RubyGems - actionpack - Versions diffs - 4.0.1 → 4.2.11.1 - Mend

actionpack 4.0.1 → 4.2.11.1

Potentially problematic release.

This version of actionpack might be problematic. Click here for more details.

Files changed (241) hide show

checksums.yaml +5 -5
data/CHANGELOG.md +402 -1173
data/MIT-LICENSE +1 -1
data/README.rdoc +7 -7
data/lib/abstract_controller/base.rb +39 -7
data/lib/abstract_controller/callbacks.rb +32 -53
data/lib/abstract_controller/collector.rb +11 -1
data/lib/abstract_controller/helpers.rb +26 -16
data/lib/abstract_controller/railties/routes_helpers.rb +3 -3
data/lib/abstract_controller/rendering.rb +57 -127
data/lib/abstract_controller/url_for.rb +1 -1
data/lib/abstract_controller.rb +1 -2
data/lib/action_controller/base.rb +19 -10
data/lib/action_controller/caching/fragments.rb +7 -1
data/lib/action_controller/caching.rb +2 -12
data/lib/action_controller/log_subscriber.rb +29 -20
data/lib/action_controller/metal/conditional_get.rb +37 -12
data/lib/action_controller/metal/data_streaming.rb +1 -1
data/lib/action_controller/metal/etag_with_template_digest.rb +50 -0
data/lib/action_controller/metal/exceptions.rb +1 -1
data/lib/action_controller/metal/flash.rb +17 -0
data/lib/action_controller/metal/force_ssl.rb +2 -2
data/lib/action_controller/metal/head.rb +8 -6
data/lib/action_controller/metal/helpers.rb +6 -2
data/lib/action_controller/metal/http_authentication.rb +45 -23
data/lib/action_controller/metal/instrumentation.rb +9 -6
data/lib/action_controller/metal/live.rb +173 -20
data/lib/action_controller/metal/mime_responds.rb +127 -232
data/lib/action_controller/metal/params_wrapper.rb +16 -9
data/lib/action_controller/metal/rack_delegation.rb +1 -1
data/lib/action_controller/metal/redirecting.rb +34 -26
data/lib/action_controller/metal/renderers.rb +39 -12
data/lib/action_controller/metal/rendering.rb +41 -14
data/lib/action_controller/metal/request_forgery_protection.rb +147 -19
data/lib/action_controller/metal/streaming.rb +19 -21
data/lib/action_controller/metal/strong_parameters.rb +166 -22
data/lib/action_controller/metal/testing.rb +0 -1
data/lib/action_controller/metal/url_for.rb +11 -12
data/lib/action_controller/metal.rb +14 -8
data/lib/action_controller/model_naming.rb +1 -1
data/lib/action_controller/railtie.rb +5 -1
data/lib/action_controller/test_case.rb +160 -94
data/lib/action_controller.rb +2 -18
data/lib/action_dispatch/http/cache.rb +5 -4
data/lib/action_dispatch/http/filter_parameters.rb +2 -2
data/lib/action_dispatch/http/filter_redirect.rb +5 -4
data/lib/action_dispatch/http/headers.rb +46 -10
data/lib/action_dispatch/http/mime_negotiation.rb +31 -4
data/lib/action_dispatch/http/mime_type.rb +25 -26
data/lib/action_dispatch/http/mime_types.rb +1 -0
data/lib/action_dispatch/http/parameter_filter.rb +1 -1
data/lib/action_dispatch/http/parameters.rb +25 -41
data/lib/action_dispatch/http/request.rb +49 -32
data/lib/action_dispatch/http/response.rb +127 -25
data/lib/action_dispatch/http/upload.rb +9 -21
data/lib/action_dispatch/http/url.rb +97 -70
data/lib/action_dispatch/journey/formatter.rb +35 -19
data/lib/action_dispatch/journey/gtg/builder.rb +3 -3
data/lib/action_dispatch/journey/gtg/simulator.rb +10 -7
data/lib/action_dispatch/journey/gtg/transition_table.rb +23 -33
data/lib/action_dispatch/journey/nfa/dot.rb +2 -2
data/lib/action_dispatch/journey/nfa/simulator.rb +1 -1
data/lib/action_dispatch/journey/nfa/transition_table.rb +5 -5
data/lib/action_dispatch/journey/nodes/node.rb +4 -0
data/lib/action_dispatch/journey/parser.rb +51 -59
data/lib/action_dispatch/journey/parser.y +12 -10
data/lib/action_dispatch/journey/path/pattern.rb +16 -19
data/lib/action_dispatch/journey/route.rb +8 -19
data/lib/action_dispatch/journey/router/strexp.rb +9 -6
data/lib/action_dispatch/journey/router/utils.rb +54 -18
data/lib/action_dispatch/journey/router.rb +53 -75
data/lib/action_dispatch/journey/routes.rb +4 -0
data/lib/action_dispatch/journey/scanner.rb +5 -5
data/lib/action_dispatch/journey/visitors.rb +81 -60
data/lib/action_dispatch/journey/visualizer/fsm.css +0 -4
