744 Commits

Author SHA1 Message Date
Charlie Somerville
221477dc21 fix this bit 2014-01-21 12:51:40 +11:00
Mislav Marohnić
18c7c1f753 Disable auto-generated form field IDs by passing nil for "id" attribute
Previously it was not possible to opt out of auto-generated ID values
for various form fields.
2014-01-13 13:22:06 -08:00
Nathan Witmer
72cebbcb59 Escape the unit value provided to number_to_currency
Fixes CVE-2013-6415.

Previously the values were trusted blindly allowing for potential XSS attacks.

This is different from the original upstream patch for 3.x in that return values
from other number helper methods are not marked as html_safe, so the html
escaping always applies. This requires applications to explicitly set .html_safe
on unit strings and number separators when calling number_to_currency.
2013-12-03 14:32:26 -07:00
Charlie Somerville
aa4dfa6937 delete link_to_function and button_to_function 2013-10-24 12:46:41 -04:00
Charlie Somerville
ca7a53cbe9 fix tests 2013-10-24 12:46:30 -04:00
Charlie Somerville
6db8e71ad8 delete tests that hit PrototypeHelper 2013-10-24 12:25:38 -04:00
Charlie Somerville
a4274b33f7 rip out scriptaculous 2013-10-24 12:23:20 -04:00
Charlie Somerville
9645f8be89 delete prototype.js helpers 2013-10-24 12:21:25 -04:00
Charlie Somerville
06d4ca0254 establish a baseline by skipping all tests failing before 2.0.0 2013-08-06 17:41:45 -07:00
Xavier Noria
2eede7e5ac s/escape_once/html_escape/, since html safety is the contract that now says whether something has to be escaped
Conflicts:
	actionpack/CHANGELOG
	actionpack/lib/action_view/helpers/form_tag_helper.rb
	actionpack/lib/action_view/helpers/url_helper.rb
	actionpack/test/template/url_helper_test.rb
2013-02-16 20:44:20 -08:00
rizwanreza
3df96518be Allow content_tag options to take an array [#1741 state:resolved] [rizwanreza, Nick Quaranto]
Example:
  content_tag('p', "limelight", :class => ["song", "play"])
  # => <p class="song play">limelight</p>

Signed-off-by: Pratik Naik <pratiknaik@gmail.com>
2013-02-16 20:22:41 -08:00
Michael Koziarski
abe97736b8 Be sure to javascript_escape the email address to prevent apostrophes inadvertently causing javascript errors.
This fixes CVE-2011-0446
2011-02-09 09:20:16 +13:00
Michael Koziarski
dbbf2fd19c Revert "Makes form_helper use overridden model accessors backport"
This change introduced breakages and test failures.

This reverts commit 8141f0894e.
2010-09-27 12:20:54 +13:00
Santiago Pastorino
43e2bbe28e Making time_zone_options_for_select return a html_safe string master backport 2010-08-15 10:07:38 -03:00
Santiago Pastorino
8141f0894e Makes form_helper use overridden model accessors backport
[#3374]
2010-08-01 19:49:45 -03:00
Michael Koziarski
cbf36cf57c Revert "make text_field and hidden_field omit the value attribute if the developer explicitly passes in :value => nil [#4839 state:reopened]"
This reverts commit 52c922fad1
2010-06-23 16:54:05 +12:00
Michael Koziarski
52c922fad1 make text_field and hidden_field omit the value attribute if the developer explicitly passes in :value => nil [#4839 state:resolved]
Signed-off-by: Michael Koziarski <michael@koziarski.com>

Conflicts:

	actionpack/lib/action_view/helpers/form_helper.rb
2010-06-23 16:25:19 +12:00
Michael Koziarski
5796a92433 Merge commit 'mislav/auto_link_2-3-stable' into 2-3-stable 2010-05-29 14:05:21 +12:00
Jeremy Kemper
f7e27bd078 i18n: t() handles single keys returning an Array, also 2010-05-24 20:41:28 -07:00
Jeremy Kemper
6a9e188c0c HTML safety: fix textarea with nil content 2010-05-24 20:13:07 -07:00
José Valim
50f3754525 Ensure translations work with symbols. 2010-05-24 23:38:49 +02:00
Santiago Pastorino
4986d5ed04 translate helper method using an array is deprecated
Signed-off-by: José Valim <jose.valim@gmail.com>
2010-05-24 23:38:48 +02:00
Santiago Pastorino
6b0616d1b8 translation method of TranslationHelper module returns a SafeBuffer Array backport
[#4675 state:committed]

Signed-off-by: José Valim <jose.valim@gmail.com>
2010-05-24 20:56:44 +02:00
Santiago Pastorino
d3da1a2c66 Revert "translation method of TranslationHelper module returns always SafeBuffer [#4194 status:resolved]"
This reverts commit 2310aef29b.

