path: root/activesupport/lib/active_support/core_ext/string/output_safety.rb
Commit log. Each entry gives the commit message, then author, age, files changed and lines removed/added (-removed/+added).
* Merge pull request #19992 from greysteil/handle-invalid-utf8-in-html-escape
  Sean Griffin, 2015-10-20, 1 file, -2/+2

  Handle invalid UTF-8 strings when HTML escaping

* Handle invalid UTF-8 strings when HTML escaping
  Grey Baker, 2015-06-08, 1 file, -2/+2

  Use `ActiveSupport::Multibyte::Unicode.tidy_bytes` to handle invalid UTF-8 strings in `ERB::Util.unwrapped_html_escape` and `ERB::Util.html_escape_once`. Prevents user-entered input passed from a querystring into a form field from causing invalid byte sequence errors.

* s/JQuery/jQuery/
  Akira Matsuda, 2015-09-18, 1 file, -1/+1

  [ci skip]

* [ci skip] Add space after erb block.
  yui-knk, 2015-03-12, 1 file, -1/+1
* Properly dump primitive-like AS::SafeBuffer strings as YAML
  Godfrey Chan, 2015-02-11, 1 file, -1/+1

  `coder.represent_scalar` means something along the lines of "Here is a quoted string, you can just add it to the output", which is not the case here. It only works for simple strings that can appear unquoted in YAML, but causes problems for e.g. primitive-like strings ("1", "true").

  `coder.represent_object` on the other hand, means that "This is the Ruby-object representation for this thing suitable for use in YAML dumping", which is what we want here.

  Before:

    YAML.load ActiveSupport::SafeBuffer.new("Hello").to_yaml # => "Hello"
    YAML.load ActiveSupport::SafeBuffer.new("true").to_yaml  # => true
    YAML.load ActiveSupport::SafeBuffer.new("false").to_yaml # => false
    YAML.load ActiveSupport::SafeBuffer.new("1").to_yaml     # => 1
    YAML.load ActiveSupport::SafeBuffer.new("1.1").to_yaml   # => 1.1

  After:

    YAML.load ActiveSupport::SafeBuffer.new("Hello").to_yaml # => "Hello"
    YAML.load ActiveSupport::SafeBuffer.new("true").to_yaml  # => "true"
    YAML.load ActiveSupport::SafeBuffer.new("false").to_yaml # => "false"
    YAML.load ActiveSupport::SafeBuffer.new("1").to_yaml     # => "1"
    YAML.load ActiveSupport::SafeBuffer.new("1.1").to_yaml   # => "1.1"

  If we ever want Ruby to behave more like PHP or JavaScript though, this is an excellent trick to use ;)
* Merge pull request #14028 from uberllama/json_escape_comments
  Rafael Mendonça França, 2015-02-06, 1 file, -0/+5

  Amended json_escape comments

* Amended json_escape comment to clarify that user-generated content must still be html_escaped if being inserted into the DOM via JQuery's html() method.
  Yuval Kordov, 2014-02-12, 1 file, -0/+5

* Remove deprecated `ActiveSupport::SafeBuffer#prepend`
  Rafael Mendonça França, 2015-01-04, 1 file, -6/+0

* Just check if the buffer exists before changing it
  Rafael Mendonça França, 2014-12-29, 1 file, -1/+3

* When trying to access a character on a string buffer object via `:[]`, if the object being accessed currently returns `html_safe?` as true, we used to set `@html_safe` variable as true on new object created.
  Vipul A M, 2014-12-29, 1 file, -1/+3

  When doing something like

    x = 'Hello'.html_safe
    x[/a/, 1]

  would throw an error on ruby 2.2, since when nothing gets matched nil is returned by the code and it tries to set `@html_safe` value to true, which would error since starting 2.2 nil is frozen.

  This change adds a safety net to avoid setting `@html_safe = true` on frozen objects.

  Fixes #18235
* Document `String#html_safe` [ci skip]
  Sean Griffin, 2014-11-24, 1 file, -0/+5

  It should be part of the documented public API, since we have an entire section of the guides dedicated to it. Documented in a way that addresses the concerns which kept it undocumented in the past.

* instance_eval is evil
  Akira Matsuda, 2014-10-25, 1 file, -1/+1

* The hex escape sequence can be of any length
  Godfrey Chan, 2014-07-02, 1 file, -1/+1

* Fix escape_once double-escaping hex-encoded entities
  John F. Douthat, 2014-07-02, 1 file, -1/+1

  (This is a manual merge of #9102)

* drastically reduce object allocations
  Aaron Patterson, 2014-06-02, 1 file, -6/+13

  before this change, we were allocating AS::SafeBuffer objects that were being interpolated in to a string, so the safe buffer object was being thrown away. This change only allocates a string (vs a string *and* a safebuffer) and interpolates the string. On my test application, this reduced the AS::SafeBuffer objects from 1527k per request to about 500 per request.

