| Commit message (Collapse) | Author | Age | Files | Lines |
|
`link_to :back` creates a link to whatever was
passed in via the referer header. If an attacker
can alter the referer header, that would create
a cross-site scripting vulnerability on every
page that uses `link_to :back`.
This commit restricts the back URL to valid
non-javascript URLs.
https://github.com/rails/rails/issues/14444
|
The `url_for` methods in `actionpack` and `actionview`
now make a copy of the provided options
before generating polymorphic paths or URLs.
The bug in the previous behavior
is most noticeable in a case like:
```
url_options = [:new, :post, param: 'value']
if current_page?(url_options)
  css_class = "active"
end
link_to "New Post", url_options, class: css_class
```
|
Prompted by:
https://github.com/rails/rails/commit/e38dd7bfa4360e241eadf0cf44abdf86ea33a393#commitcomment-11011496
/cc @kuldeepaggarwal
|
This illustrates the purpose of the block for `link_to_if` and
`link_to_unless` helper methods.
It should help to prevent further mistakes like #19844.
|
stevenspiel/link_to_if_block_helper_addition"
This reverts commit d459b001b43d25053e7982e96eb8383538a6e358, reversing
changes made to 4d4950fae9e2a6970b5f1793aadc56a0b44e28a3.
:sweat:
The block is not supposed to be passed to `link_to`. It's used for a
customized behavior of the `condition = false` case. The docs
illustrate that like so:
```
<%=
  link_to_if(@current_user.nil?, "Login", { controller: "sessions", action: "new" }) do
    link_to(@current_user.login, { controller: "accounts", action: "show", id: @current_user })
  end
%>
```
|
Update url_helper.rb
|
mail_to helper method fix
|
When mail_to generates blank options for any passed options (cc, bcc, body, subject),
then MICROSOFT OUTLOOK treats it differently and sets wrong values in different options.
|
onwards.
|
https://github.com/rails/rails/commit/baf14ae513337cb185acf865e93dfc48f3aabf6a
|
Related with cbb917455f306cf5818644b162f22be09f77d4b2
|
I did not see in the docs that `button_to` supports not only URLs but paths as well. I documented this functionality with a unit test and added an example to the docs as well.
|
Add params option for button_to
Conflicts:
actionpack/CHANGELOG.md
|
The parameters are rendered as hidden form fields within the generated
form. This is useful for when a record has multiple buttons associated
with it, each of which target the same controller method, but which
need to submit different attributes.
|
Require minitest/mock in test where stub method is needed.
Apparently this was being "imported" by minitest pride plugin, which
previously required "minitest/autorun", that required "minitest/mock",
making the method available by chance.
It has been changed in minitest:
https://github.com/seattlerb/minitest/commit/595ce955c0d89575726d10fc18d2afd8f334bcbe
So we need to make sure we require what we really need where necessary.
|
In some cases webservers like nginx send the escaped characters
lowercased to the Rails application. The current_page? helper was
comparing the escaped strings that are different since Ruby escapes the
URL using uppercased characters.
|
Use link_to with block and url_hash, expect block as name.
But ignore block and use url_hash as name.
3-2-stable passes this test. 4-0-stable and master fail this.
|
Same test exists above 2 or 3 lines.
|