Commit message | Author | Age | Files | Lines
---|---|---|---|---
Call String#gsub with Hash directly | Aman Gupta | 2013-03-04 | 1 | -2/+2
Merge branch 'master' of github.com:lifo/docrails | Vijay Dev | 2012-09-21 | 1 | -1/+0
Conflicts: actionmailer/lib/action_mailer/base.rb, activesupport/lib/active_support/configurable.rb, activesupport/lib/active_support/core_ext/module/deprecation.rb, guides/source/action_controller_overview.md, guides/source/active_support_core_extensions.md, guides/source/ajax_on_rails.textile, guides/source/association_basics.textile, guides/source/upgrading_ruby_on_rails.md. While resolving conflicts, I have chosen to ignore changes done in docrails at some places - these will be most likely 1.9 hash syntax changes. | | | |
update AS/core_ext docs [ci skip] | Francesco Rodriguez | 2012-09-12 | 1 | -1/+0
' dates back to SGML when ' was introduced in HTML 4.0 | Kalys Osmonov | 2012-09-09 | 1 | -1/+1
Merge pull request #3578 from amatsuda/remove_j_alias_for_json_escape | Rafael Mendonça França | 2012-08-21 | 1 | -7/+0
Remove j alias for ERB::Util.json_escape | | | |
Remove j alias for ERB::Util.json_escape | Akira Matsuda | 2011-11-09 | 1 | -7/+0
html_escape should escape single quotes | Santiago Pastorino | 2012-07-31 | 1 | -3/+3
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content Closes #7215 | | | |
doesn't modify params in SafeBuffer#% | Vasiliy Ermolovich | 2012-05-18 | 1 | -3/+1
fix safe string interpolation with SafeBuffer#%, closes #6352 | Vasiliy Ermolovich | 2012-05-16 | 1 | -0/+14
remove unnecessary 'examples' noise | Francesco Rodriguez | 2012-05-11 | 1 | -2/+0
String quotes and trailing spaces | Alexey Gaziev | 2012-04-29 | 1 | -5/+5
AS core_ext refactoring | Alexey Gaziev | 2012-04-29 | 1 | -8/+13
Stop SafeBuffer#clone_empty from issuing warnings | Carlos Antonio da Silva | 2012-03-02 | 1 | -3/+1
Logic in clone_empty method was dealing with old @dirty variable, which has changed by @html_safe in this commit: https://github.com/rails/rails/commit/139963c99a955520db6373343662e55f4d16dcd1 This was issuing a "not initialized variable" warning - related to: https://github.com/rails/rails/pull/5237 The logic applied by this method is already handled by the [] override, so there is no need to reset the variable here. | | | |
Ensure [] respects the status of the buffer. | José Valim | 2012-02-29 | 1 | -12/+18
delete vulnerable AS::SafeBuffer#[] | Akira Matsuda | 2012-02-20 | 1 | -6/+0
add AS::SafeBuffer#clone_empty | Akira Matsuda | 2012-02-20 | 1 | -0/+6
revise docs [ci skip] | Vijay Dev | 2012-02-01 | 1 | -1/+1
Move escaping regexps to constants | Carlos Antonio da Silva | 2012-02-01 | 1 | -2/+4
Move escape_once logic to ERB::Util, where it belongs | Carlos Antonio da Silva | 2012-02-01 | 1 | -0/+15
All the logic is based on the HTML_ESCAPE constant available in ERB::Util, so it seems more logical to have the entire method there and just delegate the helper to use it. | | | |
No need to override the to_yaml method in ActiveSupport::SafeBuffer | Rafael Mendonça França | 2012-01-04 | 1 | -5/+0
No need to check if YAML::ENGINE is defined since ruby 1.9 does that | Rafael Mendonça França | 2012-01-04 | 1 | -1/+1
We don't need a special html_escape for 1.8 anymore | Guillermo Iguaran | 2011-12-21 | 1 | -27/+15
Remove duplicate html_escape docs | Jeremy Kemper | 2011-12-11 | 1 | -10/+1
Use 1.9 native XML escaping to speed up html_escape and shush regexp warnings | Jeremy Kemper | 2011-12-11 | 1 | -15/+36
