| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, when using `render file:`, it was possible to render files
not only at an absolute path or relative to the current directory, but
relative to ANY view paths. This was probably done for absolutely
maximum compatibility when addressing CVE-2016-0752, but I think is
unlikely to be used in practice.
Tihs commit removes the ability to `render file:` with a path relative
to a non-fallback view path.
Make FallbackResolver.new private
To ensure nobody is making FallbackResolvers other than "/" and "".
Make reject_files_external_... no-op for fallbacks
Because there are only two values used for path: "" and "/", and
File.join("", "") == File.join("/", "") == "/", this method was only
testing that the absolute paths started at "/" (which of course all do).
This commit doesn't change any behaviour, but it makes it explicit that
the FallbackFileSystemResolver works this way.
Remove outside_app_allowed argument
Deprecate find_all_anywhere
This is now equivalent to find_all
Remove outside_app argument
Deprecate find_file for find
Both LookupContext#find_file and PathSet#find_file are now equivalent to
their respective #find methods.
|
| | |
|
| |\
| |
| | |
RFC: Introduce Template::File
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The previous behaviour of render file: was essentially the same as
render template:, except that templates can be specified as an absolute
path on the filesystem.
This makes sense for historic reasons, but now render file: is almost
exclusively used to render raw files (not .erb) like public/404.html. In
addition to complicating the code in template/resolver.rb, I think the
current behaviour is surprising to developers.
This commit deprecates the existing "lookup a template from anywhere"
behaviour and replaces it with "render this file exactly as it is on
disk". Handlers will no longer be used (it will render the same as if
the :raw handler was used), but formats (.html, .xml, etc) will still be
detected (and will default to :plain).
The existing render file: behaviour was the path through which Rails
apps were vulnerable in the recent CVE-2019-5418. Although the
vulnerability has been patched in a fully backwards-compatible way, I
think it's a strong hint that we should drop the existing
previously-vulnerable behaviour if it isn't a benefit to developers.
|
| | | |
|
| |\ \
| |/
|/|
| |
| | |
erose/better-error-reporting-for-syntax-errors-in-templates
Display a more helpful error message when an ERB template has a Ruby syntax error.
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Custom glob patterns tie the implementation (Using Dir.glob) to the API
we provide.
It also doesn't really work. extract_handler_and_format_and_variant
expects the handler, format, and variant to be at the end of the
template path, and in the same order as they are in the default pattern.
This deprecates specifying a custom path for FileSystemResolver and
removes the pattern argument of OptimizedFileSystemResolver#initialize,
which does not work with a custom pattern.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Many tests were using `render file:`, but were only testing the
behaviour of `render template:` (file: just allows more paths/ is less
secure then template:).
The reason for so many `render file:` is probably that they were the old
default.
This commit replaces `render file:` with `render template:` anywhere the
test wasn't specifically interested in using `render file:`.
|
| |\ \
| | |
| | | |
Validate types assigned to LookupContext#formats=
|
| | | | |
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | |
| | | |
This is a developer quality of life improvement, to ensure that unknown
formats aren't assigned (which it would previously accept, but wouldn't
work 100% correctly due to caching).
|
| | | |
| | |
| | |
| | |
| | | |
Having a format listed twice had no effect. This is mostly helpful to
avoid an extra format when assigning [:html, "*/*"]
|
| | | |
| | |
| | |
| | |
| | | |
This also removes the mutation we were performing on the values being
passed in.
|
| |\ \ \
| | | |
| | | | |
Remove virtual_path from fallback templates
|
| | |/ / |
|
| |\ \ \
| |/ /
|/| | |
Raise exception when building invalid mime type
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
This allows mime types in the form text/html, text/*, or */*
This required a few minor test/code changes where previously nil was
used as a mime string.
|
| |/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
All actionview caches are already cleared at the start of each request
(when Resolver.caching is false) by PerExecutionDigestCacheExpiry, which
calls LookupContext::DetailsKey.clear (which clears all caches).
Because caches are always cleared per-request in dev, we shouldn't need
this extra logic to compare mtimes and conditionally reload templates.
