Aug 09, 2012

  1. Santiago Pastorino

    Do not mark strip_tags result as html_safe

    Thanks to Marek Labos & Nethemba
    
    CVE-2012-3465
    authored August 08, 2012
  2. Santiago Pastorino

    escape select_tag :prompt values

    CVE-2012-3463
    authored August 08, 2012
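As an added illustration of why the first of these two commits matters (this is example code, not Rails' sanitizer and not the patch itself): a naive one-pass tag stripper, assumed here purely for demonstration, can be fed markup that reassembles into a tag after stripping. If its return value is then trusted as safe HTML, that tag reaches the browser; if it is treated as untrusted text and escaped at output, which is the effect of not marking the result html_safe in a Rails view, the same input is inert. The inputs are constructed samples.

```ruby
require "cgi"

# Hypothetical naive tag stripper, NOT Rails' strip_tags: removes anything that
# looks like a single well-formed tag, in one pass over the input.
def naive_strip_tags(html)
  html.gsub(/<[^<>]*>/, "")
end

# Rendering that trusts the stripped result as markup (the unsafe pattern):
# whatever survived stripping is emitted verbatim.
def render_trusting(html)
  naive_strip_tags(html)
end

# Rendering that treats the stripped result as plain text and escapes it at
# output, the effect of leaving the result un-html_safe in a Rails view.
def render_escaping(html)
  CGI.escapeHTML(naive_strip_tags(html))
end

# Constructed samples: in EVIL the inner <b> is removed, and the fragments on
# either side of it join up into a <script> tag the stripper never saw.
EVIL   = "<scr<b>ipt>alert(1)</script>"
BENIGN = "<p>Hello <em>world</em></p>"

if __FILE__ == $0
  puts render_trusting(EVIL)   # <script>alert(1)
  puts render_escaping(EVIL)   # &lt;script&gt;alert(1)
  puts render_escaping(BENIGN) # Hello world
end
```

The benign input survives both paths identically; only the crafted one shows the difference, which is why a sanitizer's output should be escaped on the way out rather than blessed as safe.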

May 26, 2012

  1. Egor Homakov

    do not force sanitize and whitelist protocols for auto_link

    sanitize is not always required so we cannot make it. let's just
    whitelist protocols
    authored May 26, 2012
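The protocol allowlist idea in the commit above, as an added example that is not Rails' auto_link or its code: every URL-looking token in untrusted text is checked against an explicit list of schemes before it is turned into a link, and all text, including the URL itself, is HTML-escaped in both text and attribute context. The helper name, the regex and the allowlist contents are assumptions for this demo; the inputs in the assertions are constructed.

```ruby
require "cgi"

# Hypothetical auto-linker, not Rails' auto_link: turns URL-looking tokens in
# untrusted text into anchors, but only when the URL scheme is on an explicit
# allowlist. Everything else, including the URL text itself, is HTML-escaped.
ALLOWED_SCHEMES = %w[http https mailto].freeze

# A scheme (RFC 3986 shape), a colon, optional "//", then the rest of the token.
URL_RE = %r{\b([a-z][a-z0-9+.\-]*):(?://)?[^\s<>"]+}i

def safe_auto_link(text, allowed = ALLOWED_SCHEMES)
  out  = +""
  last = 0
  text.scan(URL_RE) do
    m = $~
    # Plain text between matches is escaped, so it can never inject markup.
    out << CGI.escapeHTML(text[last...m.begin(0)])
    url = m[0]
    if allowed.include?(m[1].downcase)   # case-insensitive scheme check
      href = CGI.escapeHTML(url)         # escape for the attribute context too
      out << %(<a href="#{href}">#{href}</a>)
    else
      out << CGI.escapeHTML(url)         # unknown scheme: stays plain text
    end
    last = m.end(0)
  end
  out << CGI.escapeHTML(text[last..-1])
  out
end

if __FILE__ == $0
  puts safe_auto_link("see http://example.com/?a=1&b=2 now")
  puts safe_auto_link("click javascript:alert(1) here")
  puts safe_auto_link("data:text/html,<script>")
end
```

Note that the rejected schemes are not stripped or sanitized; they simply never become an href, which is the point of allowlisting protocols rather than trying to enumerate bad ones.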

May 25, 2012

  1. Egor Homakov

    auto_link final sanitize

    authored May 25, 2012

Mar 27, 2012

  1. Aaron Patterson

    load the encoding converter to work around [ruby-core:41556] when switching encodings

    authored December 08, 2011 carlosantoniodasilva committed March 27, 2012

Mar 26, 2012

  1. Carlos Antonio da Silva

    Fix AV::FixtureResolver and rjs tests with random order errors

    Due to the hash ordering changes on Ruby 1.8.7-p358.

Feb 21, 2012

  1. Akira Matsuda

    use AS::SafeBuffer#clone_empty for flushing the output_buffer

    authored February 13, 2012 tenderlove committed February 20, 2012

Feb 20, 2012

  1. Sergey Nartimov

    fix output safety issue with select options

    authored February 20, 2012 tenderlove committed February 20, 2012

Nov 19, 2011

  1. Jon Leighton

    Don't html-escape the :count option to translate if it's a Numeric. Fixes #3685.
    
    Conflicts:
    
    	actionpack/CHANGELOG.md
    
    Conflicts:
    
    	actionpack/CHANGELOG.md
    authored November 19, 2011

Nov 17, 2011

  1. Sergey Nartimov

    _html translation should escape interpolated arguments

    Conflicts:
    
    	actionpack/CHANGELOG.md
    authored November 17, 2011 jonleighton committed November 17, 2011
  2. Jon Leighton

    Implement a workaround for a bug in ruby-1.9.3p0.

    The bug is that an error would be raised while attempting to convert a
    template from one encoding to another.
    
    Please see http://redmine.ruby-lang.org/issues/5564 for more details.
    
    The workaround is to load all conversions into memory ahead of time,
    and will only happen if the ruby version is *exactly* 1.9.3p0. The
    hope is obviously that the underlying problem will be resolved in
    the next patchlevel release of 1.9.3.
    
    Conflicts:
    
    	actionpack/CHANGELOG.md
    authored November 06, 2011

Sep 27, 2011

  1. Philip Arndt

    Fixes #3087 by removing autoload for non-existent DeprecatedBlockHelpers

    authored September 27, 2011

Aug 31, 2011

  1. Aaron Patterson

    use String#start_with? rather than creating regexps or comparing character values

    authored August 31, 2011

Aug 16, 2011

  1. Aaron Patterson

    Merge branch '3-0-10' into 3-0-stable

    * 3-0-10:
      bumping rails to 3.0.10
      properly substituting bad utf8 characters
      Tags with invalid names should also be stripped in order to prevent XSS attacks.  Thanks Sascha Depold for the report.
      prevent sql injection attacks by escaping quotes in column names
      Properly escape glob characters.
      bumping to 3.0.10.rc1
      more changelog updates
      updating CHANGELOGs
    authored August 16, 2011
  2. Aaron Patterson

    Properly escape glob characters.

    authored August 16, 2011
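Added example, not Rails' code: the glob-escaping fix shipped in 3.0.10 matters wherever a name that can be influenced from outside is interpolated into a filesystem glob (that Rails' template lookup builds such a pattern is the assumption behind this demo). The escape helper, the lookup function and the directory layout here are hypothetical, and the temporary directory and template files are constructed inside the block.

```ruby
require "tmpdir"
require "fileutils"

# Characters Dir.glob treats as pattern syntax on a POSIX filesystem.
# Hypothetical helper, not Rails' own escaping routine.
GLOB_META = /[\\*?\[\]{}]/

def escape_glob(str)
  str.gsub(GLOB_META) { |c| "\\#{c}" }
end

# Look up "templates" named +name+ under +base+. With escape: false the raw
# name becomes part of the glob, so "*" or "{a,b}" widen the match.
def find_templates(base, name, escape: true)
  pattern = File.join(base, "#{escape ? escape_glob(name) : name}.html.erb")
  Dir.glob(pattern).map { |p| File.basename(p) }.sort
end

# Build a constructed template directory and compare raw vs. escaped lookup.
def demo
  Dir.mktmpdir do |dir|
    %w[index show _secret].each { |n| FileUtils.touch(File.join(dir, "#{n}.html.erb")) }
    {
      raw_star:   find_templates(dir, "*", escape: false),
      raw_brace:  find_templates(dir, "{index,_secret}", escape: false),
      safe_star:  find_templates(dir, "*"),
      safe_brace: find_templates(dir, "{index,_secret}"),
      safe_index: find_templates(dir, "index")
    }
  end
end

if __FILE__ == $0
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

With the raw name, "*" enumerates every template and the brace form picks files the caller should not be able to name; with the escaped name, those same strings match nothing and only an exact template name resolves.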

Aug 11, 2011

  1. Remove 'parameters_for_url' from 'form_tag' method signature

    authored August 11, 2011 grzuy committed August 11, 2011

Jul 17, 2011

  1. Lauri Hahne

    made sure that the possible new output_buffer created by CacheHelper is of the same type as the original

    authored July 17, 2011

Jul 15, 2011

  1. Lauri Hahne

    fixed CacheHelper to properly support html_safe output buffers

    authored July 15, 2011

Jul 01, 2011

  1. Bogdan Gusiev

    Fixed ActionView::FormOptionsHelper#select with :multiple => false

    (cherry picked from commit 0fdac01)
    
    Signed-off-by: Andrew White <andyw@pixeltrix.co.uk>
    authored June 30, 2011 pixeltrix committed July 01, 2011

Jun 29, 2011

  1. Guillermo Iguaran

    Avoid extra call to Cache#read in case of a fragment cache hit

Jun 16, 2011

  1. Aaron Patterson

    Merge branch '3-0-9' into 3-0-stable

    * 3-0-9:
      Preparing for 3.0.9 release
      avoid false positives caused by release candidates
      Preparing for 3.0.9.rc5 release
      bumping to rc4
      Make sure that we don't perform in-place mutation on SafeBuffer string
      Update CHANGELOG to mention the json_escape change
      Ensure number helpers can handle HTML safe strings - closes #1597.
      bumping to rc3 since syck is not playing nicely
      bumping to 3.0.9.rc2
      ensuring that json_escape returns html safe strings when passed an html safe string
      Make sure `escape_javascript` return `SafeBuffer` if the incoming argument is already html_safe
      Fix issue #1598 by adding a dependency to the RDoc gem.
      bumping to 3.0.9.rc1
    authored June 16, 2011

Jun 15, 2011

  1. Damien Mathieu

    simplify to only one condition

    Signed-off-by: Andrew White <andyw@pixeltrix.co.uk>
    authored June 15, 2011 pixeltrix committed June 15, 2011
  2. Andrew White

    Make MissingTranslation exception handler respect :rescue_format

    authored June 15, 2011

Jun 11, 2011

    Revert "Make sure that we don't perform in-place mutation on SafeBuffer string"

    
    This reverts commit 104e200.
    authored June 10, 2011

Jun 10, 2011

  1. Prem Sichanugrist

    Make sure that we don't perform in-place mutation on SafeBuffer string

    This will make sure `render :inline` is working.
    
    Closes #1633
    authored June 10, 2011
  2. Andrew White

    Ensure number helpers can handle HTML safe strings - closes #1597.

    authored June 10, 2011 sikachu committed June 10, 2011
  3. Prem Sichanugrist

    Make sure that we don't perform in-place mutation on SafeBuffer string

    This will make sure `render :inline` is working.
    
    Closes #1633
    authored June 10, 2011
  4. Andrew White

    Ensure number helpers can handle HTML safe strings - closes #1597.

    authored June 10, 2011

Jun 09, 2011

  1. Prem Sichanugrist

    Make sure `escape_javascript` return `SafeBuffer` if the incoming argument is already html_safe

    authored June 09, 2011 tenderlove committed June 09, 2011
  2. Prem Sichanugrist

    Make sure `escape_javascript` return `SafeBuffer` if the incoming argument is already html_safe

    authored June 09, 2011

Jun 08, 2011

  1. Prem Sichanugrist

    Add proper fix to `mail_to` helper.

    * Fix the problem on manipulating on the `ActiveSupport::SafeBuffer`
    authored June 08, 2011
  2. Prem Sichanugrist

    Revert "Fixed mailto for SafeBuffer#gsub"

    It was fixing it in a bad way by changing test.
    
    This reverts commit cdf617e.
    authored June 08, 2011
  3. Paul Gallagher

    Make escape_javascript happy to handle SafeBuffers

    * see GH#1553
    * allow for the fact that gsub on SafeBuffer does not pass match variables $1, $2 etc to a block
    authored June 08, 2011
  4. Prem Sichanugrist

    Adapt [059692a] to make sure we perform correct cloning before manipulation on `OutputBuffer`.

    
    This has been adapted from [823aa22]. However, after the fragment rendering, `Builder` returns the `String` object instead of `ActionView::OutputBuffer`. Somehow the same procedure which was in [823aa22] does not play nice with the String, and result in the fragment got lost.
    authored June 08, 2011
  5. Arun Agrawal

    Cache helper fixed for SafeBuffer

    authored June 08, 2011