| Commit message (Collapse) | Author | Age | Files | Lines |
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215
Conflicts:
actionpack/test/template/erb_util_test.rb
actionpack/test/template/form_tag_helper_test.rb
actionpack/test/template/text_helper_test.rb
actionpack/test/template/url_helper_test.rb
activesupport/lib/active_support/core_ext/string/output_safety.rb
This file uses Time.zone, which is defined in
active_support/core_ext/time/zones.rb.
Missing require breaks Time.=== when selectively loading ActiveSupport core_exts in 3.2.4+
[ci skip] closes #5790
Adding docs to attribute accessor methods.
I also removed the other require as it's already present in
`activesupport/core_ext/time/calculations`
Conflicts:
activesupport/test/core_ext/duplicable_test.rb
Logic in clone_empty method was dealing with old @dirty variable, which
has changed by @html_safe in this commit:
https://github.com/rails/rails/commit/139963c99a955520db6373343662e55f4d16dcd1
This was issuing a "not initialized variable" warning - related to:
https://github.com/rails/rails/pull/5237
The logic applied by this method is already handled by the [] override,
so there is no need to reset the variable here.
* 3-2-2:
bumping to 3.2.2
Ensure [] respects the status of the buffer.
Merge pull request #4834 from sskirby/fix_usage_of_psql_in_db_test_prepare
Merge pull request #5084 from johndouthat/patch-1
updating RAILS_VERSION
delete vulnerable AS::SafeBuffer#[]
use AS::SafeBuffer#clone_empty for flushing the output_buffer
add AS::SafeBuffer#clone_empty
fix output safety issue with select options
In asset_tag_helper_test.rb there is an assert on the number of bytes in a
concatenated file. This test failed because Windows converts \n to \r\n as
the default for "w". This is different from *nix systems, where there is
no conversion done.
The test that failed was test_caching_stylesheet_link_tag_when_caching_on.
Using bin mode fixes this behavior on Windows and makes no change on the
*nix systems.
[ci skip]
Validation guides update 3 2
Use ActiveModel::Errors in inflection example docs as well.
Also fixes wrong information and link to locale file related to
Errors#full_messages in I18n guide.
Update time zone offset information
At least Ruby 1.8.7 is required which is ok since 3.2.
Benchmark:
```ruby
require "benchmark"

enum = 1..10_000
N = 100

Benchmark.bm do |x|
  x.report "inject block" do
    N.times do
      enum.inject { |sum, n| sum + n }
    end
  end

  x.report "inject symbol" do
    N.times do
      enum.inject(:+)
    end
  end
end
```
Result:
```
                   user     system      total        real
inject block   0.160000   0.000000   0.160000 (  0.179723)
inject symbol  0.090000   0.000000   0.090000 (  0.095667)
```
use correct variant of checking whether class is a singleton
operator
Conflicts:
activesupport/lib/active_support/core_ext/range/include_range.rb
This reverts commit 520918aad9b84eee807eb42fcb32f57c152d50e0.
Reason: build failure
collect(&:method) *DHH*"
This reverts commit 4d20de8a50d889a09e6f5642984775fe796ca943.
```
        length      user     system      total        real
before       6  0.010000   0.000000   0.010000 (  0.012378)
after        6  0.010000   0.000000   0.010000 (  0.012866)
before      60  0.040000   0.000000   0.040000 (  0.046273)
after       60  0.040000   0.000000   0.040000 (  0.036421)
before     600  0.390000   0.000000   0.390000 (  0.390670)
after      600  0.210000   0.000000   0.210000 (  0.209094)
before    6000  3.750000   0.000000   3.750000 (  3.751008)
after     6000  1.860000   0.000000   1.860000 (  1.857901)
```
Revert html_escape to do a single gsub again, but add the "n" flag (no
language, i.e. not multi-byte) to protect against XSS via invalid utf8
Signed-off-by: José Valim <jose.valim@gmail.com>
from ruby's standard library.
Object#in? also accepts multiple parameters
A recent change to beginning_of_week and end_of_week added an argument
that can be used to specify the week's starting day as a symbol. Now
these methods were aliased as monday and sunday respectively which as a
consequence of the argument addition, made calls like obj.monday(:sunday)
possible. This commit makes them methods on their own.