
Merge branch '2-1-stable' of git@github.com:rails/rails into 2-1-stable

2 parents dac9180 + ed949f3 commit 7ce3a597249d99b1b3247d5f0ea5490416bd8f38 @gbuesing gbuesing committed Nov 18, 2008
@@ -1,3 +1,8 @@
+*2.1.2 (October 23rd, 2008)*
+
+* Included in Rails 2.1.2
+
+
*2.1.1 (September 4th, 2008)*
* Included in Rails 2.1.1
@@ -57,7 +57,7 @@ spec = Gem::Specification.new do |s|
s.rubyforge_project = "actionmailer"
s.homepage = "http://www.rubyonrails.org"
- s.add_dependency('actionpack', '= 2.1.1' + PKG_BUILD)
+ s.add_dependency('actionpack', '= 2.1.2' + PKG_BUILD)
s.has_rdoc = true
s.requirements << 'none'
@@ -1,72 +1,12 @@
-*Edge*
+*2.1.2 (October 23rd, 2008)*
+
+* Sanitize the URLs passed to redirect_to to prevent a potential response splitting attack [koz]
* Fixed FormTagHelper#submit_tag with :disable_with option wouldn't submit the button's value when was clicked #633 [Jose Fernandez]
*2.1.1 (September 4th, 2008)*
-* Stopped logging template compiles as it only clogs up the log [DHH]
-
-* Changed the X-Runtime header to report in milliseconds [DHH]
-
-* Changed BenchmarkHelper#benchmark to report in milliseconds [DHH]
-
-* Changed logging format to be millisecond based and skip misleading stats [DHH]. Went from:
-
- Completed in 0.10000 (4 reqs/sec) | Rendering: 0.04000 (40%) | DB: 0.00400 (4%) | 200 OK [http://example.com]
-
- ...to:
-
- Completed in 100ms (View: 40, DB: 4) | 200 OK [http://example.com]
-
-* Add support for shallow nesting of routes. #838 [S. Brent Faulkner]
-
- Example :
-
- map.resources :users, :shallow => true do |user|
- user.resources :posts
- end
-
- - GET /users/1/posts (maps to PostsController#index action as usual)
- named route "user_posts" is added as usual.
-
- - GET /posts/2 (maps to PostsController#show action as if it were not nested)
- Additionally, named route "post" is added too.
-
-* Added button_to_remote helper. #3641 [Donald Piret, Tarmo Tänav]
-
-* Deprecate render_component. Please use render_component plugin from http://github.com/rails/render_component/tree/master [Pratik]
-
-* Routes may be restricted to lists of HTTP methods instead of a single method or :any. #407 [Brennan Dunn, Gaius Centus Novus]
- map.resource :posts, :collection => { :search => [:get, :post] }
- map.session 'session', :requirements => { :method => [:get, :post, :delete] }
-
-* Deprecated implicit local assignments when rendering partials [Josh Peek]
-
-* Introduce current_cycle helper method to return the current value without bumping the cycle. #417 [Ken Collins]
-
-* Allow polymorphic_url helper to take url options. #880 [Tarmo Tänav]
-
-* Switched integration test runner to use Rack processor instead of CGI [Josh Peek]
-
-* Made AbstractRequest.if_modified_sense return nil if the header could not be parsed [Jamis Buck]
-
-* Added back ActionController::Base.allow_concurrency flag [Josh Peek]
-
-* AbstractRequest.relative_url_root is no longer automatically configured by a HTTP header. It can now be set in your configuration environment with config.action_controller.relative_url_root [Josh Peek]
-
-* Update Prototype to 1.6.0.2 #599 [Patrick Joyce]
-
-* Conditional GET utility methods. [Jeremy Kemper]
- response.last_modified = @post.updated_at
- response.etag = [:admin, @post, current_user]
-
- if request.fresh?(response)
- head :not_modified
- else
- # render ...
- end
-
* All 2xx requests are considered successful [Josh Peek]
* Deprecate the limited follow_redirect in functional tests. If you wish to follow redirects, use integration tests. [Michael Koziarski]
@@ -80,7 +80,7 @@ spec = Gem::Specification.new do |s|
s.has_rdoc = true
s.requirements << 'none'
- s.add_dependency('activesupport', '= 2.1.1' + PKG_BUILD)
+ s.add_dependency('activesupport', '= 2.1.2' + PKG_BUILD)
s.require_path = 'lib'
s.autorequire = 'action_controller'
@@ -150,7 +150,14 @@ def parse(parent, line, pos, content, strict=true)
end
if scanner.skip(/!\[CDATA\[/)
- scanner.scan_until(/\]\]>/)
+ unless scanner.skip_until(/\]\]>/)
+ if strict
+ raise "expected ]]> (got #{scanner.rest.inspect} for #{content})"
+ else
+ scanner.skip_until(/\Z/)
+ end
+ end
+
return CDATA.new(parent, line, pos, scanner.pre_match.gsub(/<!\[CDATA\[/, ''))
end
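Review bot: The `gsub(/<!\[CDATA\[/, '')` on the `CDATA.new` line strips every occurrence of the opening marker from the node text, not only the leading one, so a CDATA body that itself contains the literal `<![CDATA[` would be silently altered. Because `StringScanner#pre_match` spans the string from its start up to the last match, the marker to remove is always the prefix, and an anchored `sub` is enough: `return CDATA.new(parent, line, pos, scanner.pre_match.sub(/\A<!\[CDATA\[/, ''))` (assuming the scanned string begins at the `<`, as the existing pattern implies). The relaxed branch intentionally swallows the rest of the input into the node via `skip_until(/\Z/)`, which is the conservative choice for the sanitizer but deserves a comment, e.g. `# unterminated section: keep the remainder as CDATA text rather than re-parsing it as markup`. The enclosing parse method begins before this hunk.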
@@ -265,7 +272,7 @@ def ==(node)
# itself.
class CDATA < Text #:nodoc:
def to_s
- "<![CDATA[#{super}]>"
+ "<![CDATA[#{super}]]>"
end
end
@@ -0,0 +1,15 @@
+require 'abstract_unit'
+
+class CDATANodeTest < Test::Unit::TestCase
+ def setup
+ @node = HTML::CDATA.new(nil, 0, 0, "<p>howdy</p>")
+ end
+
+ def test_to_s
+ assert_equal "<![CDATA[<p>howdy</p>]]>", @node.to_s
+ end
+
+ def test_content
+ assert_equal "<p>howdy</p>", @node.content
+ end
+end
@@ -65,4 +65,25 @@ def test_parse_with_unclosed_tag
assert_nothing_raised { node = HTML::Node.parse(nil,0,0,s,false) }
assert node.attributes.has_key?("onmouseover")
end
+
+ def test_parse_with_valid_cdata_section
+ s = "<![CDATA[<span>contents</span>]]>"
+ node = nil
+ assert_nothing_raised { node = HTML::Node.parse(nil,0,0,s,false) }
+ assert_kind_of HTML::CDATA, node
+ assert_equal '<span>contents</span>', node.content
+ end
+
+ def test_parse_strict_with_unterminated_cdata_section
+ s = "<![CDATA[neverending..."
+ assert_raise(RuntimeError) { HTML::Node.parse(nil,0,0,s) }
+ end
+
+ def test_parse_relaxed_with_unterminated_cdata_section
+ s = "<![CDATA[neverending..."
+ node = nil
+ assert_nothing_raised { node = HTML::Node.parse(nil,0,0,s,false) }
+ assert_kind_of HTML::CDATA, node
+ assert_equal 'neverending...', node.content
+ end
end
@@ -17,6 +17,8 @@ def test_strip_tags
%{This is a test.\n\n\nIt no longer contains any HTML.\n}, sanitizer.sanitize(
%{<title>This is <b>a <a href="" target="_blank">test</a></b>.</title>\n\n<!-- it has a comment -->\n\n<p>It no <b>longer <strong>contains <em>any <strike>HTML</strike></em>.</strong></b></p>\n}))
assert_equal "This has a here.", sanitizer.sanitize("This has a <!-- comment --> here.")
+ assert_equal "This has a here.", sanitizer.sanitize("This has a <![CDATA[<section>]]> here.")
+ assert_equal "This has an unclosed ", sanitizer.sanitize("This has an unclosed <![CDATA[<section>]] here...")
[nil, '', ' '].each { |blank| assert_equal blank, sanitizer.sanitize(blank) }
end
@@ -243,6 +245,14 @@ def test_should_sanitize_img_vbscript
assert_sanitized %(<img src='vbscript:msgbox("XSS")' />), '<img />'
end
+ def test_should_sanitize_cdata_section
+ assert_sanitized "<![CDATA[<span>section</span>]]>", "&lt;![CDATA[&lt;span>section&lt;/span>]]>"
+ end
+
+ def test_should_sanitize_unterminated_cdata_section
+ assert_sanitized "<![CDATA[<span>neverending...", "&lt;![CDATA[&lt;span>neverending...]]>"
+ end
+
protected
def assert_sanitized(input, expected = nil)
@sanitizer ||= HTML::WhiteListSanitizer.new
@@ -1,4 +1,6 @@
-*Edge*
+*2.1.2 (October 23rd, 2008)*
+
+* Added SQL escaping for :limit and :offset in MySQL [Jonathan Wiess]
* Multiparameter attributes skip time zone conversion for time-only columns #1030 [Geoff Buesing]
@@ -172,7 +172,7 @@ spec = Gem::Specification.new do |s|
s.files = s.files + Dir.glob( "#{dir}/**/*" ).delete_if { |item| item.include?( "\.svn" ) }
end
- s.add_dependency('activesupport', '= 2.1.1' + PKG_BUILD)
+ s.add_dependency('activesupport', '= 2.1.2' + PKG_BUILD)
s.files.delete FIXTURES_ROOT + "/fixture_database.sqlite"
s.files.delete FIXTURES_ROOT + "/fixture_database_2.sqlite"
@@ -2258,12 +2258,12 @@ def becomes(klass)
end
end
- # Updates a single attribute and saves the record. This is especially useful for boolean flags on existing records.
- # Note: This method is overwritten by the Validation module that'll make sure that updates made with this method
- # aren't subjected to validation checks. Hence, attributes can be updated even if the full object isn't valid.
+ # Updates a single attribute and saves the record without going through the normal validation procedure.
+ # This is especially useful for boolean flags on existing records. The regular +update_attribute+ method
+ # in Base is replaced with this when the validations module is mixed in, which it is by default.
def update_attribute(name, value)
send(name.to_s + '=', value)
- save
+ save(false)
end
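Review bot: The new comment's last sentence, `The regular +update_attribute+ method in Base is replaced with this when the validations module is mixed in`, reads as if it were written for the validations module, yet the `becomes` context suggests this hunk is Base itself, so it describes the method as replacing itself. Since the body now calls `save(false)` directly, the comment should state what the code shows: `# Updates a single attribute and saves the record without running validations (save(false)).` followed by the boolean-flags sentence, with the mixed-in remark dropped or moved to wherever the validations module still overrides this method, if it does. The enclosing class continues outside the hunk.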
# Updates all the attributes from the passed-in Hash and saves the record. If the object is invalid, the saving will
