* Introduce `render :html` as an option to render HTML content with a content
type of `text/html`. This rendering option calls `ERB::Util.html_escape`
internally to escape unsafe HTML strings, so you will have to mark your
string as html safe if you have any HTML tags in it.
Please see #12374 for more detail.
*Prem Sichanugrist*
* Introduce `render :plain` as an option to render content with a content type
of `text/plain`. This is the preferred option if you are planning to render
plain text content.
Please see #12374 for more detail.
*Prem Sichanugrist*
* Introduce `render :body` as an option for sending raw content back to the
browser. Note that this rendering option will unset the default content type
and does not include a "Content-Type" header in the response.
You should only use this option if you are expecting the "Content-Type"
header to not be set. More information on the "Content-Type" header can be found
in RFC 2616, section 7.2.1.
Please see #12374 for more detail.
*Prem Sichanugrist*
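The three entries above describe an escaping contract rather than showing it, so here is an added example in plain Ruby that is not code from the Rails project or from the changelog's authors. The `render_html`, `render_plain` and `render_body` functions and the `SafeString` marker class are stand-ins assumed for this illustration (Rails uses `ActiveSupport::SafeBuffer` and its own renderer); only `ERB::Util.html_escape` is the real stdlib call the entry names. The point it demonstrates: with `render :html` the whole argument is escaped unless it is marked safe, so the correct pattern is to escape only the untrusted fragment and then mark the assembled markup safe, never to mark the interpolated string safe as a whole.

```ruby
require "erb"

# Stand-in for an html-safe string (Rails uses ActiveSupport::SafeBuffer).
# Assumed for this example: a String whose `html_safe?` answers true.
class SafeString < String
  def html_safe?
    true
  end
end

# Escape one untrusted fragment and mark the result safe, as a template
# helper would. Only the untrusted part of the markup should go through here.
def escape(fragment)
  SafeString.new(ERB::Util.html_escape(fragment.to_s))
end

# Model of the `render html:` contract from the changelog (assumption, not
# Rails's renderer): escape the value unless it is already marked html-safe.
# Each render_* function returns [body, headers].
def render_html(content)
  body =
    if content.respond_to?(:html_safe?) && content.html_safe?
      content.to_s
    else
      ERB::Util.html_escape(content.to_s)
    end
  [body, { "Content-Type" => "text/html" }]
end

# `render plain:` never escapes; the text/plain type is what keeps the
# browser from treating the body as markup.
def render_plain(content)
  [content.to_s, { "Content-Type" => "text/plain" }]
end

# `render body:` sends the bytes untouched and sets no Content-Type at all.
def render_body(content)
  [content.to_s, {}]
end

# Constructed attacker-controlled value, e.g. a `params[:name]`.
USER_INPUT = "<script>alert(1)</script>"

# Whole string escaped: the <b> tags are neutralised along with the payload.
def html_all_escaped
  render_html("<b>#{USER_INPUT}</b>").first
end

# Correct pattern: escape only the untrusted part, then mark the assembled
# markup safe.
def html_markup_kept
  render_html(SafeString.new("<b>#{escape(USER_INPUT)}</b>")).first
end

# The mistake to avoid: marking the interpolated string safe as a whole lets
# the payload through untouched.
def html_marked_safe_too_early
  render_html(SafeString.new("<b>#{USER_INPUT}</b>")).first
end
```

`render_body` returns no Content-Type at all; a browser receiving such a response will sniff the body to decide how to interpret it, so that option is only suitable for content that can never be taken as HTML, and `render :plain` is the right choice for text.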
* Set stream status to 500 (or 400 on BadRequest) when an error is thrown
before committing.
Fixes #12552.
*Kevin Casey*
* Add new config option `config.action_dispatch.cookies_serializer` for
specifying a serializer for the signed and encrypted cookie jars.
The possible values are:

    * `:json` - serialize cookie values with `JSON`
    * `:marshal` - serialize cookie values with `Marshal`
    * `:hybrid` - transparently migrate existing `Marshal` cookie values to `JSON`

For new apps the `:json` option is added by default, and `:marshal` is used
when no option is specified to maintain backwards compatibility.
*Łukasz Sarnacki*, *Matt Aimonetti*, *Guillermo Iguaran*, *Godfrey Chan*, *Rafael Mendonça França*
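An added example, not code from the Rails project, modelling the three serializer values above in plain Ruby. `MarshalSerializer`, `JsonSerializer` and `HybridSerializer` are assumed names for this illustration, as is the `Token` class; Rails's own serializer classes are not reproduced here. Two things are shown: the hybrid reader accepts a value carrying the Marshal header and writes it back as JSON, which is the migration path the entry describes; and a Marshal round trip rebuilds an instance of whatever class the payload names, whereas JSON only ever yields strings, numbers, arrays and hashes, which is why `:json` is the safer default for data that comes back from the client.

```ruby
require "json"

# Models of the three `cookies_serializer` values. They are an assumption
# about the documented behaviour, not Rails's own serializer classes.
module MarshalSerializer
  def self.dump(value)
    Marshal.dump(value)
  end

  def self.load(data)
    Marshal.load(data)
  end
end

module JsonSerializer
  def self.dump(value)
    JSON.generate(value)
  end

  def self.load(data)
    JSON.parse(data)
  end
end

# Hybrid: always writes JSON, but still reads a value that carries the Marshal
# header so cookies issued by an older release keep working. A legacy cookie
# is migrated the next time the jar writes it back.
module HybridSerializer
  MARSHAL_SIGNATURE = "\x04\x08".b.freeze

  def self.dump(value)
    JsonSerializer.dump(value)
  end

  def self.load(data)
    if data.b.start_with?(MARSHAL_SIGNATURE)
      MarshalSerializer.load(data)
    else
      JsonSerializer.load(data)
    end
  end
end

# Constructed class standing in for any class an attacker could name inside a
# forged Marshal payload: Marshal instantiates it on load, JSON never can.
class Token
  attr_reader :value

  def initialize(value)
    @value = value
  end
end

# Class of the object that comes back after a dump/load round trip.
def roundtrip_class(serializer, value)
  serializer.load(serializer.dump(value)).class
end

# Whether the JSON serializer can hand back an instance of the value's class.
def json_rebuilds?(value)
  JsonSerializer.load(JsonSerializer.dump(value)).is_a?(value.class)
end

# Re-encode a cookie written by the Marshal serializer using the hybrid one.
def migrate_legacy_cookie(legacy_bytes)
  HybridSerializer.dump(HybridSerializer.load(legacy_bytes))
end
```

Switching serializers also changes what survives a round trip: symbol keys come back as strings, and `Time` or application objects stored in the session come back as strings or hashes, so code that relied on Marshal restoring them needs adjusting before `:json` or `:hybrid` goes live.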
* `FlashHash` now behaves like a `HashWithIndifferentAccess`.
*Guillermo Iguaran*
* Set the `:shallow_path` scope option as each scope is generated rather than
waiting until the `shallow` option is set. Also make the behavior of the
`:shallow` resource option consistent with the behavior of the `shallow` method.
Fixes #12498.
*Andrew White*, *Aleksi Aalto*
* Properly require `action_view` in `AbstractController::Rendering` to prevent
uninitialized constant error for `ENCODING_FLAG`.
*Philipe Fatio*
* Do not discard query parameters that form a hash with the same root key as
the `wrapper_key` for a request using `wrap_parameters`.
*Josh Jordan*
* Ensure that `request.filtered_parameters` is reset between calls to `process`
in `ActionController::TestCase`.
Fixes #13803.
*Andrew White*
* Fix `rake routes` error when `Rails::Engine` with empty routes is mounted.
Fixes #13810.
*Maurizio De Santis*
* Log which keys were affected by deep munge.
Deep munge solves the CVE-2013-0155 security vulnerability, but its
behaviour is definitely confusing, so now at least the keys whose values
were set to nil are visible in the logs.
*Łukasz Sarnacki*
* Automatically convert dashes to underscores for shorthand routes, e.g:

        get '/our-work/latest'

When running `rake routes` you will get the following output:

                 Prefix Verb URI Pattern                Controller#Action
        our_work_latest GET  /our-work/latest(.:format) our_work#latest

*Mikko Johansson*
* Automatically convert dashes to underscores for url helpers, e.g:

        get '/contact-us' => 'pages#contact'
        get '/about-us' => 'pages#about_us'

When running `rake routes` you will get the following output:

            Prefix Verb URI Pattern           Controller#Action
        contact_us GET  /contact-us(.:format) pages#contact
          about_us GET  /about-us(.:format)   pages#about_us

*Amr Tamimi*
* Fix stream closing when sending file with `ActionController::Live` included.
Fixes #12381.
*Alessandro Diaferia*
* Allow an absolute controller path inside a module scope. Fixes #12777.
Example:

        namespace :foo do
          # will route to BarController without the namespace.
          get '/special', to: '/bar#index'
        end

* Unique the segment keys array for non-optimized url helpers.
In Rails 3.2 you only needed to pass an argument for a dynamic segment once, so
unique the segment keys array to match the number of args. Since the number
of args is less than the required parts, the non-optimized code path is selected.
This means that to benefit from optimized url generation the arg needs to be
specified as many times as it appears in the path.
Fixes #12808.
*Andrew White*
* Show full route constraints in error message.
When an optimized helper fails to generate, show the full route constraints
in the error message. Previously it would only show the constraints that were
required as part of the path.
Fixes #13592.
*Andrew White*
* Use a custom route visitor for optimized url generation. Fixes #13349.
*Andrew White*
* Allow engine root relative redirects using an empty string.
Example:

        # application routes.rb
        mount BlogEngine => '/blog'

        # engine routes.rb
        get '/welcome' => redirect('')

This now redirects to the path `/blog`, whereas before it would redirect
to the application root path. In the case of a path redirect or a custom
redirect if the path returned contains a host then the path is treated as
absolute. Similarly for option redirects, if the options hash returned
contains a `:host` or `:domain` key then the path is treated as absolute.
Fixes #7977.
*Andrew White*
* Fix `Encoding::CompatibilityError` when public path is UTF-8
In #5337 we forced the path encoding to ASCII-8BIT to prevent static file handling
from blowing up before an application has had a chance to deal with possibly invalid
URLs. However this has a negative side effect of making it an incompatible encoding
if the application's public path has UTF-8 characters in it.
To work around the problem we check to see if the path has a valid encoding once
it has been unescaped. If it is not valid then we can return early since it will
not match any file anyway.
Fixes #13518.
*Andrew White*
* `ActionController::Parameters#permit!` permits hashes in array values.
*Xavier Noria*
* Converts hashes in arrays of unfiltered params to unpermitted params.
Fixes #13382.
*Xavier Noria*
* New config option to opt out of params "deep munging" that was used to
address security vulnerability CVE-2013-0155. In your app config:

        config.action_dispatch.perform_deep_munge = false

Take care to understand the security risk involved before disabling this.
[Read more.](https://groups.google.com/forum/#!topic/rubyonrails-security/t1WFuuQyavI)
*Bernard Potocki*
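The entry above and the earlier "Log which keys were affected by deep munge" entry both turn on what deep munge actually does to a params hash, so here is one added example in plain Ruby serving both; it is not code from the Rails project or from the changelog's authors. `deep_munge`, `munge_and_log`, `predicate_for` and `reset_token_query` are names assumed for this illustration, and `predicate_for` is a deliberately simplified rendering of how a hash condition became SQL at the time, not Active Record's code. The scenario is the one CVE-2013-0155 is about: a guard such as `return if params[:token].nil?` followed by a lookup on that value; a client can send an array of nulls (JSON `{"token":[null]}`), which is not `nil` and so passes the guard, yet was turned into an `IS NULL` condition that matches rows with no token. Deep munge collapses `[]`, `[null]` and `[null, null, ...]` to `nil` before the controller sees them, so the guard works again; the logging change makes it visible which keys were rewritten, and the `perform_deep_munge = false` switch removes that protection entirely.

```ruby
require "logger"
require "stringio"

# Model of the deep-munge step (an assumption about the documented behaviour,
# not Rails's own code). It walks a params hash, drops nils from arrays, turns
# an array that ends up empty into nil, and records the key path of every
# value it replaced. Returns [munged_hash, affected_paths].
def deep_munge(hash, logger: nil, keys: [], affected: [])
  hash.each do |key, value|
    keys.push(key)
    case value
    when Array
      value.grep(Hash) { |nested| deep_munge(nested, logger: logger, keys: keys, affected: affected) }
      value.compact!
      if value.empty?
        hash[key] = nil
        path = "params[:#{keys.join('][:')}]"
        affected << path
        logger&.debug("Value for #{path} was set to nil, because it was one of [], [null] or [null, null, ...].")
      end
    when Hash
      deep_munge(value, logger: logger, keys: keys, affected: affected)
    end
    keys.pop
  end
  [hash, affected]
end

# Run deep_munge with a logger writing to memory so the log lines the entry
# describes can be inspected. Returns [munged_hash, affected_paths, log_text].
def munge_and_log(params)
  io = StringIO.new
  logger = Logger.new(io)
  logger.formatter = proc { |_severity, _time, _progname, msg| "#{msg}\n" }
  munged, affected = deep_munge(params, logger: logger)
  [munged, affected, io.string]
end

# Simplified rendering of a hash condition (assumption, illustration only):
# nil and an all-nil array both become IS NULL, other arrays become IN (...),
# scalars become an equality bind.
def predicate_for(column, value)
  case value
  when nil
    "#{column} IS NULL"
  when Array
    present = value.compact
    present.empty? ? "#{column} IS NULL" : "#{column} IN (#{Array.new(present.size, '?').join(', ')})"
  else
    "#{column} = ?"
  end
end

# The guard pattern CVE-2013-0155 defeated: check for nil, then query on the
# value. Returns the condition that would run, or nil when the guard stops it.
def reset_token_query(params, munge: true)
  params = deep_munge(params).first if munge
  token = params["token"]
  return nil if token.nil?
  predicate_for("token", token)
end
```

Note that deep munge mutates the hash it is given (as the middleware does) and that an empty array becomes `nil` too, which is the part that surprised people and prompted the logging change.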
* `rake routes` shows routes defined under assets prefix.
*Ryunosuke SATO*
* Extend cross-site request forgery (CSRF) protection to GET requests with
JavaScript responses, protecting apps from cross-origin `