Egor Homakov
baa240d09c
Use \A in Regexps
...
So, if there is redirect_to params[:q]
I can send ?q=javascript:asdf()%0A/localpath
Or something more nasty, so please use \A
2013-02-01 00:01:11 +07:00
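Added example (not code from the commit or from Rails) showing why the commit asks for `\A`: in Ruby, `^` and `$` match at line boundaries, so a value carrying an encoded newline (`%0A`) can satisfy a `^...$` "local path" check on its second line, while `\A...\z` anchors to the whole string. The path pattern and the helper names are assumptions for the demonstration.

```ruby
require "uri"

# Ruby's ^ and $ are LINE anchors: they also match right after/before a "\n"
# inside the string. A value such as "javascript:asdf()\n/localpath" therefore
# passes this check on its second line.
LINE_ANCHORED   = %r{^/[\w/\-.]*$}

# \A and \z anchor to the absolute start and end of the string. (\Z and $ would
# still tolerate a single trailing newline, so \z is the one to use.)
STRING_ANCHORED = %r{\A/[\w/\-.]*\z}

# Hypothetical validator: does +value+ look like a site-local path under +pattern+?
def local_path?(value, pattern)
  pattern.match?(value)
end

# Query-string values arrive percent-encoded; %0A decodes to "\n".
def decode_query_value(raw)
  URI.decode_www_form_component(raw)
end

# What a redirect helper should do with an untrusted target: accept it only
# when the string-anchored check passes, otherwise fall back to a safe path.
def safe_redirect_target(value, fallback: "/")
  STRING_ANCHORED.match?(value) ? value : fallback
end

# Constructed sample inputs (the second one is the value from the commit message
# after URL decoding); +expected+ is what a correct validator should answer.
SAMPLES = {
  "/localpath"                    => true,
  "javascript:asdf()\n/localpath" => false,
  "http://evil.example/\n/local"  => false,
  "/localpath\n"                  => false,
}.freeze

# Run every sample through both patterns so the two behaviours can be compared.
def anchor_report(samples = SAMPLES)
  samples.map do |input, expected|
    {
      input:           input,
      expected:        expected,
      line_anchored:   local_path?(input, LINE_ANCHORED),
      string_anchored: local_path?(input, STRING_ANCHORED),
    }
  end
end

if __FILE__ == $0
  anchor_report.each do |r|
    puts format("%-34p expected=%-5s ^...$=%-5s \\A...\\z=%s",
                r[:input], r[:expected], r[:line_anchored], r[:string_anchored])
  end
end
```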
Aaron Patterson
bb21d6ed7a
remove dead code
2013-01-30 10:24:58 -08:00
Aaron Patterson
0cabcf924a
change parameter name for positional args
2013-01-30 10:24:58 -08:00
Aaron Patterson
cc00239151
nodoc the helper classes, cache stuff for optimized helper
2013-01-30 10:24:58 -08:00
Aaron Patterson
c337e8707c
cache path parts in the instance
2013-01-30 10:24:58 -08:00
Aaron Patterson
8e5b4372d0
stop evaling a string every time
2013-01-30 10:24:58 -08:00
Aaron Patterson
27bccf02ee
moving helper classes outside the private block
2013-01-30 10:24:58 -08:00
Aaron Patterson
3bfdfc869b
pushing specialization down to the optimized class
2013-01-30 10:24:57 -08:00
Aaron Patterson
026c40fc18
use polymorphism to remove conditional
2013-01-30 10:24:57 -08:00
Aaron Patterson
23b2d60697
move conditionals to instance
2013-01-30 10:24:57 -08:00
Aaron Patterson
06f2ec4530
pull stuff out of the caller and hide in the instance
2013-01-30 10:24:57 -08:00
Aaron Patterson
2cdbe2270d
moving more stuff on to the instance
2013-01-30 10:24:57 -08:00
Aaron Patterson
d783ba2029
move optimize_helper? to the helper instance
2013-01-30 10:24:57 -08:00
Aaron Patterson
532e12287e
moving more stuff to the instance
2013-01-30 10:24:57 -08:00
Aaron Patterson
621ca05ae4
moving some stuff to the initializer
2013-01-30 10:24:57 -08:00
Aaron Patterson
44dd44ad70
moved more evald code
2013-01-30 10:24:57 -08:00
Aaron Patterson
fc8f45a3c1
factored out some of the dynamic code
2013-01-30 10:24:56 -08:00
Semyon Perepelitsa
540ebe37cd
Fix content_tag_for
with array html option.
...
It would embed the array as a string instead of joining it like `content_tag` does:
content_tag(:td, class: ["foo", "bar"]){}
#=> '<td class="foo bar"></td>'
Before:
content_tag_for(:td, item, class: ["foo", "bar"]){}
#=> '<td class="item ["foo", "bar"]" id="item_1"></td>'
After:
content_tag_for(:td, item, class: ["foo", "bar"]){}
#=> '<td class="item foo bar" id="item_1"></td>'
2013-01-31 01:28:57 +08:00
Guillermo Iguaran
673915035d
Changelog about BestStandardsSupport removal
2013-01-29 16:35:03 -05:00
Guillermo Iguaran
54a90a4794
Add 'X-UA-Compatible' => 'chrome=1' to default headers
2013-01-29 14:55:03 -05:00
Guillermo Iguaran
3bccd12373
Remove BestStandardsSupport middleware
2013-01-29 14:20:58 -05:00
Carlos Antonio da Silva
29000a7dbd
Merge pull request #9104 from bemurphy/remove_bad_idea_parser_test
...
Remove yaml Proc param parser test
2013-01-29 03:24:17 -08:00
Brendon Murphy
c302741d8f
Remove yaml Proc param parser test
...
I don't believe this test is exercising any explicit params_parser
behavior that the other two Proc tests aren't already doing. Given
that we now know it's a bad idea to load user input via YAML.load,
somebody reading this test might get a dangerous idea about building
out a YAML params parser.
2013-01-28 23:18:16 -08:00
Akira Matsuda
c38515693a
s/ERb/ERB/
2013-01-29 14:16:30 +09:00
Rafael Mendonça França
ba6cae4cc5
Merge pull request #9096 from tricknotes/fix-code-comment
...
Fix code comment
2013-01-28 15:49:15 -08:00
Ryunosuke SATO
8a13721b8c
Fix JavaScript syntax in code comment [ci skip]
2013-01-29 08:38:26 +09:00
Carlos Antonio da Silva
68f69ec31e
Move AS changelog entry to the top, improve AP changelog a bit
...
[ci skip]
2013-01-28 19:40:18 -02:00
Michiel Sikkes
489138802c
Added a Changelog entry for fixing HEAD requests.
2013-01-28 21:29:21 +01:00
Michiel Sikkes
f7277d99bf
Make current_url? work with a HEAD method
...
ActionDispatch::Head was removed in favor of Rack::Head. But Rack::Head
does not convert GET requests to HEAD requests so we need to do
checking for HEAD requests ourselves.
2013-01-28 21:18:57 +01:00
Michiel Sikkes
c4bc360e4e
Remove caching_allowed? from ActionController::Caching
...
Where is this used? No other code references to this method and it
isn't being tested anywhere. No tests fail when commented out.
2013-01-28 21:17:48 +01:00
Santiago Pastorino
5f5a43e2f7
Merge pull request #9032 from firmhouse/head-breaks-csrf
...
Make HEAD work / convert to GET once more
2013-01-28 07:25:20 -08:00
Akira Matsuda
5f30b547c8
Use Encoding::UTF_8 constant 🚯
2013-01-28 17:06:02 +09:00
Akira Matsuda
59deaecc76
Use already defined Encoding constants rather than creating one-trip Strings
2013-01-28 15:23:31 +09:00
Aaron Patterson
789df3be3e
add fetch to CookieJar
2013-01-27 14:17:56 -08:00
Xavier Noria
0b5d3f3273
Merge remote-tracking branch 'docrails/master'
...
Conflicts:
actionpack/lib/action_view/helpers/form_options_helper.rb
guides/code/getting_started/app/controllers/comments_controller.rb
2013-01-26 17:41:56 +01:00
Xavier Noria
4313461587
generic pass before merging docrails
2013-01-26 17:36:38 +01:00
Akira Matsuda
fb2ecaad6c
✂️ "raise" duplication
2013-01-26 12:25:42 +09:00
Carlos Antonio da Silva
9df25844ba
Add keys/values methods to TestSession
...
Bring back the same API we have with Request::Session.
2013-01-25 19:15:32 -02:00
Carlos Antonio da Silva
7d624e0e8c
Integrate Action Pack with Rack 1.5
...
All ActionPack and Railties tests are passing. Closes #8891.
[Carlos Antonio da Silva + Santiago Pastorino]
2013-01-25 17:28:41 -02:00
Aaron Patterson
ccaeb6b667
use the helpers list rather than getting the methods from the module
2013-01-24 15:43:08 -08:00
Aaron Patterson
06573a3a76
module_eval is not necessary here
2013-01-24 15:33:08 -08:00
Aaron Patterson
345fc3badb
don't need to eval everything
2013-01-24 15:24:07 -08:00
Akira Matsuda + Koichi Sasada
b7b27fc2a3
Set Thread.abort_on_exception for the whole AS, AP, and AR tests
...
this would give us some more clues in case a test silently dies inside Thread
2013-01-24 20:00:45 +09:00
Xavier Noria
8ac94d7c89
ActionDispatch::Http::UploadedFile is a permitted scalar [Closes #9051]
2013-01-23 23:15:26 +01:00
Michiel Sikkes
2ef138f0d4
Added request.head? to forgery protection code
2013-01-22 22:01:57 +01:00
Michiel Sikkes
64245e02e3
Added a test that shows that a HEAD request does not normally pass CSRF protection
2013-01-22 21:05:22 +01:00
Rafael Mendonça França
cb56c39b51
Let's keep using Ruby 1.9 syntax
2013-01-22 10:40:33 -02:00
Rafael Mendonça França
16e0c8816c
Only check for unpermitted parameters if
...
action_on_unpermitted_parameters is present
2013-01-22 10:38:03 -02:00
Xavier Noria
2d9c4017dd
avoid creating an object in every call
...
This was a suggestion of @carlosantoniodasilva, thanks!
2013-01-22 11:18:41 +01:00
Carlos Antonio da Silva
bf112e551b
Remove tabs, use spaces ✂️
...
[ci skip]
2013-01-22 00:35:33 -02:00
Akira Matsuda
1e8d5e62c6
Merge branch 'isolating_tests'
...
Now we're almost ready to remove this: https://github.com/rails/rails/blob/5294ad8/activesupport/lib/active_support/test_case.rb#L29
2013-01-22 10:27:12 +09:00
Akira Matsuda
9b520d31e5
Restore I18n.locale after running tests
2013-01-22 10:26:44 +09:00
Rafael Mendonça França
5e4fb4da83
Stylistic pass at form_helper_test
2013-01-21 23:01:09 -02:00
José Mota
ee82ce7829
Capture block so content won't leak.
...
The [following pull request](https://github.com/rails/rails/pull/8916) fixed
the block being passed to the appropriate helper method. However, the content
being passed into the block is generating repeated markup on the page due to
some weird ERb evaluation.
This commit tries to capture the block's generated output so the page isn't
flooded with markup.
[Rafael França + José Mota]
Closes #8936
2013-01-21 22:02:02 -02:00
Piotr Sarnacki
351b0d9092
Update actionpack's CHANGELOG for 445f14e
2013-01-21 21:53:06 +01:00
Akira Matsuda
d1c02a7fc2
Make sure to reset default_url_options
2013-01-22 05:24:23 +09:00
Piotr Sarnacki
445f14e975
Fix asset_path in mounted engine
...
Historically serving assets from a mountable engine could be achieved by
running ActionDispatch::Static as a part of engine middleware stack or
to copy assets prefixed with an engine name. After introduction of
assets pipeline this is not needed as all of the assets are served or
compiled into main application's assets.
This commit removes the obsolete line making asset_path always generate
paths relative to the root or config.relative_url_root if it's set.
(closes #8119)
2013-01-21 21:21:39 +01:00
Andrew White
c4106d0c08
Duplicate possible frozen string from route
...
Ruby 1.9 freezes Hash string keys by default so where a route is
defined like this:
get 'search' => 'search'
then the Mapper will derive the action from the key. This blows up
later when the action is added to the parameters hash and the
encoding is forced.
Closes #3429
2013-01-21 17:14:10 +00:00
Rafael Mendonça França
c6a39c01f7
Merge pull request #9014 from virusman/form_helpers_ar_tests
...
AR integration tests for form helpers
2013-01-21 05:52:42 -08:00
virusman
9047ca019a
Added AR integration tests for form helpers
2013-01-21 17:09:12 +04:00
Rafael Mendonça França
68a6fb6953
Merge pull request #9001 from schneems/schneems/routes-path-js
...
In Browser Path Matching with Javascript
2013-01-21 04:06:31 -08:00
Carlos Antonio da Silva
57b65ef416
Fix setting expected value in translation tests
...
It was being set to nil instead due to the wrong assignment.
2013-01-21 09:29:03 -02:00
schneems
8b72d689e3
In Browser Path Matching with Javascript
...
When debugging routes, it can sometimes be difficult to understand exactly how the paths are matched. This PR adds a JS based path matching widget to the `/rails/info/routes` output. You can enter in a path, and it will tell you which of the routes that path matches, while preserving order (top match wins).
The matching widget in action:
![](http://f.cl.ly/items/3A2F0v2m3m1Z1p3P3O3k/path-match.gif)
Prior to this PR the only way to check matching paths is via mental math, or typing in a path in the url bar and seeing where it goes. This feature will be an invaluable debugging tool by dramatically decreasing the time needed to check a path match.
ATP actionpack
2013-01-20 23:10:24 -06:00
Rafael Mendonça França
e4dbfce1c3
Merge pull request #9007 from dpree/master
...
Enhanced tests for AbstractController::Translation module
2013-01-20 20:26:17 -08:00
Carlos Antonio da Silva
2061c98b42
Review #translate docs [ci skip]
2013-01-20 22:49:42 -02:00
Carlos Antonio da Silva
9a7411a92b
Refactor grep call to remove .each
...
Grep already yields the matching keys to the given block.
2013-01-20 22:09:32 -02:00
Carlos Antonio da Silva
e0cc7ab3ff
Add missing assert calls
2013-01-20 22:03:31 -02:00
Carlos Antonio da Silva
5a69fe724e
Use 1.9 hash style in docs/comments [ci skip]
2013-01-20 22:03:25 -02:00
Carlos Antonio da Silva
f12f08d61f
Fix markdown formatting to highlight block in changelog [ci skip]
2013-01-20 21:45:05 -02:00
Jens Bissinger
37d15d4e1b
Add documentation for abstract controller #translate and #localize method.
2013-01-20 19:15:15 +01:00
Matthew Stopa
56498b4b9e
Add documentation to ActionDispatch::Response
2013-01-20 10:41:02 -07:00
Arun Agrawal
53ea940c5b
Removing warning: shadowing outer local variable
2013-01-20 23:02:02 +05:30
Xavier Noria
cbec22ce57
strong parameters filters permitted scalars
2013-01-20 17:59:53 +01:00
Jens Bissinger
4685d75736
Removed ActionController::Base dependency from abstract controller translation tests.
2013-01-20 15:53:43 +01:00
Jens Bissinger
1de60c54d3
Test abstract controller's localize method.
2013-01-20 15:44:03 +01:00
Aaron Patterson
b718998f3e
Merge pull request #8978 from chrismcg/remove_i18n_symbol_dependency
...
Remove i18n symbol dependency
2013-01-19 11:20:50 -08:00
Rafael Mendonça França
57126ee5e3
Restore and adapt the implementation reverted at
...
cc1c3c5be0
Now instead of raising, we log by default in development and test
2013-01-19 15:32:27 -02:00
Thomas Drake-Brockman
130370b1c8
Added ability to raise or log on unpermitted params.
2013-01-20 00:39:24 +08:00
Aaron Patterson
f209b176c3
Merge pull request #8977 from Soylent/master
...
Resolved issue rails#7774
2013-01-18 17:27:19 -08:00
Guillermo Iguaran
e636f55531
Fix syntax error 😁
2013-01-18 17:16:30 -05:00
schneems
f654c3cfc0
Remove "Application" section title from routes
...
This PR standardizes the output of the HTML and console based routes to not include the title for "Application Routes" those that are defined by the application. Instead only routes defined in engines get any special treatment.
Based on this conversation:
af5c0fd85f (commitcomment-2458823)
ATP actionpack /cc @carlosantoniodasilva
2013-01-18 15:41:19 -06:00
Francesco Rodriguez
b8ef4f05fb
fix broken examples format in image_tag helper [ci skip]
2013-01-18 12:26:03 -05:00
Guillermo Iguaran
8aebe30ef4
Revert "Merge pull request #8989 from robertomiranda/use-rails-4-find-by"
...
This reverts commit 637a7d9d357a0f3f725b0548282ca8c5e7d4af4a, reversing
changes made to 5937bd02dee112646469848d7fe8a8bfcef5b4c1.
2013-01-18 09:15:19 -05:00
robertomiranda
7baecc4802
Use Rails 4 find_by
2013-01-18 07:56:05 -05:00
Thiago Pinto
8c603918ab
repeating documentation for option form helpers
2013-01-17 13:45:16 -05:00
Thiago Pinto
d1238afc21
repeating documentation for date and time form helpers
2013-01-17 13:40:01 -05:00
Chris McGrath
60289ab659
Don't change the original i18n data
2013-01-17 16:01:19 +00:00
Chris McGrath
6bb784eab0
Remove i18n symbol dependency
...
date.order is the only key in rails i18n that is required to be a
symbol. This patch allows for symbols or strings which means:
* No requirement for symbol type in .yml files. A future
YAML.safe_load wouldn't need to load symbols
* Rails could actually use json rather than yml as the backend
2013-01-17 15:21:26 +00:00
Konstantin Papkovskiy
bebb02fd1c
Fix ActionDispatch::Request#formats when HTTP_ACCEPT header is empty string
2013-01-17 17:42:49 +04:00
Carlos Antonio da Silva
ee314a5e5a
Remove useless || operation
2013-01-17 09:28:07 -02:00
Arun Agrawal
c9362182c8
Removing : warning: ambiguous first argument;
2013-01-17 14:43:11 +05:30
Carlos Antonio da Silva
038574a538
Deprecate direct calls to AC::RecordIdentifier.dom_id and dom_class
...
Also add some generic tests to ensure they're properly deprecated.
2013-01-16 23:09:36 -02:00
Colin Burn-Murdoch
3daff0508b
Fix date_select :selected option so you can pass it nil
2013-01-16 21:52:09 +00:00
Yves Senn
19e9e67f95
replace regexp global in #url_for
2013-01-16 18:51:12 +01:00
Carlos Antonio da Silva
e5f5863e86
Remove warnings: "(...) interpreted as grouped expression"
2013-01-16 09:41:08 -02:00
Aditya Sanghi
3c19064610
adding regression test in master for #8631
2013-01-16 16:59:45 +05:30
Carlos Antonio da Silva
e7ffb5e4e3
Fix typo introduced in 0004ca3a
...
[ci skip]
2013-01-16 09:26:45 -02:00
Matthew Stopa
0004ca3a97
More documentation for ActionDispatch::Response
...
[ci skip]
2013-01-16 00:48:25 -07:00
Matthew Stopa
7b1a58bbae
Document ActionDispatch::Response#body method
2013-01-16 00:33:08 -07:00
Rafael Mendonça França
e42b5f99eb
Merge pull request #8958 from balexand/strong_parameters_exception_handling
...
Strong parameters exception handling
2013-01-15 17:28:29 -08:00
Brian Alexander
8e221127ab
strong parameters exception handling
2013-01-15 17:45:34 -07:00
Edward Anderson
7925884b5e
Remove header bloat introduced by BestStandardsSupport middleware
...
The same headers were being duplicated on every request.
2013-01-15 19:16:08 -05:00
Andrew White
f1d8f2af72
Change the behavior of route defaults
...
This commit changes route defaults so that explicit defaults are no
longer required where the key is not part of the path. For example:
resources :posts, bucket_type: 'posts'
will be required whenever constructing the url from a hash such as a
functional test or using url_for directly. However using the explicit
form alters the behavior so it's not required:
resources :projects, defaults: { bucket_type: 'projects' }
This changes existing behavior slightly in that any routes which
only differ in their defaults will match the first route rather
than the closest match.
Closes #8814
2013-01-15 17:22:25 +00:00
Andrew White
90d2802b71
Add support for other types of routing constraints
...
This now allows the use of arrays like this:
get '/foo/:action', to: 'foo', constraints: { subdomain: %w[www admin] }
or constraints where the request method returns a Fixnum like this:
get '/foo', to: 'foo#index', constraints: { port: 8080 }
Note that this only applies to constraints on the request - path
constraints still need to be specified as Regexps as the various
constraints are compiled into a single Regexp.
2013-01-15 17:21:33 +00:00
Andrew White
b28fc685a9
Ensure port is set when passed via the process method
2013-01-15 17:21:33 +00:00
Andrew White
db06d12826
Raise correct exception now Journey is integrated.
...
Now that Journey has been integrated into ActionDispatch we can raise
the exception ActionController::UrlGenerationError directly rather than
raising the internal Journey::Router::RoutingError and then have
ActionDispatch::Routing::RouteSet#generate re-raise the exception.
2013-01-15 17:21:33 +00:00
Carlos Antonio da Silva
9dfe2d6f9f
Revert "log at debug level what line caused the redirect_to"
...
This reverts commit 3fa00070047b5d019d39e691598ee2890283d052.
Reason: This message is usually not accurate and annoying:
Redirected by ~/.rbenv/versions/1.9.3-p327-perf/lib/ruby/1.9.1/logger.rb:371:in `add'`
2013-01-15 12:47:25 -02:00
Steve Klabnik
1dd89250d1
Merge pull request #8938 from colinbm/date_select_value
...
Rename :value to :selected for date_select, and add missing tests/docs
2013-01-14 12:18:36 -08:00
Colin Burn-Murdoch
1fecaf15d7
Rename :value option to :selected, in line with other select helpers
...
Add tests for time & datetime.
Add documentation.
2013-01-14 19:49:07 +00:00
Jeremy Kemper
bf095770e5
Revert benchmark helper regression. Use a #capture within a #benchmark
...
block. Breaks benchmark calls that return non-String values otherwise.
Revert "add benchmark helper that works in erb"
This reverts commit 904e544cc8f5846de7c31827bb5556c6a238c0de.
Conflicts:
actionpack/lib/action_view/helpers.rb
actionpack/lib/action_view/helpers/benchmark_helper.rb
actionpack/test/template/benchmark_helper_test.rb
2013-01-14 10:24:43 -07:00
Rafael Mendonça França
242f12506d
Merge pull request #8916 from josemota/collection-with-block
...
Collection radio buttons and collection check boxes through FormBuilder render the provided block.
Closes #8897
2013-01-13 18:27:41 -08:00
Colin Burn-Murdoch
aea3820261
Allow value to be set on date_select
2013-01-13 21:03:21 +00:00
Steve Klabnik
a0265b98f1
Associaton -> Association
2013-01-13 10:43:24 -05:00
José Mota
8cc60d8136
Collection radio buttons and collection check boxes through FormBuilder render
...
the provided block.
In the case of having a form_for method being called, the block for each
collection would not be passed and thus the result expected was always the same.
This patch passes the block to the original method like it would be assumed.
2013-01-12 17:42:18 +00:00
Sam Ruby
c692774bba
Fix regression introduced in pull request 8812
...
See https://github.com/rails/rails/pull/8812#commitcomment-2416514
2013-01-11 16:48:58 -05:00
Carlos Antonio da Silva
d61b49e178
Merge pull request #8882 from goshakkk/clearer-conditional
...
Clearer conditional in constraint match check
2013-01-11 03:21:51 -08:00
Jon Leighton
94797ed146
Merge pull request #8623 from virusman/form_helpers_collectionproxy_fix
...
Fixed nested fields bug when called with AssociationProxy
2013-01-11 03:08:41 -08:00
Dylan Smith
bae92681be
Fix json params parsing regression for non-object JSON content.
...
Fixes #8845.
2013-01-11 00:28:32 -05:00
Gosha Arinich
caa54db8a0
clearer conditional in constraint match check
2013-01-10 23:40:57 +03:00
Guillermo Iguaran
416a179ddf
Merge pull request #8876 from senny/extract_performance_tests
...
Extract ActionDispatch::PerformanceTest
2013-01-10 08:10:22 -08:00
Yves Senn
3e1ed7818b
extract PerformanceTest into rails-performance_tests gem
2013-01-10 17:09:06 +01:00
Rafael Mendonça França
2b5019e234
Merge pull request #8821 from jamis/master
...
Evaluate view_cache_dependencies at the instance level
Conflicts:
actionpack/lib/action_controller/caching.rb
2013-01-10 13:34:40 -02:00
zires
ff8f92b2bf
Remove redundant double quotation marks
2013-01-10 10:23:26 +08:00
Aaron Patterson
8ae9b4623e
adding missing requires
2013-01-09 15:34:58 -08:00
Nathaniel Jones
d2f1ca29fc
Fix typo in deprecation warning
2013-01-09 04:04:57 -06:00
Santiago Pastorino
5d0d82957a
Merge pull request #8824 from mjtko/fix/cookie-store-inheritance
...
Modify CookieStore middleware inheritance to avoid subclassing Rack::Session::Cookie [Fix for #7372]
2013-01-08 17:27:13 -08:00
Carlos Antonio da Silva
b28d6e2c76
Remove :yaml related tests and fix other related to parsing empty arrays
...
All Action Pack tests are green.
2013-01-08 20:27:48 -02:00
Carlos Antonio da Silva
21879c560f
Fix warning: & interpreted as argument prefix
2013-01-08 20:16:20 -02:00
Aaron Patterson
e80546cdec
remove yaml as a param parser :burn:
...
If you revert this commit, I will hunt you down, I will make you regret
every terrible thing you've ever done, I will make you suffer.
2013-01-08 13:50:38 -08:00
Jeremy Kemper
46e0d2397e
CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml.
2013-01-08 12:42:29 -08:00
Aaron Patterson
8e577fe560
* Strip nils from collections on JSON and XML posts. [CVE-2013-0155] * dealing with empty hashes. Thanks Damien Mathieu
...
Conflicts:
actionpack/CHANGELOG.md
actionpack/lib/action_dispatch/http/request.rb
actionpack/lib/action_dispatch/middleware/params_parser.rb
activerecord/CHANGELOG.md
activerecord/lib/active_record/relation/predicate_builder.rb
activerecord/test/cases/relation/where_test.rb
2013-01-08 12:41:24 -08:00
Jeremy Kemper
c31cc963da
Revert "Merge branch 'master-sec'"
...
This reverts commit 88cc1688d0cb828c17706b41a8bd27870f2a2beb, reversing
changes made to f049016cd348627bf8db0d72382d7580bf802a79.
2013-01-08 12:41:04 -08:00
Aaron Patterson
88cc1688d0
Merge branch 'master-sec'
...
* master-sec:
CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml.
* Strip nils from collections on JSON and XML posts. [CVE-2013-0155] * dealing with empty hashes. Thanks Damien Mathieu
2013-01-08 12:11:18 -08:00
Jeremy Kemper
2ced6f2f8a
CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml.
2013-01-08 12:03:34 -08:00
Vijay Dev
f049016cd3
Merge branch 'master' of github.com:lifo/docrails
...
Conflicts:
guides/source/getting_started.md
2013-01-09 01:04:15 +05:30
Jamis Buck
0121377cfb
evaluate the dependency blocks at the instance level, not class level
2013-01-08 12:02:11 -07:00
Jamis Buck
70e684a681
view_cache_dependency API
...
A declarative API for specifying dependencies that affect template
cache digest computation. In your controller, specify any of said
dependencies:
view_cache_dependency { "phone" if using_phone? }
When the block is evaluated, the resulting value is included in the
cache digest calculation, allowing you to generate different digests
for effectively the same template. (Mostly useful if you're mucking
with template load paths.)
2013-01-08 11:20:47 -07:00
Steve Klabnik
ac86cbec82
Merge pull request #8810 from NARKOZ/image-submit-tag
...
set 'alt' attribute for image_submit_tag
2013-01-08 07:39:06 -08:00
David Heinemeier Hansson
cc1c3c5be0
Revert "unpermitted params" exception -- it's just not going to work. See the discussion on https://github.com/rails/strong_parameters/pull/75.
2013-01-08 16:17:30 +01:00
David Heinemeier Hansson
ae3286b743
Never treat action or controller as unpermitted params
2013-01-08 15:52:18 +01:00
Carlos Antonio da Silva
4f002a1df3
Bump rack dependency to 1.4.3
...
It includes security bug fixes and changes the initialization of
Rack::File to accept a hash, otherwise generating warnings.
See 295806e for the warnings fix.
2013-01-08 10:49:02 -02:00
Sam Ruby
9cc82b7719
Eliminate Rack::File headers deprecation warning
...
See http://intertwingly.net/projects/AWDwR4/checkdepot/section-6.1.html
rake test produces:
"Rack::File headers parameter replaces cache_control after Rack 1.5."
Despite what the message says, it appears that the headers parameter change
will be effective as of Rack 1.5:
https://github.com/rack/rack/blob/rack-1.4/lib/rack/file.rb#L24
https://github.com/rack/rack/blob/master/lib/rack/file.rb#L24
2013-01-08 07:22:48 -05:00
Nihad Abbasov
0f8f75c81a
set 'alt' attribute for image_submit_tag
2013-01-08 15:56:47 +04:00
Carlos Antonio da Silva
c67005f221
Do not generate local vars for partials without object or collection
...
Previously rendering a partial without giving :object or :collection
would generate a local variable with the partial name by default.
This was noticed due to warnings in Ruby 2.0 of not used variables,
which turned out to be the generation of not used variables inside
partials that do not contain objects related to them.
2013-01-08 09:15:20 -02:00
Mark J. Titorenko
109a1b3358
Revert cb3181e - no longer required.
2013-01-08 10:10:39 +00:00
Mark J. Titorenko
fc66b6b004
Fix CookieStore middleware inheritance hierarchy s.t. it inherits from Rack::Session::Abstract::ID rather than Rack::Session::Cookie.
2013-01-08 10:10:36 +00:00
Santiago Pastorino
cb3181e81e
Avoid Rack security warning no secret provided
...
This avoids "SECURITY WARNING: No secret option provided to Rack::Session::Cookie."
2013-01-08 00:33:16 -02:00
Aaron Patterson
d99e8c9e16
* Strip nils from collections on JSON and XML posts. [CVE-2013-0155] * dealing with empty hashes. Thanks Damien Mathieu
...
Conflicts:
actionpack/CHANGELOG.md
actionpack/lib/action_dispatch/http/request.rb
actionpack/lib/action_dispatch/middleware/params_parser.rb
activerecord/CHANGELOG.md
activerecord/lib/active_record/relation/predicate_builder.rb
activerecord/test/cases/relation/where_test.rb
2013-01-07 17:20:12 -08:00
Francesco Rodriguez
2aa08e313d
improve StrongParameters documentation [ci skip]
2013-01-07 16:18:06 -05:00
Gosha Arinich
ae1f86fab5
access @path and @routes via reader methods in journey
2013-01-07 17:37:02 +03:00