1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
Commit graph

12 commits

Author SHA1 Message Date
Carlos Antonio da Silva
608eddc6f5 Move escape_once logic to ERB::Util, where it belongs to
All the logic is based on the HTML_ESCAPE constant available in
ERB::Util, so it seems more logic to have the entire method there and
just delegate the helper to use it.
2012-02-01 08:55:18 -02:00
Aaron Patterson
fd918fe5ed AP tests should inherit from AS::TestCase 2012-01-05 17:05:44 -08:00
Aaron Patterson
0b02284545 ensuring that json_escape returns html safe strings when passed an html safe string 2011-06-09 15:29:17 -07:00
Prem Sichanugrist
a9f3c9da01 Using Object#in? and Object#either? in various places
There're a lot of places in Rails source code which make a lot of sense to switching to Object#in? or Object#either? instead of using [].include?.
2011-04-11 03:17:09 +08:00
Santiago Pastorino
b451de0d6d Deletes trailing whitespaces (over text files only find * -type f -exec sed 's/[ \t]*$//' -i {} \;) 2010-08-14 04:12:33 -03:00
Aaron Patterson
d4d352bf94 fisting codes so it will parse [#4430 state:resolved]
Signed-off-by: wycats <wycats@gmail.com>
2010-04-17 15:57:36 -04:00
Yehuda Katz
4cbb9db0a5 For performance reasons, you can no longer call html_safe! on Strings. Instead, all Strings are always not html_safe?. Instead, you can get a SafeBuffer from a String by calling #html_safe, which will SafeBuffer.new(self).
* Additionally, instead of doing concat("</form>".html_safe), you can do
    safe_concat("</form>"), which will skip both the flag set, and the flag
    check.
  * For the first pass, I converted virtually all #html_safe!s to #html_safe,
    and the tests pass. A further optimization would be to try to use
    #safe_concat as much as possible, reducing the performance impact if
    we know up front that a String is safe.
2010-01-31 19:39:13 -08:00
Michael Koziarski
9415935902 Switch to on-by-default XSS escaping for rails.
This consists of:

  * String#html_safe! a method to mark a string as 'safe'
  * ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it
  * Calls to String#html_safe! throughout the rails helpers
  * a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presantized strings in the DB)
  * New ERB implementation based on erubis which uses a SafeBuffer instead of a String

Hat tip to Django for the inspiration.
2009-10-08 09:31:20 +13:00
Yehuda Katz + Carl Lerche
86fc43fd58 ActionPack components should no longer have undeclared dependencies.
* Tests can be run in isolation
  * Dependencies added
  * A few tests modified to avoid depending on AS deps 
    not depended on my files they were testing
2009-06-08 13:34:07 -07:00
Rick Olson
0ff7a2d89f add json_escape ERB util to escape html entities in json strings that are output in HTML pages. [rick]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@9241 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2008-04-08 04:52:01 +00:00
Jeremy Kemper
9d755f1983 require abstract_unit directly since test is in load path
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8564 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2008-01-05 13:32:06 +00:00
David Heinemeier Hansson
d6859a7216 Add tests for html_escape, and remove an unneeded backslash (closes #10511) [fxn]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8422 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-12-16 23:53:45 +00:00