| Commit message (Collapse) | Author | Age | Files | Lines |
|\ |
|
| |
| |
| |
| |
| |
| | |
Thanks to Marek Labos & Nethemba
CVE-2012-3465
|
| |
| |
| |
| | |
CVE-2012-3463
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215
Conflicts:
actionpack/test/template/erb_util_test.rb
actionpack/test/template/form_tag_helper_test.rb
actionpack/test/template/text_helper_test.rb
actionpack/test/template/url_helper_test.rb
activesupport/lib/active_support/core_ext/string/output_safety.rb
|
| |
| |
| |
| |
| |
| | |
Rails were including 'application.js' to the pack when using
`javascript_include_tag :all` even there's no application.js in the
public directory.
|
| |
| |
| |
| |
| |
| |
| |
| | |
brainopia/support_for_magic_domain_on_all_stores"
This reverts commit 393c652cf63875f2728c04d47b34b2d6ae908186.
This commit was supposed to fix a bug but it add more failures.
|
| |
| |
| |
| | |
Support cookie jar options for all cookie stores
|
|/
|
|
|
|
|
|
|
|
|
|
| |
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215
Conflicts:
actionpack/test/template/erb_util_test.rb
actionpack/test/template/form_tag_helper_test.rb
actionpack/test/template/text_helper_test.rb
actionpack/test/template/url_helper_test.rb
activesupport/lib/active_support/core_ext/string/output_safety.rb
|
|
|
|
| |
This reverts commit 9dc57fe9c4807fc0ad4b1590a931891d9faa3164.
|
|
|
|
|
|
|
| |
This reverts commit 1aff7725c7a04cde202cca906208560a55409e6a.
Conflicts:
actionpack/CHANGELOG.md
|
|
|
|
|
|
|
|
|
|
|
| |
option"
Revert "Deprecate `:disable_with` in favor of `'data-disable-with'` option for `button_to` and `submit_tag` helpers."
This reverts commit fc092a9cba5fceec38358072e50e09250cf58840.
This reverts commit e9051e20aeb2c666db06b6217954737665878db7.
This reverts commit d47d6e7eda3aa3e6aa28d0c17ac6801234bb97d1.
This reverts commit 21141e777bdce8534e3755c8de7268324b3d8714.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Optional segments with a root scope need to have the leading slash
outside of the parentheses, otherwise the generated url will be empty.
However if the route has non-optional elements then the leading slash
needs to remain inside the parentheses otherwise the generated url
will have two leading slashes, e.g:
Blog::Application.routes.draw do
get '/(:category)', :to => 'posts#index', :as => :root
get '/(:category)/author/:name', :to => 'posts#author', :as => :author
end
$ rake routes
root GET /(:category)(.:format) posts#index
author GET (/:category)/author/:name(.:format) posts#author
This change adds support for optional segments that contain a slash,
allowing support for urls like /page/2 for the root path, e.g:
Blog::Application.routes.draw do
get '/(page/:page)', :to => 'posts#index', :as => :root
end
$ rake routes
root GET /(page/:page)(.:format) posts#index
Fixes #7073
(cherry picked from commit d8745decaf59aad32aa2f09abdba99b8d0e48b31)
|
|
|
|
|
|
|
|
|
| |
When a select tag is created for a field with errors, and that select
tag has :prompt or :include_blank options, then the inserted first
option will errantly have a <div class="field_with_errors"> wrapping
it.
See https://github.com/rails/rails/issues/7017
|
| |
|
|\
| |
| | |
Logger in metal backport for 3.2
|
| |
| |
| |
| | |
ActionController::Metal controller.
|
| | |
|
|/
|
|
| |
Respect absolute paths in compute_source_path.
|
| |
|
|
|
|
| |
AbstractController::Callbacks
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
After the fix done in 39f9f02a, there are cases that will not work
correctly. If you have file with "2 extensions", like foo.min.js and you
reference the file without extension, like:
javascript_include_tag "foo.min"
it will fail because sprockets finds foo.min.js with foo.min argument.
This commit fixes this case and will get the right file even when
referrencing it without extension.
(closes #6598)
|
|
|
|
|
| |
This test is needed to avoid regressions in the way that flash works
now (swept in every request).
|
|
|
|
|
|
|
|
|
|
|
|
| |
This deprecation applies to:
`button_to`
`button_tag`
`image_submit_tag`
`link_to`
`submit_tag`
As :confirm is an UI specific option is better to use the data attributes,
teaching users about unobtrusive JavaScript and how Rails works with it.
|
|
|
|
|
| |
Similarly to 6525002, this allows to use routes helpers for mounted
helpers, but this time in ActionView::TestCase
|
|\
| |
| | |
Correct the use of to_model in polymorphic routing
|
| | |
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In integration tests, you might want to use helpers from engines that
you mounted in your application. It's not hard to add it by yourself,
but it's unneeded boilerplate. mounted_helpers are now included by
default. That means that given engine mounted like:
mount Foo::Engine => "/foo", :as => "foo"
you will be able to use paths from this engine in tests this way:
foo.root_path #=> "/foo"
(closes #6573)
|
|
|
|
|
|
| |
Thanks to Ben Murphy for reporting this!
CVE-2012-2660
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We should lookup if asset without appended extension exists.
When sprockets are disabled the asset tag helpers incorporate
this logic. When sprockets are enabled we should have the same
logic.
For example, we have style.ext file in app/assets/stylesheets and
we use stylesheet_link_tag in the layout. In this case we should
have /assets/style.ext instead of /assets/style.ext.css in the
output.
Closes #6310
|
| |
|
|
|
|
|
|
|
| |
`excerpt` text helper uses `:radius`, not `line_width` (that is used by
`word_wrap` helper).
Also cleanup some whitespaces.
|
|
|
|
| |
Render img tag with empty src if empty string is passed to image_tag.
|
| |
|
| |
|
| |
|
|
|
|
| |
`button_to` and `submit_tag` helpers.
|
| |
|
|
|
|
| |
Support data: url scheme
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit improves the handling of default_url_options in integration
tests by making behave closer to how a real application operates.
Specifically the following issues have been addressed:
* Options specified in routes.rb are used (fixes #546)
* Options specified in controllers are used
* Request parameters are recalled correctly
* Tests can override default_url_options directly
|
|\
| |
| | |
Make sure that javascript_include_tag/stylesheet_link_tag methods don't consider duplicated assets
|
| |
| |
| |
| | |
sprockets/helpers/rails_helper.rb discard duplicated assets
|
| |
| |
| |
| | |
when using the :head method/shortcut
|
|/
|
|
| |
The role option identifies which parameters are accessible and should be wrapped. The default role is :default.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A callable object passed as a constraint for a route may access the request
parameters as part of its check. This causes the combined parameters hash
to be cached in the environment hash. If the constraint fails then any subsequent
access of the request parameters will be against that stale hash.
To fix this we delete the cache after every call to `matches?`. This may have a
negative performance impact if the contraint wraps a large number of routes as the
parameters hash is built by merging GET, POST and path parameters.
Fixes #2510.
(cherry picked from commit 56030506563352944fed12a6bb4793bb2462094b)
|
| |
|
| |
|
| |
|