aboutsummaryrefslogtreecommitdiffstats
path: root/activesupport/lib/active_support/core_ext/string/output_safety.rb
Commit message (Collapse)AuthorAgeFilesLines
* Enable `Layout/EmptyLinesAroundAccessModifier` copRyuta Kamizono2019-06-131-1/+0
| | | | | | | | | | | We sometimes say "✂️ newline after `private`" in a code review (e.g. https://github.com/rails/rails/pull/18546#discussion_r23188776, https://github.com/rails/rails/pull/34832#discussion_r244847195). Now `Layout/EmptyLinesAroundAccessModifier` cop have new enforced style `EnforcedStyle: only_before` (https://github.com/rubocop-hq/rubocop/pull/7059). That cop and enforced style will reduce the our code review cost.
* Preserve html_safe? status on ActiveSupport::SafeBuffer#*r7kamura2019-04-191-0/+6
|
* Merge pull request #34405 from shugo/safe_buffer_backref_fixMatthew Draper2019-03-281-2/+37
|\ | | | | sub, sub!, gsub, and gsub! should set back references
| * Eliminate a thread local variable as suggested by nobuShugo Maeda2019-02-141-8/+1
| |
| * Remove trailing spaceShugo Maeda2018-11-081-1/+1
| |
| * Add a commented code example of what will be producedShugo Maeda2018-11-081-22/+22
| |
| * sub, sub!, gsub, and gsub! should set back referencesShugo Maeda2018-11-081-2/+44
| |
* | support slice assignment on SafeBufferRichard Monette2019-03-131-2/+6
|/
* Handle more unsafe String methods (#33990)Janosch Müller2018-09-271-2/+15
| | | | | | | | | | * Handle more unsafe String methods * Fix codeclimate issue * Revert stylistic change [Janosch Müller + Rafael Mendonça França]
* SafeBuffer should maintain safety upon getting a slice via a range if ↵Yumin Wong2018-08-311-3/+1
| | | | | | original buffer was safe. Co-Authored-By: no-itsbackpack <no-itsbackpack@github.com>
* Update incorrect backtick usage in RDoc to teletypeT.J. Schuck2017-11-221-1/+1
| | | [ci skip]
* [Active Support] require_relative => requireAkira Matsuda2017-10-211-3/+3
| | | | This basically reverts 8da30ad6be34339124ba4cb4e36aea260dda12bc
* Remove obsolete documentation [ci skip]Max Felsher2017-10-191-3/+0
| | | | | Instructions to use `h` or `html_escape` in ERB templates were added to `actionpack/lib/action_view/template_handlers/erb.rb` in a1b0349 (Rails 2.1), but ERB has automatically escaped values since Rails 3.
* Clarify intentions around method redefinitionsMatthew Draper2017-09-011-3/+3
| | | | | | | | | Don't use remove_method or remove_possible_method just before a new definition: at best the purpose is unclear, and at worst it creates a race condition. Instead, prefer redefine_method when practical, and silence_redefinition_of_method otherwise.
* [Active Support] `rubocop -a --only Layout/EmptyLineAfterMagicComment`Koichi ITO2017-07-111-0/+1
|
* Use frozen-string-literal in ActiveSupportKir Shatrov2017-07-091-0/+1
|
* [Active Support] require => require_relativeAkira Matsuda2017-07-011-2/+2
|
* :golf: else + if = elsifAkira Matsuda2017-01-171-10/+8
|
* Add more rubocop rules about whitespacesRafael Mendonça França2016-10-291-1/+1
|
* normalizes indentation and whitespace across the projectXavier Noria2016-08-061-3/+3
|
* applies new string literal convention in activesupport/libXavier Noria2016-08-061-7/+7
| | | | | The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.
* Missing require 'active_support/multibyte/unicode'Akira Matsuda2016-07-121-0/+1
|
* s/responsibilty/responsibility/Vipul A M2016-03-221-1/+1
| | | | | | s/symantically/semantically/ [ci skip]
* drop array allocations on `html_safe`Aaron Patterson2016-02-081-1/+1
| | | | | | | | For better or worse, anonymous `*` args will allocate arrays. Ideally, the interpreter would optimize away this allocation. However, given the number of times we call `html_safe` it seems worth the shedding idealism and going for performance. This line was the top allocation spot for a scaffold (and presumably worse on real applications).
* Fix nodoc to internal class error document some of themVipul A M2016-01-251-0/+1
| | | | | | | [ci skip] Fixes #20808 [Vipul A M & Julio Lopez]
* Use CGI.escapeHTML for html escapeTakashi Kokubun2015-12-211-4/+2
|
* Merge pull request #19992 from greysteil/handle-invalid-utf8-in-html-escapeSean Griffin2015-10-201-2/+2
|\ | | | | | | Handle invalid UTF-8 strings when HTML escaping
| * Handle invalid UTF-8 strings when HTML escapingGrey Baker2015-06-081-2/+2
| | | | | | | | | | | | | | Use `ActiveSupport::Multibyte::Unicode.tidy_bytes` to handle invalid UTF-8 strings in `ERB::Util.unwrapped_html_escape` and `ERB::Util.html_escape_once`. Prevents user-entered input passed from a querystring into a form field from causing invalid byte sequence errors.
