| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
true forms
|
| | |
|
| |
|
|
|
|
|
|
|
| |
This reverts commit 48e44edfd0a8a7a29aa8fad39638ac0ee5243f42.
See discussion in #32287
For HTML content in `ajax:success` handlers, `event.detail[0]` should
be an `HTMLDocument` instance.
|
| |
|
| |
Turbolinks replaces the CSP nonce <meta> tag on page change, but inline scripts inserted by UJS need the nonce from the initial page load. In general, it doesn't matter to UJS if the nonce changes after the page loads: only the initial value is relevant.
|
| | |
|
| | |
|
| |
|
|
|
| |
Firefox fires click events on left-, right-
and scroll-wheel (any non-primary mouse key) clicks while other browsers don't.
|
| |
|
|
| |
Fixes #29473.
|
| |
|
|
|
|
|
|
| |
I saw two posts of problem about ajax requesting twice on qiita.
So I think detecting double loaded earlier make easy to find the problem.
https://qiita.com/hot_study_man/items/56dc87ad734cfda68bb6
https://qiita.com/hisas/items/8399aec3a5377bf75017
|
| |
|
|
|
|
|
|
| |
As of now, `HTMLElement.nonce` seems to work only in Chrome.
So, it should not be used now.
https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/nonce#Browser_compatibility
Fixes #32577.
|
| |\
| |
| | |
Extract the confirm call in its own, overridable method in rails_ujs
|
| | | |
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Running HTML responses through `DOMParser#parseFromString` results in
complete `HTMLDocument` instances with unnecessary surrounding tags.
For example:
new DOMParser().parseFromString('<p>hello</p>', 'text/html')
Will output:
<html>
<head></head>
<body>
<p>hello</p>
</body>
</html>
This is passed to the `ajax:success` handler as `event.detail[0]`
(`data`), but cannot be used directly without first traversing the
document.
To resolve this, only XML content is passed through `parseFromString`,
while HTML content is treated as plain-text.
This matches the behavior of jquery-ujs, which relied on jQuery's
response-type inference.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Because the UJS library creates a script tag to process responses it
normally requires the script-src attribute of the content security
policy to include 'unsafe-inline'.
To work around this we generate a per-request nonce value that is
embedded in a meta tag in a similar fashion to how CSRF protection
embeds its token in a meta tag. The UJS library can then read the
nonce value and set it on the dynamically generated script tag to
enable it to execute without needing 'unsafe-inline' enabled.
Nonce generation isn't 100% safe - if your script tag is including
user generated content in someway then it may be possible to exploit
an XSS vulnerability which can take advantage of the nonce. It is
however an improvement on a blanket permission for inline scripts.
It is also possible to use the nonce within your own script tags by
using `nonce: true` to set the nonce value on the tag, e.g
<%= javascript_tag nonce: true do %>
alert('Hello, World!');
<% end %>
Fixes #31689.
|
| | |
|
| |
|
|
|
|
|
|
| |
Improves 049a3374aa85f33091f0e7cba8635edd4b4786bd:
* Attempt native `preventDefault()` before stepping in
* Fix that calling `preventDefault()` more than once would throw an error
* Fix that non-cancelable events could be canceled
|
| |
|
|
| |
https://github.com/turbolinks/turbolinks/issues/233
https://stackoverflow.com/questions/23349191/event-preventdefault-is-not-working-in-ie-11-for-custom-events
|
| | |
|
| |\
| |
| | |
Does not include disabled element in params
|
| | |
| |
| |
| |
| |
| |
| | |
In the case of remote, it should be the same behavior as submitting
HTML form.
Fixes #30444
|
| |\ \
| | |
| | | |
Adds descriptions to rails-ujs methods [ci skip]
|
| | |/ |
|
| |/ |
|
| |\
| |
| | |
Check for jQuery ajax
|
| | |
| |
| | |
jQuery slim version doesn't have ajax, so if a person include this version ajaxFilter raises error.
|
| |/
|
|
| |
remote: true
|
| |
|
|
|
|
| |
-
Restore ability to accept ecmascript
JS response should not modify DOM.
|
| | |
|
| |
|
