| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* 5-0-beta-sec:
bumping version
fix version update task to deal with .beta1.1
Eliminate instance level writers for class accessors
allow :file to be outside rails root, but anything else must be inside the rails view directory
Don't short-circuit reject_if proc
stop caching mime types globally
use secure string comparisons for basic auth username / password
|
| |
| |
| |
| |
| |
| | |
rails view directory
CVE-2016-0752
|
| |
| |
| |
| |
| |
| | |
of html_safe in favour of raw() in AV helpers.
Also changed usage of html_safe to make use of raw() instead so that the intended behaviour is verified with raw()
|
|\ \
| | |
| | |
| | | |
Use ActiveSupport::SafeBuffer when flushing content_for
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Previously, when content_for is flushed, the content
was replaced directly by a new value in
ActionView::OutputFlow#set. The problem is this new
value passed to the method may not be an instance of
ActiveSupport::SafeBuffer.
This change forces the value to be set to a new
instance of ActiveSupport::SafeBuffer.
|
|\ \ \
| | | |
| | | | |
Pass the current locale to Inflector from the pluralize text helper.
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The pluralize text helper uses the Inflector to determine the plural
form. The inflector accepts an optional parameter for the locale,
so we can pass it from the text helper to have locale-aware pluralizations
on the text helpers level.
The pluralize text helper now only accepts 2 positional arguments:
`count` and `singular`. Passing `plural` as a positional argument
is now deprecated.
|
| | | | |
|
|\ \ \ \
| | | | |
| | | | | |
Per-form CSRF tokens
|
| | | | | |
|
|/ / / /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This fixes the case when you try to render an html you know safe and the
file is named something.html. With this commit the content of the html
won't be escaped anymore because AV won't use Raw handler and choose
Html handler instead.
|
|\ \ \ \
| | | | |
| | | | |
| | | | |
| | | | | |
stevenspiel/titleize_model_name_for_default_submit_button_value
titleize the model name on default submit buttons
|
| | |_|/
| |/| | |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
the radios
Fixes #22773
|
|\ \ \ \
| | | | |
| | | | | |
TestController#parameters returns AC::Parameters
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Fixes #22827
ActionView::TestCase::TestController#parameters should return an
instance of ActionController::Parameters rather than a hash. This
enables helper methods to use the correct interface.
|
|/ / / / |
|
|/ / / |
|
|\ \ \
| | | |
| | | | |
wrapping i18n missing keys made optional
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
`I18n.translate` helper will wrap the missing translation keys
in a <span> tag only if `debug_missing_translation` configuration has
a truthy value. Default value is `true`. For example in `application.rb`:
# in order to turn off missing key wrapping
config.action_view.debug_missing_translation = false
|
|\ \ \ \
| |/ / /
|/| | | |
Prevent ActionController::Parameters in url_for
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | | |
|
|/ / /
| | |
| | |
| | |
| | |
| | | |
Introduced in e56c63542780fe2fb804636a875f95cae08ab3f4, `CacheHelper#fragment_cache_key` is a duplicate of `ActionController::Caching::Fragments#fragment_cache_key`.
We now require the view to provide this method on its own (as with `view_cache_dependencies`); `ActionController::Caching::Fragments` exports its version as a `helper_method`.
|
|\ \ \
| | | |
| | | | |
In url_for, never append ? when the query string is empty anyway.
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
It used to behave like this:
url_for(controller: 'x', action: 'y', q: {})
# -> "/x/y?"
We previously avoided empty query strings in most cases by removing
nil values, then checking whether params was empty. But as you can
see above, even non-empty params can yield an empty query string. So
I changed the code to just directly check whether the query string
ended up empty.
(To make everything more consistent, the "removing nil values"
functionality should probably move to ActionPack's Hash#to_query, the
place where empty hashes and arrays get removed. However, this would
change a lot more behavior.)
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Erroneously removed in 58910dc7.
The stubbing was a regression test to ensure `time_zone_select` wasn't implemented with
`grep`. Rename the test and add a comment to make the intent clearer.
|
| | | |
| | | |
| | | |
| | | | |
We never touch the index, so don't bother.
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
When calling `test_time_zone_select_with_priority_zones_as_regexp` it would
define `=~` on the fake zones, but it would never be cleaned up because of
the zone cache.
Nuke it so `test_time_zone_select_with_priority_zones_as_regexp_using_grep_finds_no_zones`
accidentally find any zones because of `=~` being implemented.
|
|\ \ \ \
| | | | |
| | | | | |
Removed Mocha from Action View
|
| | | | | |
|
| | | | | |
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
This commit fixes the bug convering `false` to `locals[as]` when
`options[:object]` is `false` (close #22260).
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
According to the W3 spec[1] the value should use a 1-based index
and not a 0-based index for the week number.
[1]: http://www.w3.org/TR/html-markup/datatypes.html#form.data.week
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Now both `javascript_include_tag` and `stylesheet_tag` can accept `host` option
to provide custom host for the asset
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
`link_to :back` creates a link to whatever was
passed in via the referer header. If an attacker
can alter the referer header, that would create
a cross-site scripting vulnerability on every
page that uses `link_to :back`
This commit restricts the back URL to valid
non-javascript URLs.
https://github.com/rails/rails/issues/14444
|
| | | | | |
|
| |/ / /
|/| | | |
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
{day: params[:day].to_i, month: params[:month].to_id}
Adds in test test_date_select_with_selected_in_hash and change log
fixes typo in CHANGELOG
|
|\ \ \ \
| | | | |
| | | | | |
Fix a faulty form_for test
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Stumbled upon this one while trying to deprecate the String/Symbol
passing to `form_for`.
This test passed on an accident, because the signature of `form_for`
currently accepts 2 positional arguments and a block. Calling it with
the wrong number of arguments caused:
```ruby
(byebug) form_for(:post, @post, html: { id: 'create-post' })
*** ArgumentError Exception: wrong number of arguments (3 for 1..2)
```
This made the test pass, because it was still an `ArgumentError`. :-)
|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
It's already represented in the key name. Demonstrate with a test.
Also test that the default isn't output.
|
| |_|/ /
|/| | | |
|
| | | | |
|
| | | |
| | | |
| | | |
| | | |
| | | | |
When `require 'active_support/rails'`, 'active_support/deprecation'
is automatically loaded.
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Rails 4.x and earlier didn't support `Mime::Type[:FOO]`, so libraries
that support multiple Rails versions would've had to feature-detect
whether to use `Mime::Type[:FOO]` or `Mime::FOO`.
`Mime[:foo]` has been around for ages to look up registered MIME types
by symbol / extension, though, so libraries and plugins can safely
switch to that without breaking backward- or forward-compatibility.
Note: `Mime::ALL` isn't a real MIME type and isn't registered for lookup
by type or extension, so it's not available as `Mime[:all]`. We use it
internally as a wildcard for `respond_to` negotiation. If you use this
internal constant, continue to reference it with `Mime::ALL`.
Ref. efc6dd550ee49e7e443f9d72785caa0f240def53
|
| | | | |
|
| | | | |
|