| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
Before we were calling to_sym in the mime type, even when it is unknown
what can cause denial of service since symbols are not removed by the
garbage collector.
Fixes: CVE-2014-0082
|
|\
| |
| |
| |
| |
| | |
Conflicts:
actionview/CHANGELOG.md
activerecord/CHANGELOG.md
|
| |
| |
| |
| |
| |
| |
| | |
Previously the values of these options were trusted leading to
potential XSS vulnerabilities.
Fixes: CVE-2014-0081
|
| |
| |
| |
| |
| |
| | |
This test were assuming that the list of render options will always be
the same. Fixing that so this doesn't break when we add/remove render
option in the future.
|
| |
| |
| |
| | |
#13618]
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
automatically call @foo.to_partial_path
Calling `render @foo` allows local variables but not options to be
passed to the partial renderer. The correct way to render an object AND
pass options to the partial renderer is to pass the object in the
`:partial` parameter. However, there were previously no tests for this
behaviour (in `render_helper_test.rb` at least).
|
| |
| |
| | |
I did not see in the docs that `button_to` supports not only URLs but paths as well. I documented this functionality with a unit tests and added an example to the docs as well.
|
| |
| |
| |
| |
| | |
Add a config to setup whether raise exception for missing translation or
not.
|
|\ \
| | |
| | | |
Improve ERB dependency detection
|
| | |
| | |
| | |
| | | |
Each chunk of text coming after `render` is now handled individually as a possible list of arguments.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The current implementation can't handle some special cases of oddly-formatted Ruby. Now we are able to detect them:
* Multi-line arguments on the `render` call
* Strings containing quotes, e.g. `"something's wrong"`
* Multiple kinds of identifiers - instance variables, class variables and globals
* Method chains as arguments for the `render` call
Also, this fix reduces the rate of "false positives" which showed up when we had calls/access to identifiers containing `render`, like `surrender` and `rendering`.
|
| | | |
|
|/ /
| |
| |
| |
| |
| | |
This Adds helpers(jruby_skip & rbx_skip). In Future, Plan is to use
these helpers instead of calls directly to
RUBY_ENGINE/RbConfig/JRUBY_VERSION
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The use of `display:inline` with the content_tag call in the
extra_tags_for_form method potentially causes display issues with some
browsers, namely Internet Explorer. IE's behaviour of not collapsing
the line height on divs with ostensibly no content means that the
automatically added div containing the hidden authenticity_token, utf8
and _method form input tags may interfere with other visible form
elements in certain circumstances. The use of `display:none` rather
than `display:inline` fixes this problem.
Fixes #6403
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| | |
Change most tests to make use of assert_raise returning the raised
exception rather than relying on a combination of flunk + rescue to
check for exception types/messages.
|
|\ \
| |/
|/| |
allow video_tag to accept `size` as `Number` for square shaped videos
|
| | |
|
|/ |
|
| |
|
| |
|
| |
|
|\
| |
| |
| |
| |
| |
| | |
Cycle object should accept an array
Conflicts:
actionview/CHANGELOG.md
|
| |
| |
| |
| | |
with a set of comma-separated objects.
|
| | |
|
|\ \
| | |
| | | |
Retain ActionPack dependency on ActionView. Fixes #12979.
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Before ec16ba75a5493b9da972eea08bae630eba35b62f,
ActionView::Helpers::TranslationHelper#translate has raised errors with
specifying options[:raise] to true.
This should work by this fix:
begin
t(:"translations.missing", raise: true)
rescue I18n::MissingTranslationData
p :hello!
end
|
| | | |
|
| | | |
|
| | |
| | |
| | |
| | | |
Expanded test coverage for html_escape and json_escape
|
|/ / |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
By default, variants in the templates will be picked up if a variant is set
and there's a match. The format will be:
app/views/projects/show.html.erb
app/views/projects/show.html+tablet.erb
app/views/projects/show.html+phone.erb
If request.variant = :tablet is set, we'll automatically be rendering the
html+tablet template.
In the controller, we can also tailer to the variants with this syntax:
class ProjectsController < ActionController::Base
def show
respond_to do |format|
format.html do |html|
@stars = @project.stars
html.tablet { @notifications = @project.notifications }
html.phone { @chat_heads = @project.chat_heads }
end
format.js
format.atom
end
end
end
The variant itself is nil by default, but can be set in before filters, like
so:
class ApplicationController < ActionController::Base
before_action do
if request.user_agent =~ /iPad/
request.variant = :tablet
end
end
end
This is modeled loosely on custom mime types, but it's specifically not
intended to be used together. If you're going to make a custom mime type,
you don't need a variant. Variants are for variations on a single mime
types.
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
i18n doesn't depend on active support which means it can't use our html_safe
code to do its escaping when generating the spans. Rather than try to sanitize
the output from i18n, just revert to our old behaviour of rescuing the error
and constructing the tag ourselves.
Fixes: CVE-2013-4491
|
| |
| |
| |
| |
| |
| | |
Previously the unit values were trusted leading to potential XSS vulnerabilities.
Fixes: CVE-2013-6415
|
|/
|
|
|
|
| |
Missing partial folder/_partial instead of folder/partial.
Closes #13002.
|
| |
|
| |
|
| |
|
|\
| |
| | |
fix simple_format escapes own output when sanitize is set to true
|
| | |
|
|/ |
|
|
|
| |
Same as 4d4ff531b8807ee88a3fc46875c7e76f613956fb
|
|
|
|
|
| |
Rails 3.2 API allowed arbitrary input for cdata_section;
this change re-introduces the old behaviour.
|
|\
| |
| |
| |
| |
| |
| | |
Add params option for button_to
Conflicts:
actionpack/CHANGELOG.md
|
| |
| |
| |
| |
| |
| | |
The parameters are rendered as hidden form fields within the generated
form. This is useful for when a record has multiple buttons associated
with it, each of which target the same controller method, but which
need to submit different attributes.
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
causing #12521
If config.action_view.cache_template_loading = false, most likely in a development
configuration if config.cache_classes = false &
config.action_controller.perform_caching = true.
config.action_view.cache_template_loading defaults to the value of config.cache_classes
|
| |
| |
| |
| | |
These test were not running at all,
Now it will run as a tests part.
|