ActionView::Helpers::UrlHelper#url_for used to escape the URLs it generated by
default. This was most commonly seen when generating a path with multiple
query parameters, e.g.
url_for(:controller => :foo, :action => :bar, :this => 123, :that => 456)
would return
http://example.com/foo/bar?that=456&this=123
escaping an ampersand that shouldn't be escaped. This is both wrong and
inconsistent with the behavior of ActionController#url_for, and is changed.
Signed-off-by: Michael Koziarski <michael@koziarski.com>
By using config rather than hardcoded constants, we can evolve the
configuration system over time (we'd just need to update the config
method with more robust capabilities and all consumers would get
the capabilities with no code changes)
This consists of:
* String#html_safe! a method to mark a string as 'safe'
* ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it
* Calls to String#html_safe! throughout the rails helpers
* a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presantized strings in the DB)
* New ERB implementation based on erubis which uses a SafeBuffer instead of a String
Hat tip to Django for the inspiration.
state:resolved]
The test case now mimicks the template environment more closely, so it's
possible to use render, load helper dependencies.
This also fixes assert_select, and similar assertions. Because view tests
and helpers generally don't render full templates assert_select looks
first in rendered and then in output_buffer to find the rendered output.
Additional `master'-only changes: Made the Action Pack Rakefile run the
ActionView::TestCase tests, and made ActionView::Rendering#_render_text
always return a string.
Signed-off-by: Joshua Peek <josh@joshpeek.com>
* request.formats is much simpler now
* For XHRs or Accept headers with a single item, we use the Accept header
* For other requests, we use params[:format] or fallback to HTML
* This is primarily to work around the fact that browsers provide completely
broken Accept headers, so we have to whitelist the few cases we can
specifically isolate and treat other requests as coming from the browser
* For APIs, we can support single-item Accept headers, which disambiguates
from the browsers
* Requests to an action that only has an XML template from the browser will
no longer find the template. This worked previously because most browsers
provide a catch-all */*, but this was mostly accidental behavior. If you
want to serve XML, either use the :xml format in links, or explicitly
specify the XML template: render "template.xml".
* only one of partial_name or :as will be available as a local
* `object` is removed
* Simplify _layout_for in most cases.
* Remove <% render :partial do |args| %>
* <% render :partial do %> still works fine
* Call _evaluate_assigns_and_ivars at the two entry points so we don't have to
do a check at every render.
* Make template.render viable without having to go through a wrapper method
* Remove old TemplateHandler#render(template, local_assigns) path so we don't have
to set self.template every time we render a template.
* Move Template rescuing code to Template#render so it gets caught every time.
* Pull in some tests from Pratik that test render @object in ActionView
