aboutsummaryrefslogtreecommitdiffstats
path: root/actionview/test
Commit message (Collapse)AuthorAgeFilesLines
* Use the reference for the mime type to get the formatRafael Mendonça França2014-02-182-0/+34
| | | | | | | | Before we were calling to_sym in the mime type, even when it is unknown what can cause denial of service since symbols are not removed by the garbage collector. Fixes: CVE-2014-0082
* Merge branch '4-1-0-beta2'Rafael Mendonça França2014-02-181-0/+39
|\ | | | | | | | | | | Conflicts: actionview/CHANGELOG.md activerecord/CHANGELOG.md
| * Escape format, negative_format and units options of number helpersRafael Mendonça França2014-02-181-0/+39
| | | | | | | | | | | | | | Previously the values of these options were trusted leading to potential XSS vulnerabilities. Fixes: CVE-2014-0081
* | Fix a fragile test on `action_view/render`Prem Sichanugrist2014-02-181-1/+1
| | | | | | | | | | | | This test were assuming that the list of render options will always be the same. Fixing that so this doesn't break when we add/remove render option in the future.
* | implements new option :month_format_string for date select helpers [Closes ↵Xavier Noria2014-02-151-0/+10
| | | | | | | | #13618]
* | Added tests to render helper that expect `render partial: @foo` toIain Beeston2014-02-122-0/+11
| | | | | | | | | | | | | | | | | | | | automatically call @foo.to_partial_path Calling `render @foo` allows local variables but not options to be passed to the partial renderer. The correct way to render an object AND pass options to the partial renderer is to pass the object in the `:partial` parameter. However, there were previously no tests for this behaviour (in `render_helper_test.rb` at least).
* | Adding an documentation example and a test to button_to with pathAttila Domokos2014-02-021-0/+7
| | | | | | I did not see in the docs that `button_to` supports not only URLs but paths as well. I documented this functionality with a unit tests and added an example to the docs as well.
* | Rails config for raise on missing translationsKassio Borges2014-01-271-0/+10
| | | | | | | | | | Add a config to setup whether raise exception for missing translation or not.
* | Merge pull request #13414 from britto/jb-fix-dependency-matchingRafael Mendonça França2014-01-161-4/+110
|\ \ | | | | | | Improve ERB dependency detection
| * | Avoid scanning multiple render calls as a single match.João Britto2014-01-091-4/+26
| | | | | | | | | | | | Each chunk of text coming after `render` is now handled individually as a possible list of arguments.
| * | Improve ERB dependency detection.João Britto2014-01-091-4/+88
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The current implementation can't handle some special cases of oddly-formatted Ruby. Now we are able to detect them: * Multi-line arguments on the `render` call * Strings containing quotes, e.g. `"something's wrong"` * Multiple kinds of identifiers - instance variables, class variables and globals * Method chains as arguments for the `render` call Also, this fix reduces the rate of "false positives" which showed up when we had calls/access to identifiers containing `render`, like `surrender` and `rendering`.
* | | "serie" => "series"Waynn Lue2014-01-131-2/+2
| | |
* | | standardize on jruby_skip & rbx_skipGaurish Sharma2014-01-131-0/+8
|/ / | | | | | | | | | | This Adds helpers(jruby_skip & rbx_skip). In Future, Plan is to use these helpers instead of calls directly to RUBY_ENGINE/RbConfig/JRUBY_VERSION
* | Switched to use `display:none` in extra_tags_for_form method.Gaelian Ditchburn2014-01-053-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | The use of `display:inline` with the content_tag call in the extra_tags_for_form method potentially causes display issues with some browsers, namely Internet Explorer. IE's behaviour of not collapsing the line height on divs with ostensibly no content means that the automatically added div containing the hidden authenticity_token, utf8 and _method form input tags may interfere with other visible form elements in certain circumstances. The use of `display:none` rather than `display:inline` fixes this problem. Fixes #6403
* | Unused class in AV testAkira Matsuda2013-12-251-2/+0
| |
* | Unused classes in AV testsAkira Matsuda2013-12-243-18/+0
| |
* | Prefer assert_raise instead of flunk + rescue to test for exceptionsCarlos Antonio da Silva2013-12-192-6/+6
| | | | | | | | | | | | Change most tests to make use of assert_raise returning the raised exception rather than relying on a combination of flunk + rescue to check for exception types/messages.
* | Merge pull request #13363 from kuldeepaggarwal/f-video-optionsGuillermo Iguaran2013-12-171-1/+1
|\ \ | |/ |/| allow video_tag to accept `size` as `Number` for square shaped videos
| * allow video_tag to accept `size` as `Number` for square shaped videosKuldeep Aggarwal2013-12-181-1/+1
| |
* | Fix integration test to pass same-origin verificationJeremy Kemper2013-12-171-1/+1
|/
* Disable available locales checks to avoid warnings running the testsCarlos Antonio da Silva2013-12-171-0/+3
|
* test description uses "disable" when it should be "disabled"Waynn Lue2013-12-111-1/+1
|
* value is "disabled" not "disable"Waynn Lue2013-12-111-1/+1
|
* Merge pull request #13059 from imkmf/cycle-accepts-arrayRafael Mendonça França2013-12-061-0/+7
|\ | | | | | | | | | | | | Cycle object should accept an array Conflicts: actionview/CHANGELOG.md
| * A Cycle object should accept an array and cycle through it as it wouldKristian Freeman2013-12-061-0/+7
| | | | | | | | with a set of comma-separated objects.
