github/rails
1
1
Fork 0
mirror of https://github.com/github/rails.git synced 2026-01-14 17:18:04 -05:00
Code Issues Packages Projects Releases Wiki Activity
10,305 Commits 34 Branches 105 Tags
github33
Commit Graph

3925 Commits

Author SHA1 Message Date
Charlie Somerville
e423b0095f fix broken tests and warnings 2013-08-07 00:46:51 -07:00
Charlie Somerville
3f416f3a54 remove obsoleted usage of URI.unescape 2013-08-07 00:02:27 -07:00
Charlie Somerville
06d4ca0254 establish a baseline by skipping all tests failing before 2.0.0 2013-08-06 17:41:45 -07:00
Aaron Patterson
37ea897a44 fix protocol checking in sanitization [CVE-2013-1857] 
Conflicts:
	actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
	actionpack/test/controller/html-scanner/sanitizer_test.rb
 2013-03-18 15:01:49 -03:00
Aman Gupta
55d463eeea merge routing_tricks plugin for subdomain routing 2013-03-05 17:21:59 -08:00
Aman Gupta
76d83c0d5c use OutputBuffer#safe_append= for <%== to avoid extra string allocations 2013-02-26 01:07:29 -08:00
Aman Gupta
e43316238d flush whitespace before statements to preserve line numbers 2013-02-25 22:13:11 -08:00
Aman Gupta
331461a65e optimize generated erb to reduce method calls 
before:

        ');@output_buffer.append= ( content_icon row[:content] );@output_buffer.safe_concat('
');@output_buffer.safe_concat('        ');@output_buffer.append= ( spinner_img );@output_buffer.safe_concat('
');@output_buffer.safe_concat('      </td>
      <td class="content">
        ');@output_buffer.append= ( content_link row[:content] );@output_buffer.safe_concat('
');@output_buffer.safe_concat('      </td>
      <td class="message">
');

after:

        ';@output_buffer.append=( content_icon row[:content] );@output_buffer.safe_append='
        ';@output_buffer.append=( spinner_img );@output_buffer.safe_append='
      </td>
      <td class="content">
        ';@output_buffer.append=( content_link row[:content] );@output_buffer.safe_append='
      </td>
      <td class="message">
';
 2013-02-22 02:56:17 -08:00
Aman Gupta
fd05501b4d ActionView::OutputBuffer and Erubis handler from rails 3.2 2013-02-21 06:03:01 -08:00
Aman Gupta
1c215bab58 integrate monkey-patches from rails_xss/action_view 2013-02-21 03:20:01 -08:00
Aman Gupta
c7238a0746 faster html escaping code from rails master 2013-02-21 02:44:37 -08:00
Xavier Noria
2eede7e5ac s/escape_once/html_escape/, since html safety is the contract that now says whether something has to be escaped 
Conflicts:
	actionpack/CHANGELOG
	actionpack/lib/action_view/helpers/form_tag_helper.rb
	actionpack/lib/action_view/helpers/url_helper.rb
	actionpack/test/template/url_helper_test.rb
 2013-02-16 20:44:20 -08:00
Xavier Noria
507b8182cf url_for no longer escapes HTML, the :escape option is also gone 
Rationale: url_for is just a path/URL generator, it is the responsability of the caller to escape conveniently HTML needs it, JavaScript needs different escaping, a text mail needs no escaping at all, etc.

Backported to 2.3. Conflicts:
	actionpack/CHANGELOG
	actionpack/lib/action_view/helpers/url_helper.rb
	actionpack/test/template/url_helper_test.rb
 2013-02-16 20:32:13 -08:00
rizwanreza
3df96518be Allow content_tag options to take an array [#1741 state:resolved] [rizwanreza, Nick Quaranto] 
Example:
  content_tag('p', "limelight", :class => ["song", "play"])
  # => <p class="song play">limelight</p>

Signed-off-by: Pratik Naik <pratiknaik@gmail.com>
 2013-02-16 20:22:41 -08:00
Aman Gupta
b18f5c9af1 bump mocha dependency 2012-12-08 20:35:13 -08:00
Aman Gupta
ba9248e6e3 Remove call to Kernel#gem 2012-11-09 14:47:38 -08:00
Ryan Tomayko
899e99a025 pin to rack ~> 1.1 instead of ~> 1.1.0 
Some pretty gnarly bugs and security issues are present in the
latest rack 1.1.x release. There are 1.2.x and 1.3.x releases that
correct these.

This changes the gem dependencies to allow for rack versions > 1.1.
At GitHub we're on 1.2.4 (latest 1.2.x release at present) and
should have some results from real world testing soon.
 2011-11-17 12:51:32 -08:00
Aaron Patterson
60f783d9ce fixing strip tags vulnerability 2011-08-16 14:58:13 -07:00
Aaron Patterson
fb1588c5ff 2.3.14. yay. :'( 2011-08-16 14:57:05 -07:00
Aaron Patterson
dea5a10f71 bumping to 2.3.13 2011-08-16 14:34:14 -07:00
Aaron Patterson
11dafeaa75 fixing response splitting problem 2011-08-16 14:25:45 -07:00
Xavier Noria
78a1fda7c8 contrib app minor tweak 2011-07-27 13:23:42 -07:00
Ryan Davis
79aa54d0c7 + Switched to newer rdoc and gem package tasks (and their requires). 
+ Fixed deprecated usage in gemspecs.

