| Commit message | Author | Age | Files | Lines |
CVE-2015-7579 says rails-html-sanitizer 1.0.2 has an XSS vulnerability.
Erubi offers the following advantages for Rails:

* Works with Ruby's --enable-frozen-string-literal option
* Has an 88% smaller memory footprint
* Does no freedom patching (Erubis adds a method to Kernel)
* Has simpler internals (1 file, <150 lines of code)
* Has an open development model (Erubis doesn't have a public source control repository or bug tracker)
* Is not dead (Erubis hasn't been updated since 2011)

Erubi is a simplified fork of Erubis that contains just the parts that are generally needed (which includes the parts that Rails uses). The only intentional difference in behavior is that it does not include support for <%=== tags for debug output. That could be added to the ActionView ERB handler if it is desired.

The Erubis template handler remains in a deprecated state so that code that accesses it directly does not break. It can be removed after Rails 5.1.
The current code base is not uniform. After some discussion,
we have chosen to go with double quotes by default.
Resolves #24924.
References https://github.com/rails/homepage/issues/46.
and fix the grammar in the ruby_version_check.rb user message.
Let strip_tags leave HTML escaping to Rails.
Prevents double-escaping errors, such as "&" becoming "&amp;".
This is a follow-up to #19257.
Stems from [this comment](https://github.com/rails/rails/pull/18203#issuecomment-68138096) by @robin850 and from the blog post http://weblog.rubyonrails.org/2014/12/19/Rails-4-2-final.
[This article](http://weblog.rubyonrails.org/2014/8/20/Rails-4-2-beta1/#maintenance-consequences-and-rails-5-0) states that:

> Rails 5.0 is in most likelihood going to target Ruby 2.2.

Before the exact minimum version is fully decided, @arthurnn [suggests](https://github.com/rails/rails/pull/17830#issuecomment-64940383) that **at least** version 2.1.0 **must** be required by the `gemspec` files.
- Default to Rails::DeprecatedSanitizer in ActionView::Helpers::SanitizeHelper.
- Add upgrade notes.
- Add sanitizer to new applications' Gemfiles.
- Remove 'rails-dom-testing' as a dependency.
Implemented ActionView: FullSanitizer, LinkSanitizer and WhiteListSanitizer in sanitizers.rb.
Deprecated protocol_separator and bad_tags.
Added new tests in sanitizers_test.rb and reimplemented assert_dom_equal with Loofah.
Allowing us to get 3.2.x versions if needed.
This reverts commit 70d6e16fbad75b89dd1798ed697e7732b8606fa3, reversing
changes made to ea4db3bc078fb3093ecdddffdf4f2f4ff3e1e8f9.
Seems to be a code merge done by mistake.
ActionView still relies on ActionPack in some of the tests.
This commit creates structure for Action View gem and is first of a
series of commits extracting Action View from Action Pack.