path: root/actionview
Commit message  [Author, Age, Files, Lines]
* Preparing for 4.1.0.beta2 release  [Rafael Mendonça França, 2014-02-18, 2 files, -1/+5]
|
* Escape format, negative_format and units options of number helpers  [Rafael Mendonça França, 2014-02-18, 2 files, -5/+53]
|
|     Previously the values of these options were trusted leading to
|     potential XSS vulnerabilities.
|
|     Fixes: CVE-2014-0081
|
* Get ready to release 4.1.0.beta1  [David Heinemeier Hansson, 2013-12-17, 1 file, -1/+1]
|
* Fix integration test to pass same-origin verification  [Jeremy Kemper, 2013-12-17, 1 file, -1/+1]
|
* Disable available locales checks to avoid warnings running the tests  [Carlos Antonio da Silva, 2013-12-17, 1 file, -0/+3]
|
* Merge pull request #13255 from strzalek/bump-builder  [Rafael Mendonça França, 2013-12-12, 1 file, -1/+1]
|\
| |     Bump up builder
| |
| * More liberal builder dependency  [Łukasz Strzałkowski, 2013-12-12, 1 file, -1/+1]
| |
| |     Allowing us to get 3.2.x versions if needed.
| |
* | Merge pull request #13284 from aayushkhandelwal11/typos_corrected  [Godfrey Chan, 2013-12-11, 1 file, -1/+1]
|\ \
| | |     s/everytime/every time/
| | |
| * | typos rectified [ci skip]  [Aayush khandelwal, 2013-12-12, 1 file, -1/+1]
| | |
* | | test description uses "disable" when it should be "disabled"  [Waynn Lue, 2013-12-11, 1 file, -1/+1]
| | |
* | | value is "disabled" not "disable"  [Waynn Lue, 2013-12-11, 1 file, -1/+1]
|/ /
* / Fix typo in docs, missing colon in Symbol literal [ci skip]  [Semyon Perepelitsa, 2013-12-11, 1 file, -1/+1]
|/
* Merge pull request #13059 from imkmf/cycle-accepts-array  [Rafael Mendonça França, 2013-12-06, 3 files, -1/+26]
|\
| |     Cycle object should accept an array
| |
| |     Conflicts:
| |         actionview/CHANGELOG.md
| |
| * A Cycle object should accept an array and cycle through it as it would  [Kristian Freeman, 2013-12-06, 3 files, -1/+24]
| |
| |     with a set of comma-separated objects.
| |
* | Label only accepts `:index` and `:namespace` attributes from the input  [Andriel Nuernberg, 2013-12-05, 5 files, -2/+98]
| |
* | Remove the explicit order set for the initializer  [Rafael Mendonça França, 2013-12-05, 1 file, -1/+1]
| |
| |     This will fix the regression added on
| |     b068e20b35797aa6deaa377a48c990759734f515.
| |
| |     See tests added at ff08d31 to a better understanding about the problem
| |
* | Merge pull request #13189 from strzalek/retain-ap-av-dep  [Jeremy Kemper, 2013-12-05, 2 files, -9/+0]
|\ \
| | |     Retain ActionPack dependency on ActionView. Fixes #12979.
| | |
| * | Include AV::Layouts directly in AM::Base  [Łukasz Strzałkowski, 2013-12-05, 1 file, -6/+0]
| | |
| | |     No need to do this in railtie as AM depends on AV either way
| | |
| * | Retain ActionPack dependency on ActionView  [Łukasz Strzałkowski, 2013-12-05, 2 files, -3/+0]
| | |
* | | Escalate missing error when :raise is true  [Shota Fukumori (sora_h), 2013-12-05, 2 files, -1/+15]
| | |
| | |     Before ec16ba75a5493b9da972eea08bae630eba35b62f,
| | |     ActionView::Helpers::TranslationHelper#translate has raised errors
| | |     with specifying options[:raise] to true.
| | |
| | |     This should work by this fix:
| | |
| | |         begin
| | |           t(:"translations.missing", raise: true)
| | |         rescue I18n::MissingTranslationData
| | |           p :hello!
| | |         end
| | |
* | | Added \u2028 \u2029 to json_escape  [Godfrey Chan, 2013-12-04, 2 files, -1/+5]
| | |
* | | Use lower case letters in unicode sequences to match the new encoder's output  [Godfrey Chan, 2013-12-04, 1 file, -3/+3]
| | |
* | | Fixed a long-standing bug in `json_escape` that strips quotation marks  [Godfrey Chan, 2013-12-04, 1 file, -0/+4]
| | |
* | | Added failing test for json_escape stripping quotation marks  [Godfrey Chan, 2013-12-04, 1 file, -0/+45]
| | |
| | |     Expanded test coverage for html_escape and json_escape
| | |
* | | Fix issue where TextHelper#simple_format was calling missing 'raw' method  [Mario Visic, 2013-12-05, 2 files, -0/+7]
| | |
* | | Fix documentation of number_to_currency helper  [Rafael Mendonça França, 2013-12-04, 1 file, -4/+4]
|/ /
| |     Now users have to explicitly mark the unit as safe if they trust it.
| |
| |     Closes #13161
| |
| |     Conflicts:
| |         actionpack/lib/action_view/helpers/number_helper.rb
| |         actionpack/test/template/number_helper_i18n_test.rb
| |
* | Action Pack Variants  [Łukasz Strzałkowski, 2013-12-04, 6 files, -12/+25]
| |
| |     By default, variants in the templates will be picked up if a variant
| |     is set and there's a match. The format will be:
| |
| |         app/views/projects/show.html.erb
| |         app/views/projects/show.html+tablet.erb
| |         app/views/projects/show.html+phone.erb
| |
| |     If request.variant = :tablet is set, we'll automatically be rendering
| |     the html+tablet template.
