| Commit message | Author | Age | Files | Lines |
(This is a manual merge of #9102)
Before this change, we were allocating AS::SafeBuffer objects that were
being interpolated into a string, so the safe buffer object was being
thrown away. This change only allocates a string (vs a string *and* a
SafeBuffer) and interpolates the string.

On my test application, this reduced the AS::SafeBuffer objects from
1527k per request to about 500 per request.
html_escape_interpolated_argument is only used in mutation methods:
https://github.com/rails/rails/blob/c07d09559ec171e1904b55c7ad7e8c7d586ca51b/activesupport/lib/active_support/core_ext/string/output_safety.rb#L174
https://github.com/rails/rails/blob/c07d09559ec171e1904b55c7ad7e8c7d586ca51b/activesupport/lib/active_support/core_ext/string/output_safety.rb#L179
The return value doesn't need to be converted to an AS::SafeBuffer since
we know that the current object is an AS::SafeBuffer and will be
mutated, and the return value from html_escape_interpolated_argument
will be thrown away.
Change to require all active_support/deprecation since that's the actual
entry point for the deprecation methods.
Make `#prepend` method modify instance in-place and return self
instead of just returning modified value. That is exactly what
`#prepend!` method was doing previously, so it's deprecated from
now on.
The behavior of json_escape was fixed in 2f1c5789, but the doc
changes and example in that commit incorrectly indicated that the
return value would be html-safe. Since quotation marks are
preserved, the raw value is not safe to use in other contexts
(specifically HTML attributes).
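The point of that commit, shown with an added example that is not code from the Rails commits above: a minimal re-implementation of the two escapers modelled on how I understand ERB::Util.json_escape and html_escape (an assumption, not the project's own code), demonstrating that json_escape output still carries raw quotation marks and so needs html_escape before it can sit in an HTML attribute.

```ruby
# Added example; the escape tables below mirror my reading of ERB::Util
# and are an assumption, not the project's own code.

# json_escape only neutralises the characters that could close a <script>
# block or break a JSON literal inside it. Quotation marks are left alone
# because JSON needs them structurally.
JSON_ESCAPE = {
  "&" => '\u0026', ">" => '\u003e', "<" => '\u003c',
  "\u2028" => '\u2028', "\u2029" => '\u2029'
}.freeze
JSON_ESCAPE_RE = /[\u2028\u2029&><]/u

# html_escape covers quotation marks as well, which is what makes its
# output usable inside a double- or single-quoted attribute value.
HTML_ESCAPE = {
  "&" => "&amp;", ">" => "&gt;", "<" => "&lt;", '"' => "&quot;", "'" => "&#39;"
}.freeze
HTML_ESCAPE_RE = /[&"'><]/

def json_escape(value)
  value.to_s.gsub(JSON_ESCAPE_RE, JSON_ESCAPE)
end

def html_escape(value)
  value.to_s.gsub(HTML_ESCAPE_RE, HTML_ESCAPE)
end

# True when the string still carries a raw quotation mark, i.e. it could
# terminate a quoted attribute value if dropped in unescaped.
def raw_quotes?(value)
  value.match?(/["']/)
end

# Constructed sample: a JSON document embedding user-supplied text.
USER_JSON = '{"title": "Say \"hi\" <b>now</b> & leave"}'

if __FILE__ == $PROGRAM_NAME
  script_safe = json_escape(USER_JSON)
  puts "<script>var data = #{script_safe};</script>"   # script context: fine
  puts "raw quotes survive json_escape: #{raw_quotes?(script_safe)}"
  puts "data-json=\"#{html_escape(script_safe)}\""      # attribute context
end
```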
Interpolation was untested and did not work with hash arguments.
Adds
- support for interpolation with hash argument
- tests for the above
- tests for safe/unsafe interpolation
Use the already existing strings instead of creating a new one each time
just to test if it responds to the methods.
This reverts commit 8ce3c1e5dde9fb180813e4d89324db03da110b13, reversing
changes made to f93da579ce7f77dbd58b9a2165861aee265b8c93.

Reason: It slows down the running time.

    require "diffbench"
    load 'output_safety.rb'

    N = 10000
    b = ActiveSupport::SafeBuffer.new("hello world")

    DiffBench.bm do
      report "capitalize in safe buffer" do
        N.times do
          b.capitalize
        end
      end
    end

    > git checkout 069ea45; diffbench bench.rb; diffbench bench.rb; diffbench bench.rb; diffbench bench.rb; diffbench bench.rb; diffbench bench.rb; diffbench bench.rb;
    Running benchmark with current working tree
    Checkout HEAD^
    Running benchmark with HEAD^
    Checkout to previous HEAD again
                                      user     system      total        real
    ----------------------------------capitalize in safe buffer
    After patch:                  0.010000   0.000000   0.010000 (  0.009733)
    Before patch:                 0.010000   0.000000   0.010000 (  0.007702)
    Improvement: -26%
    Running benchmark with current working tree
    Checkout HEAD^
    Running benchmark with HEAD^
    Checkout to previous HEAD again
                                      user     system      total        real
    ----------------------------------capitalize in safe buffer
    After patch:                  0.010000   0.000000   0.010000 (  0.009768)
    Before patch:                 0.010000   0.000000   0.010000 (  0.007896)
    Improvement: -24%
    Running benchmark with current working tree
    Checkout HEAD^
    Running benchmark with HEAD^
    Checkout to previous HEAD again
                                      user     system      total        real
    ----------------------------------capitalize in safe buffer
    After patch:                  0.010000   0.000000   0.010000 (  0.009938)
    Before patch:                 0.010000   0.000000   0.010000 (  0.007768)
    Improvement: -28%
    Running benchmark with current working tree
    Checkout HEAD^
    Running benchmark with HEAD^
    Checkout to previous HEAD again
                                      user     system      total        real
    ----------------------------------capitalize in safe buffer
    After patch:                  0.010000   0.000000   0.010000 (  0.010001)
    Before patch:                 0.010000   0.000000   0.010000 (  0.007873)
    Improvement: -27%
    Running benchmark with current working tree
    Checkout HEAD^
    Running benchmark with HEAD^
    Checkout to previous HEAD again
                                      user     system      total        real
    ----------------------------------capitalize in safe buffer
    After patch:                  0.010000   0.000000   0.010000 (  0.009670)
    Before patch:                 0.010000   0.000000   0.010000 (  0.007800)
    Improvement: -24%
    Running benchmark with current working tree
    Checkout HEAD^
    Running benchmark with HEAD^
    Checkout to previous HEAD again
                                      user     system      total        real
    ----------------------------------capitalize in safe buffer
    After patch:                  0.010000   0.000000   0.010000 (  0.009949)
    Before patch:                 0.010000   0.000000   0.010000 (  0.007752)
    Improvement: -28%
Conflicts:
    actionmailer/lib/action_mailer/base.rb
    activesupport/lib/active_support/configurable.rb
    activesupport/lib/active_support/core_ext/module/deprecation.rb
    guides/source/action_controller_overview.md
    guides/source/active_support_core_extensions.md
    guides/source/ajax_on_rails.textile
    guides/source/association_basics.textile
    guides/source/upgrading_ruby_on_rails.md

While resolving conflicts, I have chosen to ignore changes done in
docrails at some places - these will most likely be 1.9 hash syntax
changes.
Remove j alias for ERB::Util.json_escape
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215
Logic in the clone_empty method was dealing with the old @dirty variable,
which was changed to @html_safe in this commit:
https://github.com/rails/rails/commit/139963c99a955520db6373343662e55f4d16dcd1

This was issuing a "not initialized variable" warning - related to:
https://github.com/rails/rails/pull/5237

The logic applied by this method is already handled by the [] override,
so there is no need to reset the variable here.
All the logic is based on the HTML_ESCAPE constant available in
ERB::Util, so it seems more logical to have the entire method there and
just delegate the helper to use it.
            length      user     system      total        real
    before       6  0.010000   0.000000   0.010000 (  0.012378)
    after        6  0.010000   0.000000   0.010000 (  0.012866)
    before      60  0.040000   0.000000   0.040000 (  0.046273)
    after       60  0.040000   0.000000   0.040000 (  0.036421)
    before     600  0.390000   0.000000   0.390000 (  0.390670)
    after      600  0.210000   0.000000   0.210000 (  0.209094)
    before    6000  3.750000   0.000000   3.750000 (  3.751008)
    after     6000  1.860000   0.000000   1.860000 (  1.857901)
Revert html_escape to do a single gsub again, but add the "n" flag (no
language, i.e. not multi-byte) to protect against XSS via invalid utf8.

Signed-off-by: José Valim <jose.valim@gmail.com>
unavailable to use with safe strings