| Commit message (Collapse) | Author | Age | Files | Lines |
|
Closes #8587
|
* 3-2-sec:
bumping version
CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml.
* Strip nils from collections on JSON and XML posts. [CVE-2013-0155] * dealing with empty hashes. Thanks Damien Mathieu
Avoid Rack security warning no secret provided
Conflicts:
actionpack/CHANGELOG.md
activerecord/CHANGELOG.md
activesupport/CHANGELOG.md
|
(cherry picked from commit e2e513621d732abb8efff9120bd9a444836720d6)
(cherry picked from commit dcdde7da481e11660634278a8004175a1ce20f39)
Backport of #6183, original issue was #6179
Conflicts:
activesupport/lib/active_support/core_ext/time/calculations.rb
activesupport/test/core_ext/time_ext_test
Signed-off-by: Andrew White <andyw@pixeltrix.co.uk>
|
The encoding scheme (e.g. ☠ -> "\u2620") was broken for characters
not in the Basic Multilingual Plane. It is possible to escape them
for json using the weird encoding scheme of a twelve-character
sequence representing the UTF-16 surrogate pair (e.g. '𠜎' ->
"\u270e\u263a") but this wasn't properly handled in the escaping code.
Since raw UTF-8 is allowed in json, it was decided to simply pass
through the raw bytes rather than attempt to escape them.
Backport of https://github.com/zbskii/rails/commit/9ace3a8820a5270f9b3f37b593f8bbea3e940f73
Conflicts:
activesupport/CHANGELOG.md
activesupport/lib/active_support/json/encoding.rb
activesupport/test/json/encoding_test.rb
|
Ruby 1.8 does not support this format in Time, so the format will only
be added to the available date formats on Ruby 1.9. Changelog entry was
changed to explain that as well.
|
Increase numeric-timestamp precision to nanoseconds
Conflicts:
activesupport/lib/active_support/core_ext/time/conversions.rb
|
Introduced in 3e53fe6.
|
Setting options in a custom `#as_json` method had side effects.
Modifications of the `options` hash leaked outside and influenced
the conversion of other objects contained in the hash.
Conflicts:
activesupport/CHANGELOG.md
|
Avoid memory leak from unflushed logs on other threads leaving tags behind.
Conflicts:
activesupport/CHANGELOG.md
activesupport/lib/active_support/tagged_logging.rb
activesupport/test/tagged_logging_test.rb
|
format strings.
|
Check 0180e090ab6cbe66f7b521a0c03e278a0463accd for more reasoning about
that.
|
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215
Conflicts:
actionpack/test/template/erb_util_test.rb
actionpack/test/template/form_tag_helper_test.rb
actionpack/test/template/text_helper_test.rb
actionpack/test/template/url_helper_test.rb
activesupport/lib/active_support/core_ext/string/output_safety.rb
|
This reverts commit bcfa013399fd2c5b5d25c38912cba3560de1cc57.
|
Conflicts:
activesupport/lib/active_support/json/encoding.rb
activesupport/test/json/encoding_test.rb
|
This is a back-port of rails/rails#6525. See the commit notes there for
details.
|
Conflicts:
activesupport/test/core_ext/duplicable_test.rb
|
* 3-2-stable-security:
Ensure [] respects the status of the buffer.
delete vulnerable AS::SafeBuffer#[]
use AS::SafeBuffer#clone_empty for flushing the output_buffer
add AS::SafeBuffer#clone_empty
fix output safety issue with select options
|
Same as 91a9b2441783de118a2f9ec11b0aa3ae80133d91
|
This reverts commit abe915f23777efe10f17d611bf5718ca855a0704.
This broke all existing keys and it's wrong anyway. The array is just there as a convenience option for building the string. It's intentional that [ "stuff"] and "stuff" generate the same key.
|
Signed-off-by: José Valim <jose.valim@gmail.com>
|
Conflicts:
activesupport/test/callbacks_test.rb
|
activesupport tests.
|
ActiveSupport::TaggedLogging::ERROR
|
extend and define ::Base64 if needed
|
3 2 stable marshalling
|
Conflicts:
activesupport/lib/active_support/core_ext/range/include_range.rb
|
This reverts commit df3701872d6c97ff49943aea30761b47e60fa9fe, reversing
changes made to a0fd9fb01730af12d66a27b5665cc010bd3b90b4.
|
collect(&:method) *DHH*"
This reverts commit 4d20de8a50d889a09e6f5642984775fe796ca943.
|
Fix expanding cache key for single element arrays
|
In short:
expand_cache_key(element) should not equal expand_cache_key([element])
This way a fragment cache key for an index page with only a single
element in the collection is different than a fragment cache for a
typical show page for that element.