| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
Thanks to Marek Labos & Nethemba
CVE-2012-3465
|
|
|
|
| |
CVE-2012-3463
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215
Conflicts:
actionpack/test/template/erb_util_test.rb
actionpack/test/template/form_tag_helper_test.rb
actionpack/test/template/text_helper_test.rb
actionpack/test/template/url_helper_test.rb
activesupport/lib/active_support/core_ext/string/output_safety.rb
|
| |
|
|
|
|
| |
This reverts commit 9dc57fe9c4807fc0ad4b1590a931891d9faa3164.
|
|
|
|
|
|
|
| |
This reverts commit 1aff7725c7a04cde202cca906208560a55409e6a.
Conflicts:
actionpack/CHANGELOG.md
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
option"
Revert "Deprecate `:disable_with` in favor of `'data-disable-with'` option for `button_to` and `submit_tag` helpers."
This reverts commit fc092a9cba5fceec38358072e50e09250cf58840.
This reverts commit e9051e20aeb2c666db06b6217954737665878db7.
This reverts commit d47d6e7eda3aa3e6aa28d0c17ac6801234bb97d1.
This reverts commit 21141e777bdce8534e3755c8de7268324b3d8714.
|
|
|
|
| |
[ci skip]
|
|
|
|
| |
This file uses mattr_accessor.
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
There are some Action Pack tests for regressions from 3.1 that require
a later version of Journey to pass so bump to the current version.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Optional segments with a root scope need to have the leading slash
outside of the parentheses, otherwise the generated url will be empty.
However if the route has non-optional elements then the leading slash
needs to remain inside the parentheses otherwise the generated url
will have two leading slashes, e.g:
Blog::Application.routes.draw do
get '/(:category)', :to => 'posts#index', :as => :root
get '/(:category)/author/:name', :to => 'posts#author', :as => :author
end
$ rake routes
root GET /(:category)(.:format) posts#index
author GET (/:category)/author/:name(.:format) posts#author
This change adds support for optional segments that contain a slash,
allowing support for urls like /page/2 for the root path, e.g:
Blog::Application.routes.draw do
get '/(page/:page)', :to => 'posts#index', :as => :root
end
$ rake routes
root GET /(page/:page)(.:format) posts#index
Fixes #7073
(cherry picked from commit d8745decaf59aad32aa2f09abdba99b8d0e48b31)
|
|
|
|
|
|
|
|
|
| |
When a select tag is created for a field with errors, and that select
tag has :prompt or :include_blank options, then the inserted first
option will errantly have a <div class="field_with_errors"> wrapping
it.
See https://github.com/rails/rails/issues/7017
|
| |
|
|
|
|
|
|
|
|
|
|
| |
instead of line continuations. While I'm at it, wrap long comment lines consistently.
Conflicts:
actionpack/lib/action_view/helpers/number_helper.rb
There was just one conflict related to the addition of the :format
option to number_to_percentage.
|
|\
| |
| | |
Logger in metal backport for 3.2
|
| |
| |
| |
| | |
ActionController::Metal controller.
|
| | |
|
| | |
|
|/
|
|
| |
Respect absolute paths in compute_source_path.
|
| |
|
|
|
|
| |
AbstractController::Callbacks
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
Apparently asset_environment should not be invoked if it's not needed.
This fixes broken build by getting back to the code more similar to the
version changed here: 5b0a891
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
After the fix done in 39f9f02a, there are cases that will not work
correctly. If you have file with "2 extensions", like foo.min.js and you
reference the file without extension, like:
javascript_include_tag "foo.min"
it will fail because sprockets finds foo.min.js with foo.min argument.
This commit fixes this case and will get the right file even when
referrencing it without extension.
(closes #6598)
|
|
|
|
|
|
|
|
|
| |
dangerous especially with Rack::Cache), it should only be loaded when the flash method is called"
This reverts commits e3069c64b2c5ddc7a5789b55b8efd4902d9e9729 and 2b2983d76fd11efc219273036a612f47cfaa5bfa.
Reason: This add a non-backward compatible change in the way that flash
works now (swept in every request).
|
|
|
|
|
| |
This test is needed to avoid regressions in the way that flash works
now (swept in every request).
|
|
|
|
|
|
|
|
|
|
|
|
| |
This deprecation applies to:
`button_to`
`button_tag`
`image_submit_tag`
`link_to`
`submit_tag`
As :confirm is an UI specific option is better to use the data attributes,
teaching users about unobtrusive JavaScript and how Rails works with it.
|
|
|
|
|
| |
Similarly to 6525002, this allows to use routes helpers for mounted
helpers, but this time in ActionView::TestCase
|
|\
| |
| | |
Correct the use of to_model in polymorphic routing
|
| | |
|
| | |
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In integration tests, you might want to use helpers from engines that
you mounted in your application. It's not hard to add it by yourself,
but it's unneeded boilerplate. mounted_helpers are now included by
default. That means that given engine mounted like:
mount Foo::Engine => "/foo", :as => "foo"
you will be able to use paths from this engine in tests this way:
foo.root_path #=> "/foo"
(closes #6573)
|
| |
|
| |
|
| |
|
|\
| |
| |
| |
| |
| | |
* 3-2-stable-sec:
Strip [nil] from parameters hash. Thanks to Ben Murphy for reporting this!
predicate builder should not recurse for determining where columns. Thanks to Ben Murphy for reporting this
|
| |
| |
| |
| |
| |
| | |
Thanks to Ben Murphy for reporting this!
CVE-2012-2660
|
|/ |
|