Charlie Somerville
76ad4030e5
whoops, we don't want to create an output_buffer local
2014-10-07 16:35:37 +11:00
Charlie Somerville
d69e65ab34
use bytesize and byteslice rather than length and slice!
2014-10-07 16:29:14 +11:00
Charlie Somerville
8b5e2df964
shut this deprecation warning up for now
2014-09-19 18:26:17 +10:00
Aaron Patterson
6a051299f9
Feature detect based on Ruby version.
...
I didn't want to do this, FNM_EXTGLOB is defined on 2.1.x, but Dir.glob
returns the wrong value on Ruby less than 2.2.0. Checking for a
case-insensitive FS seems too hard, so just check Ruby version.
2014-05-18 12:00:57 -07:00
Aaron Patterson
c40df47055
feature detect for FNM_EXTGLOB for older Ruby. Fixes #15053
2014-05-10 11:53:02 -07:00
Aaron Patterson
03e016f22a
use fnmatch to test for case insensitive file systems
...
this is due to:
https://bugs.ruby-lang.org/issues/5994
2014-05-09 14:46:46 -07:00
Rafael Mendonça França
a3bda38467
Merge branch '3-2-17' into 3-2-stable
...
Conflicts:
actionpack/CHANGELOG.md
2014-02-18 15:57:32 -03:00
Rafael Mendonça França
388d2f8888
Use the reference for the mime type to get the format
...
Before we were calling to_sym on the mime type, even when it is unknown,
which can cause denial of service since symbols are not removed by the
garbage collector.
Fixes: CVE-2014-0082
2014-02-18 15:02:54 -03:00
Rafael Mendonça França
eaa2101b29
Escape format, negative_format and units options of number helpers
...
Previously the values of these options were trusted, leading to
potential XSS vulnerabilities.
Fixes: CVE-2014-0081
2014-02-18 15:02:29 -03:00
Carlos Antonio da Silva
31a485fa5a
Merge pull request #13183 from sorah/never_ignore_i18n_translate_raise_option
...
Escalate missing error when :raise is true in translate helper, fix regression introduced by security fix.
Conflicts:
actionpack/CHANGELOG.md
2013-12-04 22:34:15 -02:00
Rafael Mendonça França
c82025fcd6
Fix documentation of number_to_currency helper
...
Now users have to explicitly mark the unit as safe if they trust it.
Closes #13161
2013-12-04 10:22:46 -02:00
Michael Koziarski
78790e4bce
Stop using i18n's built in HTML error handling.
...
i18n doesn't depend on active support which means it can't use our html_safe
code to do its escaping when generating the spans. Rather than try to sanitize
the output from i18n, just revert to our old behaviour of rescuing the error
and constructing the tag ourselves.
Fixes: CVE-2013-4491
Conflicts:
actionpack/lib/action_view/helpers/translation_helper.rb
Backport: 50afd8eec9d088ad5a2d41f00a05520d5b78a6a0
2013-12-02 14:02:15 -08:00
Michael Koziarski
5ed70c591f
Escape the unit value provided to number_to_currency
...
Fixes CVE-2013-6415
Previously the values were trusted blindly allowing for potential XSS attacks.
2013-12-02 13:49:41 -08:00
Aaron Patterson
bee3b7f937
Only use valid mime type symbols as cache keys
...
CVE-2013-6414
2013-11-30 17:03:18 -08:00
Kassio Borges
424a5a7d46
fix issue #11605
2013-08-24 15:24:36 -03:00
Rafael Mendonça França
2553bd785c
Merge pull request #10971 from dtaniwaki/escape_link_to_unless
...
Always escape the result of link_to_unless method
2013-06-24 16:15:56 -03:00
Rafael Mendonça França
9f754e801f
Compare host scheme using case-insensitive regexp
...
Before:
image_tag("HTTP://google.com ")
# => "<img alt=\"Google\" src=\"/assets/HTTP://google.com \" />"
image_tag("http://google.com ")
# => "<img alt=\"Google\" src=\"http://google.com \" />"
After:
image_tag("HTTP://google.com ")
# => "<img alt=\"Google\" src=\"HTTP://google.com \" />"
image_tag("http://google.com ")
# => "<img alt=\"Google\" src=\"http://google.com \" />"
Backport of #10969
2013-06-16 22:05:26 -03:00
Ben Tucker
5a6d9d5491
Merging in fix from #8222
2013-05-06 09:36:40 -04:00
Ryan McGeary
44a9aedd7b
Fix explicit names on multiple file fields
...
