Per-form CSRF tokens
|
This fixes the case when you try to render HTML you know is safe and the
file is named something.html. With this commit the content of the HTML
won't be escaped anymore because AV won't use the Raw handler and will
choose the Html handler instead.
|
stevenspiel/titleize_model_name_for_default_submit_button_value
titleize the model name on default submit buttons
|
the radios
Fixes #22773
|
TestController#parameters returns AC::Parameters
|
Fixes #22827
ActionView::TestCase::TestController#parameters should return an
instance of ActionController::Parameters rather than a hash. This
enables helper methods to use the correct interface.
|
wrapping i18n missing keys made optional
|
`I18n.translate` helper will wrap the missing translation keys
in a <span> tag only if `debug_missing_translation` configuration has
a truthy value. Default value is `true`. For example in `application.rb`:
```ruby
# in order to turn off missing key wrapping
config.action_view.debug_missing_translation = false
```
|
Prevent ActionController::Parameters in url_for
|
Introduced in e56c63542780fe2fb804636a875f95cae08ab3f4, `CacheHelper#fragment_cache_key` is a duplicate of `ActionController::Caching::Fragments#fragment_cache_key`.
We now require the view to provide this method on its own (as with `view_cache_dependencies`); `ActionController::Caching::Fragments` exports its version as a `helper_method`.
|
In url_for, never append ? when the query string is empty anyway.
|
It used to behave like this:
```ruby
url_for(controller: 'x', action: 'y', q: {})
# -> "/x/y?"
```
We previously avoided empty query strings in most cases by removing
nil values, then checking whether params was empty. But as you can
see above, even non-empty params can yield an empty query string. So
I changed the code to just directly check whether the query string
ended up empty.
(To make everything more consistent, the "removing nil values"
functionality should probably move to ActionPack's Hash#to_query, the
place where empty hashes and arrays get removed. However, this would
change a lot more behavior.)
|
Erroneously removed in 58910dc7.
The stubbing was a regression test to ensure `time_zone_select` wasn't implemented with
`grep`. Rename the test and add a comment to make the intent clearer.
|
We never touch the index, so don't bother.
|
When calling `test_time_zone_select_with_priority_zones_as_regexp` it would
define `=~` on the fake zones, but it would never be cleaned up because of
the zone cache.
Nuke it so `test_time_zone_select_with_priority_zones_as_regexp_using_grep_finds_no_zones`
accidentally find any zones because of `=~` being implemented.
|
Removed Mocha from Action View
|
This commit fixes the bug converting `false` to `locals[as]` when
`options[:object]` is `false` (close #22260).
|
According to the W3 spec[1] the value should use a 1-based index
and not a 0-based index for the week number.
[1]: http://www.w3.org/TR/html-markup/datatypes.html#form.data.week
|
Now both `javascript_include_tag` and `stylesheet_tag` can accept `host` option
to provide custom host for the asset
|
`link_to :back` creates a link to whatever was
passed in via the referer header. If an attacker
can alter the referer header, that would create
a cross-site scripting vulnerability on every
page that uses `link_to :back`.
This commit restricts the back URL to valid
non-javascript URLs.
https://github.com/rails/rails/issues/14444
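The Referer filtering this commit message describes, as an added Ruby example that is not the Rails patch itself. `filtered_referrer`, `back_link` and the `/` fallback are hypothetical names and values chosen for the illustration, and the request headers are constructed samples.

```ruby
require "uri"
require "erb"

# Assumed fallback for this example when the Referer is absent or rejected.
FALLBACK_URL = "/"

# Hypothetical helper (not Rails' own code): return the Referer only if it
# parses as a URI and its scheme is not javascript:, otherwise nil.
def filtered_referrer(headers)
  referrer = headers["HTTP_REFERER"]
  return nil if referrer.nil? || referrer.empty?

  scheme = URI.parse(referrer).scheme.to_s.downcase
  scheme == "javascript" ? nil : referrer
rescue URI::InvalidURIError
  nil # unparseable values are treated as untrusted and dropped
end

# Build the "back" anchor. The href is HTML-escaped as well, so the header
# value cannot break out of the attribute.
def back_link(headers, text = "Back")
  href = filtered_referrer(headers) || FALLBACK_URL
  %(<a href="#{ERB::Util.html_escape(href)}">#{ERB::Util.html_escape(text)}</a>)
end

# Constructed sample request headers.
SAMPLES = [
  { "HTTP_REFERER" => "https://example.com/posts?page=2" },
  { "HTTP_REFERER" => "javascript:alert(1)" },
  { "HTTP_REFERER" => "JavaScript:alert(1)" },
  { "HTTP_REFERER" => "not a url" },
  {}
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |h| puts "#{h['HTTP_REFERER'].inspect} -> #{back_link(h)}" }
end
```

The scheme check and the attribute escaping cover different failures: the first rejects a script URL that is syntactically valid, the second neutralises quote and angle-bracket characters in an otherwise accepted URL.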
|
{day: params[:day].to_i, month: params[:month].to_id}
Adds in test test_date_select_with_selected_in_hash and change log
fixes typo in CHANGELOG
|
Fix a faulty form_for test
|
Stumbled upon this one while trying to deprecate the String/Symbol
passing to `form_for`.
This test passed by accident, because the signature of `form_for`
currently accepts 2 positional arguments and a block. Calling it with
the wrong number of arguments caused:
```ruby
(byebug) form_for(:post, @post, html: { id: 'create-post' })
*** ArgumentError Exception: wrong number of arguments (3 for 1..2)
```
This made the test pass, because it was still an `ArgumentError`. :-)
|
It's already represented in the key name. Demonstrate with a test.
Also test that the default isn't output.
|
Rails 4.x and earlier didn't support `Mime::Type[:FOO]`, so libraries
that support multiple Rails versions would've had to feature-detect
whether to use `Mime::Type[:FOO]` or `Mime::FOO`.
`Mime[:foo]` has been around for ages to look up registered MIME types
by symbol / extension, though, so libraries and plugins can safely
switch to that without breaking backward- or forward-compatibility.
Note: `Mime::ALL` isn't a real MIME type and isn't registered for lookup
by type or extension, so it's not available as `Mime[:all]`. We use it
internally as a wildcard for `respond_to` negotiation. If you use this
internal constant, continue to reference it with `Mime::ALL`.
Ref. efc6dd550ee49e7e443f9d72785caa0f240def53
|
Fix - Prevent adding of `data-disable-with` option twice in html.
|
Earlier
when `data-disable-with` option is added directly as in options then
```ruby
submit_tag("Save", { "data-disable-with" => "Processing..." })
# => <input type="submit" name="commit" value="Save" data-disable-with="Processing..." data-disable-with="Processing..." />
```
Now
when `data-disable-with` option is added directly as in options then
```ruby
submit_tag("Save", { "data-disable-with" => "Processing..." })
# => <input type="submit" name="commit" value="Save" data-disable-with="Processing..." />
```
|
Added test cases where collection partial cached & rendered with different keys
|
rendered for different key
|
Handle nested fields_for by adding indexes to record_name
|
In case of the form with nested fields_for, i. e.
```erb
<%= form_for :foos, url: root_path do |f| %>
  <% @foos.each do |foo| %>
    <%= f.fields_for 'foo[]', foo do |f2| %>
      <%= f2.text_field :id %>
      <% foo.bars.each do |bar| %>
        <%= f2.fields_for 'bar[]', bar do |b| %>
          <%= b.text_field :id %>
        <% end %>
      <% end %>
    <% end %>
  <% end %>
  <%= f.submit %>
<% end %>
```
Rails doesn't add an index for 'foo' in the inner fields_for block, so field names
in the outer fields_for look like "foos[foo][#{foo_index}][id]" and in the
inner "foos[foo[]][bar][#{bar_index}][id]". Submitting such a form leads to an
error like:
>ActionController::BadRequest (Invalid request parameters: expected Array
>(got Rack::QueryParser::Params) for param `foo'):
This commit adds indexes for the foos in the inner blocks, so field names
become "foos[foo][#{foo_index}][bar][#{bar_index}][id]" and submitting such a
form works fine as expected.
Fixes #15332
|
as string
|
This will avoid an error being raised when the only input on the form is the
`collection_radio_buttons`.