Commit Graph

3614 Commits

Author SHA1 Message Date
Santiago Pastorino
63e67ea1a6 Do not mark strip_tags result as html_safe
Thanks to Marek Labos & Nethemba

CVE-2012-3465
2012-08-09 15:58:33 -03:00
Santiago Pastorino
b6a0a1166f escape select_tag :prompt values
CVE-2012-3463
2012-08-09 15:49:08 -03:00
Santiago Pastorino
d0c9759d3a html_escape should escape single quotes
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215
2012-08-06 21:39:35 -03:00
Aaron Patterson
28e744d682 adding a test for #6459 2012-06-14 10:55:30 -07:00
Aaron Patterson
f4174ad429 Array parameters should not contain nil values. 2012-06-10 22:47:42 -05:00
Aaron Patterson
5b83bbfab7 Strip [nil] from parameters hash.
Thanks to Ben Murphy for reporting this!

CVE-2012-2660
2012-05-30 15:13:55 -07:00
Rafael Mendonça França
a74b6a023b Merge pull request #3237 from sakuro/data-url-scheme
Support data: url scheme
2012-05-13 19:15:00 -03:00
Andrew White
e98893b189 Don't ignore nil positional arguments for url helpers - fixes #6196. 2012-05-10 22:07:14 +01:00
Andrew White
7336b33008 Refactor the handling of default_url_options in integration tests
This commit improves the handling of default_url_options in integration
tests by making it behave closer to how a real application operates.

Specifically the following issues have been addressed:

* Options specified in routes.rb are used (fixes #546)
* Options specified in controllers are used
* Request parameters are recalled correctly
* Tests can override default_url_options directly
2012-05-10 21:33:31 +01:00
Andrew White
0cfa6b71f2 Reset the request parameters after a constraints check
A callable object passed as a constraint for a route may access the request
parameters as part of its check. This causes the combined parameters hash
to be cached in the environment hash. If the constraint fails then any subsequent
access of the request parameters will be against that stale hash.

To fix this we delete the cache after every call to `matches?`. This may have a
negative performance impact if the constraint wraps a large number of routes as the
parameters hash is built by merging GET, POST and path parameters.

Fixes #2510.
(cherry picked from commit 56030506563352944fed12a6bb4793bb2462094b)
2012-05-03 00:02:08 +01:00
Andrew White
78c181b701 Escape interpolated params when redirecting - fixes #5688 2012-04-29 21:37:03 +01:00
Andrew White
8af2fd8891 Don't convert params if the request isn't HTML - fixes #5341
(cherry picked from commit d6bbd337ef)
2012-04-29 10:52:59 +01:00
Arun Agrawal
54d3645e93 :subdomain can now be specified with a value of false in url_for,
allowing for subdomain(s) removal from the host during link generation.

Closes #4083

cherry-picked from

de942e5534
96aa3bd0ea
2012-04-01 00:16:38 +05:30
Arun Agrawal
c1c62e8b1a Build fix for form_options_helper_test.rb ruby-1.8.7 2012-03-19 12:30:39 +05:30
Aaron Patterson
66b8ef164d Merge pull request #5457 from brianmario/typo-fix
Fix typo in redirect test
2012-03-15 15:22:56 -07:00
Aaron Patterson
47147a0555 Merge pull request #5456 from brianmario/redirect-sanitization
Strip null bytes from Location header
2012-03-15 14:58:49 -07:00
Arun Agrawal
d024ce1d6c Test fix failing in 1.8.7-p358 2012-03-07 18:27:58 +05:30
Aaron Patterson
11881ad478 Merge branch '3-1-4' into 3-1-stable
* 3-1-4:
  bumping to 3.1.4
  Ensure [] respects the status of the buffer.
  updating RAILS_VERSION
  use AS::SafeBuffer#clone_empty for flushing the output_buffer
  add AS::SafeBuffer#clone_empty
  fix output safety issue with select options
2012-03-01 09:51:21 -08:00
Andrew White
5c18b995c1 Detect optional glob params when adding non-greedy regexp - closes #4817. 2012-02-26 00:29:43 +00:00
Arun Agrawal
6e49b3d006 assert => assert_equal 2012-02-25 21:13:53 +05:30
Arun Agrawal
406ece4729 fixed build for ruby187-p358 2012-02-25 17:50:47 +05:30
Sergey Nartimov
1be2bbec31 fix output safety issue with select options 2012-02-20 15:42:19 -08:00
Andrew White
a7862366ff Remove fixture files with Windows incompatible filenames
Windows doesn't allow `\ / : * ? " < > |` in filenames so create
the fixture files at runtime and ignore the incompatible ones when
running on Windows.
2012-02-20 04:59:59 +00:00
Andrew White
5fcbb94edc Fix ActionDispatch::Static to serve files with unencoded PCHAR
RFC 3986[1] allows sub-delim characters in path segments unencoded,
however Rack::File requires them to be encoded so we use URI's
unescape method to leave them alone and then escape them again.

Also since the path gets passed to Dir[] we need to escape any glob
characters in the path.

