path: root/activesupport/lib/active_support/core_ext/string/output_safety.rb
Commit message (author, date; files changed, lines -/+)
* Revert "Merge pull request #275 from pk-amooma/master" (José Valim, 2011-05-07; 1 file, -2/+2)
    Several AP tests fail after this change. This reverts commit aaf01cd53718c8aa5b69ac056b997e6dd9893777, reversing changes made to 9cc18c52faeebaad6a76bd62cdca1c6b9f96afed.
* for escaping HTML can be treated as normal XML (Philipp Kempgen (Amooma), 2011-04-14; 1 file, -2/+2)
* properly escape "'" to "'" for XML/HTML (BTW Erubis does that as well) (Philipp Kempgen (Amooma), 2011-04-14; 1 file, -2/+2)
* s/ERb/ERB/g (Akira Matsuda, 2011-04-03; 1 file, -1/+1)
    The author of ERB says his eRuby implementation was originally named "ERb/ERbLight" and then renamed to "ERB" when it started being bundled as a Ruby standard lib. http://www2a.biglobe.ne.jp/~seki/ruby/erb.html
* Active Support typos. (R.T. Lechow, 2011-03-05; 1 file, -1/+1)
* Removed Array#safe_join in AS core_ext and moved it to a view helper with the same same. (Josh Kalderimis, 2011-02-10; 1 file, -31/+0)
    This also changes how safe_join works: if items or the separator are not html_safe they are html_escape'd; an html_safe string is always returned.
    Signed-off-by: José Valim <jose.valim@gmail.com>
* Revert "Removed Array#safe_join in AS core_ext and moved it to a view helper with the same same." (José Valim, 2011-02-10; 1 file, -0/+31)
    Applied the wrong version. This reverts commit 98c0c5db50a7679b3d58769ac22cb0a27a62c930.
* Removed Array#safe_join in AS core_ext and moved it to a view helper with the same same. (Josh Kalderimis, 2011-02-10; 1 file, -31/+0)
* Corrected the html_safe implementation for Array. Moved the html safe version of join to its own method (safe_join) so as not to degrade the performance of join for unrelated html_safe use. [#6298 state:resolved] (Josh Kalderimis, 2011-02-10; 1 file, -7/+22)
* Initial html_safe implementation for Array (Paul Hieromnimon, 2011-02-10; 1 file, -0/+16)
* make sure we play nicely when syck is activated (Aaron Patterson, 2011-01-28; 1 file, -5/+8)
* Psych correctly gets visitor for SafeBuffer from superclass (brainopia, 2011-01-28; 1 file, -2/+5)
* applies API conventions to the RDoc of json_encode (Xavier Noria, 2010-11-20; 1 file, -10/+12)
    * Examples running with the text are preferred over separate Example sections.
    * No need to call puts, in # => we show the return value, not STDOUT.
    * Say explicitly that double quotes are removed.
    * Specify that we are talking \uXXX, rather than, say, HTML entities.
* Make safe_append= live on AV::OutputBuffer not AS::SafeBuffer (Michael Koziarski, 2010-11-08; 1 file, -1/+0)
    Conflicts: actionpack/lib/action_view/template/handlers/erb.rb
* Added support for Erubis <%== tag (Jan Maurits Faber, 2010-11-08; 1 file, -0/+1)
    <%== x %> is syntactic sugar for <%= raw(x) %>
    Signed-off-by: Michael Koziarski <michael@koziarski.com>
    [#5918 status:committed]
* Merge branch 'master' of git://github.com/lifo/docrails (Xavier Noria, 2010-10-19; 1 file, -0/+6)
|\
| * json_escape makes json invalid doc change [#1485 state:resolved] (Neeraj Singh, 2010-10-16; 1 file, -0/+6)
| |
* | explains why ERB::Util#h is removed before being re-aliased (Xavier Noria, 2010-10-18; 1 file, -0/+1)
|/
* moves Object#singleton_class to Kernel#singleton_class to match Ruby also there, same for #class_eval to simplify, and adds coverage for class_eval (Xavier Noria, 2010-04-05; 1 file, -1/+1)
* Require AS singleton_class code in AS output_safety (snusnu, 2010-03-17; 1 file, -1/+2)
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
* Remove some 1.9 warnings (resulting in some fixed bugs). Remaining AM warnings are in dependencies. (wycats, 2010-03-17; 1 file, -2/+4)
* to_str works here (Jeremy Kemper, 2010-03-15; 1 file, -5/+1)
* Be sure to pass through args to to_yaml (Jeremy Kemper, 2010-03-11; 1 file, -2/+2)
* Write strings to fragment cache, not outputbuffers (Jeremy Kemper, 2010-03-11; 1 file, -1/+5)
* OutputBuffer#to_yaml should return string yaml, not some custom class dump (Jeremy Kemper, 2010-03-11; 1 file, -0/+4)
* Making SafeBuffer << an alias for concat method (Santiago Pastorino, 2010-02-05; 1 file, -5/+2)
    [#3848 state:committed]
    Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
* For performance reasons, you can no longer call html_safe! on Strings. Instead, all Strings are always not html_safe?. Instead, you can get a SafeBuffer from a String by calling #html_safe, which returns SafeBuffer.new(self). (Yehuda Katz, 2010-01-31; 1 file, -21/+85)
    * Additionally, instead of doing concat("</form>".html_safe), you can do safe_concat("</form>"), which will skip both the flag set and the flag check.
    * For the first pass, I converted virtually all #html_safe!s to #html_safe, and the tests pass. A further optimization would be to try to use #safe_concat as much as possible, reducing the performance impact if we know up front that a String is safe.
* String#<< should work for any object which responds to :to_str, so enable this without the performance hit and make Fixnum safe by default. (José Valim, 2009-12-26; 1 file, -0/+12)
* Simplify and improve the performance of output_safety (Yehuda Katz, 2009-12-24; 1 file, -22/+6)
* Instead of marking raw text in templates as safe, and then putting them through String#<< which checks if the String is safe, use safe_concat, which uses the original (internal) String#<< and leaves the safe flag as is. Results in a significant performance improvement. (Yehuda Katz, 2009-12-24; 1 file, -0/+1)
* Remove concat before overriding it (Joshua Peek, 2009-12-01; 1 file, -6/+7)
* Switch to on-by-default XSS escaping for rails. (Michael Koziarski, 2009-10-08; 1 file, -0/+43)
    This consists of:
    * String#html_safe! a method to mark a string as 'safe'
    * ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it
    * Calls to String#html_safe! throughout the rails helpers
    * a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presanitized strings in the DB)
    * New ERB implementation based on erubis which uses a SafeBuffer instead of a String
    Hat tip to Django for the inspiration.