Signed-off-by: José Valim <jose.valim@gmail.com>
2010-05-24 20:56:44 +02:00
Lance Ivy
9e08e196fa Ensure auto_link does not ignore multiple trailing punctuations
[#2504 state:resolved]
2010-05-24 11:47:36 +02:00
Mislav Marohnić
17b4fd25e4 avoid auto_linking already linked emails; more robust detection of linked URLs
References #1523  [#1862 state:resolved]  [#3591 state:resolved]

Add test that shows how link text can contain HTML if needed:
the trick is using block form in combination with `raw`.
Let link text be automatically HTML-escaped

[#2017 state:resolved]
2010-05-24 11:18:20 +02:00
Mislav Marohnić
bd9ca9aed0 auto_link: support arbitrary URI schemes like "ftp:" and "file:"
recognizes all URI scheme allowed characters, such as colon and period.

[#3494 state:resolved]
2010-05-24 11:18:20 +02:00
Santiago Pastorino
adcfb4e8bd simple_format should return html_safe but not escape text, that's for rails_xss plugin [#3767 state:committed]
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
2010-05-07 11:56:53 -07:00
Jeremy Kemper
9e262de3d8 Fix backport error: wrong exception name 2010-04-24 19:38:10 -07:00
Cezary Baginski
ec7716abcd actionpack: added missing encoding comments [#4466 state:resolved]
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
2010-04-24 17:30:59 -07:00
Jeremy Kemper
f6e71c674c Expect an incompatible encoding exception when a template with a magic comment renders a partial without one and its source encoding doesn't match the default external encoding 2010-04-24 17:12:05 -07:00
Jeremy Kemper
fb545f4c60 Expect an incompatible encoding exception when a template doesn't have a magic comment and its source encoding doesn't match the default external encoding 2010-04-24 17:12:00 -07:00
Jeremy Kemper
70034d820f Ensure ERB source begins with the encoding comment 2010-04-24 17:04:50 -07:00
Jeremy Kemper
81e06075b7 Ruby 1.9: ERB template encoding using a magic comment at the top of the file 2010-04-24 17:01:52 -07:00
Vicki Ball
dae247316d made error_message_on work by passing in the object name if there is no object [#3246 state:resolved]
Signed-off-by: José Valim <jose.valim@gmail.com>
2010-04-10 14:02:34 +02:00
Santiago Pastorino
958b0e977a fix stack trace lines on class_eval
Signed-off-by: José Valim <jose.valim@gmail.com>
2010-04-09 22:06:51 +02:00
Santiago Pastorino
cfb31edb54 Generate routes for nested resources with nil object raise RoutingError [#4262 state:committed]
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
2010-04-06 21:28:51 -07:00
Jeremy Kemper
aa48c79ae4 HTML safety: give a deprecation warning if an array of option tags is passed to select tag. Be sure to join the tag yourself and mark them .html_safe 2010-03-31 19:49:29 -07:00
Bruno Michel
26f2cce232 button_to should generate an html_safe string
Signed-off-by: Michael Koziarski <michael@koziarski.com>
2010-03-22 14:07:42 +13:00
Santiago Pastorino
9cfa87519d scope_key_by_partial fix for Ruby 1.9 when there's virtual_path
[#4202 state:committed]

Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
2010-03-16 16:05:24 -07:00
Santiago Pastorino
2310aef29b translation method of TranslationHelper module returns always SafeBuffer [#4194 status:resolved]
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
2010-03-16 13:49:59 -07:00
Santiago Pastorino
056f957b22 There's a Ruby issue with File.basename: different versions return different things, so we shouldn't test that
[#4174]

Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
2010-03-14 13:37:30 -07:00
Santiago Pastorino
d3a8152203 Adds disable option to date_helpers generated hidden fields when html_options specifies it. ht by Marc Schütz
[#3807 state:committed]

Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
2010-03-05 13:49:23 -08:00
Santiago Pastorino
0307dbaba9 add time_separator for minutes only if minutes aren't hidden
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
2010-02-24 18:41:29 -08:00
Santiago Pastorino
39bcf14b34 missing html_safe added and tests 2010-02-19 15:34:18 -08:00
Santiago Pastorino
397262a4ee i18n translate with arrays issue solved 2010-02-19 14:03:50 -08:00
Martin Andert
6227ec11f0 Fix error_messages_for i18n issue if object_name has underscores [#3629 status:resolved]
Signed-off-by: José Valim <jose.valim@gmail.com>
2010-02-17 21:07:05 +01:00
Santiago Pastorino and José Ignacio Costa
4158282e32 simple_format returns a safe buffer escaping unsafe input [Santiago Pastorino] (Closes #3767)
Signed-off-by: David Heinemeier Hansson <david@loudthinking.com>
2010-02-12 17:25:11 -08:00
Gabriel Mansour
6451e864b9 Fix pluralization for numbers formatted like '1.00'
Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
2010-02-07 12:15:10 -08:00
Santiago Pastorino and José Ignacio Costa
9ca6df83f6 Backport html_safe. Use latest rails_xss plugin for forward-compatibility with Rails 3. 2010-02-05 11:07:56 -08:00