path: root/actionview/app/assets/javascripts/rails-ujs/utils
Commit message (Author, Age, Files, Lines)
* Make JS views rendered work with content security policy (yuuji.yaginuma, 2018-04-20, files: 1, lines: -1/+1)
|
|   As of now, `HTMLElement.nonce` seems to work only in Chrome. So, it
|   should not be used now.
|   https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/nonce#Browser_compatibility
|
|   Fixes #32577.
* Pass HTML responses as plain-text in rails-ujs (Raymond Zhou, 2018-03-19, files: 1, lines: -1/+1)
|
|   Running HTML responses through `DOMParser#parseFromString` results in
|   complete `HTMLDocument` instances with unnecessary surrounding tags.
|   For example:
|
|       new DOMParser().parseFromString('<p>hello</p>', 'text/html')
|
|   Will output:
|
|       <html>
|         <head></head>
|         <body>
|           <p>hello</p>
|         </body>
|       </html>
|
|   This is passed to the `ajax:success` handler as `event.detail[0]`
|   (`data`), but cannot be used directly without first traversing the
|   document.
|
|   To resolve this, only XML content is passed through `parseFromString`,
|   while HTML content is treated as plain-text.
|
|   This matches the behavior of jquery-ujs, which relied on jQuery's
|   response-type inference.
* Add support for automatic nonce generation for Rails UJS (Andrew White, 2018-02-19, files: 2, lines: -1/+7)
|
|   Because the UJS library creates a script tag to process responses it
|   normally requires the script-src attribute of the content security
|   policy to include 'unsafe-inline'.
|
|   To work around this we generate a per-request nonce value that is
|   embedded in a meta tag in a similar fashion to how CSRF protection
|   embeds its token in a meta tag. The UJS library can then read the
|   nonce value and set it on the dynamically generated script tag to
|   enable it to execute without needing 'unsafe-inline' enabled.
|
|   Nonce generation isn't 100% safe - if your script tag is including
|   user generated content in some way then it may be possible to exploit
|   an XSS vulnerability which can take advantage of the nonce. It is
|   however an improvement on a blanket permission for inline scripts.
|
|   It is also possible to use the nonce within your own script tags by
|   using `nonce: true` to set the nonce value on the tag, e.g.
|
|       <%= javascript_tag nonce: true do %>
|         alert('Hello, World!');
|       <% end %>
|
|   Fixes #31689.
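
The mechanism this commit message describes, as an added example that is not code from the commit or from rails-ujs: `runResponseScript` copies the nonce from the meta tag onto a generated script element, and `inlineScriptAllowed` is a simplified model of the browser's CSP check for inline scripts, showing why a nonce can stand in for 'unsafe-inline'. The function names, the `doc` parameter and the `csp-nonce` meta tag name are assumptions of this example; hash-source matching is not modelled.

```javascript
// Added example, not rails-ujs code. Names below are illustrative assumptions.

// Copy the per-request nonce from the meta tag onto a generated <script>.
// `doc` is window.document in a browser (or any object with the same methods).
function runResponseScript(doc, source) {
  const meta = doc.querySelector('meta[name=csp-nonce]'); // assumed tag name
  const script = doc.createElement('script');
  // setAttribute, because the `nonce` property is not supported everywhere
  if (meta && meta.content) script.setAttribute('nonce', meta.content);
  script.text = source;
  doc.head.appendChild(script);
  return script;
}

// Source list governing scripts: script-src, falling back to default-src.
function scriptSources(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources); // first wins
  }
  return directives.get('script-src') || directives.get('default-src') || null;
}

// Simplified model of the browser's decision for an inline script whose
// nonce attribute is `nonce` (null if absent). Hash matching is not modelled.
function inlineScriptAllowed(policy, nonce) {
  const sources = scriptSources(policy);
  if (sources === null) return true; // nothing restricts scripts
  const nonces = sources
    .filter((s) => /^'nonce-.+'$/.test(s))
    .map((s) => s.slice(7, -1));
  const hasHash = sources.some((s) => /^'sha(256|384|512)-.+'$/i.test(s));
  if (nonces.length > 0 || hasHash) {
    // A listed nonce or hash makes the browser ignore 'unsafe-inline'.
    return nonce !== null && nonces.includes(nonce);
  }
  return sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}
```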
* Revert unintentional change in 41e3bbd (Javan Makhmali, 2018-01-01, files: 1, lines: -1/+1)
|
* Improve `preventDefault` fix for rails-ujs (Javan Makhmali, 2018-01-01, files: 1, lines: -6/+11)
|
|   Improves 049a3374aa85f33091f0e7cba8635edd4b4786bd:
|
|   * Attempt native `preventDefault()` before stepping in
|   * Fix that calling `preventDefault()` more than once would throw an error
|   * Fix that non-cancelable events could be canceled
* Fix IE 10 and IE 11's broken `preventDefault` (Yuri S, 2017-12-27, files: 1, lines: -0/+5)
|
|   https://github.com/turbolinks/turbolinks/issues/233
|   https://stackoverflow.com/questions/23349191/event-preventdefault-is-not-working-in-ie-11-for-custom-events
* Enable to call Rails.ajax without beforeSend (ta1kt0me, 2017-10-28, files: 1, lines: -1/+1)
|
* Merge pull request #30513 from y-yagi/fix_30444 (Akira Matsuda, 2017-10-25, files: 1, lines: -1/+1)
|\
| |   Does not include disabled element in params
| * Does not include disabled element in params (yuuji.yaginuma, 2017-09-03, files: 1, lines: -1/+1)
| |
| |   In the case of remote, it should be the same behavior as submitting
| |   HTML form.
| |
| |   Fixes #30444
* | Merge pull request #29710 from padi/rails-ujs-docs (Guillermo Iguaran, 2017-10-22, files: 2, lines: -0/+25)
|\ \
| | |   Adds descriptions to rails-ujs methods [ci skip]
| * | Adds descriptions to rails-ujs methods [ci skip] (Marc Rendl Ignacio, 2017-07-07, files: 2, lines: -0/+25)
| |/
* / Fix callback in rails ujs (Vasin Dmitriy, 2017-06-07, files: 1, lines: -5/+4)
|/
* Fix server-generated JS response processing on IE9 when using rails-ujs and remote: true (Josh Goodall, 2017-05-17, files: 1, lines: -1/+1)
* Fix mistake in JS response parser: (Dmytro Vasin, 2017-04-13, files: 1, lines: -3/+3)
|
|   - Restore ability to accept ecmascript JS response should not modify DOM.
* Set current page as default for ajax requests (Dmytro Vasin, 2017-04-11, files: 1, lines: -0/+1)
|
* Reorganize rails-ujs files (Javan Makhmali, 2017-03-30, files: 5, lines: -0/+224)