| |
| |     In the controller, we can also tailor to the variants with this syntax:
| |
| |         class ProjectsController < ActionController::Base
| |           def show
| |             respond_to do |format|
| |               format.html do |html|
| |                 @stars = @project.stars
| |
| |                 html.tablet { @notifications = @project.notifications }
| |                 html.phone { @chat_heads = @project.chat_heads }
| |               end
| |
| |               format.js
| |               format.atom
| |             end
| |           end
| |         end
| |
| |     The variant itself is nil by default, but can be set in before filters,
| |     like so:
| |
| |         class ApplicationController < ActionController::Base
| |           before_action do
| |             if request.user_agent =~ /iPad/
| |               request.variant = :tablet
| |             end
| |           end
| |         end
| |
| |     This is modeled loosely on custom mime types, but it's specifically not
| |     intended to be used together. If you're going to make a custom mime
| |     type, you don't need a variant. Variants are for variations on a single
| |     mime type.
| |
* | optimize string literals in erb templates  [Aaron Patterson, 2013-12-03, 1 file, -2/+2]
| |
* | Remove the escaping skip  [Rafael Mendonça França, 2013-12-03, 1 file, -1/+1]
| |
| |     We are generating safe strings in the paragraph, so we can escape the tags
| |
* | Stop using i18n's built in HTML error handling.  [Michael Koziarski, 2013-12-02, 2 files, -14/+10]
| |
| |     i18n doesn't depend on active support which means it can't use our
| |     html_safe code to do its escaping when generating the spans. Rather
| |     than try to sanitize the output from i18n, just revert to our old
| |     behaviour of rescuing the error and constructing the tag ourselves.
| |
| |     Fixes: CVE-2013-4491
| |
* | Ensure simple_format escapes its html attributes  [Michael Koziarski, 2013-12-02, 1 file, -1/+1]
| |
| |     The previous behavior equated the sanitize option for simple_format
| |     with the escape option of content_tag, however these are two distinct
| |     concepts.
| |
| |     This fixes CVE-2013-6416
| |
| |     Conflicts:
| |         actionview/lib/action_view/helpers/text_helper.rb
| |
* | Escape the unit value provided to number_to_currency  [Michael Koziarski, 2013-12-02, 2 files, -1/+3]
| |
| |     Previously the unit values were trusted leading to
| |     potential XSS vulnerabilities.
| |
| |     Fixes: CVE-2013-6415
| |
* | Only use valid mime type symbols as cache keys  [Aaron Patterson, 2013-12-02, 1 file, -0/+7]
| |
| |     CVE-2013-6414
| |
* | Merge pull request #13138 from gsamokovarov/remove-cattr-requires  [Guillermo Iguaran, 2013-12-02, 6 files, -6/+6]
|\ \
| | |     Remove deprecated cattr_* requires
| | |
| * | Remove deprecated cattr_* requires  [Genadi Samokovarov, 2013-12-03, 6 files, -6/+6]
| | |
* | | Make ActionView::Tags loading thread safe  [Rafael Mendonça França, 2013-12-02, 4 files, -32/+40]
|/ /
* | activemodel isn't a runtime dependency for actionview  [Guillermo Iguaran, 2013-12-02, 1 file, -2/+2]
| |
* | Merge pull request #13117 from akshay-vishnoi/typo  [Xavier Noria, 2013-12-02, 2 files, -2/+2]
|\ \
| | |     Typo and grammatical fixes [ci skip]
| | |
| * | Typo and grammatical fixes [ci skip]  [Akshay Vishnoi, 2013-12-02, 2 files, -2/+2]
| | |
* | | `ActionView::MissingTemplate` for partials includes underscore.  [Yves Senn, 2013-12-02, 4 files, -4/+13]
|/ /
| |     Missing partial folder/_partial instead of folder/partial.
| |
| |     Closes #13002.
| |
* / unnecessary checking of `size` with `second regex` if matched with first one  [Kuldeep Aggarwal, 2013-11-27, 1 file, -2/+5]
|/
* More typo fixes  [Akira Matsuda, 2013-11-27, 2 files, -2/+2]
|
* Minor typo fixes  [Akira Matsuda, 2013-11-27, 4 files, -6/+6]
|
* Revert "Merge pull request #13027 from akshay-vishnoi/f-refactor"  [Carlos Antonio da Silva, 2013-11-25, 1 file, -1/+1]
|
|     This reverts commit f4a5a9ea4d183f4102796215d4502c46dbe3e52b, reversing
|     changes made to 7ccb482181ee6c47c765406009018a15172812de.
|
|     Reason: The logic is different, the first call to #option_value_selected?
|     is for the :selected option (the argument is the "selected" variable),
|     the second call is for the :disabled option (the argument is the
|     "disabled" variable).
|
* avoiding calling of #option_value_selected? two times  [Akshay Vishnoi, 2013-11-25, 1 file, -1/+1]
|
* _implied_layout_name should be private  [Rafael Mendonça França, 2013-11-19, 1 file, -9/+11]
|
* Use the right indentation  [Rafael Mendonça França, 2013-11-19, 1 file, -1/+1]
|
* Renderer#_render_template should be private  [Rafael Mendonça França, 2013-11-19, 1 file, -7/+7]
|
|     Closes #12831
|
* Improve readability of sentence in partial-renderer docs [ci skip]  [Mac Martine, 2013-11-19, 1 file, -1/+1]
|
* Use `set_backtrace` instead of `@backtrace` in ActionView error  [Shimpei Makimoto, 2013-11-16, 3 files, -2/+13]
|