If a file field tag is passed the multiple option, it is turned into an
array field (appending "[]"), but if the file field is passed an
explicit name as an option, leave the name alone (do not append "[]").
Fixes #9830
2013-04-05 15:35:20 -04:00
Dmitry Vorotilin
2c22376fe0
Common behavior with adding formats to lookup_context for TemplateRenderer and PartialRenderer
2013-04-02 10:36:23 -07:00
hoffm
1b12d08a0f
Backport #9347 to rails 3.2
2013-03-19 09:30:50 -05:00
Yves Senn
f662a748a5
do not freeze NumberHelper defaults.
...
Closes #9767.
2013-03-18 16:51:35 +01:00
Juan Barreneche
ce755697fc
Extract hardcoded lists to Redo::RestaurantsList
2013-03-14 18:02:20 -03:00
Carlos Antonio da Silva
a0c3c1e1f7
Merge pull request #9616 from exviva/multiple_select_name_double_square_brackets
...
Fix incorrectly appended square brackets to a multiple select box
Before:
select(:category, [], {}, {:multiple => true, :name => "post[category][]"})
# => <select name="post[category][][]" ...>
After:
select(:category, [], {}, {:multiple => true, :name => "post[category][]"})
# => <select name="post[category][]" ...>
Conflicts:
actionpack/CHANGELOG.md
actionpack/lib/action_view/helpers/tags/base.rb
actionpack/test/template/form_options_helper_test.rb
2013-03-09 12:05:30 -03:00
Carlos Antonio da Silva
fdcd7c0f2e
Change tabs to spaces in form options helper [ci skip]
2013-02-21 12:48:45 -03:00
Rodrigo Rosenfeld Rosas
d82b5db059
Add another NumberHelper missing dependency
...
Another missing dependency, now affecting #number_to_percentage.
It depends on reverse_merge.
2013-01-29 17:13:39 -02:00
Rodrigo Rosenfeld Rosas
56fd56406c
Add NumberHelper missing dependency
...
symbolize_keys depends on hash/keys AS core extension
2013-01-29 16:34:48 -02:00
Carlos Antonio da Silva
756188b512
Do not call fields_for from form_for, to avoid instantiating two builders
...
Conflicts:
actionpack/lib/action_view/helpers/form_helper.rb
actionpack/test/template/form_helper_test.rb
2013-01-06 11:06:26 -02:00
Carlos Antonio da Silva
4179470f01
Merge pull request #8719 from pcasaretto/fix-actionview-doc-typo
...
Fix typo on form_tag_helper.rb [ci skip]
2013-01-03 11:24:34 -02:00
jasl
ea881ca85a
fix block.arity raising a nil error when not given a block to "content_tag_for"
2013-01-02 16:48:09 +08:00
Andrew White
fbf23ed933
Make distance_of_time_in_words work with DateTime offsets
...
Because DateTime#to_time returns self when it has a non-zero offset
and subtracting two DateTime instances returns a Rational, the
distance_of_time_in_words method outputs an incorrect value.
This is fixed in master because we can rely on Ruby 1.9.3's
implementation of to_time, but it can't be fixed on Ruby 1.8.7 as
there is no way to map the DateTime to a Time with a non-zero offset.
We can work around the problem by casting to Float before doing
the subtraction in the distance_of_time_in_words method.
Closes #8390
2012-12-04 14:21:52 +00:00
Andrew White
18e1227312
Make output of distance_of_time_in_words consistent
...
This commit fixes the output of distance_of_time_in_words when
using integer or duration arguments. Previously a distance of
more than 30 seconds would be output as 'Less than 1 minute'
when using integer arguments and '1 minute' when using two
Time instances more than 30 seconds apart.
Cherry picked from 5fdd4cd9e47be972f146a8a17a74c8f4700e2ac0
2012-12-04 14:21:52 +00:00
Jeremy Kemper
9d6e502f81
Override <%== to always behave as literal text rather than toggling based on whether escaping is enabled. Fixes that existing plaintext email templates using <%== unexpectedly flipped to *escaping* HTML when #8235 was merged.
...
Conflicts:
actionpack/test/template/template_test.rb
2012-12-03 10:32:23 -07:00
Rafael Mendonça França
eaa0d0b774
Merge pull request #8402 from senny/8376_descriptive_error_message_for_partial_layout_true
...
