour was MRI-dependent, now we're making sure the message
is correctly shown: something that can be relyied upon across every
Ruby implementation.
|
|
|
|
| |
see: 9b0ac0bc74569db460f87ea6888b3847be0ff5be
|
| |
|
|
|
|
|
|
|
| |
This reverts commit 70d6e16fbad75b89dd1798ed697e7732b8606fa3, reversing
changes made to ea4db3bc078fb3093ecdddffdf4f2f4ff3e1e8f9.
Seems to be a code merge done by mistake.
|
|
|
|
| |
see: 9b0ac0bc74569db460f87ea6888b3847be0ff5be
|
| |
|
| |
|
|
|
|
| |
whether escaping is enabled. Fixes that existing plaintext email templates using <%== unexpectedly flipped to *escaping* HTML when #8235 was merged.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
single check.
Rails includes a single character body to a head(:no_content) response to work around an old Safari bug where headers were ignored if no body sent.
This patch brings the behavior slightly closer to spec if :no_content/204 is explicity requested via a head only response.
Status comparison done on symbolic and numeric values
Not returning any content when responding with head and limited to a status code that explicitly states no content will be returned - 100..199, 204, 205, 304.
|
|
|
|
|
| |
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215
|
|
|
|
|
| |
minitest/spec provides `describe`, so deprecate the rails version and
have people use the superclass version
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the current router DSL, using the +match+ DSL
method will match all verbs for the path to the
specified endpoint.
In the vast majority of cases, people are
currently using +match+ when they actually mean
+get+. This introduces security implications.
This commit disallows calling +match+ without
an HTTP verb constraint by default. To explicitly
match all verbs, this commit also adds a
:via => :all option to +match+.
Closes #5964
|
| |
|
|
|
|
| |
minor
|
| |
|
|
|
|
| |
production.
|
| |
|
| |
|
|
|
|
| |
value in an Array in both Ruby 1.8 and 1.9 (refs #3581)
|
|
|
|
|
|
| |
For example, calling hello.erb is now deprecated. Since Rails 3.0
passing the handler had no effect whatsover. This commit simply
deprecates such cases so we can clean up the code in later releases.
|
| |
|
|
|
|
|
|
| |
This is because only template rendering works with streaming.
Setting it at the class level was also changing the behavior
of JSON and XML responses, closes #1337.
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
Currently, we output:
"><script type="text/javascript">window.location = "/500.html"</script></html>
|
| |
|
| |
|
|
|
|
|
| |
Added stream as class level method to make it explicit when to stream.
Render also accepts :stream as option.
|
| |
|
| |
|