data/lib/action_dispatch/journey/visualizer/index.html.erb +2 -2
data/lib/action_dispatch/middleware/callbacks.rb +7 -7
data/lib/action_dispatch/middleware/cookies.rb +119 -43
data/lib/action_dispatch/middleware/debug_exceptions.rb +32 -13
data/lib/action_dispatch/middleware/exception_wrapper.rb +60 -20
data/lib/action_dispatch/middleware/flash.rb +37 -24
data/lib/action_dispatch/middleware/params_parser.rb +2 -2
data/lib/action_dispatch/middleware/public_exceptions.rb +12 -3
data/lib/action_dispatch/middleware/reloader.rb +11 -2
data/lib/action_dispatch/middleware/remote_ip.rb +40 -54
data/lib/action_dispatch/middleware/request_id.rb +1 -1
data/lib/action_dispatch/middleware/session/cache_store.rb +3 -3
data/lib/action_dispatch/middleware/session/cookie_store.rb +8 -7
data/lib/action_dispatch/middleware/show_exceptions.rb +6 -2
data/lib/action_dispatch/middleware/ssl.rb +10 -7
data/lib/action_dispatch/middleware/static.rb +79 -23
data/lib/action_dispatch/middleware/templates/rescues/{_request_and_response.erb → _request_and_response.html.erb} +0 -0
data/lib/action_dispatch/middleware/templates/rescues/_request_and_response.text.erb +23 -0
data/lib/action_dispatch/middleware/templates/rescues/_source.erb +21 -19
data/lib/action_dispatch/middleware/templates/rescues/_trace.html.erb +52 -0
data/lib/action_dispatch/middleware/templates/rescues/_trace.text.erb +9 -0
data/lib/action_dispatch/middleware/templates/rescues/{diagnostics.erb → diagnostics.html.erb} +1 -1
data/lib/action_dispatch/middleware/templates/rescues/diagnostics.text.erb +9 -0
data/lib/action_dispatch/middleware/templates/rescues/layout.erb +6 -0
data/lib/action_dispatch/middleware/templates/rescues/missing_template.html.erb +11 -0
data/lib/action_dispatch/middleware/templates/rescues/missing_template.text.erb +3 -0
data/lib/action_dispatch/middleware/templates/rescues/{routing_error.erb → routing_error.html.erb} +3 -1
data/lib/action_dispatch/middleware/templates/rescues/routing_error.text.erb +11 -0
data/lib/action_dispatch/middleware/templates/rescues/template_error.html.erb +20 -0
data/lib/action_dispatch/middleware/templates/rescues/template_error.text.erb +7 -0
data/lib/action_dispatch/middleware/templates/rescues/{unknown_action.erb → unknown_action.html.erb} +1 -1
data/lib/action_dispatch/middleware/templates/rescues/unknown_action.text.erb +3 -0
data/lib/action_dispatch/middleware/templates/routes/_table.html.erb +120 -64
data/lib/action_dispatch/railtie.rb +5 -2
data/lib/action_dispatch/request/session.rb +12 -0
data/lib/action_dispatch/request/utils.rb +35 -0
data/lib/action_dispatch/routing/endpoint.rb +10 -0
data/lib/action_dispatch/routing/inspector.rb +11 -17
data/lib/action_dispatch/routing/mapper.rb +519 -312
data/lib/action_dispatch/routing/polymorphic_routes.rb +204 -79
data/lib/action_dispatch/routing/redirection.rb +51 -26
data/lib/action_dispatch/routing/route_set.rb +331 -206
data/lib/action_dispatch/routing/routes_proxy.rb +5 -4
data/lib/action_dispatch/routing/url_for.rb +19 -5
data/lib/action_dispatch/routing.rb +9 -6
data/lib/action_dispatch/testing/assertions/dom.rb +2 -26
data/lib/action_dispatch/testing/assertions/response.rb +9 -15
data/lib/action_dispatch/testing/assertions/routing.rb +22 -22
data/lib/action_dispatch/testing/assertions/selector.rb +2 -429
data/lib/action_dispatch/testing/assertions/tag.rb +2 -134
data/lib/action_dispatch/testing/assertions.rb +11 -7
data/lib/action_dispatch/testing/integration.rb +31 -29
data/lib/action_dispatch/testing/test_request.rb +1 -1
data/lib/action_dispatch/testing/test_response.rb +1 -5
data/lib/action_dispatch.rb +5 -8
data/lib/action_pack/gem_version.rb +15 -0
data/lib/action_pack/version.rb +4 -7
data/lib/action_pack.rb +1 -1
metadata +77 -159
data/lib/abstract_controller/layouts.rb +0 -423
data/lib/abstract_controller/view_paths.rb +0 -96
data/lib/action_controller/deprecated/integration_test.rb +0 -5
data/lib/action_controller/deprecated.rb +0 -7
data/lib/action_controller/metal/responder.rb +0 -287
data/lib/action_controller/record_identifier.rb +0 -31
data/lib/action_controller/vendor/html-scanner.rb +0 -5