* | Label only accepts `:index` and `:namespace` attributes from the inputAndriel Nuernberg2013-12-052-0/+72
| |
* | Merge pull request #13189 from strzalek/retain-ap-av-depJeremy Kemper2013-12-051-2/+0
|\ \ | | | | | | Retain ActionPack dependency on ActionView. Fixes #12979.
| * | Retain ActionPack dependency on ActionViewŁukasz Strzałkowski2013-12-051-2/+0
| | |
* | | Escalate missing error when :raise is trueShota Fukumori (sora_h)2013-12-051-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Before ec16ba75a5493b9da972eea08bae630eba35b62f, ActionView::Helpers::TranslationHelper#translate has raised errors with specifying options[:raise] to true. This should work by this fix: begin t(:"translations.missing", raise: true) rescue I18n::MissingTranslationData p :hello! end
* | | Added \u2028 \u2029 to json_escapeGodfrey Chan2013-12-041-1/+2
| | |
* | | Use lower case letters in unicodes sequences to match the new encoder's outputGodfrey Chan2013-12-041-3/+3
| | |
* | | Added failing test for json_escape striping quotation marksGodfrey Chan2013-12-041-0/+45
| | | | | | | | | | | | Expanded test coverage for html_escape and json_escape
* | | Fix issue where TextHelper#simple_format was calling missing 'raw' methodMario Visic2013-12-051-0/+5
|/ /
* | Action Pack VariantsŁukasz Strzałkowski2013-12-042-3/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | By default, variants in the templates will be picked up if a variant is set and there's a match. The format will be: app/views/projects/show.html.erb app/views/projects/show.html+tablet.erb app/views/projects/show.html+phone.erb If request.variant = :tablet is set, we'll automatically be rendering the html+tablet template. In the controller, we can also tailer to the variants with this syntax: class ProjectsController < ActionController::Base def show respond_to do |format| format.html do |html| @stars = @project.stars html.tablet { @notifications = @project.notifications } html.phone { @chat_heads = @project.chat_heads } end format.js format.atom end end end The variant itself is nil by default, but can be set in before filters, like so: class ApplicationController < ActionController::Base before_action do if request.user_agent =~ /iPad/ request.variant = :tablet end end end This is modeled loosely on custom mime types, but it's specifically not intended to be used together. If you're going to make a custom mime type, you don't need a variant. Variants are for variations on a single mime types.
* | Stop using i18n's built in HTML error handling.Michael Koziarski2013-12-021-1/+1
| | | | | | | | | | | | | | | | | | i18n doesn't depend on active support which means it can't use our html_safe code to do its escaping when generating the spans. Rather than try to sanitize the output from i18n, just revert to our old behaviour of rescuing the error and constructing the tag ourselves. Fixes: CVE-2013-4491
* | Escape the unit value provided to number_to_currencyMichael Koziarski2013-12-021-1/+2
| | | | | | | | | | | | Previously the unit values were trusted leading to potential XSS vulnerabilities. Fixes: CVE-2013-6415
* | `ActionView::MissingTemplate` for partials includes underscore.Yves Senn2013-12-022-4/+4
|/ | | | | | Missing partial folder/_partial instead of folder/partial. Closes #13002.
* More typo fixesAkira Matsuda2013-11-272-2/+2
|
* Minor typo fixesAkira Matsuda2013-11-273-5/+5
|
* Use `set_backtrace` instead of `@backtrace` in ActionView errorShimpei Makimoto2013-11-161-0/+7
|
* Merge pull request #12760 from pseidemann/masterYves Senn2013-11-091-0/+5
|\ | | | | fix simple_format escapes own output when sanitize is set to true
| * fix simple_format escapes own output when sanitize is set to truepseidemann2013-11-081-0/+5
| |
* | Refactor File.expand_path usage to remove additional File.joinAlex Johnson2013-11-051-1/+1
|/
* Warnings removed for ruby trunkArun Agrawal2013-11-011-1/+1
| | | Same as 4d4ff531b8807ee88a3fc46875c7e76f613956fb
* Convert CDATA input to string before gsub'ingCarsten Zimmermann2013-10-291-0/+4
| | | | | Rails 3.2 API allowed arbitrary input for cdata_section; this change re-introduces the old behaviour.
* Merge pull request #10471 from andyw8/button_to_paramsRafael Mendonça França2013-10-241-0/+7
|\ | | | | | | | | | | | | Add params option for button_to Conflicts: actionpack/CHANGELOG.md
| * Add params option for button_toAndy Waite2013-09-181-0/+7
| | | | | | | | | | | | The parameters are rendered as hidden form fields within the generated form. This is useful for when a record has multiple buttons associated with it, each of which target the same controller method, but which need to submit different attributes.
* | Ensure the state is clean after one failureRafael Mendonça França2013-10-161-5/+4
| |
* | Add 2 tests, 1 of which fails, to isolate the digest_caching behaviour ↵Brad Murray2013-10-151-0/+26
| | | | | | | | | | | | | | | | | | | | causing #12521 If config.action_view.cache_template_loading = false, most likely in a development configuration if config.cache_classes = false & config.action_controller.perform_caching = true. config.action_view.cache_template_loading defaults to the value of config.cache_classes
* | Moved viewpathstest into actionview/test/actionpack/controllerArun Agrawal2013-10-091-0/+0
| | | | | | | | These test were not running at all, Now it will run as a tests part.