rails

mirror of https://github.com/github/rails.git synced 2026-04-04 03:00:58 -04:00

Files

Michael Koziarski 80da8eb43d Merge the prerequisites for on-by-default XSS escaping into rails.

This consists of:

* String#html_safe! a method to mark a string as 'safe'
* ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it
* Calls to String#html_safe! throughout the rails helpers
* a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presantized strings in the DB)

Note, this does *not* give you on-by-default XSS escaping in 2.3 applications.  To get that you'll need to install a plugin:

http://github.com/nzkoz/rails_xss

2009-10-08 13:59:21 +13:00

activerecord

Revert "Only save the session if we're actually writing to it [#2703 state:resolved]"

2009-05-30 09:36:32 -05:00

controller

Monkey patch Rack::Lint to allow string subclass body

2009-10-06 15:55:56 +01:00

fixtures

Fixes a bug where layouts provided with an absolute path would not be found because they were prefixed by 'layouts'. This bug only appears if the path does not contain the word 'layouts'.

2009-09-28 14:40:21 +13:00

template

Merge the prerequisites for on-by-default XSS escaping into rails.