| Commit message (Collapse) | Author | Age | Files | Lines |
| |
ActionDispatch::Head was removed in favor of Rack::Head. But Rack::Head
does not convert GET requests to HEAD requests, so we need to check
for HEAD requests ourselves.
| |
Removes support for :encode, :replace_at, and :replace_dot
options from the mail_to helper. Support for these options
has been extracted to the 'actionview-encoded_mail_to' gem.
| |
* Uses the Ruby 1.9 hash syntax
* Avoid escaping " inside string using the %{} syntax
| |
Accept either :remote or 'remote' in both the html_options and
(url_)options hash arguments to link_to.
| |
ActionDispatch::Routing::UrlFor was always required in UrlHelpers. This
was changed by splitting the previous implementation of UrlHelper into 2
modules: ActionView::Helpers::UrlHelper and
ActionView::Routing::UrlHelper. The former keeps only the basic
implementation of url_for. The latter adds the features that allow routes
to be used and is only required when url_helpers or mounted_helpers are
required.
| |
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215
| |
This applies to the following helpers:
`button_to`
`button_tag`
`image_submit_tag`
`link_to`
`submit_tag`
| |
Add some tests for link_to with blocks and escaping content.
| |
Make it possible to use a block in the button_to helper if the button text is hard
to fit into the name parameter, e.g.:
  <%= button_to [:make_happy, @user] do %>
    Make happy <strong><%= @user.name %></strong>
  <% end %>
  # => "<form method="post" action="/users/1/make_happy" class="button_to">
  #      <div>
  #        <button type="submit">
  #          Make happy <strong>Name</strong>
  #        </button>
  #      </div>
  #    </form>"
| |
option from `submit_tag`, `button_tag` and `button_to` helpers.""
Finally remove `:disable_with`, but use `:data => { :disable_with => ... }`
in examples to show off a better API (which looks nicer in Ruby 1.9).
This reverts commit a5c38a9c087e33d36397afc496be7c8e01b37ef0.
| |
`submit_tag`, `button_tag` and `button_to` helpers."
`disable_with:` is much easier to type than `"data-disable-with" =>`,
and the fact that it uses `"data-disable-with" =>` is an implementation concern;
it should not affect the public API.
This reverts commit 683fc4db00f496e5225928afb4d4e932e0fcdc48.
| |
`submit_tag`, `button_tag` and `button_to` helpers.
| |
In the current router DSL, using the +match+ DSL
method will match all verbs for the path to the
specified endpoint.
In the vast majority of cases, people are
currently using +match+ when they actually mean
+get+. This introduces security implications.
This commit disallows calling +match+ without
an HTTP verb constraint by default. To explicitly
match all verbs, this commit also adds a
:via => :all option to +match+.
Closes #5964
| |
be in its method
| |
uninitialized instance variables
| |
inadvertently causing JavaScript errors.
This fixes CVE-2011-0446.
| |
Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
| |
Also remove a duplicate test_link_to_unless assertion and add .html_safe to the
remaining one.
Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
| |
[#4993 state:committed]
Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
| |
rendering.
| |
Signed-off-by: José Valim <jose.valim@gmail.com>
| |
's/[ \t]*$//' -i {} \;)
| |
instead of Hash
| |
Signed-off-by: José Valim <jose.valim@gmail.com>
| |
also added a cosmetic change to test_link_tag_with_query_and_no_name
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
| |
whether something has to be escaped
| |
Rationale: url_for is just a path/URL generator; it is the responsibility of the caller to escape as appropriate: HTML needs it, JavaScript needs different escaping, a text mail needs no escaping at all, etc.
| |
HTML specifications recommend the escaping of URLs in web pages,
which url_for does by default for string URLs and consequently for
URLs generated by path helpers, as these return strings.
Hashes passed to url_for are not escaped by default, and this
commit reverses this default so that they are escaped.
Undoes the changes of this commit:
http://github.com/rails/rails/commit/1b3195b63ca44f0a70b61b75fcf4991cb2fbb944
Signed-off-by: José Valim <jose.valim@gmail.com>
| |
:controller and :action may appear in the generated url [#4326 state:resolved]
Signed-off-by: José Valim <jose.valim@gmail.com>
| |
And add tests for `button_to` and `form_tag` which currently behave as
expected, so we avoid a regression.
Signed-off-by: wycats <wycats@gmail.com>