Commits on Feb 1, 2010
  1. For performance reasons, you can no longer call html_safe! on Strings. Instead, all Strings are always not html_safe?. Instead, you can get a SafeBuffer from a String by calling #html_safe, which will SafeBuffer.new(self).

    Yehuda Katz authored
    
      * Additionally, instead of doing concat("</form>".html_safe), you can do
        safe_concat("</form>"), which will skip both the flag set, and the flag
        check.
      * For the first pass, I converted virtually all #html_safe!s to #html_safe,
        and the tests pass. A further optimization would be to try to use
        #safe_concat as much as possible, reducing the performance impact if
        we know up front that a String is safe.
Commits on Jan 16, 2010
  1. @lifo

    Merge docrails

    lifo authored
Commits on Dec 22, 2009
  1. @josh

    All AD modules are "deferrable"

    josh authored
Commits on Oct 7, 2009
  1. @NZKoz

    Switch to on-by-default XSS escaping for rails.

    NZKoz authored
    This consists of:

      * String#html_safe! a method to mark a string as 'safe'
      * ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it
      * Calls to String#html_safe! throughout the rails helpers
      * a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presanitized strings in the DB)
      * New ERB implementation based on erubis which uses a SafeBuffer instead of a String
    
    Hat tip to Django for the inspiration.
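The escape-on-concat design described in this commit and in the Feb 1, 2010 commit above (a SafeBuffer that escapes unsafe concatenations, String#html_safe returning a new buffer, safe_concat skipping the check, and a raw helper), as an added Ruby illustration that is not the ActionView::SafeBuffer code from Rails. Using CGI.escapeHTML as the escaper, and the render_greeting helper with its sample inputs, are my own assumptions.

```ruby
require 'cgi'

# Illustration only (not Rails' code): a String subclass that escapes anything
# unsafe concatenated to it, while content already marked safe passes through.
class SafeBuffer < String
  # Keep the raw String#concat reachable: safe_concat skips both the
  # flag set and the flag check for literals the caller vouches for.
  alias_method :safe_concat, :concat

  def html_safe?
    true
  end

  # Escape-on-concat: a plain String is escaped, another SafeBuffer is not.
  def concat(value)
    safe = value.respond_to?(:html_safe?) && value.html_safe?
    super(safe ? value : CGI.escapeHTML(value.to_s))
  end
  alias_method :<<, :concat

  # `safe + unsafe` keeps the buffer's semantics instead of degrading to a String.
  def +(other)
    dup.concat(other)
  end

  # String#to_s would drop the subclass; keep the safety mark.
  def to_s
    self
  end
end

class String
  def html_safe?
    false
  end

  # No in-place marking of the String: wrap it in a new SafeBuffer.
  def html_safe
    SafeBuffer.new(self)
  end
end

# The 'raw' helper: trusted, pre-sanitized HTML is passed through unescaped.
def raw(stringish)
  stringish.to_s.html_safe
end

# Hypothetical template rendering: literal markup goes in via safe_concat,
# untrusted input is escaped on concat, trusted HTML (raw) is not.
def render_greeting(name, footer_html)
  buf = SafeBuffer.new("")
  buf.safe_concat("<p>Hello, ")
  buf << name
  buf.safe_concat("</p>")
  buf << raw(footer_html)
  buf
end
```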
Commits on Nov 24, 2008
  1. @josh

    prefer autoloaded html scanner

    josh authored
  2. @jeremy
Commits on Aug 26, 2008
  1. @josh

  1. Require missing libraries and check for defined ActionController constant so ActionView can be used standalone

    josh authored
  2. @josh
Commits on Jul 16, 2008
  1. @lifo

    Merge with docrails.

    lifo authored
Commits on May 25, 2008
  1. @lifo

    Merge docrails.

    lifo authored
    Signed-off-by: Pratik Naik <pratiknaik@gmail.com>
Commits on May 11, 2008
  1. @mschuerig @NZKoz

  1. Added note to sanitize helper docs that it doesn't guarantee well-formed markup.

    mschuerig authored NZKoz committed
    
    Signed-off-by: Michael Koziarski <michael@koziarski.com>
    
    [#166 state:resolved]
Commits on May 2, 2008
  1. @fxn @lifo

    Improve documentation coverage and markup

    fxn authored lifo committed
    Signed-off-by: Pratik Naik <pratiknaik@gmail.com>
Commits on Nov 26, 2007
  1. @technoweenie

  1. Refactor sanitizer helpers into HTML classes and make it easy to swap them out with custom implementations. Closes #10129. [rick]

    technoweenie authored
    
    git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8213 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Commits on Oct 10, 2007
  1. @dhh

  1. Extracted sanitization methods from TextHelper to SanitizeHelper [DHH]

    dhh authored
    Changed SanitizeHelper#sanitize to only allow the custom attributes and tags when specified in the call [DHH]
    
    git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7825 5ecf4fe2-1ee6-0310-87b1-e25e094e27de