path: root/actionpack/test/template
Commit log (subject, author, date; files changed, lines -removed/+added):
* Remove duplicate prompt key from options (Andrew White, 2016-11-02; 1 file, -1/+1)
* Fix failing tests on 3-2-stable branch: (Johnny Shields, 2016-09-15; 1 file, -2/+2)
  - Set sudo: false in .travis.yml which uses latest travis engine and fixes some failing specs
  - Use older version of gems in Gemfile if RUBY_VERSION < '1.9.3' (no change to .gemspec)
  - Fix two cases of hash rockets in tests (required for Ruby 1.8.7)
  - Skip failing test "test_ensure_that_migration_tasks_work_with_mountable_option" which breaks due to Bundler no longer accepting the default generated .gemspec format.
  - Skip railties specs on Ruby 1.8.7 (mark as an allowed failure.)
* Remove dead code and ensure values are strings before calling gsub (Mike Virata-Stone, 2016-08-11; 1 file, -0/+8)
* ensure tag/content_tag escapes " in attribute vals (Andrew Carpenter, 2016-08-10; 1 file, -0/+10)
  Many helpers mark content as HTML-safe without escaping double quotes -- including `sanitize`. Regardless of whether or not the attribute values are HTML-escaped, we want to be sure they don't include double quotes, as that can cause XSS issues. For example:
    `content_tag(:div, "foo", title: sanitize('" onmouseover="alert(1);//'))`
  CVE-2016-6316
* Don't allow render(params) in view/controller (Arthur Neves, 2016-02-29; 1 file, -0/+27)
  `render(params)` is dangerous and could be a vector for attackers. Don't allow calls to render passing params on views or controllers.
  On a controller or view, we should not allow something like `render params[:id]` or `render params`. That could be problematic, because an attacker could pass input that could lead to a remote code execution attack.
  This patch is also compatible when using strong parameters.
  CVE-2016-2098
* allow :file to be outside rails root, but anything else must be inside the rails view directory (Aaron Patterson, 2016-01-22; 1 file, -0/+7)
  Conflicts:
    actionpack/test/controller/render_test.rb
    actionview/lib/action_view/template/resolver.rb
  CVE-2016-0752
* add parens to fix warning (Aman Gupta, 2015-01-05; 1 file, -1/+1)
* fix regex case (Aman Gupta, 2015-01-02; 1 file, -1/+1)
* convert another incompatible assert_raise invocation (Aman Gupta, 2015-01-02; 1 file, -1/+2)
* switch to minitest and test-unit compatible assert_raise syntax (Kouhei Sutou, 2015-01-02; 1 file, -1/+2)
* Merge branch '3-2-17' into 3-2-stable (Rafael Mendonça França, 2014-02-18; 2 files, -0/+68)
  Conflicts:
    actionpack/CHANGELOG.md
* Use the reference for the mime type to get the format (Rafael Mendonça França, 2014-02-18; 1 file, -0/+17)
  Before we were calling to_sym in the mime type, even when it is unknown, which can cause denial of service since symbols are not removed by the garbage collector.
  Fixes: CVE-2014-0082
* Escape format, negative_format and units options of number helpers (Rafael Mendonça França, 2014-02-18; 1 file, -0/+51)
  Previously the values of these options were trusted, leading to potential XSS vulnerabilities.
  Fixes: CVE-2014-0081
* Merge pull request #13183 from sorah/never_ignore_i18n_translate_raise_option (Carlos Antonio da Silva, 2013-12-04; 1 file, -0/+6)
  Escalate missing error when :raise is true in translate helper, fix regression introduced by security fix.
  Conflicts:
    actionpack/CHANGELOG.md
* Fix documentation of number_to_currency helper (Rafael Mendonça França, 2013-12-04; 1 file, -1/+1)
  Now users have to explicitly mark the unit as safe if they trust it.
  Closes #13161
* repair a test broken by the number_to_currency XSS fix (Tobias Kraze, 2013-12-04; 1 file, -4/+4)
* Stop using i18n's built in HTML error handling. (Michael Koziarski, 2013-12-02; 1 file, -1/+1)
  i18n doesn't depend on active support which means it can't use our html_safe code to do its escaping when generating the spans. Rather than try to sanitize the output from i18n, just revert to our old behaviour of rescuing the error and constructing the tag ourselves.
  Fixes: CVE-2013-4491
  Conflicts:
    actionpack/lib/action_view/helpers/translation_helper.rb
  Backport: 50afd8eec9d088ad5a2d41f00a05520d5b78a6a0
* Escape the unit value provided to number_to_currency (Michael Koziarski, 2013-12-02; 1 file, -3/+4)
  Fixes CVE-2013-6415
  Previously the values were trusted blindly allowing for potential XSS attacks.
