| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This consists of:
* String#html_safe! a method to mark a string as 'safe'
* ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it
* Calls to String#html_safe! throughout the rails helpers
* a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presantized strings in the DB)
* New ERB implementation based on erubis which uses a SafeBuffer instead of a String
Hat tip to Django for the inspiration.
|
|
|
|
| |
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
|
| |
|
|
|
|
|
|
|
|
| |
allow them to be cleared
Signed-off-by: Michael Koziarski <michael@koziarski.com>
[#3138 state:committed]
|
| |
|
| |
|
|
|
|
| |
activate the gem version
|
|
|
|
| |
place. Just to keep the path shorter.
|
|
|
|
| |
vendor requires.
|
|
|
|
| |
rubygems isn't loaded.
|
| |
|
|
|
|
| |
Signed-off-by: Yehuda Katz <wycats@gmail.com>
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
[#2243 state:committed]
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
|
|
|
|
|
|
| |
[#3219 state:committed]
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
| |
Run `rake bundle` before running tests.
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
[#3195 state:committed]
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
|
| |
|
|
|
|
|
|
| |
Ruby's suite
This reverts commit 5de75398c495f109772b622291362a98bc6c21d1.
|
|
|
|
| |
Signed-off-by: Michael Koziarski <michael@koziarski.com>
|
|
|
|
|
|
|
|
| |
ActiveSupport::Multibyte#clean and #verify.
[#3181 state:committed]
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
|
|
|
|
| |
Signed-off-by: Joshua Peek <josh@joshpeek.com>
|
|
|
|
|
|
| |
notifying events that are actually being consumed.
Signed-off-by: Joshua Peek <josh@joshpeek.com>
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
When accepting character input from outside of your application you can't
blindly trust that all strings are properly encoded. With these methods
you can check incoming strings and clean them up if necessary.
Signed-off-by: Michael Koziarski <michael@koziarski.com>
Conflicts:
activesupport/lib/active_support/multibyte.rb
|
|
|
|
|
|
| |
Use a constant-time comparison algorithm to compare the candidate HMAC with the calculated HMAC to prevent leaking information about the calculated HMAC.
Signed-off-by: Michael Koziarski <michael@koziarski.com>
|
|
|
|
|
|
| |
original [#1133 state:resolved]
Signed-off-by: Joshua Peek <josh@joshpeek.com>
|
|
|
|
|
|
| |
[#3102 state:incomplete]
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Move #set_cookie and #delete_cookie inline to optimize. These optimizations should
almost certainly be sent back upstream to Rack. The optimization involves using
an ivar for cookies instead of indexing into the headers each time.
* Was able to use a bare Hash for headers now that cookies have their own joining
semantics (some code assumed that the raw cookies were an Array).
* Cache blankness of body on body=
* Improve expand_cache_key for Arrays of a single element (common in our case)
* Use a simple layout condition check unless conditions are used
* Cache visible actions
* Lazily load the UrlRewriter
* Make etag an ivar that is set on prepare!
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Tentatively replaced HeaderHash with SimpleHeaderHash, which does not preserve
case but does handle converting Arrays to Strings in to_hash. This requires
further discussion.
* Moved default_charset to ActionDispatch::Response to avoid having to hop over
to ActionController. Ideally, this would be a constant on AD::Response, but
some tests expect to be able to change it dynamically and I didn't want to change
them yet.
* Completely override #initialize from Rack::Response. Previously, it was creating
a HeaderHash, and then we were creating an entirely new one. There is no way to
call super without incurring the overhead of creating a HeaderHash.
* Override #write from Rack::Response. Its implementation tracks Content-Length,
and doing so adds additional overhead that could be mooted if other middleware
changes the body. It is more efficiently done at the top-level server.
* Change sending_file to an instance_variable instead of header inspection. In
general, if a state is important, it should be set as a property of the response
not reconstructed later.
* Set the Etag to @body instead of .body. AS::Cache.expand_cache_key handles
Arrays fine, and it's more efficient to let it handle the body parts, since
it is not forced to create a joined String.
* If we detect the default cache control case, just set it, rather than setting
the constituent parts and then running the normal (expensive) code to generate
the string.
|
| |
|