* | s/JQuery/jQuery/Akira Matsuda2015-09-181-1/+1
|/ | | | [ci skip]
* [ci skip] Add space after erb block.yui-knk2015-03-121-1/+1
|
* Properly dump primitive-like AS::SafeBuffer strings as YAMLGodfrey Chan2015-02-111-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `coder.represent_scalar` means something along the lines of "Here is a quoted string, you can just add it to the output", which is not the case here. It only works for simple strings that can appear unquoted in YAML, but causes problems for e.g. primitive-like strings ("1", "true"). `coder.represent_object` on the other hand, means that "This is the Ruby-object representation for this thing suitable for use in YAML dumping", which is what we want here. Before: YAML.load ActiveSupport::SafeBuffer.new("Hello").to_yaml # => "Hello" YAML.load ActiveSupport::SafeBuffer.new("true").to_yaml # => true YAML.load ActiveSupport::SafeBuffer.new("false").to_yaml # => false YAML.load ActiveSupport::SafeBuffer.new("1").to_yaml # => 1 YAML.load ActiveSupport::SafeBuffer.new("1.1").to_yaml # => 1.1 After: YAML.load ActiveSupport::SafeBuffer.new("Hello").to_yaml # => "Hello" YAML.load ActiveSupport::SafeBuffer.new("true").to_yaml # => "true" YAML.load ActiveSupport::SafeBuffer.new("false").to_yaml # => "false" YAML.load ActiveSupport::SafeBuffer.new("1").to_yaml # => "1" YAML.load ActiveSupport::SafeBuffer.new("1.1").to_yaml # => "1.1" If we ever want Ruby to behave more like PHP or JavaScript though, this is an excellent trick to use ;)
* Merge pull request #14028 from uberllama/json_escape_commentsRafael Mendonça França2015-02-061-0/+5
|\ | | | | Amended json_escape comments
| * Amended json_escape comment to clarify that user-generated content must ↵Yuval Kordov2014-02-121-0/+5
| | | | | | | | still be html_escaped if being inserted ingot he DOM via JQuery's html() method.
* | Remove deprecated `ActiveSupport::SafeBuffer#prepend`Rafael Mendonça França2015-01-041-6/+0
| |
* | Just check if the buffer exists before changing itRafael Mendonça França2014-12-291-1/+3
| |
* | When trying to access a character on a string buffer object via `:[]`, if ↵Vipul A M2014-12-291-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | the object being accessed currently returns `html_safe?` as true, we used to set `@html_safe` variable as true on new object created. When doing something like x = 'Hello'.html_safe x[/a/, 1] would throw an error on ruby 2.2, since when nothign gets matched nil is returned by the code and it tries to set `@html_safe` value to true, which would error since starting 2.2 nil is frozen. This change adds a safety net to avoid setting `@html_safe = true` on frozen objects. Fixes #18235
* | Document `String#html_safe` [ci skip]Sean Griffin2014-11-241-0/+5
| | | | | | | | | | | | It should be part of the documented public API, since we have an entire section of the guides dedicated to it. Documented in a way that addresses the concerns which kept it undocumented in the past.
* | instance_eval is evilAkira Matsuda2014-10-251-1/+1
| |
* | The hex escape sequence can be of any lengthGodfrey Chan2014-07-021-1/+1
| |
* | Fix escape_once double-escaping hex-encoded entitiesJohn F. Douthat2014-07-021-1/+1
| | | | | | | | (This is a manual merge of #9102)
* | drastically reduce object allocationsAaron Patterson2014-06-021-6/+13
| | | | | | | | | | | | | | | | | | | | before this change, we were allocating AS::SafeBuffer objects that were being interpolated in to a string, so the safe buffer object was being thrown away. This change only allocates a string (vs a string *and* a safebuffer) and interpolates the string. On my test application, this reduced the AS::SafeBuffer objects from 1527k per request to about 500 per request.
* | reduce AS::SafeBuffer allocationsAaron Patterson2014-06-021-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | html_escape_interpolated_argument is only used in mutation methods: https://github.com/rails/rails/blob/c07d09559ec171e1904b55c7ad7e8c7d586ca51b/activesupport/lib/active_support/core_ext/string/output_safety.rb#L174 https://github.com/rails/rails/blob/c07d09559ec171e1904b55c7ad7e8c7d586ca51b/activesupport/lib/active_support/core_ext/string/output_safety.rb#L179 The return value doesn't need to be converted to an AS::SafeBuffer since we know that the current object is an AS::SafeBuffer and will be mutated, and the return value from html_escape_interpolated_argument will be thrown away
* | concat is a hotspot (via AV#append=), so just directly define the methodsAaron Patterson2014-06-021-4/+6
| |
* | Move require to actual fileCarlos Antonio da Silva2014-04-021-0/+1
| | | | | | | | | | Change to require all active_support/deprecation since that's the actual entry point for the deprecation methods.
* | DRY AS::SafeBuffer a bit using existing helperPavel Pravosud2014-04-021-5/+1
| |
* | Make AS::SafeBuffer#prepend act like String#prependPavel Pravosud2014-03-311-6/+13
|/ | | | | | | Make `#prepend` method modify instance in-place and return self instead of just returning modified value. That is exactly what `#prepend!` method was doing previously, so it's deprecated from now on.
* Clarify behavior of json_escape, update examplesJon Jensen2014-01-091-12/+12
| | | | | | | | The behavior of json_escape was fixed in 2f1c5789, but the doc changes and example in that commit incorrectly indicated that the return value would be html-safe. Since quotation marks are preserved, the raw value is not safe to use in other contexts (specifically HTML attributes).
* Fixes interpolation on SafeBufferJulien Letessier2013-12-141-7/+12
| | | | | | | | | Interpolation was untested and did not work with hash arguments. Adds - support for interpolation with hash argument - tests for the above - tests for safe/unsafe interpolation
* Review json_escape docs [ci skip]Carlos Antonio da Silva2013-12-041-22/+22
|
* Also move html_esacpe regex to a constant (see 9d25af60)Godfrey Chan2013-12-041-1/+2
|
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-29 09:10:32 +0000