whether escaping is enabled. Fixes that existing plaintext email templates using <%== unexpectedly flipped to *escaping* HTML when #8235 was merged.

Introduced in 4a4de567b45ff28035419bc2d92f9b206e3c0a66.

This is a list of mime types where template text is not html escaped
by default. It prevents `Jack & Joe` from rendering as
`Jack &amp; Joe` for the whitelisted mime types. The default whitelist
contains text/plain.
This follows a whitelist approach where plain text templates are
not escaped, and all the others (json, xml) are. The mime type is
assumed to be set by the abstract controller.

this file with us-ascii

https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215

Fixes #2394

minor

encodings

This reverts commit 10773f94eae0dacf10e2ed0c28f6bb73805c2521.

This test is affected by a bug in Ruby 1.9.3p0 and trunk:
http://redmine.ruby-lang.org/issues/5564
Given we cannot fix it for ourselves, it is better to skip for now so
that we will easily see if further failures are introduced.
Jon Leighton is monitoring the bug report and will revert this when a
suitable solution is found (either a new Ruby release or a generic
workaround).
If you are using 1.9.3 in your app and have templates that are not in
UTF-8, you should add a workaround early on in the boot process. For
example, if your templates are Shift_JIS encoded, then add the
following in an initializer:
    Encoding::Converter.new('Shift_JIS', 'UTF-8')

ActionView::Template, we get to see the actual underlying error rather than a NoMethodError.
This shows an encoding bug on Ruby 1.9.3.

This reverts commit 115e80dccc65c3ed9a9750649d9ca4ea2a7e64f1.

This will make sure `render :inline` is working.
Closes #1633

Signed-off-by: José Valim <jose.valim@gmail.com>

rendering.

template handler.

This means that templates do not need to store their source anymore, allowing us to reduce the amount of memory taken by our Rails processes. Naively speaking, if your app/views contains 2MB of files, each of your processes (after being hit by a bunch of requests) will take 2MB less of memory after this commit.
This is extremely important for the upcoming features. Since Rails will also render CSS and JS files, their source won't be stored either, allowing us to decrease the amount of memory taken.

* Default Encoding.default_internal to UTF-8
* Eliminated the use of file-wide magic comments to coerce code evaluated inside the file
* Read templates as BINARY, use default_external or template-wide magic comments
  inside the Template to set the initial encoding
* This means that template handlers in Ruby 1.9 will receive Strings encoded
  in default_internal (UTF-8 by default)
* Create a better Exception for encoding issues, and use it when the template
  source has bytes that are not compatible with the specified encoding
* Allow template handlers to opt into handling BINARY. If they do so, they
  need to do some of their own manual encoding work
* Added a "Configuration Gotchas" section to the intro Rails Guide instructing
  users to use UTF-8 for everything
* Use config.encoding= in Ruby 1.8, and raise if a value that is an invalid
  $KCODE value is used
Also:
* Fixed a few tests that were assert() rather than assert_equal() and
  were caught by Minitest requiring a String for the message
* Fixed a test where an assert_select was malformed, also caught by
  Minitest being more restrictive
* Fixed a test where a Rack response was returning a String rather
  than an Enumerable