提交 · cc986db54665c4155f1b8da5d3f2ebf4a55ef23f · 张重言 / rails

05 3月, 2013 1 次提交
- A
  
  Call String#gsub with Hash directly · cc986db5
  由 Aman Gupta 提交于 3月 04, 2013
  
  cc986db5
13 9月, 2012 1 次提交
- F
  
  update AS/core_ext docs [ci skip] · 794a70f9
  由 Francesco Rodriguez 提交于 9月 12, 2012
  
  794a70f9
09 9月, 2012 1 次提交
- K
  
  &#39 dates back to SGML when &#x27 was introduced in HTML 4.0 · 6b2a24c3
  由 Kalys Osmonov 提交于 9月 03, 2012
  
  6b2a24c3
01 8月, 2012 1 次提交

html_escape should escape single quotes · b6ab4417

由 Santiago Pastorino 提交于 7月 31, 2012

https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
Closes #7215

b6ab4417

24 5月, 2012 1 次提交

Revert "Remove blank trailing comments" · 1ad0b378

由 Vijay Dev 提交于 5月 23, 2012

This reverts commit fa6d921e.

Reason: Not a fan of such massive changes. We usually close such changes
if made to Rails master as a pull request. Following the same principle
here and reverting.

[ci skip]

1ad0b378

20 5月, 2012 1 次提交

Remove blank trailing comments · fa6d921e

由 Henrik Hodne 提交于 5月 20, 2012

For future reference, this is the regex I used: ^\s*#\s*\n(?!\s*#). Replace
with the first match, and voilà! Note that the regex matches a little bit too
much, so you probably want to `git add -i .` and go through every single diff
to check if it actually should be changed.

fa6d921e

18 5月, 2012 1 次提交
- V
  
  doesn't modify params in SafeBuffer#% · 3b1c30c9
  由 Vasiliy Ermolovich 提交于 5月 18, 2012
  
  3b1c30c9
17 5月, 2012 1 次提交
- V
  
  fix safe string interpolation with SafeBuffer#%, closes #6352 · 9fb21e98
  由 Vasiliy Ermolovich 提交于 5月 16, 2012
  
  9fb21e98
12 5月, 2012 1 次提交
- F
  
  remove unnecessary 'examples' noise · ef440bb0
  由 Francesco Rodriguez 提交于 5月 11, 2012
  
  ef440bb0
29 4月, 2012 2 次提交
- A
  
  String quotes and trailing spaces · 432a65fa
  由 Alexey Gaziev 提交于 4月 29, 2012
  
  432a65fa
- A
  
  AS core_ext refactoring · 1946d7b9
  由 Alexey Gaziev 提交于 4月 26, 2012
  
  1946d7b9
02 3月, 2012 1 次提交

Stop SafeBuffer#clone_empty from issuing warnings · 681d89f9

由 Carlos Antonio da Silva 提交于 3月 02, 2012

Logic in clone_empty method was dealing with old @dirty variable, which
has changed by @html_safe in this commit:
https://github.com/rails/rails/commit/139963c99a955520db6373343662e55f4d16dcd1

This was issuing a "not initialized variable" warning - related to:
https://github.com/rails/rails/pull/5237

The logic applied by this method is already handled by the [] override,
so there is no need to reset the variable here.

681d89f9

01 3月, 2012 1 次提交
- J
  
  Ensure [] respects the status of the buffer. · 8ccaa341
  由 José Valim 提交于 2月 29, 2012
  
  8ccaa341
21 2月, 2012 2 次提交
- A
  
  delete vulnerable AS::SafeBuffer#[] · 71d8c77e
  由 Akira Matsuda 提交于 2月 13, 2012
  
  71d8c77e
- A
  
  add AS::SafeBuffer#clone_empty · 71b95bd9
  由 Akira Matsuda 提交于 2月 13, 2012
  
  71b95bd9
02 2月, 2012 1 次提交
- V
  
  revise docs [ci skip] · d7a85c5c
  由 Vijay Dev 提交于 2月 01, 2012
  
  d7a85c5c
01 2月, 2012 2 次提交
- C
  
  Move escaping regexps to constants · 9d25af60
  由 Carlos Antonio da Silva 提交于 1月 12, 2012
  
  9d25af60
- C
  Move escape_once logic to ERB::Util, where it belongs to · 608eddc6
  由 Carlos Antonio da Silva 提交于 1月 12, 2012
```
All the logic is based on the HTML_ESCAPE constant available in
ERB::Util, so it seems more logic to have the entire method there and
just delegate the helper to use it.
```
  608eddc6
05 1月, 2012 2 次提交
- R
  
  No need to override the to_yaml method in ActiveSupporte::SafeBuffer · ae7dcb4b
  由 Rafael Mendonça França 提交于 1月 04, 2012
  
  ae7dcb4b
- R
  
  No need to check if YAML::ENGINE is defined since ruby 1.9 does that · 0bf51e98
  由 Rafael Mendonça França 提交于 1月 04, 2012
  
