Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Commits on Aug 9, 2012
  1. Santiago Pastorino

    Do not mark strip_tags result as html_safe

    spastorino authored
    Thanks to Marek Labos & Nethemba
Commits on Aug 14, 2010
  1. Santiago Pastorino

    Deletes trailing whitespaces (over text files only find * -type f -ex…

    spastorino authored
    …ec sed 's/[ \t]*$//' -i {} \;)
Commits on Aug 9, 2010
  1. Xavier Noria
Commits on Aug 4, 2010
  1. Yehuda Katz

    Concernify SanitizeHelper and TextHelper so including TextHelper corr…

    wycats authored
    …ectly include SanitizeHelper and extends its ClassMethods
Commits on Jul 13, 2010
  1. Fixed many references to the old config/environment.rb and Rails::Ini…

    Benjamin Quorning authored
Commits on Jun 16, 2010
  1. Rizwan Reza
Commits on Jun 14, 2010
  1. Xavier Noria

    edit pass: the names of Rails components have a space, ie, "Active Re…

    fxn authored
    …cord", not "ActiveRecord"
Commits on Feb 1, 2010
  1. For performance reasons, you can no longer call html_safe! on Strings…

    Yehuda Katz authored
    …. Instead, all Strings are always not html_safe?. Instead, you can get a SafeBuffer from a String by calling #html_safe, which will
      * Additionally, instead of doing concat("</form>".html_safe), you can do
        safe_concat("</form>"), which will skip both the flag set, and the flag
      * For the first pass, I converted virtually all #html_safe!s to #html_safe,
        and the tests pass. A further optimization would be to try to use
        #safe_concat as much as possible, reducing the performance impact if
        we know up front that a String is safe.
Commits on Jan 16, 2010
  1. Pratik

    Merge docrails

    lifo authored
Commits on Dec 22, 2009
  1. Joshua Peek

    All AD modules are "deferrable"

    josh authored
Commits on Oct 7, 2009
  1. Michael Koziarski

    Switch to on-by-default XSS escaping for rails.

    NZKoz authored
      This consists of:
      * String#html_safe! a method to mark a string as 'safe'
      * ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it
      * Calls to String#html_safe! throughout the rails helpers
      * a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presantized strings in the DB)
      * New ERB implementation based on erubis which uses a SafeBuffer instead of a String
    Hat tip to Django for the inspiration.
Commits on Nov 24, 2008
  1. Joshua Peek

    prefer autoloaded html scanner

    josh authored
  2. Jeremy Kemper
Commits on Aug 26, 2008
  1. Joshua Peek

    Require missing libraries and check for defined ActionController cons…

    josh authored
    …tant so ActionView can be used standalone
  2. Joshua Peek
Commits on Jul 16, 2008
  1. Pratik

    Merge with docrails.

    lifo authored
Commits on May 25, 2008
  1. Pratik

    Merge docrails.

    lifo authored
    Signed-off-by: Pratik Naik <>
Commits on May 11, 2008
  1. Michael Schuerig Michael Koziarski

    Added not to sanitize helper docs that it doesn't guarantee well-form…

    mschuerig authored NZKoz committed
    …ed markup.
    Signed-off-by: Michael Koziarski <>
    [#166 state:resolved]
Commits on May 2, 2008
  1. Xavier Noria Pratik

    Improve documentation coverage and markup

    fxn authored lifo committed
    Signed-off-by: Pratik Naik <>
Commits on Nov 26, 2007
  1. risk danger olson

    Refactor sanitizer helpers into HTML classes and make it easy to swap…

    technoweenie authored
    … them out with custom implementations. Closes #10129.  [rick]
    git-svn-id: 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Commits on Oct 10, 2007
  1. David Heinemeier Hansson

    Extracted sanitization methods from TextHelper to SanitizeHelper [DHH…

    dhh authored
    …] Changed SanitizeHelper#sanitize to only allow the custom attributes and tags when specified in the call [DHH]
    git-svn-id: 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
Something went wrong with that request. Please try again.