| Commit message (Collapse) | Author | Age | Files | Lines |
|\
| |
| | |
Extract the confirm call in its own, overridable method in rails_ujs
|
| | |
|
| |
| |
| |
| | |
`</ps>` is not a valid closing tag for `<p>`.
|
|/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Running HTML responses through `DOMParser#parseFromString` results in
complete `HTMLDocument` instances with unnecessary surrounding tags.
For example:
new DOMParser().parseFromString('<p>hello</p>', 'text/html')
Will output:
<html>
<head></head>
<body>
<p>hello</p>
</body>
</html>
This is passed to the `ajax:success` handler as `event.detail[0]`
(`data`), but cannot be used directly without first traversing the
document.
To resolve this, only XML content is passed through `parseFromString`,
while HTML content is treated as plain-text.
This matches the behavior of jquery-ujs, which relied on jQuery's
response-type inference.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Because the UJS library creates a script tag to process responses it
normally requires the script-src attribute of the content security
policy to include 'unsafe-inline'.
To work around this we generate a per-request nonce value that is
embedded in a meta tag in a similar fashion to how CSRF protection
embeds its token in a meta tag. The UJS library can then read the
nonce value and set it on the dynamically generated script tag to
enable it to execute without needing 'unsafe-inline' enabled.
Nonce generation isn't 100% safe - if your script tag is including
user generated content in someway then it may be possible to exploit
an XSS vulnerability which can take advantage of the nonce. It is
however an improvement on a blanket permission for inline scripts.
It is also possible to use the nonce within your own script tags by
using `nonce: true` to set the nonce value on the tag, e.g
<%= javascript_tag nonce: true do %>
alert('Hello, World!');
<% end %>
Fixes #31689.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Global ignores at toplevel .gitignore
* Component-specific ignores in each toplevel directory
* Remove `actionview/test/tmp/.keep` for JRuby
```
rm actionview/test/tmp/ -fr
cd actionview/
bundle exec jruby -Itest test/template/digestor_test.rb
```
Related to #11743, #30392.
Closes #29978.
|
| |
|
|\
| |
| | |
Does not include disabled element in params
|
| |
| |
| |
| |
| |
| |
| | |
In the case of remote, it should be the same behavior as submitting
HTML form.
Fixes #30444
|
|\ \
| |/
|/| |
Fix callback in rails ujs
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Together, fix to the following lint violation.
```
rails/actionview/test/ujs/public/test/data-confirm.js
303:11 error Strings must use singlequote quotes
rails/actionview/test/ujs/public/test/data-remote.js
414:32 error Extra semicolon semi
✖ 2 problems (2 errors, 0 warnings)
```
|
| | |
|
| |
| |
| |
| |
| | |
... so that we can run most, if not all, of rails-ujs
tests without necessarily requiring an internet connection.
|
| |
| |
| |
| |
| | |
This reverts commit 3420a14590c0e6915d8b6c242887f74adb4120f9, reversing
changes made to afb66a5a598ce4ac74ad84b125a5abf046dcf5aa.
|
|/ |
|
|
|
|
|
|
| |
".. with __dir__ we can restore order in the Universe." - by @fxn
Related to 5b8738c2df003a96f0e490c43559747618d10f5f
|
|
|
|
|
|
| |
-
Restore ability to accept ecmascript
JS response should not modify DOM.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The existing UJS event behavior relies on browsers not sending events for
various events when an element is disabled. For example, imagine the following:
<button type="submit" disabled="disabled">Click me</button>
The above button is disabled, so browsers will not trigger a click event and
all UJS behavior is prevented. However, imagine a button like this:
<button type="submit" disabled="disabled"><strong>Click me</strong></button>
The above is treated differently by browsers such as Chrome/Safari. These
browsers do not consider the strong tag to be disabled, and will trigger click
events. UJS has logic to walk up the DOM to find an associated element subject
to UJS behavior. But, this logic does not take into account the disabled
status of the element.
I originally thought we could simply change the selectors used to match
elements to ignore disabled elements. However, UJS disables some elements as
part of the event chain. So, an element might match early in the chain and
then fail to match later. Instead of changing the selectors I added a callback
to the chain that calls `stopEverything` if an element is disabled when the
event chain begins.
|
| |
|
| |
|
|
|
|
|
|
|
| |
```
go get -u github.com/client9/misspell/cmd/misspell
misspell -w -error -source=text .
```
|
|
|
|
| |
[ci skip]
|
|
|
|
|
|
| |
Some methods were added to public API in
5b14129d8d4ad302b4e11df6bd5c7891b75f393c and they should be not part of
the public API.
|
|
|
|
| |
Follow up to 79a5ea9eadb4d43b62afacedc0706cbe88c54496
|
|
|