data/lib/action_dispatch/middleware/templates/rescues/_trace.erb +0 -24
data/lib/action_dispatch/middleware/templates/rescues/missing_template.erb +0 -7
data/lib/action_dispatch/middleware/templates/rescues/template_error.erb +0 -43
data/lib/action_view/base.rb +0 -201
data/lib/action_view/buffers.rb +0 -49
data/lib/action_view/context.rb +0 -36
data/lib/action_view/dependency_tracker.rb +0 -93
data/lib/action_view/digestor.rb +0 -113
data/lib/action_view/flows.rb +0 -76
data/lib/action_view/helpers/active_model_helper.rb +0 -49
data/lib/action_view/helpers/asset_tag_helper.rb +0 -320
data/lib/action_view/helpers/asset_url_helper.rb +0 -355
data/lib/action_view/helpers/atom_feed_helper.rb +0 -203
data/lib/action_view/helpers/cache_helper.rb +0 -196
data/lib/action_view/helpers/capture_helper.rb +0 -216
data/lib/action_view/helpers/controller_helper.rb +0 -25
data/lib/action_view/helpers/csrf_helper.rb +0 -30
data/lib/action_view/helpers/date_helper.rb +0 -1083
data/lib/action_view/helpers/debug_helper.rb +0 -39
data/lib/action_view/helpers/form_helper.rb +0 -1880
data/lib/action_view/helpers/form_options_helper.rb +0 -838
data/lib/action_view/helpers/form_tag_helper.rb +0 -785
data/lib/action_view/helpers/javascript_helper.rb +0 -117
data/lib/action_view/helpers/number_helper.rb +0 -441
data/lib/action_view/helpers/output_safety_helper.rb +0 -38
data/lib/action_view/helpers/record_tag_helper.rb +0 -106
data/lib/action_view/helpers/rendering_helper.rb +0 -90
data/lib/action_view/helpers/sanitize_helper.rb +0 -256
data/lib/action_view/helpers/tag_helper.rb +0 -173
data/lib/action_view/helpers/tags/base.rb +0 -148
data/lib/action_view/helpers/tags/check_box.rb +0 -64
data/lib/action_view/helpers/tags/checkable.rb +0 -16
data/lib/action_view/helpers/tags/collection_check_boxes.rb +0 -44
data/lib/action_view/helpers/tags/collection_helpers.rb +0 -84
data/lib/action_view/helpers/tags/collection_radio_buttons.rb +0 -36
data/lib/action_view/helpers/tags/collection_select.rb +0 -28
data/lib/action_view/helpers/tags/color_field.rb +0 -25
data/lib/action_view/helpers/tags/date_field.rb +0 -13
data/lib/action_view/helpers/tags/date_select.rb +0 -72
data/lib/action_view/helpers/tags/datetime_field.rb +0 -22
data/lib/action_view/helpers/tags/datetime_local_field.rb +0 -19
data/lib/action_view/helpers/tags/datetime_select.rb +0 -8
data/lib/action_view/helpers/tags/email_field.rb +0 -8
data/lib/action_view/helpers/tags/file_field.rb +0 -8
data/lib/action_view/helpers/tags/grouped_collection_select.rb +0 -29
data/lib/action_view/helpers/tags/hidden_field.rb +0 -8
data/lib/action_view/helpers/tags/label.rb +0 -66
data/lib/action_view/helpers/tags/month_field.rb +0 -13
data/lib/action_view/helpers/tags/number_field.rb +0 -18
data/lib/action_view/helpers/tags/password_field.rb +0 -12
data/lib/action_view/helpers/tags/radio_button.rb +0 -31
data/lib/action_view/helpers/tags/range_field.rb +0 -8
data/lib/action_view/helpers/tags/search_field.rb +0 -24
data/lib/action_view/helpers/tags/select.rb +0 -40
data/lib/action_view/helpers/tags/tel_field.rb +0 -8
data/lib/action_view/helpers/tags/text_area.rb +0 -18
data/lib/action_view/helpers/tags/text_field.rb +0 -29
data/lib/action_view/helpers/tags/time_field.rb +0 -13
data/lib/action_view/helpers/tags/time_select.rb +0 -8
data/lib/action_view/helpers/tags/time_zone_select.rb +0 -20
data/lib/action_view/helpers/tags/url_field.rb +0 -8
data/lib/action_view/helpers/tags/week_field.rb +0 -13
data/lib/action_view/helpers/tags.rb +0 -39
data/lib/action_view/helpers/text_helper.rb +0 -443
data/lib/action_view/helpers/translation_helper.rb +0 -107
data/lib/action_view/helpers/url_helper.rb +0 -635
data/lib/action_view/helpers.rb +0 -58
data/lib/action_view/locale/en.yml +0 -56
data/lib/action_view/log_subscriber.rb +0 -30
data/lib/action_view/lookup_context.rb +0 -241
data/lib/action_view/model_naming.rb +0 -12
data/lib/action_view/path_set.rb +0 -77
data/lib/action_view/railtie.rb +0 -43
data/lib/action_view/record_identifier.rb +0 -84
data/lib/action_view/renderer/abstract_renderer.rb +0 -47