length / user / system / total / real: before 6: 0.010000 0.000000 0.010000 (0.012378); after 6: 0.010000 0.000000 0.010000 (0.012866); before 60: 0.040000 0.000000 0.040000 (0.046273); after 60: 0.040000 0.000000 0.040000 (0.036421); before 600: 0.390000 0.000000 0.390000 (0.390670); after 600: 0.210000 0.000000 0.210000 (0.209094); before 6000: 3.750000 0.000000 3.750000 (3.751008); after 6000: 1.860000 0.000000 1.860000 (1.857901) | | | |
Restore performance of ERB::Util.html_escape | Jon Jensen | 2011-12-03 | 1 | -1/+1
Revert html_escape to do a single gsub again, but add the "n" flag (no language, i.e. not multi-byte) to protect against XSS via invalid utf8. Signed-off-by: José Valim <jose.valim@gmail.com> | | | |
ruby193: String#prepend is also unsafe | Akira Matsuda | 2011-10-05 | 1 | -1/+1
override unsafe methods only if defined on String | Akira Matsuda | 2011-10-05 | 1 | -10/+12
remove superfluous to_s in ERB::Util.html_escape | Alexey Vakhov | 2011-09-24 | 1 | -1/+1
fix incorrect comment | Vijay Dev | 2011-09-22 | 1 | -1/+1
Proper line numbers for stack trace info | Santiago Pastorino | 2011-09-16 | 1 | -1/+1
revert the changes from c60995f3 - related to marking sub, gsub as unavailable to use with safe strings | Vijay Dev | 2011-09-09 | 1 | -20/+1
Revert removing gsub and sub from safe buffer. | José Valim | 2011-09-08 | 1 | -3/+3
this should have gone with the previous commit | Xavier Noria | 2011-09-08 | 1 | -4/+4
copy-edits a couple of exception messages | Xavier Noria | 2011-09-08 | 1 | -4/+4
"Safe Buffer" should either be the constant with the class name, or go in lower case. I've chosen to follow the same terminology that is used in the AS core extensions guide, "safe string", though "safe buffer" is also used elsewhere, we should pick one. | | | |
better method documentation on disable safe string methods | Damien Mathieu | 2011-09-08 | 1 | -6/+12
make gsub and sub unavailable in SafeBuffers - Closes #1555 | Damien Mathieu | 2011-09-08 | 1 | -3/+16
properly escape html to avoid invalid utf8 causing XSS attacks | Aaron Patterson | 2011-08-16 | 1 | -1/+1
Reset @dirty to false when slicing an instance of SafeBuffer | Brian Cardarella | 2011-07-29 | 1 | -0/+6
Merge branch 'master' of git://github.com/lifo/docrails | Xavier Noria | 2011-07-05 | 1 | -8/+8
document meta methods | Vijay Dev | 2011-07-03 | 1 | -8/+8
all numerics should be html_safe - Closes #1935 | Damien Mathieu | 2011-07-03 | 1 | -1/+1
calling unsafe methods which don't return a string shouldn't fail | Damien Mathieu | 2011-06-22 | 1 | -2/+2
safe_concat should not work on dirty buffers. | José Valim | 2011-06-16 | 1 | -4/+13
Fix safe buffer by adding a dirty status. | José Valim | 2011-06-16 | 1 | -12/+24
Define ActiveSupport#to_param as to_str - closes #1663 | Andrew White | 2011-06-12 | 1 | -0/+4
ensuring that json_escape returns html safe strings when passed an html safe string | Aaron Patterson | 2011-06-09 | 1 | -1/+2
Prefer 'each' over 'for in' syntax. | Sebastian Martinez | 2011-06-07 | 1 | -1/+1
Ensure that the strings returned by SafeBuffer#gsub and friends aren't considered html_safe? | Michael Koziarski | 2011-06-07 | 1 | -0/+13
Also make sure that the versions of those methods which modify a string in place such as gsub! can't be called on safe buffers at all. Conflicts: activesupport/test/safe_buffer_test.rb | | | |
Revert "Merge pull request #275 from pk-amooma/master" | José Valim | 2011-05-07 | 1 | -2/+2
Several AP tests fail after this change. This reverts commit aaf01cd53718c8aa5b69ac056b997e6dd9893777, reversing changes made to 9cc18c52faeebaad6a76bd62cdca1c6b9f96afed. | | | |
for escaping HTML can be treated as normal XML | Philipp Kempgen (Amooma) | 2011-04-14 | 1 | -2/+2