* fix issue #11605 (Kassio Borges, 2013-08-24; 1 file, -10/+7)
* Merge pull request #10971 from dtaniwaki/escape_link_to_unless (Rafael Mendonça França, 2013-06-24; 1 file, -0/+5)
  Always escape the result of link_to_unless method
* Compare host scheme using case-insensitive regexp (Rafael Mendonça França, 2013-06-16; 1 file, -10/+30)
  Before:
    image_tag("HTTP://google.com") # => "<img alt=\"Google\" src=\"/assets/HTTP://google.com\" />"
    image_tag("http://google.com") # => "<img alt=\"Google\" src=\"http://google.com\" />"
  After:
    image_tag("HTTP://google.com") # => "<img alt=\"Google\" src=\"HTTP://google.com\" />"
    image_tag("http://google.com") # => "<img alt=\"Google\" src=\"http://google.com\" />"
  Backport of #10969
* Do not make Fixnum#/ private on Ruby versions less than 1.9.3 (Rafael Mendonça França, 2013-05-10; 1 file, -4/+3)
  In those versions to_date calls Fixnum#/, which will cause a failure
* Merging in fix from #8222 (Ben Tucker, 2013-05-06; 1 file, -0/+5)
* Fix explicit names on multiple file fields (Ryan McGeary, 2013-04-05; 1 file, -0/+10)
  If a file field tag is passed the multiple option, it is turned into an array field (appending "[]"), but if the file field is passed an explicit name as an option, leave the name alone (do not append "[]").
  Fixes #9830
* Fix typo in view name (Carlos Antonio da Silva, 2013-04-03; 1 file, -1/+1)
  Introduced in 2c22376fe04b89e8f34620139720b85a85ce3428
* Common behavior with adding formats to lookup_context for TemplateRenderer and PartialRenderer (Dmitry Vorotilin, 2013-04-02; 1 file, -0/+10)
* Fix test for Ruby 1.8 (Rafael Mendonça França, 2013-03-21; 1 file, -1/+1)
  Pathname doesn't respond to to_path
* Fixed assets loading performance in 3.2.13 (Fred Wu, 2013-03-20; 1 file, -0/+9)
  The PR #8756 uses Sprockets for resolving files that already exist on disk; for those files their extensions don't need to be rewritten.
  Fixes #9803
* Backport #9347 to rails 3.2 (hoffm, 2013-03-19; 1 file, -0/+5)
* fix protocol checking in sanitization [CVE-2013-1857] (Aaron Patterson, 2013-03-15; 1 file, -0/+10)
  Conflicts:
    actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
* fix incorrect ^$ usage leading to XSS in sanitize_css [CVE-2013-1855] (Charlie Somerville, 2013-03-15; 1 file, -0/+5)
* Merge pull request #9616 from exviva/multiple_select_name_double_square_brackets (Carlos Antonio da Silva, 2013-03-12; 1 file, -0/+8)
  Fix incorrectly appended square brackets to a multiple select box
  Before:
    select(:category, [], {}, {:multiple => true, :name => "post[category][]"})
    # => <select name="post[category][][]" ...>
  After:
    select(:category, [], {}, {:multiple => true, :name => "post[category][]"})
    # => <select name="post[category][]" ...>
  Conflicts:
    actionpack/CHANGELOG.md
    actionpack/lib/action_view/helpers/tags/base.rb
    actionpack/test/template/form_options_helper_test.rb
* Ruby 2 compat. CGI.escapeHTML has changed the way it escapes apostrophes a few times, so fix up the test to work with however it chooses to escape. (Jeremy Kemper, 2013-02-24; 1 file, -1/+1)
* Ruby 2.0.0 defaults source encoding to utf-8 so we need to specifically tag this file with us-ascii (Aaron Patterson, 2013-02-24; 1 file, -0/+1)
* Merge pull request #8756 from causes/js_include_tag_fix (Guillermo Iguaran, 2013-01-10; 1 file, -0/+7)
  Fix javascript_include_tag when no js runtime is available
* Fix javascript_include_tag when no js runtime is available (Noah Silas, 2013-01-07; 1 file, -0/+7)
  In a production environment where the assets have been precompiled, we don't want an assets compile step to happen on the application server at all. To ensure this, a js runtime may not be available on the app servers.
  In this environment, pages using javascript_include_tag for assets with non-standard or chained extensions were throwing 500 errors. For instance, `javascript_include_tag('jquery.min')` would blow up.
  Sprockets was attempting to build the assets being included during the rewrite_extension step (responsible for appending a '.js' extension to assets being included by the basename rather than a fully qualified name). This was happening as a step to resolve #6310, which required checking for the presence of an asset with a non-standard extension before appending the extension.
