path: root/activesupport/lib/active_support/core_ext/string/output_safety.rb
Log entries: commit message, followed by author, date, files changed, and lines -removed/+added.

* ruby193: String#prepend is also unsafe
  Akira Matsuda, 2011-10-05, 1 file, -1/+1

* override unsafe methods only if defined on String
  Akira Matsuda, 2011-10-05, 1 file, -10/+12

* remove superfluous to_s in ERB::Util.html_escape
  Alexey Vakhov, 2011-09-24, 1 file, -1/+1

* fix incorrect comment
  Vijay Dev, 2011-09-22, 1 file, -1/+1

* Proper line numbers for stack trace info
  Santiago Pastorino, 2011-09-16, 1 file, -1/+1

* revert the changes from c60995f3 - related to marking sub, gsub as unavailable to use with safe strings
  Vijay Dev, 2011-09-09, 1 file, -20/+1

* Revert removing gsub and sub from safe buffer.
  José Valim, 2011-09-08, 1 file, -3/+3

* this should have gone with the previous commit
  Xavier Noria, 2011-09-08, 1 file, -4/+4

* copy-edits a couple of exception messages
  Xavier Noria, 2011-09-08, 1 file, -4/+4
  "Safe Buffer" should either be the constant with the class name, or go in lower case. I've chosen to follow the same terminology that is used in the AS core extension guide, "safe string"; though "safe buffer" is also used elsewhere, we should pick one.

* better method documentation on disable safe string methods
  Damien Mathieu, 2011-09-08, 1 file, -6/+12

* make gsub and sub unavailable in SafeBuffers - Closes #1555
  Damien Mathieu, 2011-09-08, 1 file, -3/+16

* properly escape html to avoid invalid utf8 causing XSS attacks
  Aaron Patterson, 2011-08-16, 1 file, -1/+1

* Reset @dirty to false when slicing an instance of SafeBuffer
  Brian Cardarella, 2011-07-29, 1 file, -0/+6

* Merge branch 'master' of git://github.com/lifo/docrails
  Xavier Noria, 2011-07-05, 1 file, -8/+8

* document meta methods
  Vijay Dev, 2011-07-03, 1 file, -8/+8 (on the merged docrails branch)

* all numerics should be html_safe - Closes #1935
  Damien Mathieu, 2011-07-03, 1 file, -1/+1

* calling unsafe methods which don't return a string shouldn't fail
  Damien Mathieu, 2011-06-22, 1 file, -2/+2

* safe_concat should not work on dirty buffers.
  José Valim, 2011-06-16, 1 file, -4/+13

* Fix safe buffer by adding a dirty status.
  José Valim, 2011-06-16, 1 file, -12/+24

* Define ActiveSupport#to_param as to_str - closes #1663
  Andrew White, 2011-06-12, 1 file, -0/+4

* ensuring that json_escape returns html safe strings when passed an html safe string
  Aaron Patterson, 2011-06-09, 1 file, -1/+2

* Prefer 'each' over 'for in' syntax.
  Sebastian Martinez, 2011-06-07, 1 file, -1/+1

* Ensure that the strings returned by SafeBuffer#gsub and friends aren't considered html_safe?
  Michael Koziarski, 2011-06-07, 1 file, -0/+13
  Also make sure that the versions of those methods which modify a string in place, such as gsub!, can't be called on safe buffers at all.
  Conflicts: activesupport/test/safe_buffer_test.rb

* Revert "Merge pull request #275 from pk-amooma/master"
  José Valim, 2011-05-07, 1 file, -2/+2
  Several AP tests fail after this change. This reverts commit aaf01cd53718c8aa5b69ac056b997e6dd9893777, reversing changes made to 9cc18c52faeebaad6a76bd62cdca1c6b9f96afed.

* for escaping HTML can be treated as normal XML
  Philipp Kempgen (Amooma), 2011-04-14, 1 file, -2/+2

* properly escape "'" to "'" for XML/HTML (BTW Erubis does that as well)
  Philipp Kempgen (Amooma), 2011-04-14, 1 file, -2/+2

* s/ERb/ERB/g
  Akira Matsuda, 2011-04-03, 1 file, -1/+1
  The author of ERB says his eRuby implementation was originally named "ERb/ERbLight" and then renamed to "ERB" when it started being bundled as a Ruby standard lib. http://www2a.biglobe.ne.jp/~seki/ruby/erb.html

* Active Support typos.
  R.T. Lechow, 2011-03-05, 1 file, -1/+1

* Removed Array#safe_join in AS core_ext and moved it to a view helper with the same name.
  Josh Kalderimis, 2011-02-10, 1 file, -31/+0
  This also changes how safe_join works: if items or the separator are not html_safe they are html_escape'd; an html_safe string is always returned.
  Signed-off-by: José Valim <jose.valim@gmail.com>

* Revert "Removed Array#safe_join in AS core_ext and moved it to a view helper with the same name."
  José Valim, 2011-02-10, 1 file, -0/+31
  Applied the wrong version. This reverts commit 98c0c5db50a7679b3d58769ac22cb0a27a62c930.

* Removed Array#safe_join in AS core_ext and moved it to a view helper with the same name.
  Josh Kalderimis, 2011-02-10, 1 file, -31/+0

* Corrected the html_safe implementation for Array. Moved the html safe version of join to its own method (safe_join) so as not to degrade the performance of join for unrelated html_safe use. [#6298 state:resolved]
  Josh Kalderimis, 2011-02-10, 1 file, -7/+22

* Initial html_safe implementation for Array
  Paul Hieromnimon, 2011-02-10, 1 file, -0/+16

* make sure we play nicely when syck is activated
  Aaron Patterson, 2011-01-28, 1 file, -5/+8

* Psych correctly gets visitor for SafeBuffer from superclass
  brainopia, 2011-01-28, 1 file, -2/+5

* applies API conventions to the RDoc of json_encode
  Xavier Noria, 2010-11-20, 1 file, -10/+12
  - Examples running with the text are preferred over separate Example sections.
  - No need to call puts; in # => we show the return value, not STDOUT.
  - Say explicitly that double quotes are removed.
  - Specify that we are talking \uXXX, rather than, say, HTML entities.

* Make safe_append= live on AV::OutputBuffer not AS::SafeBuffer
  Michael Koziarski, 2010-11-08, 1 file, -1/+0
  Conflicts: actionpack/lib/action_view/template/handlers/erb.rb

* Added support for Erubis <%== tag
  Jan Maurits Faber, 2010-11-08, 1 file, -0/+1
  <%== x %> is syntactic sugar for <%= raw(x) %>
  Signed-off-by: Michael Koziarski <michael@koziarski.com>
  [#5918 status:committed]

* Merge branch 'master' of git://github.com/lifo/docrails
  Xavier Noria, 2010-10-19, 1 file, -0/+6

* json_escape makes json invalid doc change [#1485 state:resolved]
  Neeraj Singh, 2010-10-16, 1 file, -0/+6 (on the merged docrails branch)

* explains why ERB::Util#h is removed before being re-aliased
  Xavier Noria, 2010-10-18, 1 file, -0/+1

* moves Object#singleton_class to Kernel#singleton_class to match Ruby also there, same for #class_eval to simplify, and adds coverage for class_eval
  Xavier Noria, 2010-04-05, 1 file, -1/+1

* Require AS singleton_class code in AS output_safety
  snusnu, 2010-03-17, 1 file, -1/+2
  Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>

* Remove some 1.9 warnings (resulting in some fixed bugs). Remaining AM warnings are in dependencies.
  wycats, 2010-03-17, 1 file, -2/+4

* to_str works here
  Jeremy Kemper, 2010-03-15, 1 file, -5/+1

* Be sure to pass through args to to_yaml
  Jeremy Kemper, 2010-03-11, 1 file, -2/+2

* Write strings to fragment cache, not output buffers
  Jeremy Kemper, 2010-03-11, 1 file, -1/+5

* OutputBuffer#to_yaml should return string yaml, not some custom class dump
  Jeremy Kemper, 2010-03-11, 1 file, -0/+4

* Making SafeBuffer << an alias for concat method
  Santiago Pastorino, 2010-02-05, 1 file, -5/+2
  [#3848 state:committed]
  Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>

* For performance reasons, you can no longer call html_safe! on Strings.
  Yehuda Katz, 2010-01-31, 1 file, -21/+85
  Instead, all Strings are always not html_safe?. Instead, you can get a SafeBuffer from a String by calling #html_safe, which will SafeBuffer.new(self).
  - Additionally, instead of doing concat("</form>".html_safe), you can do safe_concat("</form>"), which will skip both the flag set and the flag check.
  - For the first pass, I converted virtually all #html_safe!s to #html_safe, and the tests pass. A further optimization would be to try to use #safe_concat as much as possible, reducing the performance impact if we know up front that a String is safe.
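The output-safety model that several of these entries describe, as an added worked example that is this editor's own code and not the ActiveSupport source: String#html_safe yielding a SafeBuffer and safe_concat skipping the escape (Yehuda Katz, 2010-01-31), the dirty status and safe_concat refusing dirty buffers (José Valim, 2011-06-16), gsub and friends returning strings that are not html_safe? (Michael Koziarski, 2011-06-07), numerics being html_safe (2011-07-03), overriding unsafe methods only if String defines them (2011-10-05), and escaping that survives invalid UTF-8 input (2011-08-16). Assumed, because the page does not show them: Ruby 2.1 or newer for String#scrub, the &#x27; entity for the single quote, the exact list of unsafe methods, the SafeConcatError name, and the constructed sample input in demo.

```ruby
# Added example, not the ActiveSupport source: a compact model of the "safe
# string" behaviour the log describes. Assumes Ruby >= 2.1 (String#scrub) and
# the &#x27; entity for "'", which the page does not show.
module OutputSafety
  HTML_ESCAPE = { '&' => '&amp;', '>' => '&gt;', '<' => '&lt;',
                  '"' => '&quot;', "'" => '&#x27;' }.freeze
  HTML_ESCAPE_RE = /[&"'<>]/

  # Escape a value unless it is already marked safe. An invalid byte sequence
  # would make gsub raise, so it is scrubbed first (this example's choice for
  # the failure mode the 2011-08-16 entry names).
  def self.html_escape(s)
    s = s.to_s
    return s if s.html_safe?
    s = s.scrub unless s.valid_encoding?
    SafeBuffer.new(s.gsub(HTML_ESCAPE_RE) { |c| HTML_ESCAPE[c] })
  end

  class SafeBuffer < String
    class SafeConcatError < StandardError; end

    # Methods whose result rearranges the receiver or splices in caller text.
    UNSAFE_STRING_METHODS = %w[
      capitalize chomp chop delete downcase gsub lstrip next reverse rstrip
      slice squeeze strip sub succ swapcase tr tr_s upcase prepend
    ].freeze

    alias_method :original_concat, :concat   # String#concat, kept for safe_concat

    def initialize(*)
      @dirty = false   # dup copies the ivar, so copies inherit dirtiness
      super
    end

    def dirty?;     @dirty;  end
    def html_safe?; !dirty?; end
    def html_safe;  self;    end
    def to_s;       self;    end

    # Unsafe values are escaped on the way in. A dirty buffer is untrusted as
    # a whole (it gets escaped when rendered), so nothing is escaped into it.
    def concat(value)
      value = OutputSafety.html_escape(value) unless dirty? || value.html_safe?
      original_concat(value.to_s)
    end
    alias_method :<<, :concat

    # Append a literal the caller vouches for; refused once the buffer is dirty.
    def safe_concat(value)
      raise SafeConcatError, 'buffer is not html safe' if dirty?
      original_concat(value)
    end

    UNSAFE_STRING_METHODS.each do |unsafe_method|
      next unless String.method_defined?(unsafe_method)  # e.g. prepend: 1.9.3+
      # Non-bang form runs on a plain String copy, so it returns a plain
      # String for which html_safe? is false.
      define_method(unsafe_method) do |*args, &block|
        to_str.public_send(unsafe_method, *args, &block)
      end
      bang = "#{unsafe_method}!"
      next unless String.method_defined?(bang)
      # Bang form mutates in place, so the buffer itself becomes dirty.
      define_method(bang) do |*args, &block|
        @dirty = true
        super(*args, &block)
      end
    end
  end

  # Worked run over a constructed untrusted input; returns the observations
  # rather than printing them.
  def self.demo
    untrusted = %q(<script>alert("x")</script>)         # constructed form input
    buf = ''.html_safe                                  # empty output buffer
    buf << untrusted                                    # unsafe: escaped on append
    buf.safe_concat('<b>')                              # literal markup, trusted
    buf << '</b>'.html_safe                             # already safe: verbatim
    substituted = buf.gsub('&lt;', '<')                 # non-bang: plain String
    bad = "\xff<i>".dup.force_encoding(Encoding::UTF_8) # invalid UTF-8 input
    clone = buf.dup
    clone.sub!('<b>', '<strong>')                       # bang: clone is now dirty
    refused = begin
      clone.safe_concat('</strong>'); nil
    rescue SafeBuffer::SafeConcatError => e
      e.class
    end
    { rendered: buf.to_str, buf_safe: buf.html_safe?,
      gsub_class: substituted.class, gsub_safe: substituted.html_safe?,
      scrubbed: html_escape(bad).to_str, numeric_safe: 42.html_safe?,
      dirty_after_bang: clone.dirty?, dirty_refuses: refused }
  end
end

# Core-class hooks the log mentions: String#html_safe and "all numerics should
# be html_safe"; every other object answers false.
class Object;  def html_safe?; false; end; end
class Numeric; def html_safe?; true;  end; end
class String;  def html_safe; OutputSafety::SafeBuffer.new(self); end; end
```

Calling `OutputSafety.demo` shows the property the log's back-and-forth on gsub and sub was protecting: once a value leaves a SafeBuffer through a method that builds a new string, it comes back as a plain String and gets escaped again on the next append, while an in-place bang method taints the buffer itself so that safe_concat refuses it. The point of to_str in the non-bang overrides is that String#to_str on a subclass instance returns a plain String, which is why redefining to_s on SafeBuffer does not interfere.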