| Commit message (Collapse) | Author | Age | Files | Lines |
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215
1. Change in test name as already defined.
2. ambiguous first argument; put parentheses or
even spaces
Added test for case when view doesn't have logger method when using
ActionController::Metal controller.
ActionController::Metal controller.
There are several aspects to this commit, that don't well fit into broken down
commits, so they are detailed here:
* When a user uses response.headers['Cache-Control'] = some_value, then the
documented convention in ConditionalGet is not adhered to, in this case,
response.cache_control is ignored due to `return if
self[CACHE_CONTROL].present?`
* When a middleware sets cache-control headers that would clobber, they're
converted to symbols directly, without underscores. This would lead to bugs.
* Items that would live in :extras if set through expires_in, are placed
directly in the @cache_control hash, and not respected in many cases
(somewhat adhering to the aforementioned documentation).
* Although quite useless, any directive named 'extras' would be ignored.
The general convention applied is that expires_* take precedence, but no longer
overwrite everything and expires_* are ALWAYS applied, even if the header is
set.
I am still unhappy about the contents of this commit, and the code in general.
Ideally it should be refactored to no longer use :extras. I'd likely recommend
expanding @cache_control into a class, and giving it the power to handle the
merge in a more efficient fashion. Such a commit would be a larger change that
could have additional semantic changes for other libraries unless they utilize
expires_in in very standard ways.
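The merge convention the commit message describes (expires_* directives win, but they no longer clobber unrelated directives, and directives arriving from middleware keep their real names rather than being turned into underscore-less symbols) can be shown in isolation. The following is an added example, not Rails' ActionController code: `parse_cache_control`, `format_cache_control` and `merge_cache_control` are assumed names written for this page, and the header strings fed to them are constructed inputs.

```ruby
# Added example (not Rails code): merge an already-set Cache-Control header with
# expires_in-style settings. expires_* take precedence for the directives they
# own (max-age, public/private); everything else on the header survives, and
# "extras" are ordinary directives, never a literal "extras" key.

# "public, max-age=60, no-transform" => {"public"=>true, "max-age"=>"60", "no-transform"=>true}
# Directive names keep their hyphens; nothing is converted to symbols.
def parse_cache_control(header)
  return {} if header.nil? || header.strip.empty?
  header.split(",").each_with_object({}) do |part, directives|
    name, value = part.strip.split("=", 2)
    next if name.nil? || name.empty?
    directives[name.downcase] = value.nil? ? true : value
  end
end

# Boolean directives are emitted bare, valued ones as name=value.
def format_cache_control(directives)
  directives.map { |name, value| value == true ? name : "#{name}=#{value}" }.join(", ")
end

# existing: the header value already on the response (app or middleware), or nil.
# max_age: seconds, as expires_in would receive; public: visibility flag;
# extras: additional directives requested alongside expires_in, given with
# underscores the way a Ruby caller would write them (must_revalidate: true).
def merge_cache_control(existing, max_age:, public: false, extras: {})
  merged = parse_cache_control(existing)
  # expires_* always applies, even when a header was already set ...
  merged.delete("public")
  merged.delete("private")
  merged["max-age"] = max_age.to_i.to_s
  merged[public ? "public" : "private"] = true
  # ... but only for the directives it owns; extras are normalised to real
  # header spelling and merged in beside whatever was already there.
  extras.each { |name, value| merged[name.to_s.tr("_", "-").downcase] = value }
  format_cache_control(merged)
end

# Constructed inputs: a middleware left "no-transform, max-age=5" on the
# response, then the controller calls the equivalent of expires_in 60, public: true.
puts merge_cache_control("no-transform, max-age=5", max_age: 60, public: true)
puts merge_cache_control(nil, max_age: 10)
puts merge_cache_control("public", max_age: 30, public: true, extras: { must_revalidate: true })
```

The first call keeps `no-transform` while replacing the stale `max-age`; the second shows the default of `private` when nothing was set; the third shows an extra arriving under its Ruby-style name and leaving as `must-revalidate`.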
when using the :head method/shortcut
Minor test improvement
directive, just for clarity's sake.
In the current router DSL, using the +match+ DSL
method will match all verbs for the path to the
specified endpoint.
In the vast majority of cases, people are
currently using +match+ when they actually mean
+get+. This introduces security implications.
This commit disallows calling +match+ without
an HTTP verb constraint by default. To explicitly
match all verbs, this commit also adds a
:via => :all option to +match+.
Closes #5964
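The security implication in this commit is that a verb-less `match` exposes state-changing actions on GET, where a browser will happily follow a link or load an image without any form, token or user intent. The following is an added illustration written for this page, not the Rails router: `Router`, `Route`, `recognize`, `unsafe_routes` and `safe_routes` are assumed names, and the paths and endpoint strings are constructed samples. The miniature `match` enforces the rule the commit introduces (no verb constraint means an error; `via: :all` must be spelled out).

```ruby
# Added example (not Rails' router): a tiny route table that shows why `match`
# without a verb is dangerous and how requiring `via:` closes the hole.
class Router
  VERBS = %w[GET POST PUT PATCH DELETE HEAD].freeze
  Route = Struct.new(:verbs, :path, :endpoint)

  def initialize
    @routes = []
  end

  # Like the post-commit `match`: a missing `via:` is refused rather than
  # silently meaning "every verb"; `via: :all` opts into that explicitly.
  def match(path, to:, via: nil)
    if via.nil?
      raise ArgumentError,
            "You must specify via: for #{path} (use via: :all to match every verb)"
    end
    verbs = via == :all ? VERBS : Array(via).map { |v| v.to_s.upcase }
    @routes << Route.new(verbs, path, to)
    self
  end

  def get(path, to:)
    match(path, to: to, via: :get)
  end

  def post(path, to:)
    match(path, to: to, via: :post)
  end

  # Endpoint name for this verb + path, or nil when no route accepts the verb.
  def recognize(verb, path)
    route = @routes.find { |r| r.path == path && r.verbs.include?(verb.upcase) }
    route && route.endpoint
  end
end

# The old habit: `match` meant "all verbs", so a destroy action answers GET and
# <img src="https://victim.example/posts/1/destroy"> on an attacker's page
# deletes the post with the victim's cookies and no CSRF token involved.
def unsafe_routes
  Router.new.match("/posts/1/destroy", to: "posts#destroy", via: :all)
end

# The intended shape: destroy only on POST, a real read-only action on GET.
def safe_routes
  Router.new
        .post("/posts/1/destroy", to: "posts#destroy")
        .get("/posts/1", to: "posts#show")
end

puts unsafe_routes.recognize("GET", "/posts/1/destroy").inspect   # reachable via GET
puts safe_routes.recognize("GET", "/posts/1/destroy").inspect     # nil
```

`via: :all` is still available for the rare endpoint that genuinely must accept every verb; the point of the change is that it has to be written down, so the reviewer sees it.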
Closes #5632
Previously `rendered_format` was set only based on mime types
passed in Accept header, which was wrong if first type from
Accept was different than rendered partial. The fix is to simply
move setting rendered_format to the place where template
is available and grab format from the template. If it fails
we can fallback to formats passed by Accept header.
Fix for #5440
Ensure Date header on expires_in
* Do not reopen AV::Base to define default form builder
Inside the load hook we are already in AV::Base context.
* Do not pass the given block to the form builder
The block is evaluated in fields_for context using capture, with the
builder as argument. This means we do not need to give the block to the
FormBuilder itself.
minor
fresh_when/stale? conditional get methods from Action Pack"
Needless indirection with no added value.
This reverts commit 535853e83b9092078035a5abb2aa242fba815c05.
fresh_when/stale? conditional get methods from Action Pack
For example, calling hello.erb is now deprecated. Since Rails 3.0
passing the handler had no effect whatsoever. This commit simply
deprecates such cases so we can clean up the code in later releases.
fix issues/1951
https://github.com/rails/rails/issues/1951
Namespaced model partial_path is wrong in namespaced controllers
filesystems.
This fixes CVE-2011-0449
Initialize ivar.
and avoiding capitalize. [#5636 state:resolved]
better default failure messages - let's use them
's/[ \t]*$//' -i {} \;)
[#4784 state:resolved]
Signed-off-by: José Valim <jose.valim@gmail.com>
not "ActiveRecord"
This reverts commit ade756fe42423033bae8e5aea8f58782f7a6c517.
This reverts commits af0d1a88157942c6e6398dbf73891cff1e152405 and 64d109e3539ad600f58536d3ecabd2f87b67fd1c.
* Default Encoding.default_internal to UTF-8
* Eliminated the use of file-wide magic comments to coerce code evaluated inside the file
* Read templates as BINARY, use default_external or template-wide magic comments
inside the Template to set the initial encoding
* This means that template handlers in Ruby 1.9 will receive Strings encoded
in default_internal (UTF-8 by default)
* Create a better Exception for encoding issues, and use it when the template
source has bytes that are not compatible with the specified encoding
* Allow template handlers to opt into handling BINARY. If they do so, they
need to do some of their own manual encoding work
* Added a "Configuration Gotchas" section to the intro Rails Guide instructing
users to use UTF-8 for everything
* Use config.encoding= in Ruby 1.8, and raise if a value that is an invalid
$KCODE value is used
Also:
* Fixed a few tests that were assert() rather than assert_equal() and
were caught by Minitest requiring a String for the message
* Fixed a test where an assert_select was misformed, also caught by
Minitest being more restrictive
* Fixed a test where a Rack response was returning a String rather
than an Enumerable
Signed-off-by: José Valim <jose.valim@gmail.com>
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>