| Commit message | Author | Age | Files | Lines | Notes (commit body) |
|---|---|---|---|---|---|
| ... | | | | | |
| Remove duplicate html_escape docs | Jeremy Kemper | 2011-12-11 | 1 | -10/+1 | |
| Use 1.9 native XML escaping to speed up html_escape and shush regexp warnings | Jeremy Kemper | 2011-12-11 | 1 | -15/+36 | Benchmark from the commit body is reproduced in the table below. |
| Restore performance of ERB::Util.html_escape | Jon Jensen | 2011-12-03 | 1 | -1/+1 | Revert html_escape to do a single gsub again, but add the "n" flag (no language, i.e. not multi-byte) to protect against XSS via invalid utf8. Signed-off-by: José Valim <jose.valim@gmail.com> |
| ruby193: String#prepend is also unsafe | Akira Matsuda | 2011-10-05 | 1 | -1/+1 | |
| override unsafe methods only if defined on String | Akira Matsuda | 2011-10-05 | 1 | -10/+12 | |
| remove superfluous to_s in ERB::Util.html_escape | Alexey Vakhov | 2011-09-24 | 1 | -1/+1 | |
| fix incorrect comment | Vijay Dev | 2011-09-22 | 1 | -1/+1 | |
| Proper line numbers for stack trace info | Santiago Pastorino | 2011-09-16 | 1 | -1/+1 | |
| revert the changes from c60995f3 - related to marking sub,gsub as unavailable to use with safe strings | Vijay Dev | 2011-09-09 | 1 | -20/+1 | |
| Revert removing gsub and sub from safe buffer. | José Valim | 2011-09-08 | 1 | -3/+3 | |
| this should have gone with the previous commit | Xavier Noria | 2011-09-08 | 1 | -4/+4 | |
| copy-edits a couple of exception messages | Xavier Noria | 2011-09-08 | 1 | -4/+4 | "Safe Buffer" should either be the constant with the class name, or go in lower case. I've chosen to follow the same terminology that is used in the AS core extensions guide, "safe string", though "safe buffer" is also used elsewhere; we should pick one. |
| better method documentation on disable safe string methods | Damien Mathieu | 2011-09-08 | 1 | -6/+12 | |
| make gsub and sub unavailable in SafeBuffers - Closes #1555 | Damien Mathieu | 2011-09-08 | 1 | -3/+16 | |
| properly escape html to avoid invalid utf8 causing XSS attacks | Aaron Patterson | 2011-08-16 | 1 | -1/+1 | |
| Reset @dirty to false when slicing an instance of SafeBuffer | Brian Cardarella | 2011-07-29 | 1 | -0/+6 | |
| Merge branch 'master' of git://github.com/lifo/docrails | Xavier Noria | 2011-07-05 | 1 | -8/+8 | |
| document meta methods | Vijay Dev | 2011-07-03 | 1 | -8/+8 | |
| all numerics should be html_safe - Closes #1935 | Damien Mathieu | 2011-07-03 | 1 | -1/+1 | |
| calling unsafe methods which don't return a string shouldn't fail | Damien Mathieu | 2011-06-22 | 1 | -2/+2 | |
| safe_concat should not work on dirty buffers. | José Valim | 2011-06-16 | 1 | -4/+13 | |
| Fix safe buffer by adding a dirty status. | José Valim | 2011-06-16 | 1 | -12/+24 | |
| Define ActiveSupport#to_param as to_str - closes #1663 | Andrew White | 2011-06-12 | 1 | -0/+4 | |
| ensuring that json_escape returns html safe strings when passed an html safe string | Aaron Patterson | 2011-06-09 | 1 | -1/+2 | |
| Prefer 'each' over 'for in' syntax. | Sebastian Martinez | 2011-06-07 | 1 | -1/+1 | |
| Ensure that the strings returned by SafeBuffer#gsub and friends aren't considered html_safe? | Michael Koziarski | 2011-06-07 | 1 | -0/+13 | Also make sure that the versions of those methods which modify a string in place, such as gsub!, can't be called on safe buffers at all. Conflicts: activesupport/test/safe_buffer_test.rb |
| Revert "Merge pull request #275 from pk-amooma/master" | José Valim | 2011-05-07 | 1 | -2/+2 | Several AP tests fail after this change. This reverts commit aaf01cd53718c8aa5b69ac056b997e6dd9893777, reversing changes made to 9cc18c52faeebaad6a76bd62cdca1c6b9f96afed. |
| for escaping HTML can be treated as normal XML | Philipp Kempgen (Amooma) | 2011-04-14 | 1 | -2/+2 | |
| properly escape "'" to "'" for XML/HTML (BTW Erubis does that as well) | Philipp Kempgen (Amooma) | 2011-04-14 | 1 | -2/+2 | |
