| Commit message | Author | Date | Files | Lines |
|---|---|---|---|---|
| all numerics should be html_safe - Closes #1935 | Damien Mathieu | 2011-07-03 | 1 | -1/+1 |
| calling unsafe methods which don't return a string shouldn't fail | Damien Mathieu | 2011-06-22 | 1 | -2/+2 |
| safe_concat should not work on dirty buffers. | José Valim | 2011-06-16 | 1 | -4/+13 |
| Fix safe buffer by adding a dirty status. | José Valim | 2011-06-16 | 1 | -12/+24 |
| Define ActiveSupport#to_param as to_str - closes #1663 | Andrew White | 2011-06-12 | 1 | -0/+4 |
| ensuring that json_escape returns html safe strings when passed an html safe string | Aaron Patterson | 2011-06-09 | 1 | -1/+2 |
| Prefer 'each' over 'for in' syntax. | Sebastian Martinez | 2011-06-07 | 1 | -1/+1 |
| Ensure that the strings returned by SafeBuffer#gsub and friends aren't considered html_safe? Also make sure that the versions of those methods which modify a string in place such as gsub! can't be called on safe buffers at all. Conflicts: activesupport/test/safe_buffer_test.rb | Michael Koziarski | 2011-06-07 | 1 | -0/+13 |
| Revert "Merge pull request #275 from pk-amooma/master". Several AP tests fail after this change. This reverts commit aaf01cd53718c8aa5b69ac056b997e6dd9893777, reversing changes made to 9cc18c52faeebaad6a76bd62cdca1c6b9f96afed. | José Valim | 2011-05-07 | 1 | -2/+2 |
| for escaping HTML can be treated as normal XML | Philipp Kempgen (Amooma) | 2011-04-14 | 1 | -2/+2 |
| properly escape `'` to `&#39;` for XML/HTML (BTW Erubis does that as well) | Philipp Kempgen (Amooma) | 2011-04-14 | 1 | -2/+2 |
| s/ERb/ERB/g. The author of ERB says his eRuby implementation was originally named "ERb/ERbLight" and then renamed to "ERB" when it started being bundled as a Ruby standard lib. http://www2a.biglobe.ne.jp/~seki/ruby/erb.html | Akira Matsuda | 2011-04-03 | 1 | -1/+1 |
| Active Support typos. | R.T. Lechow | 2011-03-05 | 1 | -1/+1 |
| Removed Array#safe_join in AS core_ext and moved it to a view helper with the same name. This also changes how safe_join works: if items or the separator are not html_safe they are html_escape'd; an html_safe string is always returned. Signed-off-by: José Valim <jose.valim@gmail.com> | Josh Kalderimis | 2011-02-10 | 1 | -31/+0 |
| Revert "Removed Array#safe_join in AS core_ext and moved it to a view helper with the same name." Applied the wrong version. This reverts commit 98c0c5db50a7679b3d58769ac22cb0a27a62c930. | José Valim | 2011-02-10 | 1 | -0/+31 |
| Removed Array#safe_join in AS core_ext and moved it to a view helper with the same name. | Josh Kalderimis | 2011-02-10 | 1 | -31/+0 |
| Corrected the html_safe implementation for Array. Moved the html safe version of join to its own method (safe_join) so as not to degrade the performance of join for unrelated html_safe use. [#6298 state:resolved] | Josh Kalderimis | 2011-02-10 | 1 | -7/+22 |
| Initial html_safe implementation for Array | Paul Hieromnimon | 2011-02-10 | 1 | -0/+16 |
| make sure we play nicely when syck is activated | Aaron Patterson | 2011-01-28 | 1 | -5/+8 |
| Psych correctly gets visitor for SafeBuffer from superclass | brainopia | 2011-01-28 | 1 | -2/+5 |
| applies API conventions to the RDoc of json_encode. * Examples running with the text are preferred over separate Example sections. * No need to call puts; in `# =>` we show the return value, not STDOUT. * Say explicitly that double quotes are removed. * Specify that we are talking `\uXXX`, rather than, say, HTML entities. | Xavier Noria | 2010-11-20 | 1 | -10/+12 |
| Make safe_append= live on AV::OutputBuffer not AS::SafeBuffer. Conflicts: actionpack/lib/action_view/template/handlers/erb.rb | Michael Koziarski | 2010-11-08 | 1 | -1/+0 |
