aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/test/template/url_helper_test.rb
Commit message (Collapse)AuthorAgeFilesLines
* Don't use `html_escape` to test the escapingRafael Mendonça França2012-08-051-1/+1
|
* html_escape should escape single quotesSantiago Pastorino2012-07-311-9/+9
| | | | | https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content Closes #7215
* Add back `:disable_with` and change deprecation horizon to 4.1Carlos Galdino + Rafael Mendonça França2012-07-211-1/+26
|
* Add back `:confirm` and change deprecation horizon to 4.1Carlos Galdino + Rafael Mendonça França2012-07-211-0/+58
|
* Remove `:confirm` in favor of `:data => { :confirm => 'Text' }` optionCarlos Galdino2012-07-181-7/+7
| | | | | | | | | This applies to the following helpers: `button_to` `button_tag` `image_submit_tag` `link_to` `submit_tag`
* Simplify link_to using content_tagCarlos Antonio da Silva2012-05-311-0/+20
| | | | Add some tests for link_to with blocks and escaping content.
* accept a block in button_to helperSergey Nartimov2012-05-301-0/+7
| | | | | | | | | | | | | | | | Make possible to use a block in button_to helper if button text is hard to fit into the name parameter, e.g.: <%= button_to [:make_happy, @user] do %> Make happy <strong><%= @user.name %></strong> <% end %> # => "<form method="post" action="/users/1/make_happy" class="button_to"> # <div> # <button type="submit"> # Make happy <strong>Name</strong> # </button> # </div> # </form>"
* Revert "Revert "Remove `:disable_with` in favor of `'data-disable-with'` ↵José Valim2012-05-151-15/+1
| | | | | | | | | option from `submit_tag`, `button_tag` and `button_to` helpers."" Finally remove `:disable_with` but use `:data => { :disable_with => ... }` in examples to show off a better API (which looks nicer in Ruby 1.9) This reverts commit a5c38a9c087e33d36397afc496be7c8e01b37ef0.
* Revert "Remove `:disable_with` in favor of `'data-disable-with'` option from ↵José Valim2012-05-151-1/+15
| | | | | | | | | | `submit_tag`, `button_tag` and `button_to` helpers." `disable_with:` is much easier to type than `"data-disable-with" =>`, and the fact it uses "data-disable-with" => is an implementation concern, it should not affect the public API. This reverts commit 683fc4db00f496e5225928afb4d4e932e0fcdc48.
* Remove `:disable_with` in favor of `'data-disable-with'` option from ↵Carlos Galdino + Rafael Mendonça França2012-05-141-15/+1
| | | | `submit_tag`, `button_tag` and `button_to` helpers.
* Remove default match without specified methodJose and Yehuda2012-04-241-9/+9
| | | | | | | | | | | | | | | | In the current router DSL, using the +match+ DSL method will match all verbs for the path to the specified endpoint. In the vast majority of cases, people are currently using +match+ when they actually mean +get+. This introduces security implications. This commit disallows calling +match+ without an HTTP verb constraint by default. To explicitly match all verbs, this commit also adds a :via => :all option to +match+. Closes #5964
* default_url_options does not receive one argument anymoreRafael Mendonça França2012-04-081-1/+1
|
* Remove unnecessary in HTML 5 type attribute with default valueAndrey A.I. Sitnik2012-04-051-4/+4
|
* removed unnecessary codeganesh2012-02-091-1/+0
|
* Change OrderedHash with array options to simple hash usageCarlos Antonio da Silva2012-01-251-8/+8
|
* Refactor button_to helper to use token_tag methodRafael Mendonça França2012-01-191-3/+24
|
* Remove rescue_action from compatibility module and testsCarlos Antonio da Silva2012-01-171-9/+1
|
* Make button_to helper support "form" option which is the form attributes.Wen-Tien Chang2011-09-291-0/+4
|
* current_page? returns false for non-GET requestsAlexey Vakhov2011-09-021-2/+8
|
* Fix a wrong assertion on url_helper_test, and refactor `html_safe` test to ↵Prem Sichanugrist2011-07-171-2/+6
| | | | be in its method
* Adds a test to check link_to with method & rel optionsJosh2011-06-211-0/+7
|
* Define ActiveSupport#to_param as to_str - closes #1663Andrew White2011-06-121-0/+8
|
* Prepare the context in URLHelperTest so that there are no required ↵wycats2011-05-221-0/+2
| | | | uninitialized instance variables
* Remove dependency from _template.José Valim2011-05-011-1/+1
|
* Be sure to javascript_escape the email address to prevent apostrophes ↵Michael Koziarski2011-02-081-4/+5
| | | | | | inadvertently causing javascript errors. This fixes CVE-2011-0446
* add test to check class is being escaped in form_classSantiago Pastorino2011-02-011-0/+4
|
* Allow customization of form class for button_toAndrei Bocan2011-02-011-0/+4
| | | | Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
* Make sure capture's output gets html_escaped [#5545 state:resolved]Jeff Kreeftmeijer2010-11-021-6/+1
| | | | | | | Also remove a duplicate test_link_to_unless assertion and add .html_safe to the remaining one. Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
* Allow generated url helpers to be overriden [#5243 state:resolved]Andrew White2010-10-261-0/+18
|
* data-disable-with in button_to helperPaco Guzman2010-10-111-0/+21
| | | | | | [#4993 state:committed] Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
* Clean up unused methods from AV::Base and pass in the template object on ↵José Valim2010-10-101-1/+1
| | | | rendering.
