| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
The behavior of json_escape was fixed in 2f1c5789, but the doc
changes and example in that commit incorrectly indicated that the
return value would be html-safe. Since quotation marks are
preserved, the raw value is not safe to use in other contexts
(specifically HTML attributes).
|
|
|
|
|
|
|
|
|
| |
Interpolation was untested and did not work with hash arguments.
Adds
- support for interpolation with hash argument
- tests for the above
- tests for safe/unsafe interpolation
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
| |
Use the already existing strings instead of creating a new one each time
just to test if it responds to the methods.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit 8ce3c1e5dde9fb180813e4d89324db03da110b13, reversing
changes made to f93da579ce7f77dbd58b9a2165861aee265b8c93.
Reason: It slow down the running time.
require "diffbench"
load 'output_safety.rb'
N = 10000
b = ActiveSupport::SafeBuffer.new("hello world")
DiffBench.bm do
report "capitalize in safe buffer" do
N.times do
b.capitalize
end
end
end
> git checkout 069ea45; diffbench bench.rb;
diffbench bench.rb;diffbench
bench.rb;diffbench bench.rb;diffbench
bench.rb;diffbench bench.rb;diffbench
bench.rb;
Running benchmark with current working tree
Checkout HEAD^
Running benchmark with HEAD^
Checkout to previous HEAD again
user system total
real
----------------------------------capitalize
in safe buffer
After patch: 0.010000 0.000000 0.010000
( 0.009733)
Before patch: 0.010000 0.000000 0.010000
( 0.007702)
Improvement: -26%
Running benchmark with current working tree
Checkout HEAD^
Running benchmark with HEAD^
Checkout to previous HEAD again
user system total
real
----------------------------------capitalize
in safe buffer
After patch: 0.010000 0.000000 0.010000
( 0.009768)
Before patch: 0.010000 0.000000 0.010000
( 0.007896)
Improvement: -24%
Running benchmark with current working tree
Checkout HEAD^
Running benchmark with HEAD^
Checkout to previous HEAD again
user system total
real
----------------------------------capitalize
in safe buffer
After patch: 0.010000 0.000000 0.010000
( 0.009938)
Before patch: 0.010000 0.000000 0.010000
( 0.007768)
Improvement: -28%
Running benchmark with current working tree
Checkout HEAD^
Running benchmark with HEAD^
Checkout to previous HEAD again
user system total
real
----------------------------------capitalize
in safe buffer
After patch: 0.010000 0.000000 0.010000
( 0.010001)
Before patch: 0.010000 0.000000 0.010000
( 0.007873)
Improvement: -27%
Running benchmark with current working tree
Checkout HEAD^
Running benchmark with HEAD^
Checkout to previous HEAD again
user system total
real
----------------------------------capitalize
in safe buffer
After patch: 0.010000 0.000000 0.010000
( 0.009670)
Before patch: 0.010000 0.000000 0.010000
( 0.007800)
Improvement: -24%
Running benchmark with current working tree
Checkout HEAD^
Running benchmark with HEAD^
Checkout to previous HEAD again
user system total
real
----------------------------------capitalize
in safe buffer
After patch: 0.010000 0.000000 0.010000
( 0.009949)
Before patch: 0.010000 0.000000 0.010000
( 0.007752)
Improvement: -28%
|
| |
|
| |
|
| |
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Conflicts:
actionmailer/lib/action_mailer/base.rb
activesupport/lib/active_support/configurable.rb
activesupport/lib/active_support/core_ext/module/deprecation.rb
guides/source/action_controller_overview.md
guides/source/active_support_core_extensions.md
guides/source/ajax_on_rails.textile
guides/source/association_basics.textile
guides/source/upgrading_ruby_on_rails.md
While resolving conflicts, I have chosen to ignore changes done in
docrails at some places - these will be most likely 1.9 hash syntax
changes.
|
| | |
|
|/ |
|
|\
| |
| | |
Remove j alias for ERB::Util.json_escape
|
| | |
|
| |
| |
| |
| |
| | |
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Logic in clone_empty method was dealing with old @dirty variable, which
has changed by @html_safe in this commit:
https://github.com/rails/rails/commit/139963c99a955520db6373343662e55f4d16dcd1
This was issuing a "not initialized variable" warning - related to:
https://github.com/rails/rails/pull/5237
The logic applied by this method is already handled by the [] override,
so there is no need to reset the variable here.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| | |
All the logic is based on the HTML_ESCAPE constant available in
ERB::Util, so it seems more logic to have the entire method there and
just delegate the helper to use it.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
length user system total real
before 6 0.010000 0.000000 0.010000 ( 0.012378)
after 6 0.010000 0.000000 0.010000 ( 0.012866)
before 60 0.040000 0.000000 0.040000 ( 0.046273)
after 60 0.040000 0.000000 0.040000 ( 0.036421)
before 600 0.390000 0.000000 0.390000 ( 0.390670)
after 600 0.210000 0.000000 0.210000 ( 0.209094)
before 6000 3.750000 0.000000 3.750000 ( 3.751008)
after 6000 1.860000 0.000000 1.860000 ( 1.857901)
|
|/
|
|
|
|
|
| |
Revert html_escape to do a single gsub again, but add the "n" flag (no
language, i.e. not multi-byte) to protect against XSS via invalid utf8
Signed-off-by: José Valim <jose.valim@gmail.com>
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
| |
unavailable to use with safe strings
|
| |
|
| |
|
|
|
|
|
|
|
| |
"Safe Buffer" should either be the constant with the class name,
or go in lower case. I've chosen to follow the same terminology
that is used in the AS core extensiong guide, "safe string",
though "safe buffer" is also used elsewhere, we should pick one.
|
| |
|
| |
|
| |
|
| |
|
|\ |
|