path: root/activesupport/lib/active_support/core_ext/string/output_safety.rb

Commit log. Each entry: subject (author, date, files changed, lines -/+), followed by the commit message body where there is one. Entries from a merged branch are indented under the merge commit.
* The hex escape sequence can be of any length (Godfrey Chan, 2014-07-02, 1 file, -1/+1)

* Fix escape_once double-escaping hex-encoded entities (John F. Douthat, 2014-07-02, 1 file, -1/+1)
  (This is a manual merge of #9102)
* drastically reduce object allocations (Aaron Patterson, 2014-06-02, 1 file, -6/+13)
  before this change, we were allocating AS::SafeBuffer objects that were being interpolated into a string, so the safe buffer object was being thrown away. This change only allocates a string (vs a string *and* a safebuffer) and interpolates the string. On my test application, this reduced the AS::SafeBuffer objects from 1527k per request to about 500 per request.

* reduce AS::SafeBuffer allocations (Aaron Patterson, 2014-06-02, 1 file, -1/+2)
  html_escape_interpolated_argument is only used in mutation methods:
  https://github.com/rails/rails/blob/c07d09559ec171e1904b55c7ad7e8c7d586ca51b/activesupport/lib/active_support/core_ext/string/output_safety.rb#L174
  https://github.com/rails/rails/blob/c07d09559ec171e1904b55c7ad7e8c7d586ca51b/activesupport/lib/active_support/core_ext/string/output_safety.rb#L179
  The return value doesn't need to be converted to an AS::SafeBuffer since we know that the current object is an AS::SafeBuffer and will be mutated, and the return value from html_escape_interpolated_argument will be thrown away

* concat is a hotspot (via AV#append=), so just directly define the methods (Aaron Patterson, 2014-06-02, 1 file, -4/+6)
* Move require to actual file (Carlos Antonio da Silva, 2014-04-02, 1 file, -0/+1)
  Change to require all active_support/deprecation since that's the actual entry point for the deprecation methods.

* DRY AS::SafeBuffer a bit using existing helper (Pavel Pravosud, 2014-04-02, 1 file, -5/+1)

* Make AS::SafeBuffer#prepend act like String#prepend (Pavel Pravosud, 2014-03-31, 1 file, -6/+13)
  Make `#prepend` method modify instance in-place and return self instead of just returning modified value. That is exactly what `#prepend!` method was doing previously, so it's deprecated from now on.

* Clarify behavior of json_escape, update examples (Jon Jensen, 2014-01-09, 1 file, -12/+12)
  The behavior of json_escape was fixed in 2f1c5789, but the doc changes and example in that commit incorrectly indicated that the return value would be html-safe. Since quotation marks are preserved, the raw value is not safe to use in other contexts (specifically HTML attributes).
* Fixes interpolation on SafeBuffer (Julien Letessier, 2013-12-14, 1 file, -7/+12)
  Interpolation was untested and did not work with hash arguments. Adds
  - support for interpolation with hash argument
  - tests for the above
  - tests for safe/unsafe interpolation

* Review json_escape docs [ci skip] (Carlos Antonio da Silva, 2013-12-04, 1 file, -22/+22)

* Also move html_escape regex to a constant (see 9d25af60) (Godfrey Chan, 2013-12-04, 1 file, -1/+2)

* Added \u2028 \u2029 to json_escape (Godfrey Chan, 2013-12-04, 1 file, -5/+7)

* Use lower case letters in unicode sequences to match the new encoder's output (Godfrey Chan, 2013-12-04, 1 file, -1/+1)

* Fixed a long-standing bug in `json_escape` that strips quotation marks (Godfrey Chan, 2013-12-04, 1 file, -12/+49)
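The json_escape behaviour that the three commits above and Jon Jensen's later doc fix describe, as an added example that is not ActiveSupport's own code. It keeps the quotation marks (so the output is still valid JSON), turns the characters that could close a script element or open a tag into \u escapes, and escapes U+2028/U+2029. The JSON_ESCAPE map, the RAW_JSON sample and the helper names are defined here for illustration only; the sample document is constructed.

```ruby
require "json"

# Added example, not Rails code. Quotation marks are deliberately NOT in this
# map: the result must still parse as JSON. U+2028 and U+2029 are escaped
# because JavaScript treats them as line terminators even inside string
# literals, which can break or alter a <script> block.
JSON_ESCAPE = {
  "&"      => '\u0026',
  ">"      => '\u003e',
  "<"      => '\u003c',
  "\u2028" => '\u2028',
  "\u2029" => '\u2029'
}.freeze
JSON_ESCAPE_REGEXP = /[\u2028\u2029&><]/u

def json_escape(s)
  s.to_s.gsub(JSON_ESCAPE_REGEXP, JSON_ESCAPE)
end

# Constructed JSON document carrying attacker-controlled string values: a
# closing script tag and a U+2028 line terminator.
RAW_JSON = %({"name":"</script><script>alert(1)</script>","sep":"line\u2028break"})

# Safe use: the payload can no longer terminate the <script> element early,
# because "<" and ">" are now JSON escapes the browser never sees as markup.
def script_block(json)
  "<script>var data = #{json_escape(json)};</script>"
end

# The escapes are ordinary JSON escapes, so a JSON parser recovers the
# original data unchanged.
def roundtrips?(json)
  JSON.parse(json_escape(json)) == JSON.parse(json)
end

# The caveat from the log: quotation marks survive, so the output is not
# safe to drop into an HTML attribute value (e.g. data-json="...").
def attribute_safe?(escaped)
  !escaped.include?('"')
end
```

The contrast to keep in mind: json_escape is for the inside of a script element, where the JSON must remain parseable; in an attribute context the value still needs html_escape on top.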
* Avoid generating more strings while iterating to create methods (Carlos Antonio da Silva, 2013-12-02, 1 file, -1/+1)
  Use the already existing strings instead of creating a new one each time just to test if it responds to the methods.

* Revert "Merge pull request #10600 from aditya-kapoor/code_refactor" (Rafael Mendonça França, 2013-05-15, 1 file, -9/+11)
  This reverts commit 8ce3c1e5dde9fb180813e4d89324db03da110b13, reversing changes made to f93da579ce7f77dbd58b9a2165861aee265b8c93.

  Reason: It slows down the running time.

      require "diffbench"
      load 'output_safety.rb'

      N = 10000
      b = ActiveSupport::SafeBuffer.new("hello world")

      DiffBench.bm do
        report "capitalize in safe buffer" do
          N.times do
            b.capitalize
          end
        end
      end

  > git checkout 069ea45; diffbench bench.rb; diffbench bench.rb;diffbench bench.rb;diffbench bench.rb;diffbench bench.rb;diffbench bench.rb;diffbench bench.rb;

  Running benchmark with current working tree
  Checkout HEAD^
  Running benchmark with HEAD^
  Checkout to previous HEAD again
                                  user     system      total        real
  ----------------------------------capitalize in safe buffer
  After patch:                0.010000   0.000000   0.010000 (  0.009733)
  Before patch:               0.010000   0.000000   0.010000 (  0.007702)
  Improvement: -26%

  Running benchmark with current working tree
  Checkout HEAD^
  Running benchmark with HEAD^
  Checkout to previous HEAD again
                                  user     system      total        real
  ----------------------------------capitalize in safe buffer
  After patch:                0.010000   0.000000   0.010000 (  0.009768)
  Before patch:               0.010000   0.000000   0.010000 (  0.007896)
  Improvement: -24%

  Running benchmark with current working tree
  Checkout HEAD^
  Running benchmark with HEAD^
  Checkout to previous HEAD again
                                  user     system      total        real
  ----------------------------------capitalize in safe buffer
  After patch:                0.010000   0.000000   0.010000 (  0.009938)
  Before patch:               0.010000   0.000000   0.010000 (  0.007768)
  Improvement: -28%

  Running benchmark with current working tree
  Checkout HEAD^
  Running benchmark with HEAD^
  Checkout to previous HEAD again
                                  user     system      total        real
  ----------------------------------capitalize in safe buffer
  After patch:                0.010000   0.000000   0.010000 (  0.010001)
  Before patch:               0.010000   0.000000   0.010000 (  0.007873)
  Improvement: -27%

  Running benchmark with current working tree
  Checkout HEAD^
  Running benchmark with HEAD^
  Checkout to previous HEAD again
                                  user     system      total        real
  ----------------------------------capitalize in safe buffer
  After patch:                0.010000   0.000000   0.010000 (  0.009670)
  Before patch:               0.010000   0.000000   0.010000 (  0.007800)
  Improvement: -24%

  Running benchmark with current working tree
  Checkout HEAD^
  Running benchmark with HEAD^
  Checkout to previous HEAD again
                                  user     system      total        real
  ----------------------------------capitalize in safe buffer
  After patch:                0.010000   0.000000   0.010000 (  0.009949)
  Before patch:               0.010000   0.000000   0.010000 (  0.007752)
  Improvement: -28%
* Added a blank space and removed to_sym (aditya-kapoor, 2013-05-14, 1 file, -4/+5)

* Removed Class Eval and used define_method instead for the SafeBuffer (aditya-kapoor, 2013-05-14, 1 file, -12/+9)

* Call String#gsub with Hash directly (Aman Gupta, 2013-03-04, 1 file, -2/+2)
* Merge branch 'master' of github.com:lifo/docrails (Vijay Dev, 2012-09-21, 1 file, -1/+0)
  Conflicts:
    actionmailer/lib/action_mailer/base.rb
    activesupport/lib/active_support/configurable.rb
    activesupport/lib/active_support/core_ext/module/deprecation.rb
    guides/source/action_controller_overview.md
    guides/source/active_support_core_extensions.md
    guides/source/ajax_on_rails.textile
    guides/source/association_basics.textile
    guides/source/upgrading_ruby_on_rails.md

  While resolving conflicts, I have chosen to ignore changes done in docrails at some places - these will be most likely 1.9 hash syntax changes.

  * update AS/core_ext docs [ci skip] (Francesco Rodriguez, 2012-09-12, 1 file, -1/+0)

* &#39 dates back to SGML when &#x27 was introduced in HTML 4.0 (Kalys Osmonov, 2012-09-09, 1 file, -1/+1)
* Merge pull request #3578 from amatsuda/remove_j_alias_for_json_escape (Rafael Mendonça França, 2012-08-21, 1 file, -7/+0)
  Remove j alias for ERB::Util.json_escape

  * Remove j alias for ERB::Util.json_escape (Akira Matsuda, 2011-11-09, 1 file, -7/+0)

* html_escape should escape single quotes (Santiago Pastorino, 2012-07-31, 1 file, -3/+3)
  https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
  Closes #7215
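The escaping the single-quote commit above and the two escape_once commits at the top of the log describe, as an added example that is not Rails's own code. html_escape covers all five characters the linked OWASP rule lists, and escape_once leaves an ampersand alone only when it already starts a complete named, decimal or hex entity (of any length), so already-escaped text is not escaped twice. The constant names, the PAYLOAD value and the helper functions are defined here for illustration; the payload is constructed.

```ruby
# Added example, not Rails code. The five characters OWASP rule #1 requires
# to be escaped before untrusted data goes into element content. The single
# quote is the one the 2012-07-31 commit adds; without it a value placed in a
# single-quoted attribute can end the attribute.
HTML_ESCAPE = {
  "&" => "&amp;",
  ">" => "&gt;",
  "<" => "&lt;",
  '"' => "&quot;",
  "'" => "&#39;"
}.freeze

HTML_ESCAPE_REGEXP = /[&"'><]/

# An "&" is skipped only when a complete entity follows it: named (&amp;),
# decimal (&#39;) or hex with any number of digits (&#x27;, &#x1f600;).
# A bare "&", or one followed by a malformed entity, is still escaped.
HTML_ESCAPE_ONCE_REGEXP = /["><']|&(?!([a-zA-Z]+|(#\d+)|(#[xX][\dA-Fa-f]+));)/

def html_escape(s)
  s.to_s.gsub(HTML_ESCAPE_REGEXP, HTML_ESCAPE)
end

def escape_once(s)
  s.to_s.gsub(HTML_ESCAPE_ONCE_REGEXP, HTML_ESCAPE)
end

# The behaviour the single-quote commit replaces: everything but the quote.
def html_escape_without_quote(s)
  s.to_s.gsub(/[&"><]/, HTML_ESCAPE)
end

# Constructed untrusted value. Inside title='...' it closes the attribute and
# appends an event handler unless the quote itself is escaped.
PAYLOAD = "x' onmouseover='alert(1)"

def single_quoted_attr(escaper)
  "<a title='#{escaper.call(PAYLOAD)}'>"
end
```

escape_once is only for text that may already contain entities (for example a value that went through html_escape once and is being re-rendered); for raw untrusted input, html_escape is the right call because escape_once will pass through anything that happens to look like an entity.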
* doesn't modify params in SafeBuffer#% (Vasiliy Ermolovich, 2012-05-18, 1 file, -3/+1)

* fix safe string interpolation with SafeBuffer#%, closes #6352 (Vasiliy Ermolovich, 2012-05-16, 1 file, -0/+14)
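The SafeBuffer#% behaviour the two commits above describe (escape interpolated arguments, do not modify the caller's params), together with the later hash-argument fix and the concat escaping mentioned further up the log, as an added example that is not ActiveSupport's code. This minimal SafeBuffer, the html_escape helper and the `safe` function are defined here for illustration; real ActiveSupport::SafeBuffer overrides many more String methods.

```ruby
# Added example, not ActiveSupport code. A buffer built from a trusted
# template literal is html_safe; any value interpolated or appended into it
# is escaped unless that value is itself html_safe.
HTML_ESCAPE = { "&" => "&amp;", ">" => "&gt;", "<" => "&lt;",
                '"' => "&quot;", "'" => "&#39;" }.freeze

def html_escape(s)
  s.to_s.gsub(/[&"'><]/, HTML_ESCAPE)
end

class SafeBuffer < String
  def initialize(str = "")
    super
    @html_safe = true
  end

  def html_safe?
    @html_safe
  end

  # Append in place. Plain String#<< would copy the raw bytes; here the
  # argument is escaped first unless it is already a SafeBuffer.
  def concat(value)
    super(escape_arg(value))
  end
  alias << concat

  # Interpolation with a single value, an Array (positional %s) or a Hash
  # (%{name} placeholders, symbol keys as String#% requires). Escaping is
  # done on a new collection, so the caller's arguments are left untouched,
  # and the result is wrapped so it stays html_safe.
  def %(args)
    escaped = case args
              when Hash  then args.transform_values { |v| escape_arg(v) }
              when Array then args.map { |v| escape_arg(v) }
              else escape_arg(args)
              end
    SafeBuffer.new(to_str % escaped)
  end

  private

  def escape_arg(value)
    if value.respond_to?(:html_safe?) && value.html_safe?
      value.to_str
    else
      html_escape(value)
    end
  end
end

# Mark a trusted template fragment as safe (the role String#html_safe plays).
def safe(str)
  SafeBuffer.new(str)
end
```

The point of escaping inside `%` rather than at output time is that the buffer stays html_safe after interpolation, so a view layer that trusts the html_safe flag (as ActionView does) never emits the raw argument.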
* remove unnecessary 'examples' noise (Francesco Rodriguez, 2012-05-11, 1 file, -2/+0)

* String quotes and trailing spaces (Alexey Gaziev, 2012-04-29, 1 file, -5/+5)

* AS core_ext refactoring (Alexey Gaziev, 2012-04-29, 1 file, -8/+13)

* Stop SafeBuffer#clone_empty from issuing warnings (Carlos Antonio da Silva, 2012-03-02, 1 file, -3/+1)
  Logic in clone_empty method was dealing with old @dirty variable, which was changed to @html_safe in this commit:
  https://github.com/rails/rails/commit/139963c99a955520db6373343662e55f4d16dcd1

  This was issuing a "not initialized variable" warning - related to:
  https://github.com/rails/rails/pull/5237

  The logic applied by this method is already handled by the [] override, so there is no need to reset the variable here.

* Ensure [] respects the status of the buffer. (José Valim, 2012-02-29, 1 file, -12/+18)

* delete vulnerable AS::SafeBuffer#[] (Akira Matsuda, 2012-02-20, 1 file, -6/+0)

* add AS::SafeBuffer#clone_empty (Akira Matsuda, 2012-02-20, 1 file, -0/+6)

* revise docs [ci skip] (Vijay Dev, 2012-02-01, 1 file, -1/+1)

* Move escaping regexps to constants (Carlos Antonio da Silva, 2012-02-01, 1 file, -2/+4)

* Move escape_once logic to ERB::Util, where it belongs (Carlos Antonio da Silva, 2012-02-01, 1 file, -0/+15)
  All the logic is based on the HTML_ESCAPE constant available in ERB::Util, so it seems more logical to have the entire method there and just delegate the helper to use it.
* No need to override the to_yaml method in ActiveSupport::SafeBuffer (Rafael Mendonça França, 2012-01-04, 1 file, -5/+0)

* No need to check if YAML::ENGINE is defined since ruby 1.9 does that (Rafael Mendonça França, 2012-01-04, 1 file, -1/+1)

* We don't need a special html_escape for 1.8 anymore (Guillermo Iguaran, 2011-12-21, 1 file, -27/+15)

* Remove duplicate html_escape docs (Jeremy Kemper, 2011-12-11, 1 file, -10/+1)

* Use 1.9 native XML escaping to speed up html_escape and shush regexp warnings (Jeremy Kemper, 2011-12-11, 1 file, -15/+36)
             length       user     system      total        real
    before        6   0.010000   0.000000   0.010000 (  0.012378)
    after         6   0.010000   0.000000   0.010000 (  0.012866)
    before       60   0.040000   0.000000   0.040000 (  0.046273)
    after        60   0.040000   0.000000   0.040000 (  0.036421)
    before      600   0.390000   0.000000   0.390000 (  0.390670)
    after       600   0.210000   0.000000   0.210000 (  0.209094)
    before     6000   3.750000   0.000000   3.750000 (  3.751008)
    after      6000   1.860000   0.000000   1.860000 (  1.857901)

* Restore performance of ERB::Util.html_escape (Jon Jensen, 2011-12-03, 1 file, -1/+1)
  Revert html_escape to do a single gsub again, but add the "n" flag (no language, i.e. not multi-byte) to protect against XSS via invalid utf8

  Signed-off-by: José Valim <jose.valim@gmail.com>
* ruby193: String#prepend is also unsafe (Akira Matsuda, 2011-10-05, 1 file, -1/+1)

* override unsafe methods only if defined on String (Akira Matsuda, 2011-10-05, 1 file, -10/+12)

* remove superfluous to_s in ERB::Util.html_escape (Alexey Vakhov, 2011-09-24, 1 file, -1/+1)

* fix incorrect comment (Vijay Dev, 2011-09-22, 1 file, -1/+1)

* Proper line numbers for stack trace info (Santiago Pastorino, 2011-09-16, 1 file, -1/+1)

* revert the changes from c60995f3 - related to marking sub, gsub as unavailable to use with safe strings (Vijay Dev, 2011-09-09, 1 file, -20/+1)