  0bf51e98
21 12月, 2011 1 次提交
- G
  
  We don't need a special html_escape for 1.8 anymore · ba7ef536
  由 Guillermo Iguaran 提交于 12月 21, 2011
  
  ba7ef536
12 12月, 2011 2 次提交

J

Remove duplicate html_escape docs · 9147613c
由 Jeremy Kemper 提交于 12月 11, 2011

9147613c

Use 1.9 native XML escaping to speed up html_escape and shush regexp warnings · 63cd9432

由 Jeremy Kemper 提交于 12月 11, 2011

        length      user     system      total        real
before  6      0.010000   0.000000   0.010000 (  0.012378)
after   6      0.010000   0.000000   0.010000 (  0.012866)
before  60     0.040000   0.000000   0.040000 (  0.046273)
after   60     0.040000   0.000000   0.040000 (  0.036421)
before  600    0.390000   0.000000   0.390000 (  0.390670)
after   600    0.210000   0.000000   0.210000 (  0.209094)
before  6000   3.750000   0.000000   3.750000 (  3.751008)
after   6000   1.860000   0.000000   1.860000 (  1.857901)

63cd9432

03 12月, 2011 1 次提交

Restore performance of ERB::Util.html_escape · 0e17cf17

由 Jon Jensen 提交于 12月 02, 2011

Revert html_escape to do a single gsub again, but add the "n" flag (no
language, i.e. not multi-byte) to protect against XSS via invalid utf8
Signed-off-by: NJosé Valim <jose.valim@gmail.com>

0e17cf17

09 11月, 2011 1 次提交
- A
  
  Remove j alias for ERB::Util.json_escape · ed2eac83
  由 Akira Matsuda 提交于 11月 09, 2011
  
  ed2eac83
05 10月, 2011 2 次提交
- A
  
  ruby193: String#prepend is also unsafe · 87eab595
  由 Akira Matsuda 提交于 10月 02, 2011
  
  87eab595
- A
  
  override unsafe methods only if defined on String · 9c4fe308
  由 Akira Matsuda 提交于 10月 02, 2011
  
  9c4fe308
25 9月, 2011 1 次提交
- A
  
  remove superfluous to_s in ERB::Util.html_escape · f9164749
  由 Alexey Vakhov 提交于 9月 24, 2011
  
  f9164749
22 9月, 2011 1 次提交
- V
  
  fix incorrect comment · 8aa537c9
  由 Vijay Dev 提交于 9月 22, 2011
  
  8aa537c9
17 9月, 2011 1 次提交
- S
  
  Proper lines numbers for stack trace info · 18116791
  由 Santiago Pastorino 提交于 9月 16, 2011
  
  18116791
09 9月, 2011 2 次提交
- V
  revert the changes from c60995f3 - related to marking sub,gsub as unavailable... · e05d4cea
  由 Vijay Dev 提交于 9月 09, 2011
```
revert the changes from c60995f3 - related to marking sub,gsub as unavailable to use with safe strings
```
  e05d4cea
- J
  
  Revert removing gsub and sub from safe buffer. · 6b010c26
  由 José Valim 提交于 9月 08, 2011
  
  6b010c26
08 9月, 2011 4 次提交
- X
  
  this should have gone with the previous commit · 827fcf45
  由 Xavier Noria 提交于 9月 08, 2011
  
  827fcf45
- X
  copy-edits a couple of exception messages · f7627de2
  由 Xavier Noria 提交于 9月 08, 2011
```
"Safe Buffer" should either be the constant with the class name,
or go in lower case. I've chosen to follow the same terminology
that is used in the AS core extensiong guide, "safe string",
though "safe buffer" is also used elsewhere, we should pick one.
```
  f7627de2
- D
  
  better method documentation on disable safe string methods · c60995f3
  由 Damien Mathieu 提交于 9月 08, 2011
  
  c60995f3
- D
  
  make gsub and sub unavailable in SafeBuffers - Closes #1555 · e9f48cdc
  由 Damien Mathieu 提交于 9月 08, 2011
  
  e9f48cdc
17 8月, 2011 1 次提交
- A
  
  properly escape html to avoid invalid utf8 causing XSS attacks · bfc43257
  由 Aaron Patterson 提交于 8月 16, 2011
  
  bfc43257
14 8月, 2011 1 次提交
- B
  
  Reset @dirty to false when slicing an instance of SafeBuffer · 9d5340e7
  由 Brian Cardarella 提交于 7月 29, 2011
  
  9d5340e7
30 7月, 2011 1 次提交
- B
  
  Reset @dirty to false when slicing an instance of SafeBuffer · 6ef1079e
  由 Brian Cardarella 提交于 7月 29, 2011
  
  6ef1079e
03 7月, 2011 1 次提交
- V
  
  document meta methods · caab9f4e
  由 Vijay Dev 提交于 7月 03, 2011
  
  caab9f4e