Bumped the version to 2.3.12 so I could test locally with actual
installs. If this is bad form for this project, please beat me up and
I'll split them out.
 2011-05-25 01:49:15 -07:00
José Valim
d793a56121 Merged pull request #198 from robdimarco/2-3-stable. 
Patch for issue 6440 - Session Reset undefined method `destroy' for {}:Hash
 2011-04-28 00:37:53 -07:00
gmarik
b0be721dd9 respect :expire_after option 
- it was broken after
[commit](e0eb8e9c65)
- there's also
[issue](https://rails.lighthouseapp.com/projects/8994/tickets/6634-railsrack-inconsistency-about-expires_afterexpires-cookie-option)

- also: maybe it worth making Rack understand :expire_after as we
duplicate same logic in [cookie_store](https://github.com/gmarik/rails/blob/v2.3.11/actionpack/lib/action_controller/session/cookie_store.rb#L114)

Signed-off-by: José Valim <jose.valim@gmail.com>
 2011-04-14 13:48:35 +02:00
Rob Di Marco
8ca8ac379d Fixed bug 6440 by checking that destroy exists on the session 2011-02-28 22:54:03 -05:00
Rob Di Marco
589ce09564 Unit test that shows calling reset session twice results in an exception 2011-02-28 22:53:36 -05:00
Michael Koziarski
b0c3d451a2 Prepare for the 2.3.11 release 2011-02-09 09:30:53 +13:00
Michael Koziarski
7e86f9b4d2 Change the CSRF whitelisting to only apply to get requests 
Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets.  To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header:

 X-CSRF-Token: ...

This fixes CVE-2011-0447
 2011-02-09 09:20:17 +13:00
Michael Koziarski
abe97736b8 Be sure to javascript_escape the email address to prevent apostrophes inadvertently causing javascript errors. 
This fixes CVE-2011-0446
 2011-02-09 09:20:16 +13:00
Johnathan Ritzi
4f0c8ef9f1 Fix doc for #check_box [#6311 state:resolved] 
Signed-off-by: Xavier Noria <fxn@hashref.com>
 2011-01-19 08:47:19 +01:00
Michael Koziarski
6d916329b8 Require thread explicitly rather than relying on rubygems to do it. 2010-12-20 11:16:55 +13:00
Pascal Friederich
e0eb8e9c65 Let Rack::Utils.set_cookie_header! create the Set-Cookie header instead of manually fiddling with the response headers [#4941 state:resolved] 
Signed-off-by: José Valim <jose.valim@gmail.com>
 2010-12-01 11:58:45 +01:00
José Valim
2826324e56 Revert "Fix AbstractStore so that it preserves Set-Cookie header as an array, rather than as newline separated strings" 
This reverts commit 36b91e34f4.

Conflicts:

	actionpack/test/activerecord/active_record_store_test.rb
 2010-12-01 11:48:31 +01:00
Andrew White
25139ac92c Don't write out secure cookies unless the request is secure 2010-10-27 15:04:29 +01:00
Andrew White
0e52a609fd Don't create a deprecation proxy object if the variable was passed in local_assigns [#1671 state:resolved] 2010-10-26 12:57:21 +01:00
Aaron Patterson
df78de2bc8 removing space errors 2010-10-21 10:30:18 -07:00
Omar Qureshi
36b91e34f4 Fix AbstractStore so that it preserves Set-Cookie header as an array, rather than as newline separated strings 2010-10-21 10:28:54 -07:00
Michael Koziarski
f5ed5c317e Prepare for the 2.3.10 release 2010-10-15 08:41:59 +13:00
Geoff Buesing
f2e32e4fd7 require 'uri' in action_controller/url_rewriter [#5555 state:resolved] 
Signed-off-by: José Valim <jose.valim@gmail.com>
 2010-10-12 00:58:29 +02:00
Michael Koziarski
dbbf2fd19c Revert "Makes form_helper use overriden model accessors backport" 
This change introduced breakages and test failures.

This reverts commit 8141f0894e.
 2010-09-27 12:20:54 +13:00
W. Andrew Loe III
17f2fb44c0 Only send secure cookies over SSL. 2010-09-14 11:52:40 -07:00
Andrew Kaspick
a159fd0b8c Fix fixtures in integration test sessions 
Signed-off-by: Michael Koziarski <michael@koziarski.com>
 2010-09-10 10:45:23 +12:00
Mikel Lindsaar
597fb1da94 Adding documentation to redirect_to and status code option references 2010-09-09 14:00:09 +10:00
Mislav Marohnić
c6e33d30c1 fix setting session cookie with activerecord and memcache store 
Commit f8f3653 broke setting the session ID cookie for requests without 'HTTP_COOKIE' header
when using activerecord or memcache store. Integration tests didn't catch this because they
always set the HTTP_COOKIE header for mock requests, so now this is changed to only set the
header if there are cookies.

[#5581 state:committed]

Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
 2010-09-08 12:59:48 -03:00
Jeremy Kemper
a61a39ecd4 Rails 2.3.9 2010-09-04 14:36:40 -07:00
Jeremy Kemper
b2c91983dc Prepare for Rails 2.3.9. Release 2.3.9.pre gems. 2010-08-29 20:19:05 -07:00
Santiago Pastorino
43e2bbe28e Making time_zone_options_for_select return a html_safe string master backport 2010-08-15 10:07:38 -03:00
Santiago Pastorino
8141f0894e Makes form_helper use overriden model accessors backport 
[#3374]
 2010-08-01 19:49:45 -03:00
Santiago Pastorino
a5d8c95a7c Changes the usage of Object#returning with Object#tap 
Signed-off-by: José Valim <jose.valim@gmail.com>
 2010-07-25 22:49:06 +02:00