data/lib/action_view/renderer/partial_renderer.rb +0 -492
data/lib/action_view/renderer/renderer.rb +0 -50
data/lib/action_view/renderer/streaming_template_renderer.rb +0 -103
data/lib/action_view/renderer/template_renderer.rb +0 -96
data/lib/action_view/routing_url_for.rb +0 -107
data/lib/action_view/tasks/dependencies.rake +0 -17
data/lib/action_view/template/error.rb +0 -138
data/lib/action_view/template/handlers/builder.rb +0 -26
data/lib/action_view/template/handlers/erb.rb +0 -146
data/lib/action_view/template/handlers/raw.rb +0 -11
data/lib/action_view/template/handlers.rb +0 -53
data/lib/action_view/template/resolver.rb +0 -326
data/lib/action_view/template/text.rb +0 -34
data/lib/action_view/template/types.rb +0 -57
data/lib/action_view/template.rb +0 -339
data/lib/action_view/test_case.rb +0 -270
data/lib/action_view/testing/resolvers.rb +0 -50
data/lib/action_view/vendor/html-scanner/html/document.rb +0 -68
data/lib/action_view/vendor/html-scanner/html/node.rb +0 -532
data/lib/action_view/vendor/html-scanner/html/sanitizer.rb +0 -188
data/lib/action_view/vendor/html-scanner/html/selector.rb +0 -830
data/lib/action_view/vendor/html-scanner/html/tokenizer.rb +0 -107
data/lib/action_view/vendor/html-scanner/html/version.rb +0 -11
data/lib/action_view/vendor/html-scanner.rb +0 -20
data/lib/action_view.rb +0 -93

data/lib/action_view/vendor/html-scanner/html/sanitizer.rb DELETED Viewed

@@ -1,188 +0,0 @@
-require 'set'
-require 'cgi'
-require 'active_support/core_ext/class/attribute_accessors'
-module HTML
-  class Sanitizer
-    def sanitize(text, options = {})
-      validate_options(options)
-      return text unless sanitizeable?(text)
-      tokenize(text, options).join
-    end
-    def sanitizeable?(text)
-      !(text.nil? || text.empty? || !text.index("<"))
-    end
-  protected
-    def tokenize(text, options)
-      tokenizer = HTML::Tokenizer.new(text)
-      result = []
-      while token = tokenizer.next
-        node = Node.parse(nil, 0, 0, token, false)
-        process_node node, result, options
-      end
-      result
-    end
-    def process_node(node, result, options)
-      result << node.to_s
-    end
-    def validate_options(options)
-      if options[:tags] && !options[:tags].is_a?(Enumerable)
-        raise ArgumentError, "You should pass :tags as an Enumerable"
-      end
-      if options[:attributes] && !options[:attributes].is_a?(Enumerable)
-        raise ArgumentError, "You should pass :attributes as an Enumerable"
-      end
-    end
-  end
-  class FullSanitizer < Sanitizer
-    def sanitize(text, options = {})
-      result = super
-      # strip any comments, and if they have a newline at the end (ie. line with
-      # only a comment) strip that too
-      result = result.gsub(/<!--(.*?)-->[\n]?/m, "") if (result && result =~ /<!--(.*?)-->[\n]?/m)
-      # Recurse - handle all dirty nested tags
-      result == text ? result : sanitize(result, options)
-    end
-    def process_node(node, result, options)
-      result << node.to_s if node.class == HTML::Text
-    end
-  end
-  class LinkSanitizer < FullSanitizer
-    cattr_accessor :included_tags, :instance_writer => false
-    self.included_tags = Set.new(%w(a href))
-    def sanitizeable?(text)
-      !(text.nil? || text.empty? || !((text.index("<a") || text.index("<href")) && text.index(">")))
-    end
-  protected
-    def process_node(node, result, options)
-      result << node.to_s unless node.is_a?(HTML::Tag) && included_tags.include?(node.name)
-    end
-  end
-  class WhiteListSanitizer < Sanitizer
-    [:protocol_separator, :uri_attributes, :allowed_attributes, :allowed_tags, :allowed_protocols, :bad_tags,
-     :allowed_css_properties, :allowed_css_keywords, :shorthand_css_properties].each do |attr|
-      class_attribute attr, :instance_writer => false
-    end
-    # A regular expression of the valid characters used to separate protocols like
-    # the ':' in 'http://foo.com'
-    self.protocol_separator     = /:|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i
-    # Specifies a Set of HTML attributes that can have URIs.
