| Commit message (Collapse) | Author | Age | Files | Lines |
by Active Support)
Selecting which key extensions to include in active_support/rails
made apparent the systematic usage of Object#in? in the code base.
After some discussion in
https://github.com/rails/rails/commit/5ea6b0df9a36d033f21b52049426257a4637028d
we decided to remove it and use plain Ruby, which seems enough
for this particular idiom.
In this commit the refactor has been made case by case. Sometimes
include? is the natural alternative, others a simple || is the
way you actually spell the condition in your head, others a case
statement seems more appropriate. I have chosen the one I liked
the most in each case.
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215
All the logic is based on the HTML_ESCAPE constant available in
ERB::Util, so it seems more logical to have the entire method there and
just delegate the helper to use it.
string
There are a lot of places in the Rails source code where it makes a lot of sense to switch to Object#in? or Object#either? instead of using [].include?.
's/[ \t]*$//' -i {} \;)
Signed-off-by: wycats <wycats@gmail.com>
Instead, all Strings are always not html_safe?. Instead, you can get a SafeBuffer from a String by calling #html_safe, which will SafeBuffer.new(self).
* Additionally, instead of doing concat("</form>".html_safe), you can do
safe_concat("</form>"), which will skip both the flag set, and the flag
check.
* For the first pass, I converted virtually all #html_safe!s to #html_safe,
and the tests pass. A further optimization would be to try to use
#safe_concat as much as possible, reducing the performance impact if
we know up front that a String is safe.
This consists of:
* String#html_safe! a method to mark a string as 'safe'
* ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it
* Calls to String#html_safe! throughout the rails helpers
* a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presanitized strings in the DB)
* New ERB implementation based on erubis which uses a SafeBuffer instead of a String
Hat tip to Django for the inspiration.
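A minimal model of the escape-on-concat behaviour the two SafeBuffer commit messages above describe, added here as an illustration; it is not Rails's own ActiveSupport::SafeBuffer. The class and method names mirror the messages, HTML escaping is done with CGI.escapeHTML, and render_greeting is a constructed helper standing in for a view helper.

```ruby
require "cgi"

# Constructed for this page: a minimal model of the escape-on-concat idea
# from the commits above, not Rails's ActiveSupport::SafeBuffer.
class String
  # Plain Strings are never html_safe?.
  def html_safe?
    false
  end

  # Marking a String safe wraps it in a SafeBuffer.
  def html_safe
    SafeBuffer.new(self)
  end
end

class SafeBuffer < String
  def html_safe?
    true
  end

  # Anything appended that is not already marked safe gets escaped.
  def <<(value)
    super(escape_unless_safe(value))
  end

  def concat(value)
    self << value
  end

  # Trusted input: skip both the flag check and the escaping.
  def safe_concat(value)
    String.instance_method(:<<).bind(self).call(value)
  end

  def +(other)
    dup << other
  end

  private

  def escape_unless_safe(value)
    return value if value.respond_to?(:html_safe?) && value.html_safe?
    CGI.escapeHTML(value.to_s)
  end
end

# How a view helper would use it: template text is trusted, user data is not.
def render_greeting(name)
  buf = "<p>Hello, ".html_safe
  buf << name               # escaped unless the caller marked it safe
  buf.safe_concat("</p>")   # trusted literal, no flag check
  buf
end
```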
* Tests can be run in isolation
* Dependencies added
* A few tests modified to avoid depending on AS deps
not depended on by files they were testing
output in HTML pages. [rick]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@9241 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8564 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
[fxn]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8422 5ecf4fe2-1ee6-0310-87b1-e25e094e27de