[1]: http://www.ietf.org/rfc/rfc3986.txt
2012-02-17 14:16:45 +00:00
Piotr Sarnacki
238d80c24c Fix http digest authentication with trailing '/' or '?' (fixes #4038 and #3228) 2012-01-10 04:55:00 +01:00
Piotr Sarnacki
c2af40b679 Add original_fullpath and original_url methods to Request 2012-01-10 04:53:55 +01:00
Santiago Pastorino
b7c7f08c87 Pass extensions to javascript_path and stylesheet_path helpers. Closes #3417 2012-01-03 17:52:00 -02:00
José Valim
6d5a27aa6f Override respond_to? since we are also overriding method_missing. 2012-01-03 20:33:14 +01:00
Aaron Patterson
d5389523f4 rack bodies should be a list 2011-12-22 13:10:36 -07:00
Aaron Patterson
3e00e1f6e3 refactoring routing tests
Conflicts:

	actionpack/test/controller/routing_test.rb
2011-12-22 13:05:40 -07:00
Aaron Patterson
040b7946d2 adding tests for #4029 2011-12-20 19:52:33 -07:00
Aaron Patterson
4371be2125 use Array#join so that file encoding doesn't impact returned string.
Fixes #3957
2011-12-12 19:47:25 -08:00
Arun Agrawal
49bbdf29c2 Fix broken encoding test 2011-12-10 19:42:09 +05:30
Aaron Patterson
e568c67b67 load the encoding converter to work around [ruby-core:41556] when switching encodings 2011-12-08 15:12:07 -08:00
Santiago Pastorino
a2f4ef1d80 Merge pull request #3428 from adrianpike/asset_path_conflicts
Issue #3427 - asset_path_conflicts
2011-12-06 11:19:06 -02:00
Jon Leighton
1edef70e49 Don't html-escape the :count option to translate if it's a Numeric. Fixes #3685.
Conflicts:

	actionpack/CHANGELOG.md
2011-11-19 13:29:12 +00:00
lest
1b527d7985 _html translation should escape interpolated arguments 2011-11-17 23:08:10 +00:00
Alexander Uvarov
1d8c5769e3 Fix impractical I18n lookup in nested fields_for 2011-11-17 21:55:04 +06:00
Bradford Folkens
92955d0053 Fix trouble using :subdomain in development environment when using numeric addresses.
Otherwise the following occurs:

TypeError: can't convert nil into String
    /Users/bfolkens/dev/bfolkens-rails-core/actionpack/lib/action_dispatch/http/url.rb:75:in host_or_subdomain_and_domain'
    /Users/bfolkens/dev/bfolkens-rails-core/actionpack/lib/action_dispatch/http/url.rb:37:in url_for'
    /Users/bfolkens/dev/bfolkens-rails-core/actionpack/lib/action_dispatch/routing/url_for.rb:147:in test_subdomain_may_be_accepted_with_numeric_host'
    /Users/bfolkens/dev/bfolkens-rails-core/activesupport/lib/active_support/testing/setup_and_teardown.rb:67:in run'
    /Users/bfolkens/dev/bfolkens-rails-core/activesupport/lib/active_support/callbacks.rb:426:in send'
    /Users/bfolkens/dev/bfolkens-rails-core/activesupport/lib/active_support/callbacks.rb:81:in run'
2011-11-07 23:23:36 -06:00
Jon Leighton
75ae4b3492 Stub find_template so that when handle_render_error is called in ActionView::Template, we get to see the actual underlying error rather than a NoMethodError.
This shows an encoding bug on Ruby 1.9.3.
2011-11-03 19:08:52 +00:00
Santiago Pastorino
816f0b691d Merge pull request #1796 from jdeseno/master
link_to doesn't allow rel attribute when also specifying method
2011-11-01 01:09:55 -02:00
Christopher Meiklejohn
b23cd21c2d Ensure that the format isn't applied twice to the cache key, else it becomes impossible to target with expire_action. 2011-10-31 15:17:46 -04:00
José Valim
86a5271e74 Provide failing test case for #3298 #2509 2011-10-12 09:21:33 +02:00
José Valim
f23f5ec6cd Fix wrong indentation and remove extra spaces. 2011-10-12 09:01:00 +02:00
OZAWA Sakuro
c57aec50ef Support data: url scheme in asset paths. 2011-10-06 23:35:04 +09:00
Santiago Pastorino
4f2c238f3a stylesheet_link_tag('/stylesheets/application') and similar helpers don't throw Sprockets::FileOutsidePaths exception anymore 2011-10-05 15:42:25 -02:00
José Valim
d9d1bb2fb9 Fix the lame config.action_controller.present? check scattered throughout assets_path. 2011-10-05 02:28:40 +02:00
José Valim
db8db4a466 Ensure default_asset_host_protocol is respected, closes #2980. 2011-10-05 02:07:25 +02:00
José Valim
f63b1dee65 TestCase should respect the view_assigns API instead of pulling variables on its own. 2011-10-02 11:33:12 +02:00
Santiago Pastorino
7e2de385fe javascript_path and stylesheet_path should honor the asset pipelining 2011-09-28 20:13:56 -03:00