* reduce AS::SafeBuffer allocations
  Aaron Patterson, 2014-06-02, 1 file, -1/+2

  html_escape_interpolated_argument is only used in mutation methods:

    https://github.com/rails/rails/blob/c07d09559ec171e1904b55c7ad7e8c7d586ca51b/activesupport/lib/active_support/core_ext/string/output_safety.rb#L174
    https://github.com/rails/rails/blob/c07d09559ec171e1904b55c7ad7e8c7d586ca51b/activesupport/lib/active_support/core_ext/string/output_safety.rb#L179

  The return value doesn't need to be converted to an AS::SafeBuffer since we know that the current object is an AS::SafeBuffer and will be mutated, and the return value from html_escape_interpolated_argument will be thrown away

* concat is a hotspot (via AV#append=), so just directly define the methods
  Aaron Patterson, 2014-06-02, 1 file, -4/+6
* Move require to actual file
  Carlos Antonio da Silva, 2014-04-02, 1 file, -0/+1

  Change to require all active_support/deprecation since that's the actual entry point for the deprecation methods.

* DRY AS::SafeBuffer a bit using existing helper
  Pavel Pravosud, 2014-04-02, 1 file, -5/+1

* Make AS::SafeBuffer#prepend act like String#prepend
  Pavel Pravosud, 2014-03-31, 1 file, -6/+13

  Make `#prepend` method modify instance in-place and return self instead of just returning modified value. That is exactly what `#prepend!` method was doing previously, so it's deprecated from now on.

* Clarify behavior of json_escape, update examples
  Jon Jensen, 2014-01-09, 1 file, -12/+12

  The behavior of json_escape was fixed in 2f1c5789, but the doc changes and example in that commit incorrectly indicated that the return value would be html-safe. Since quotation marks are preserved, the raw value is not safe to use in other contexts (specifically HTML attributes).

* Fixes interpolation on SafeBuffer
  Julien Letessier, 2013-12-14, 1 file, -7/+12

  Interpolation was untested and did not work with hash arguments.

  Adds
  - support for interpolation with hash argument
  - tests for the above
  - tests for safe/unsafe interpolation

* Review json_escape docs [ci skip]
  Carlos Antonio da Silva, 2013-12-04, 1 file, -22/+22

* Also move html_escape regex to a constant (see 9d25af60)
  Godfrey Chan, 2013-12-04, 1 file, -1/+2

* Added \u2028 \u2029 to json_escape
  Godfrey Chan, 2013-12-04, 1 file, -5/+7

* Use lower case letters in unicodes sequences to match the new encoder's output
  Godfrey Chan, 2013-12-04, 1 file, -1/+1

* Fixed a long-standing bug in `json_escape` that strips quotation marks
  Godfrey Chan, 2013-12-04, 1 file, -12/+49

* Avoid generating more strings while iterating to create methods
  Carlos Antonio da Silva, 2013-12-02, 1 file, -1/+1

  Use the already existing strings instead of creating a new one each time just to test if it responds to the methods.
* Revert "Merge pull request #10600 from aditya-kapoor/code_refactor"
  Rafael Mendonça França, 2013-05-15, 1 file, -9/+11

  This reverts commit 8ce3c1e5dde9fb180813e4d89324db03da110b13, reversing changes made to f93da579ce7f77dbd58b9a2165861aee265b8c93.

  Reason: It slows down the running time.

    require "diffbench"
    load 'output_safety.rb'

    N = 10000
    b = ActiveSupport::SafeBuffer.new("hello world")

    DiffBench.bm do
      report "capitalize in safe buffer" do
        N.times do
          b.capitalize
        end
      end
    end

    > git checkout 069ea45; diffbench bench.rb; diffbench bench.rb;diffbench bench.rb;diffbench bench.rb;diffbench bench.rb;diffbench bench.rb;diffbench bench.rb;
    Running benchmark with current working tree
    Checkout HEAD^
    Running benchmark with HEAD^
    Checkout to previous HEAD again
                                       user     system      total        real
    ----------------------------------capitalize in safe buffer
    After patch:                   0.010000   0.000000   0.010000 (  0.009733)
    Before patch:                  0.010000   0.000000   0.010000 (  0.007702)
    Improvement: -26%
    Running benchmark with current working tree
    Checkout HEAD^
    Running benchmark with HEAD^
    Checkout to previous HEAD again
                                       user     system      total        real
    ----------------------------------capitalize in safe buffer
    After patch:                   0.010000   0.000000   0.010000 (  0.009768)
    Before patch:                  0.010000   0.000000   0.010000 (  0.007896)
    Improvement: -24%
    Running benchmark with current working tree
    Checkout HEAD^
    Running benchmark with HEAD^
    Checkout to previous HEAD again
                                       user     system      total        real
    ----------------------------------capitalize in safe buffer
    After patch:                   0.010000   0.000000   0.010000 (  0.009938)
    Before patch:                  0.010000   0.000000   0.010000 (  0.007768)
    Improvement: -28%
    Running benchmark with current working tree
    Checkout HEAD^
    Running benchmark with HEAD^
    Checkout to previous HEAD again
                                       user     system      total        real
    ----------------------------------capitalize in safe buffer
    After patch:                   0.010000   0.000000   0.010000 (  0.010001)
    Before patch:                  0.010000   0.000000   0.010000 (  0.007873)
    Improvement: -27%
    Running benchmark with current working tree
    Checkout HEAD^
    Running benchmark with HEAD^
    Checkout to previous HEAD again
                                       user     system      total        real
    ----------------------------------capitalize in safe buffer
    After patch:                   0.010000   0.000000   0.010000 (  0.009670)
    Before patch:                  0.010000   0.000000   0.010000 (  0.007800)
    Improvement: -24%
    Running benchmark with current working tree
    Checkout HEAD^
    Running benchmark with HEAD^
    Checkout to previous HEAD again
                                       user     system      total        real
    ----------------------------------capitalize in safe buffer
    After patch:                   0.010000   0.000000   0.010000 (  0.009949)
    Before patch:                  0.010000   0.000000   0.010000 (  0.007752)
    Improvement: -28%
* Added a blank space and removed to_sym
  aditya-kapoor, 2013-05-14, 1 file, -4/+5

