| Commit message | Author | Age | Files | Lines |
marked them as pending.
|
Loofah already deals with this.
|
Implemented ActionView: FullSanitizer, LinkSanitizer and WhiteListSanitizer in sanitizers.rb.
Deprecated protocol_separator and bad_tags.
Added new tests in sanitizers_test.rb and reimplemented assert_dom_equal with Loofah.
|
reviewed: @tenderlove
|
:precision was incorrectly being applied to Rationals
before:
    ActiveSupport::NumberHelper.number_to_rounded Rational(10, 3), precision: 2
    => "3.3"
after:
    ActiveSupport::NumberHelper.number_to_rounded Rational(10, 3), precision: 2
    => "3.33"
|
Allow custom asset host to be passed in asset_url
|
Dup options hash to prevent modifications
|
`options[:default]` and `options[:raise]` can be mistakenly added to the `options` hash. This can be a problem if you're reusing the same object.
|
Previously, only the object and method name from the label tag were
used when looking up the translation for a label. If a value is
given for the label, this ought to be additionally used. The
following:
    # form.html.erb
    <%= form_for @post do |f| %>
      <%= f.label :type, value: "long" %>
    <% end %>

    # en.yml
    en:
      activerecord:
        attributes:
          post/long: "Long-form Post"

Used to simply return "long", but now it will return "Long-form
Post".
|
Change favicon_link_tag helper mimetype from image/vnd.microsoft.icon to image/x-icon.
|
image/x-icon.
Although the official IANA-registered MIME type for ICO files is image/vnd.microsoft.icon,
registered in 2003, it was submitted to IANA by a third party and is not recognized by Microsoft products.
The MIME type image/x-icon should be used since it is the one recognized by the major browsers on the market.
|
Related to cbb917455f306cf5818644b162f22be09f77d4b2
|
Remove wrapping div with inline styles for hidden form fields.
Conflicts:
actionview/CHANGELOG.md
|
We are dropping HTML 4.01 and XHTML strict compliance since input
tags directly inside a form are valid HTML5, and the absence of
inline styles helps in validating for Content Security Policy.
|
closes #14147
|
with_css_classes: true option overwrites other html classes.
Concatenate day month and year classes rather than overwriting.
|
variant -- trying to pass it back in makes a mess of things (oh, and doesn't work)
|
Closes #14405.
This is a follow-up to 9e997e9039435617b6a844158f5437e97f6bc107 to restore
the documented behavior.
|
add include_hidden option to collection_check_boxes helper
Conflicts:
actionview/CHANGELOG.md
actionview/test/template/form_collections_helper_test.rb
|
Before, we had a bug in the resolver cache so the disable_cache was not
working when passing options to find
|
finder object
|
Related to: #14242 #14243 14293
Variants passed to LookupContext#find() seem to be ignored, so
I've used the setter instead: `finder.variants = [ variant ]`.
I've also added some more test cases for variants. Hopefully this
time passing tests will mean it actually works.
|
Take variants into account when calculating template digests in
ActionView::Digest.
Digestor#digest now takes a hash as an argument to support variants and
allow more flexibility in the future. Old-style arguments have been
deprecated.
Fixes #14242
|
This is a follow up to #14170. While backporting I recognized
that this call is not needed at all.
|
Before, we were calling to_sym in the mime type, even when it is unknown,
which can cause denial of service since symbols are not removed by the
garbage collector.
Fixes: CVE-2014-0082
|
Conflicts:
actionview/CHANGELOG.md
activerecord/CHANGELOG.md
|
Previously the values of these options were trusted leading to
potential XSS vulnerabilities.
Fixes: CVE-2014-0081
|
This test was assuming that the list of render options will always be
the same. Fixing that so this doesn't break when we add/remove render
options in the future.
|
#13618]
|
automatically call @foo.to_partial_path
Calling `render @foo` allows local variables but not options to be
passed to the partial renderer. The correct way to render an object AND
pass options to the partial renderer is to pass the object in the
`:partial` parameter. However, there were previously no tests for this
behaviour (in `render_helper_test.rb` at least).
|