mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
John Hawthorn eb52904eb5 Always reject files external to app
Previously, when using `render file:`, it was possible to render files
not only at an absolute path or relative to the current directory, but
relative to ANY view paths. This was probably done for absolutely
maximum compatibility when addressing CVE-2016-0752, but I think is
unlikely to be used in practice.

This commit removes the ability to `render file:` with a path relative
to a non-fallback view path.

Make FallbackResolver.new private

To ensure nobody is making FallbackResolvers other than "/" and "".

Make reject_files_external_... no-op for fallbacks

Because there are only two values used for path: "" and "/", and
File.join("", "") == File.join("/", "") == "/", this method was only
testing that the absolute paths started at "/" (which of course all do).

This commit doesn't change any behaviour, but it makes it explicit that
the FallbackFileSystemResolver works this way.

Remove outside_app_allowed argument

Deprecate find_all_anywhere

This is now equivalent to find_all

Remove outside_app argument

Deprecate find_file for find

Both LookupContext#find_file and PathSet#find_file are now equivalent to
their respective #find methods.
2019-04-03 09:02:28 -07:00
app/assets/javascripts Revert "Pass HTML responses as plain-text in rails-ujs" 2019-03-17 14:50:39 -04:00
bin Use frozen string literal in actionview/ 2017-07-24 11:53:43 +03:00
lib Always reject files external to app 2019-04-03 09:02:28 -07:00
test Always reject files external to app 2019-04-03 09:02:28 -07:00
.gitignore Clean up and consolidate .gitignores 2018-02-17 14:26:19 -08:00
actionview.gemspec Fix links in gemspec and docs from http to https. 2019-03-09 19:42:35 +05:30
blade.yml
CHANGELOG.md [ci skip] Follow up c8bf334104 2019-04-01 21:26:13 +02:00
coffeelint.json Test rails-ujs in our travis matrix 2017-02-22 13:49:28 -05:00
MIT-LICENSE Bump license years for 2019 2018-12-31 10:24:38 +07:00
package.json Prep release 2019-03-11 11:58:15 -04:00
Rakefile Respect ENV variables when finding DBs etc for the test suite 2019-02-06 01:20:06 +10:30
README.rdoc Merge pull request #35559 from ashishprajapati/ashishprajapati/important_textual_improvements 2019-03-09 22:54:21 +01:00
RUNNING_UJS_TESTS.rdoc Fix typos and add a few suggestions 2017-11-28 19:27:43 +01:00
RUNNING_UNIT_TESTS.rdoc Fix typos and add a few suggestions 2017-11-28 19:27:43 +01:00

= Action View

Action View is a framework for handling view template lookup and rendering, and provides
view helpers that assist when building HTML forms, Atom feeds and more.
Template formats that Action View handles are ERB (embedded Ruby, typically
used to inline short Ruby snippets inside HTML), and XML Builder.

You can read more about Action View in the {Action View Overview}[https://edgeguides.rubyonrails.org/action_view_overview.html] guide.

== Download and installation

The latest version of Action View can be installed with RubyGems:

  $ gem install actionview

Source code can be downloaded as part of the Rails project on GitHub:

* https://github.com/rails/rails/tree/master/actionview


== License

Action View is released under the MIT license:

* https://opensource.org/licenses/MIT


== Support

API documentation is at

* https://api.rubyonrails.org

Bug reports for the Ruby on Rails project can be filed here:

* https://github.com/rails/rails/issues

Feature requests should be discussed on the rails-core mailing list here:

* https://groups.google.com/forum/?fromgroups#!forum/rubyonrails-core