This should make templates slightly faster in development (particularly
multiple renders of the same template)
|
| | | |
|
| | | |
|
| |\ \
| | |
| | | |
Pass locals in to the template object on construction
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
This commit ensures that locals are passed in to the template objects
when they are constructed, then removes the `locals=` mutator on the
template object. This means we don't need to mutate Template objects
with locals in the `decorate` method.
|
| |/ / |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* Don't call inspect from identifier_method_name
* Add locals Template#inspect
Handler, formats, and variant are usually obvious from looking at the
identifier. However it's not uncommon to have different locals for the
same template so we should make that obvious in inspect.
* Add tests for short_identifier and inspect
[John Hawthorn + Rafael Mendonça França]
|
| | |
| |
| |
| |
| |
| |
| | |
Templates only have one format. Before this commit, templates would be
constructed with a single element array that contained the format. This
commit eliminates the single element array and just implements a
`format` method. This saves one array allocation per template.
|
| | |
| |
| |
| |
| | |
This means we can eliminate nil checks and remove some mutations from
the `decorate` method.
|
| | | |
|
| | |
| |
| |
| | |
Currently, `ActionView::Base.new` will raise a `NotImplementedError` when given an instance of `ActionView::PathSet` on initialization. This commit prevents the raised error in favor of a deprecation warning.
|
| | |
| |
| |
| |
| | |
We no longer depend on `rendered_format` side effects, so we can remove
this method now. 🎉
|
| | |
| |
| |
| |
| |
| | |
This commit is to remove direct access to the "rendered_format"
attribute on the lookup context. "rendered_format" is an implementation
detail that we shouldn't test directly.
|
| | | |
|
| |\ \
| | |
| | | |
Pass the template format to the digestor
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This commit passes the template format to the digestor in order to come
up with a key. Before this commit, the digestor would depend on the
side effect of the template renderer setting the rendered_format on the
lookup context. I would like to remove that mutation, so I've changed
this to pass the template format in to the digestor.
I've introduced a new instance variable that will be alive during a
template render. When the template is being rendered, it pushes the
current template on to a stack, setting `@current_template` to the
template currently being rendered. When the cache helper asks the
digestor for a key, it uses the format of the template currently on the
stack.
|
| |\ \ \
| | | |
| | | |
| | | |
| | | | |
y-yagi/show_deprecated_message_instead_of_raise_exception
Show deprecated message instead of raise exception in `compiled_method_container` method
|
| | |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
`compiled_method_container` method
Since #35036, the subclasses of `ActionView::Base` requires
the `compiled_method_container`.
This is incompatible. For example, `web-console` use view class that
subclass of `ActionView::Base`, and does not work it now cause of this.
Actually, since it seems that it is only `ActionView::Base` that
`compiled_method_container` is necessary, modified the condition that
emits a warning.
|
| |/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Currently `csp_meta_tag` generates `name` attribute only.
However, in libraries like `Material-UI` and `JSS`, expect that the meta tag
that contains the nonce with `property` attribute.
https://material-ui.com/css-in-js/advanced/#how-does-one-implement-csp
https://github.com/cssinjs/jss/blob/master/docs/csp.md
This patch allows `csp_meta_tag` to specify arbitrary options and
allows `nonce` to be passed to those libraries.
|
| |/ |
|
| |\
| |
| | |
Cached collections only work if there is one template
|
| | |
| |
| |
| |
| | |
Cached collections only work if there is one template. If there are
more than one templates, the caching mechanism doesn't have a key.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This commit keeps a stack of lookup contexts on the ActionView::Base
instance. If a format is passed to render, we instantiate a new lookup
context and push it on the stack, that way any child calls to "render"
will use the same format information as the parent. This also isolates
"sibling" calls to render (multiple calls to render in the same
template).
Fixes #35222 #34138
|
| | | |
|
| |/ |
|
| | |
|
| |
|
|
|
| |
This commit exposes all system wide view paths so that we can clear
their caches.
|
| |
|
|
|
| |
This commit splits the digest cache from the "details identity" cache.
Now both caches can be managed independently.
|
| | |
|