* Removed Class Eval and used define_method instead for the SafeBuffer
  aditya-kapoor, 2013-05-14, 1 file, -12/+9

* Call String#gsub with Hash directly
  Aman Gupta, 2013-03-04, 1 file, -2/+2

* Merge branch 'master' of github.com:lifo/docrails
  Vijay Dev, 2012-09-21, 1 file, -1/+0

  Conflicts:
    actionmailer/lib/action_mailer/base.rb
    activesupport/lib/active_support/configurable.rb
    activesupport/lib/active_support/core_ext/module/deprecation.rb
    guides/source/action_controller_overview.md
    guides/source/active_support_core_extensions.md
    guides/source/ajax_on_rails.textile
    guides/source/association_basics.textile
    guides/source/upgrading_ruby_on_rails.md

  While resolving conflicts, I have chosen to ignore changes done in docrails at some places - these will be most likely 1.9 hash syntax changes.

* update AS/core_ext docs [ci skip]
  Francesco Rodriguez, 2012-09-12, 1 file, -1/+0

* &#39 dates back to SGML when &#x27 was introduced in HTML 4.0
  Kalys Osmonov, 2012-09-09, 1 file, -1/+1

* Merge pull request #3578 from amatsuda/remove_j_alias_for_json_escape
  Rafael Mendonça França, 2012-08-21, 1 file, -7/+0

  Remove j alias for ERB::Util.json_escape

* Remove j alias for ERB::Util.json_escape
  Akira Matsuda, 2011-11-09, 1 file, -7/+0

* html_escape should escape single quotes
  Santiago Pastorino, 2012-07-31, 1 file, -3/+3

  https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content

  Closes #7215
* doesn't modify params in SafeBuffer#%
  Vasiliy Ermolovich, 2012-05-18, 1 file, -3/+1

* fix safe string interpolation with SafeBuffer#%, closes #6352
  Vasiliy Ermolovich, 2012-05-16, 1 file, -0/+14

* remove unnecessary 'examples' noise
  Francesco Rodriguez, 2012-05-11, 1 file, -2/+0

* String quotes and trailing spaces
  Alexey Gaziev, 2012-04-29, 1 file, -5/+5

* AS core_ext refactoring
  Alexey Gaziev, 2012-04-29, 1 file, -8/+13

* Stop SafeBuffer#clone_empty from issuing warnings
  Carlos Antonio da Silva, 2012-03-02, 1 file, -3/+1

  Logic in clone_empty method was dealing with old @dirty variable, which has changed by @html_safe in this commit:
  https://github.com/rails/rails/commit/139963c99a955520db6373343662e55f4d16dcd1

  This was issuing a "not initialized variable" warning - related to:
  https://github.com/rails/rails/pull/5237

  The logic applied by this method is already handled by the [] override, so there is no need to reset the variable here.

* Ensure [] respects the status of the buffer.
  José Valim, 2012-02-29, 1 file, -12/+18

* delete vulnerable AS::SafeBuffer#[]
  Akira Matsuda, 2012-02-20, 1 file, -6/+0

* add AS::SafeBuffer#clone_empty
  Akira Matsuda, 2012-02-20, 1 file, -0/+6

* revise docs [ci skip]
  Vijay Dev, 2012-02-01, 1 file, -1/+1

* Move escaping regexps to constants
  Carlos Antonio da Silva, 2012-02-01, 1 file, -2/+4

* Move escape_once logic to ERB::Util, where it belongs to
  Carlos Antonio da Silva, 2012-02-01, 1 file, -0/+15

  All the logic is based on the HTML_ESCAPE constant available in ERB::Util, so it seems more logical to have the entire method there and just delegate the helper to use it.