| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
| |
We sometimes say "✂️ newline after `private`" in a code review (e.g.
https://github.com/rails/rails/pull/18546#discussion_r23188776,
https://github.com/rails/rails/pull/34832#discussion_r244847195).
Now `Layout/EmptyLinesAroundAccessModifier` cop have new enforced style
`EnforcedStyle: only_before` (https://github.com/rubocop-hq/rubocop/pull/7059).
That cop and enforced style will reduce the our code review cost.
|
| |
|
|\
| |
| | |
sub, sub!, gsub, and gsub! should set back references
|
| | |
|
| | |
|
| | |
|
| | |
|
|/ |
|
|
|
|
|
|
|
|
|
|
| |
* Handle more unsafe String methods
* Fix codeclimate issue
* Revert stylistic change
[Janosch Müller + Rafael Mendonça França]
|
|
|
|
|
|
| |
original buffer was safe.
Co-Authored-By: no-itsbackpack <no-itsbackpack@github.com>
|
|
|
| |
[ci skip]
|
|
|
|
| |
This basically reverts 8da30ad6be34339124ba4cb4e36aea260dda12bc
|
|
|
|
|
| |
Instructions to use `h` or `html_escape` in ERB templates were added to
`actionpack/lib/action_view/template_handlers/erb.rb` in a1b0349 (Rails
2.1), but ERB has automatically escaped values since Rails 3.
|
|
|
|
|
|
|
|
|
| |
Don't use remove_method or remove_possible_method just before a new
definition: at best the purpose is unclear, and at worst it creates a
race condition.
Instead, prefer redefine_method when practical, and
silence_redefinition_of_method otherwise.
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
The current code base is not uniform. After some discussion,
we have chosen to go with double quotes by default.
|
| |
|
|
|
|
|
|
| |
s/symantically/semantically/
[ci skip]
|
|
|
|
|
|
|
|
| |
For better or worse, anonymous `*` args will allocate arrays. Ideally,
the interpreter would optimize away this allocation. However, given the
number of times we call `html_safe` it seems worth the shedding idealism
and going for performance. This line was the top allocation spot for a
scaffold (and presumably worse on real applications).
|
|
|
|
|
|
|
| |
[ci skip]
Fixes #20808
[Vipul A M & Julio Lopez]
|
| |
|
|\
| |
| |
| | |
Handle invalid UTF-8 strings when HTML escaping
|
| |
| |
| |
| |
| |
| |
| | |
Use `ActiveSupport::Multibyte::Unicode.tidy_bytes` to handle invalid UTF-8
strings in `ERB::Util.unwrapped_html_escape` and `ERB::Util.html_escape_once`.
Prevents user-entered input passed from a querystring into a form field from
causing invalid byte sequence errors.
|
|/
|
|
| |
[ci skip]
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
`coder.represent_scalar` means something along the lines of "Here is a quoted
string, you can just add it to the output", which is not the case here. It only
works for simple strings that can appear unquoted in YAML, but causes problems
for e.g. primitive-like strings ("1", "true").
`coder.represent_object` on the other hand, means that "This is the Ruby-object
representation for this thing suitable for use in YAML dumping", which is what
we want here.
Before:
YAML.load ActiveSupport::SafeBuffer.new("Hello").to_yaml # => "Hello"
YAML.load ActiveSupport::SafeBuffer.new("true").to_yaml # => true
YAML.load ActiveSupport::SafeBuffer.new("false").to_yaml # => false
YAML.load ActiveSupport::SafeBuffer.new("1").to_yaml # => 1
YAML.load ActiveSupport::SafeBuffer.new("1.1").to_yaml # => 1.1
After:
YAML.load ActiveSupport::SafeBuffer.new("Hello").to_yaml # => "Hello"
YAML.load ActiveSupport::SafeBuffer.new("true").to_yaml # => "true"
YAML.load ActiveSupport::SafeBuffer.new("false").to_yaml # => "false"
YAML.load ActiveSupport::SafeBuffer.new("1").to_yaml # => "1"
YAML.load ActiveSupport::SafeBuffer.new("1.1").to_yaml # => "1.1"
If we ever want Ruby to behave more like PHP or JavaScript though, this is an
excellent trick to use ;)
|
|\
| |
| | |
Amended json_escape comments
|
| |
| |
| |
| | |
still be html_escaped if being inserted ingot he DOM via JQuery's html() method.
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
the object being accessed currently returns `html_safe?` as true,
we used to set `@html_safe` variable as true on new object created. When doing something like
x = 'Hello'.html_safe
x[/a/, 1]
would throw an error on ruby 2.2, since when nothign gets matched nil is returned by the code and it tries to set `@html_safe` value to true,
which would error since starting 2.2 nil is frozen.
This change adds a safety net to avoid setting `@html_safe = true` on frozen objects.
Fixes #18235
|
| |
| |
| |
| |
| |
| | |
It should be part of the documented public API, since we have an entire
section of the guides dedicated to it. Documented in a way that
addresses the concerns which kept it undocumented in the past.
|
| | |
|
| | |
|
| |
| |
| |
| | |
(This is a manual merge of #9102)
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
before this change, we were allocating AS::SafeBuffer objects that were
being interpolated in to a string, so the safe buffer object was being
thrown away. This change only allocates a string (vs a string *and* a
safebuffer) and interpolates the string.
On my test application, this reduced the AS::SafeBuffer objects from
1527k per request to about 500 per request.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
html_escape_interpolated_argument is only used in mutation methods:
https://github.com/rails/rails/blob/c07d09559ec171e1904b55c7ad7e8c7d586ca51b/activesupport/lib/active_support/core_ext/string/output_safety.rb#L174
https://github.com/rails/rails/blob/c07d09559ec171e1904b55c7ad7e8c7d586ca51b/activesupport/lib/active_support/core_ext/string/output_safety.rb#L179
The return value doesn't need to be converted to an AS::SafeBuffer since
we know that the current object is an AS::SafeBuffer and will be
mutated, and the return value from html_escape_interpolated_argument
will be thrown away
|
| | |
|
| |
| |
| |
| |
| | |
Change to require all active_support/deprecation since that's the actual
entry point for the deprecation methods.
|
| | |
|
|/
|
|
|
|
|
| |
Make `#prepend` method modify instance in-place and return self
instead of just returning modified value. That is exactly what
`#prepend!` method was doing previously, so it's deprecated from
now on.
|
|
|
|
|
|
|
|
| |
The behavior of json_escape was fixed in 2f1c5789, but the doc
changes and example in that commit incorrectly indicated that the
return value would be html-safe. Since quotation marks are
preserved, the raw value is not safe to use in other contexts
(specifically HTML attributes).
|
|
|
|
|
|
|
|
|
| |
Interpolation was untested and did not work with hash arguments.
Adds
- support for interpolation with hash argument
- tests for the above
- tests for safe/unsafe interpolation
|
| |
|
| |
|