More descriptive error when rendering a partial with `:layout => true`
Conflicts:
actionpack/CHANGELOG.md
actionpack/lib/action_view/renderer/partial_renderer.rb
2012-12-02 15:16:58 -02:00
Steve Klabnik
1a876f6228
Add i18n scope to distance_of_time_in_words.
...
This is a backport of rails/rails#7997.
2012-11-26 10:41:20 -08:00
José Valim
666a7e34f5
Merge pull request #8235 from tilsammans/dont_escape_actionmailer_when_plaintext
...
Introduce `ActionView::Template::Handlers::ERB.escape_whitelist`
Conflicts:
actionpack/CHANGELOG.md
actionpack/test/template/template_test.rb
2012-11-16 09:59:15 -02:00
DawidJanczak
89a8143d36
[ci skip] Correct examples for form_tag helper.
2012-11-14 11:56:15 +00:00
Rafael Mendonça França
2a6f208ee1
Merge pull request #8108 from Casecommons/fix-multiple-and-index-in-instance-tag
...
Support :multiple option on input tags that also have :index
Conflicts:
actionpack/lib/action_view/helpers/tags/base.rb
actionpack/lib/action_view/helpers/tags/collection_check_boxes.rb
2012-11-08 14:34:51 -02:00
Rafael Mendonça França
6b7cd20ab3
Revert "Merge pull request #7797 from senny/7459_prefix_tempalte_assertion_variables"
...
This reverts commit 2bad605873.
Conflicts:
actionpack/CHANGELOG.md
Reason: This added a regression related to shoulda-matchers, since it
is expecting the instance variable @layouts
See 9e1188eea6/lib/shoulda/matchers/action_controller/render_with_layout_matcher.rb (L74)
This will introduce back #7459, but this stable release will be backward compatible.
Related to #8068.
2012-10-30 23:52:51 -02:00
Riley
380800e4a2
Accept :remote as symbol in link_to options
...
Accept either :remote or 'remote' in both the html_options and
(url_)options hash arguments to link_to.
2012-10-06 17:23:04 -04:00
Rafael Mendonça França
2bad605873
Merge pull request #7797 from senny/7459_prefix_tempalte_assertion_variables
...
prefix TemplateAssertions ivars.
Closes #7459
Conflicts:
actionpack/lib/action_controller/test_case.rb
actionpack/lib/action_view/test_case.rb
2012-10-01 23:58:05 -03:00
Vasiliy Ermolovich
4b1985578a
correct handling of date selects when using both disabled and discard options
...
we should take the disabled option not only from the `html_options` hash but from
the `options` hash too, like the `build_select` method does. So
datetime_select("post", "updated_at", { :discard_minute => true }, { :disabled => true })
datetime_select("post", "updated_at", :discard_minute => true , :disabled => true)
both of these variants work now
closes #7431
2012-08-25 18:48:14 +03:00
Rafael Mendonça França
c091fae21f
Merge pull request #7410 from sandeepravi/default_options_helper_value
...
option_tags coerced to "" instead of nil
Closes #7404
2012-08-21 13:44:54 -03:00
Santiago Pastorino
7987e7419a
Merge branch '3-2-8' into 3-2-stable
2012-08-09 18:15:59 -03:00
Santiago Pastorino
e91e4e8bbe
Do not mark strip_tags result as html_safe
...
Thanks to Marek Labos & Nethemba
CVE-2012-3465
2012-08-09 16:06:17 -03:00
Santiago Pastorino
6d0526db91
escape select_tag :prompt values
...
CVE-2012-3463
2012-08-09 15:48:17 -03:00
Prem Sichanugrist
6c4673030e
Rearrange example output of javascript_include_tag
2012-08-06 16:38:52 -04:00
Prem Sichanugrist
8e2a05b33d
Do not include application.js if it doesn't exist
...
Rails was including 'application.js' in the pack when using
`javascript_include_tag :all` even when there's no application.js in the
public directory.
2012-08-06 16:38:52 -04:00
Rafael Mendonça França
f50a5d2eee
Revert "Deprecate link_to_function and button_to_function helpers"
...
This reverts commit 9dc57fe9c4.
2012-08-01 16:00:47 -03:00
Rafael Mendonça França
e826a5c749
Revert "Deprecate :mouseover options for image_tag helper."
...
This reverts commit 1aff7725c7.
Conflicts:
actionpack/CHANGELOG.md
2012-08-01 15:58:56 -03:00