| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
| |
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215
|
| |
|
|
| |
will work
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
responses.
Processing controller actions in a separate thread allows us to work
around the rack api - we can allow the user to set status and headers,
then block until the first bytes are written. As soon as the first
bytes are written, the main thread can return the status, headers, and
(essentially) a queue for the body.
|
| | |
|
| |
|
|
| |
object
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
When someone sends malformed authorization header, like:
Authorization: Token foobar
given token should be just ignored and resource should not be authorized,
instead of raising error. Before this patch controller would return 401 header
only for well formed tokens, like:
Authorization: Token token=foobar
and would return 500 in former case.
|
| |
|
|
|
| |
minitest/spec provides `describe`, so deprecate the rails version and
have people use the superclass version
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Assuming the type ":touch", Collector.new was calling
send(:touch), which instead of triggering method_missing
and generating a new collector method, actually
invoked the private method `touch` inherited from
Object.
By generating the method for each mime type as it
is registered, the private methods on Object can
never be reached by `send`, because the `Collector`
will have them before `send` is called on it.
To do this, a callback mechanism was added to Mime::Type
This allows someone to add a callback for whenever
a new mime type is registered. The callback then
gets called with the new mime as a parameter.
This is then used in AbstractController::Collector
to generate new collector methods after each mime
is registered.
|
| |\
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* master:
Add documentation for inheritance_column method
Use ArgumentError vs. RuntimeError, which is more precise.
CSV fixtures aren't supported by default anymore, update generated test_helper.rb to reflect that
fix quoting for ActiveSupport::Duration instances
Add few information on the field types
Add the options method to action_controller testcase.
|
| | |
| |
| |
| | |
Signed-off-by: François de Metz <francois@stormz.me>
|
| |/ |
|
| |
|
|
|
| |
Deprecate usage of filter object with #before and #after
methods as around callback
|
| |\
| |
| | |
Don't paramify ActionDispatch::Http::UploadedFile in tests
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
To test uploading a file without using fixture_file_upload, a posted
ActionDispatch::Http::UploadedFile should not be paramified (just like
Rack::Test::UploadedFile).
(Rack::Test::UploadedFile and ActionDispatch::Http::UploadedFile don't
share the same API, tempfile is not accessible on
Rack::Test::UploadedFile as discussed in
https://github.com/brynary/rack-test/issues/30)
|
| |/
|
|
|
| |
1. Change in test name as already defined.
2. ambiguous first argument; put parentheses or
even spaces
|
| |\
| |
| |
| | |
Added test for case when view doesn't have logger method when using
ActionController::Metal controller.
|
| | |
| |
| |
| | |
ActionController::Metal controller.
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are several aspects to this commit, that don't well fit into broken down
commits, so they are detailed here:
* When a user uses response.headers['Cache-Control'] = some_value, then the
documented convention in ConditionalGet is not adhered to, in this case,
response.cache_control is ignored due to `return if
self[CACHE_CONTROL].present?`
* When a middleware sets cache-control headers that would clobber, they're
converted to symbols directly, without underscores. This would lead to bugs.
* Items that would live in :extras if set through expires_in, are placed
directly in the @cache_control hash, and not respected in many cases
(somewhat adhering to the aforementioned documentation).
* Although quite useless, any directive named 'extras' would be ignored.
The general convention applied is that expires_* take precedence, but no longer
overwrite everything and expires_* are ALWAYS applied, even if the header is
set.
I am still unhappy about the contents of this commit, and the code in general.
Ideally it should be refactored to no longer use :extras. I'd likely recommend
expanding @cache_control into a class, and giving it the power to handle the
merge in a more efficient fashion. Such a commit would be a larger change that
could have additional semantic changes for other libraries unless they utilize
expires_in in very standard ways.
|
| | |
|
| | |
|
| |
|
|
|
| |
This middleware is only for Public Exceptions.
This follows bd8c0b8a
|
| | |
|
| |
|
|
| |
Module#methods are Symbols in Ruby >= 1.9
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In integration tests, you might want to use helpers from engines that
you mounted in your application. It's not hard to add it by yourself,
but it's unneeded boilerplate. mounted_helpers are now included by
default. That means that given engine mounted like:
mount Foo::Engine => "/foo", :as => "foo"
you will be able to use paths from this engine in tests this way:
foo.root_path #=> "/foo"
(closes #6573)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Prior to this patch the existing .force_ssl method handles both defining
the filter and handling the logic for performing the redirect.
With this patch the logic for redirecting to the HTTPS protocol is
separated from the filter logic that determines if a redirect should
occur. By separating the two levels of behavior, an instance method
for ActionController (i.e. #force_ssl_redirect) is exposed and available
for more granular SSL enforcement.
Cleaned up indentation.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When more than one directory for helpers is provided to a controller, it
should preserver the order of directories. Given 2 paths:
MyController.helpers_paths = ["dir1/helpers", "dir2/helpers"]
helpers from dir1 should be loaded first. Before this commit, all
helpers were mixed and then sorted alphabetically, which essentially
would require to rename helpers to get desired order.
This is a problem especially for engines, where you would like to be
able to predict accurately which engine helpers will load first.
(closes #6496)
|
| |\
| |
| | |
When a route references a missing controller, raise ActionController::RoutingError with clearer message
|
| | |
| |
| |
| | |
ActionController::RoutingError with a clearer message
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Although no recognized formats use non-ASCII characters, sometimes they
can be included in the :format parameter because of invalid URLS. To
prevent encoding incompatibility errors we need to escape them before
passing the path to URI.unescape.
Closes #4379
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Before this change, assert_recognizes, assert_generates, and
assert_routing raised ActionController::RoutingError when they failed to
recognize the route.
This commit changes them to raise Assertion instead. This aligns with
convention for logical failures, and supports reporting tools that care
about the difference between logical failures and errors e.g. the
summary at the end of a test run.
- Fixes #5899
|
| | | |
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This commit improves the handling of default_url_options in integration
tests by making behave closer to how a real application operates.
Specifically the following issues have been addressed:
* Options specified in routes.rb are used (fixes #546)
* Options specified in controllers are used
* Request parameters are recalled correctly
* Tests can override default_url_options directly
|
| | |
| |
| |
| | |
when using the :head method/shortcut
|
| |\ \
| | |
| | | |
Minor test improvement
|
| | | |
| | |
| | |
| | | |
directive, just for clarity sake.
|
| | | |
| | |
| | |
| | | |
renders 406 :not_acceptable
|