  We can check for the presence of an asset without invoking the asset build step by using Sprockets' resolve method, which will search for the base file without building it (and is the method that find_asset uses internally to get the path to the asset before attempting to build it).
  When rewriting the extension on an asset, these are the steps:
  - If the source does not have an extension, assume that the default extension is desired and append it.
  - If there is an extension and it doesn't match the default extension, check to see if a file with the precise name specified exists amongst the assets; if it is present, do not append the default extension. (This is the step that resolves #6310).
* Fixes issue where duplicate assets can be required with sprockets. (jejacks0n, 2013-01-10; 1 file, -0/+5)
  - addresses the problem by calling flatten on asset array before calling uniq.
  - adds note to CHANGELOG.
* Do not call fields_for from form_for, to avoid instantiating two builders (Carlos Antonio da Silva, 2013-01-06; 1 file, -1/+13)
  Conflicts:
    actionpack/lib/action_view/helpers/form_helper.rb
    actionpack/test/template/form_helper_test.rb
* fix block.arity raise nil error when not given a block to "content_tag_for" (jasl, 2013-01-02; 1 file, -0/+8)
* Make distance_of_time_in_words work with DateTime offsets (Andrew White, 2012-12-04; 1 file, -0/+10)
  Because DateTime#to_time returns self when it has a non-zero offset and subtracting two DateTime instances returns a Rational, the distance_of_time_in_words method outputs an incorrect value. This is fixed in master because we can rely on Ruby 1.9.3's implementation of to_time but it can't be fixed on Ruby 1.8.7 as there is no way to map the DateTime to a Time with a non-zero offset.
  We can work around the problem by casting to Float before doing the subtraction in the distance_of_time_in_words method.
  Closes #8390
* Make output of distance_of_time_in_words consistent (Andrew White, 2012-12-04; 1 file, -2/+19)
  This commit fixes the output of distance_of_time_in_words when using integer or duration arguments. Previously a distance of more than 30 seconds would be output as 'Less than 1 minute' when using integer arguments and '1 minute' when using two Time instances more than 30 seconds apart.
  Cherry picked from 5fdd4cd9e47be972f146a8a17a74c8f4700e2ac0
* Override <%== to always behave as literal text rather than toggling based on whether escaping is enabled. (Jeremy Kemper, 2012-12-03; 1 file, -2/+2)
  Fixes that existing plaintext email templates using <%== unexpectedly flipped to *escaping* HTML when #8235 was merged.
  Conflicts:
    actionpack/test/template/template_test.rb
* Merge pull request #8402 from senny/8376_descriptive_error_message_for_partial_layout_true (Rafael Mendonça França, 2012-12-02; 1 file, -1/+6)
  More descriptive error when rendering a partial with `:layout => true`
  Conflicts:
    actionpack/CHANGELOG.md
    actionpack/lib/action_view/renderer/partial_renderer.rb
* Add i18n scope to distance_of_time_in_words. (Steve Klabnik, 2012-11-26; 1 file, -3/+12)
  This is a backport of rails/rails#7997.
* Merge pull request #8235 from tilsammans/dont_escape_actionmailer_when_plaintext (José Valim, 2012-11-16; 1 file, -1/+15)
  Introduce `ActionView::Template::Handlers::ERB.escape_whitelist`
  Conflicts:
    actionpack/CHANGELOG.md
    actionpack/test/template/template_test.rb
* Update mocha version to 0.13.0 and change requires (Carlos Antonio da Silva, 2012-11-13; 2 files, -3/+3)
* Merge pull request #8108 from Casecommons/fix-multiple-and-index-in-instance-tag (Rafael Mendonça França, 2012-11-08; 1 file, -0/+13)
  Support :multiple option on input tags that also have :index
  Conflicts:
    actionpack/lib/action_view/helpers/tags/base.rb
    actionpack/lib/action_view/helpers/tags/collection_check_boxes.rb
* Accept :remote as symbol in link_to options (Riley, 2012-10-06; 1 file, -0/+7)
  Accept either :remote or 'remote' in both the html_options and (url_)options hash arguments to link_to.
* Revert "Revert "Respect `config.digest = false` for `asset_path`"" (Rafael Mendonça França, 2012-09-20; 1 file, -0/+8)
  This reverts commit 54f55746a70a7091341e84236498203118a7fbb4.
  Reason: the last commit fixed the failing case
* Revert "Respect `config.digest = false` for `asset_path`" (Rafael Mendonça França, 2012-09-20; 1 file, -8/+0)
  This reverts commit 1ac19c11792a745cd654f02dfaed8e93f95b3c70.
  Conflicts:
    actionpack/CHANGELOG.md
  Reason: This is causing failures in the railties build. See http://travis-ci.org/#!/rails/rails/jobs/2491787
  Related with #7672