| s/ERb/ERB/g | Akira Matsuda | 2011-04-03 | 1 | -1/+1 | The author of ERB says his eRuby implementation was originally named "ERb/ERbLight" and then renamed to "ERB" when it started being bundled as a Ruby standard lib. http://www2a.biglobe.ne.jp/~seki/ruby/erb.html |
| Active Support typos. | R.T. Lechow | 2011-03-05 | 1 | -1/+1 | |
| Removed Array#safe_join in AS core_ext and moved it to a view helper with the same name. | Josh Kalderimis | 2011-02-10 | 1 | -31/+0 | This also changes how safe_join works: if items or the separator are not html_safe they are html_escape'd; an html_safe string is always returned. Signed-off-by: José Valim <jose.valim@gmail.com> |
| Revert "Removed Array#safe_join in AS core_ext and moved it to a view helper with the same name." | José Valim | 2011-02-10 | 1 | -0/+31 | Applied the wrong version. This reverts commit 98c0c5db50a7679b3d58769ac22cb0a27a62c930. |
| Removed Array#safe_join in AS core_ext and moved it to a view helper with the same name. | Josh Kalderimis | 2011-02-10 | 1 | -31/+0 | |
| Corrected the html_safe implementation for Array. Moved the html safe version of join to its own method (safe_join) so as not to degrade the performance of join for unrelated html_safe use. [#6298 state:resolved] | Josh Kalderimis | 2011-02-10 | 1 | -7/+22 | |
| Initial html_safe implementation for Array | Paul Hieromnimon | 2011-02-10 | 1 | -0/+16 | |
| make sure we play nicely when syck is activated | Aaron Patterson | 2011-01-28 | 1 | -5/+8 | |
| Psych correctly gets visitor for SafeBuffer from superclass | brainopia | 2011-01-28 | 1 | -2/+5 | |
| applies API conventions to the RDoc of json_encode | Xavier Noria | 2010-11-20 | 1 | -10/+12 | Examples running with the text are preferred over separate Example sections. No need to call puts: in `# =>` we show the return value, not STDOUT. Say explicitly that double quotes are removed. Specify that we are talking \uXXX, rather than, say, HTML entities. |
| Make safe_append= live on AV::OutputBuffer not AS::SafeBuffer | Michael Koziarski | 2010-11-08 | 1 | -1/+0 | Conflicts: actionpack/lib/action_view/template/handlers/erb.rb |
| Added support for Erubis `<%==` tag | Jan Maurits Faber | 2010-11-08 | 1 | -0/+1 | `<%== x %>` is syntactic sugar for `<%= raw(x) %>`. Signed-off-by: Michael Koziarski <michael@koziarski.com> [#5918 status:committed] |
| Merge branch 'master' of git://github.com/lifo/docrails | Xavier Noria | 2010-10-19 | 1 | -0/+6 | |
| json_escape makes json invalid doc change [#1485 state:resolved] | Neeraj Singh | 2010-10-16 | 1 | -0/+6 | |
| explains why ERB::Util#h is removed before being re-aliased | Xavier Noria | 2010-10-18 | 1 | -0/+1 | |
| moves Object#singleton_class to Kernel#singleton_class to match Ruby also there, same for #class_eval to simplify, and adds coverage for class_eval | Xavier Noria | 2010-04-05 | 1 | -1/+1 | |
| Require AS singleton_class code in AS output_safety | snusnu | 2010-03-17 | 1 | -1/+2 | Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net> |
| Remove some 1.9 warnings (resulting in some fixed bugs). Remaining AM warnings are in dependencies. | wycats | 2010-03-17 | 1 | -2/+4 | |
| to_str works here | Jeremy Kemper | 2010-03-15 | 1 | -5/+1 | |
| Be sure to pass through args to to_yaml | Jeremy Kemper | 2010-03-11 | 1 | -2/+2 | |
| Write strings to fragment cache, not outputbuffers | Jeremy Kemper | 2010-03-11 | 1 | -1/+5 | |

Benchmark from the commit body of "Use 1.9 native XML escaping to speed up html_escape and shush regexp warnings" (timings in seconds, before and after the change, by input length):

| Variant | Length | user | system | total | real |
|---|---|---|---|---|---|
| before | 6 | 0.010000 | 0.000000 | 0.010000 | (0.012378) |
| after | 6 | 0.010000 | 0.000000 | 0.010000 | (0.012866) |
| before | 60 | 0.040000 | 0.000000 | 0.040000 | (0.046273) |
| after | 60 | 0.040000 | 0.000000 | 0.040000 | (0.036421) |
| before | 600 | 0.390000 | 0.000000 | 0.390000 | (0.390670) |
| after | 600 | 0.210000 | 0.000000 | 0.210000 | (0.209094) |
| before | 6000 | 3.750000 | 0.000000 | 3.750000 | (3.751008) |
| after | 6000 | 1.860000 | 0.000000 | 1.860000 | (1.857901) |