| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|\
| |
| |
| |
| |
| | |
Conflicts:
actionview/CHANGELOG.md
activerecord/CHANGELOG.md
|
| |
| |
| |
| |
| |
| |
| | |
Previously the values of these options were trusted leading to
potential XSS vulnerabilities.
Fixes: CVE-2014-0081
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This is an option for to HTML content with a content type of
`text/html`. This rendering option calls `ERB::Util.html_escape`
internally to escape unsafe HTML string, so you will have to mark your
string as html safe if you have any HTML tag in it.
Please see #12374 for more detail.
|
| |
| |
| |
| |
| |
| |
| |
| | |
This is as an option to render content with a content type of
`text/plain`. This is the preferred option if you are planning to render
a plain text content.
Please see #12374 for more detail.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This is an option for sending a raw content back to browser. Note that
this rendering option will unset the default content type and does not
include "Content-Type" header back in the response.
You should only use this option if you are expecting the "Content-Type"
header to not be set. More information on "Content-Type" header can be
found on RFC 2616, section 7.2.1.
Please see #12374 for more detail.
|
| |
| |
| |
| | |
#13618]
|
|\ \
| | |
| | | |
be more specific about csrf token and ajax - not whitelisted outside of jquery-rails [ci skip]
|
| | |
| | |
| | |
| | | |
jquery-rails [ci skip]
|
| | |
| | |
| | | |
I did not see in the docs that `button_to` supports not only URLs but paths as well. I documented this functionality with a unit tests and added an example to the docs as well.
|
| | |
| | |
| | |
| | |
| | | |
Add a config to setup whether raise exception for missing translation or
not.
|
| | |
| | |
| | | |
image_tag only supports :alt and :size as additional keys, not three.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The use of `display:inline` with the content_tag call in the
extra_tags_for_form method potentially causes display issues with some
browsers, namely Internet Explorer. IE's behaviour of not collapsing
the line height on divs with ostensibly no content means that the
automatically added div containing the hidden authenticity_token, utf8
and _method form input tags may interfere with other visible form
elements in certain circumstances. The use of `display:none` rather
than `display:inline` fixes this problem.
Fixes #6403
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
- While editing an existing record, end_year is equal to current selected year plus 5 by default.
- While editing an existing record, start_year is equal to current selected year value minus 5 by default.
- Fixes #13552
Acked-by: Prathamesh Sonpatki <csonpatki@gmail.com>
Acked-by: Prathamesh Sonpatki <csonpatki@gmail.com>
|
| | | |
|
| | | |
|
| |/
|/| |
|
| | |
|
|\ \
| | |
| | |
| | |
| | |
| | |
| | | |
Cycle object should accept an array
Conflicts:
actionview/CHANGELOG.md
|
| | |
| | |
| | |
| | | |
with a set of comma-separated objects.
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Before ec16ba75a5493b9da972eea08bae630eba35b62f,
ActionView::Helpers::TranslationHelper#translate has raised errors with
specifying options[:raise] to true.
This should work by this fix:
begin
t(:"translations.missing", raise: true)
rescue I18n::MissingTranslationData
p :hello!
end
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Now users have to explicit mark the unit as safe if they trust it.
Closes #13161
Conflicts:
actionpack/lib/action_view/helpers/number_helper.rb
actionpack/test/template/number_helper_i18n_test.rb
|
| | |
| | |
| | |
| | |
| | | |
We are generating safe strings in the paragraph, so we can escape the
tags
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
i18n doesn't depend on active support which means it can't use our html_safe
code to do its escaping when generating the spans. Rather than try to sanitize
the output from i18n, just revert to our old behaviour of rescuing the error
and constructing the tag ourselves.
Fixes: CVE-2013-4491
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The previous behavior equated the sanitize option for simple_format with the
escape option of content_tag, however these are two distinct concepts.
This fixes CVE-2013-6416
Conflicts:
actionview/lib/action_view/helpers/text_helper.rb
|
| | |
| | |
| | |
| | |
| | |
| | | |
Previously the unit values were trusted leading to potential XSS vulnerabilities.
Fixes: CVE-2013-6415
|
|\ \ \
| | | |
| | | | |
Remove deprecated cattr_* requires
|
| | | | |
|
|/ / / |
|
| | | |
|
|/ / |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This reverts commit f4a5a9ea4d183f4102796215d4502c46dbe3e52b, reversing
changes made to 7ccb482181ee6c47c765406009018a15172812de.
Reason:
The logic is different, the first call to #option_value_selected? is for
the :selected option (the argument is the "selected" variable), the second
call is for the :disabled option (the argument is the "disabled" variable).
|
| | |
|