| Added support for Erubis `<%==` tag. `<%== x %>` is syntactic sugar for `<%= raw(x) %>`. Signed-off-by: Michael Koziarski <michael@koziarski.com> [#5918 status:committed] | Jan Maurits Faber | 2010-11-08 | 1 | -0/+1 |
| Merge branch 'master' of git://github.com/lifo/docrails | Xavier Noria | 2010-10-19 | 1 | -0/+6 |
| json_escape makes json invalid doc change [#1485 state:resolved] | Neeraj Singh | 2010-10-16 | 1 | -0/+6 |
| explains why ERB::Util#h is removed before being re-aliased | Xavier Noria | 2010-10-18 | 1 | -0/+1 |
| moves Object#singleton_class to Kernel#singleton_class to match Ruby also there, same for #class_eval to simplify, and adds coverage for class_eval | Xavier Noria | 2010-04-05 | 1 | -1/+1 |
| Require AS singleton_class code in AS output_safety. Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net> | snusnu | 2010-03-17 | 1 | -1/+2 |
| Remove some 1.9 warnings (resulting in some fixed bugs). Remaining AM warnings are in dependencies. | wycats | 2010-03-17 | 1 | -2/+4 |
| to_str works here | Jeremy Kemper | 2010-03-15 | 1 | -5/+1 |
| Be sure to pass through args to to_yaml | Jeremy Kemper | 2010-03-11 | 1 | -2/+2 |
| Write strings to fragment cache, not outputbuffers | Jeremy Kemper | 2010-03-11 | 1 | -1/+5 |
| OutputBuffer#to_yaml should return string yaml, not some custom class dump | Jeremy Kemper | 2010-03-11 | 1 | -0/+4 |
| Making SafeBuffer << an alias for concat method. [#3848 state:committed] Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net> | Santiago Pastorino | 2010-02-05 | 1 | -5/+2 |
| For performance reasons, you can no longer call html_safe! on Strings. Instead, all Strings are always not html_safe?. Instead, you can get a SafeBuffer from a String by calling #html_safe, which will SafeBuffer.new(self). * Additionally, instead of doing `concat("</form>".html_safe)`, you can do `safe_concat("</form>")`, which will skip both the flag set and the flag check. * For the first pass, I converted virtually all #html_safe!s to #html_safe, and the tests pass. A further optimization would be to try to use #safe_concat as much as possible, reducing the performance impact if we know up front that a String is safe. | Yehuda Katz | 2010-01-31 | 1 | -21/+85 |
| String#<< should work for any object which responds to :to_str, so enable this without the performance hit and make Fixnum safe by default. | José Valim | 2009-12-26 | 1 | -0/+12 |
| Simplify and improve the performance of output_safety | Yehuda Katz | 2009-12-24 | 1 | -22/+6 |
| Instead of marking raw text in templates as safe, and then putting them through String#<< which checks if the String is safe, use safe_concat, which uses the original (internal) String#<< and leaves the safe flag as is. Results in a significant performance improvement. | Yehuda Katz | 2009-12-24 | 1 | -0/+1 |
| Remove concat before overriding it | Joshua Peek | 2009-12-01 | 1 | -6/+7 |
| Switch to on-by-default XSS escaping for rails. This consists of: * String#html_safe!, a method to mark a string as 'safe' * ActionView::SafeBuffer, a string subclass which escapes anything unsafe which is concatenated to it * Calls to String#html_safe! throughout the rails helpers * a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presanitized strings in the DB) * New ERB implementation based on erubis which uses a SafeBuffer instead of a String. Hat tip to Django for the inspiration. | Michael Koziarski | 2009-10-08 | 1 | -0/+43 |
This consists of: * String#html_safe! a method to mark a string as 'safe' * ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it * Calls to String#html_safe! throughout the rails helpers * a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presantized strings in the DB) * New ERB implementation based on erubis which uses a SafeBuffer instead of a String Hat tip to Django for the inspiration. |