* delete repeated codeAaron Patterson2010-10-011-18/+0
|
* Removed deprecated RouteSet API, still many tests failPiotr Sarnacki2010-09-051-3/+2
|
* Removing unnecessary codeThiago Pradi2010-09-021-7/+0
| | | | Signed-off-by: José Valim <jose.valim@gmail.com>
* Deletes trailing whitespaces (over text files only find * -type f -exec sed ↵Santiago Pastorino2010-08-141-2/+2
| | | | 's/[ \t]*$//' -i {} \;)
* These tests are trusting in the order of the elements so use OrderedHash ↵Santiago Pastorino2010-07-211-13/+9
| | | | instead of Hash
* Refactor recall parameter normalization [#5021 state:resolved]Andrew White2010-07-031-2/+27
| | | | Signed-off-by: José Valim <jose.valim@gmail.com>
* We are trying to test that & escapes here not that &amp; is being escaped, ↵Santiago Pastorino2010-06-291-3/+2
| | | | | | also added a cosmetic change to test_link_tag_with_query_and_no_name Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
* s/escape_once/html_escape/, since html safety is the contract that now says ↵Xavier Noria2010-06-301-2/+2
| | | | whether something has to be escaped
* url_for no longer escapes HTML, the :escape option is also goneXavier Noria2010-06-301-16/+4
| | | | Rationale: url_for is just a path/URL generator, it is the responsability of the caller to escape conveniently HTML needs it, JavaScript needs different escaping, a text mail needs no escaping at all, etc.
* Restores the escaping of urls generated from hashes. [#4765 state:resolved]Andrew White2010-06-281-8/+4
| | | | | | | | | | | | | | HTML specifications recommend the escaping of urls in web pages, which url_for does by default for string urls and consquently urls generated by path helpers as these return strings. Hashes passed to url_for are not escaped by default and this commit reverses this default so that they are escaped. Undoes the changes of this commit: http://github.com/rails/rails/commit/1b3195b63ca44f0a70b61b75fcf4991cb2fbb944 Signed-off-by: José Valim <jose.valim@gmail.com>
* Normalize recall params when the route is not a standard route otherwise ↵Andrew White2010-06-271-0/+22
| | | | | | :controller and :action may appear in the generated url [#4326 state:resolved] Signed-off-by: José Valim <jose.valim@gmail.com>
* Allow :remote => false to be passed to link_toNicolas Sanguinetti2010-04-221-0/+14
| | | | | | | And add tests for `button_to` and `form_tag` which currently behave as expected, so we avoid a regression. Signed-off-by: wycats <wycats@gmail.com>
* params already has a setted controller and action hereSantiago Pastorino2010-04-211-1/+0
| | | | Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
* url_for now works with HashWithIndifferentAccess ht jay [#4391 state:committed]Santiago Pastorino2010-04-211-0/+10
| | | | Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
* mail_to with :encode => :javascript now outputs safe htmlSam Elliott2010-04-161-2/+6
| | | | Signed-off-by: Carl Lerche <carllerche@mac.com>
* Consistently use lowercase instead of camelCase for all JS class names in RailsDavid Heinemeier Hansson2010-04-081-10/+10
|
* Refactored url_for in AV to have its own instances of the helpers instead of ↵wycats2010-04-031-215/+204
| | | | proxying back to the controller. This potentially allows for more standalone usage of AV. It also kicked up a lot of dust in the tests, which were mocking out controllers to get this behavior. By moving it to the view, it made a lot of the tests more standalone (a win)
* Fix link_to with blockJeremy Kemper2010-03-151-4/+1
|
* Get rid of the instance-level URL rewriterwycats2010-03-091-2/+0
|