-    self.uri_attributes         = Set.new(%w(href src cite action longdesc xlink:href lowsrc))
-    # Specifies a Set of 'bad' tags that the #sanitize helper will remove completely, as opposed
-    # to just escaping harmless tags like &lt;font&gt;
-    self.bad_tags               = Set.new(%w(script))
-    # Specifies the default Set of tags that the #sanitize helper will allow unscathed.
-    self.allowed_tags           = Set.new(%w(strong em b i p code pre tt samp kbd var sub
-      sup dfn cite big small address hr br div span h1 h2 h3 h4 h5 h6 ul ol li dl dt dd abbr
-      acronym a img blockquote del ins))
-    # Specifies the default Set of html attributes that the #sanitize helper will leave
-    # in the allowed tag.
-    self.allowed_attributes     = Set.new(%w(href src width height alt cite datetime title class name xml:lang abbr))
-    # Specifies the default Set of acceptable css properties that #sanitize and #sanitize_css will accept.
-    self.allowed_protocols      = Set.new(%w(ed2k ftp http https irc mailto news gopher nntp telnet webcal xmpp callto
-      feed svn urn aim rsync tag ssh sftp rtsp afs))
-    # Specifies the default Set of acceptable css properties that #sanitize and #sanitize_css will accept.
-    self.allowed_css_properties = Set.new(%w(azimuth background-color border-bottom-color border-collapse
-      border-color border-left-color border-right-color border-top-color clear color cursor direction display
-      elevation float font font-family font-size font-style font-variant font-weight height letter-spacing line-height
-      overflow pause pause-after pause-before pitch pitch-range richness speak speak-header speak-numeral speak-punctuation
-      speech-rate stress text-align text-decoration text-indent unicode-bidi vertical-align voice-family volume white-space
-      width))
-    # Specifies the default Set of acceptable css keywords that #sanitize and #sanitize_css will accept.
-    self.allowed_css_keywords   = Set.new(%w(auto aqua black block blue bold both bottom brown center
-      collapse dashed dotted fuchsia gray green !important italic left lime maroon medium none navy normal
-      nowrap olive pointer purple red right solid silver teal top transparent underline white yellow))
-    # Specifies the default Set of allowed shorthand css properties for the #sanitize and #sanitize_css helpers.
-    self.shorthand_css_properties = Set.new(%w(background border margin padding))
-    # Sanitizes a block of css code. Used by #sanitize when it comes across a style attribute
-    def sanitize_css(style)
-      # disallow urls
-      style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')
-      # gauntlet
-      if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ ||
-          style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/
-        return ''
-      end
-      clean = []
-      style.scan(/([-\w]+)\s*:\s*([^:;]*)/) do |prop,val|
-        if allowed_css_properties.include?(prop.downcase)
-          clean <<  prop + ': ' + val + ';'
-        elsif shorthand_css_properties.include?(prop.split('-')[0].downcase)
-          unless val.split().any? do |keyword|
-            !allowed_css_keywords.include?(keyword) &&
-              keyword !~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
-          end
-            clean << prop + ': ' + val + ';'
-          end
-        end
-      end
-      clean.join(' ')
-    end
-  protected
-    def tokenize(text, options)
-      options[:parent] = []
-      options[:attributes] ||= allowed_attributes
-      options[:tags]       ||= allowed_tags
-      super
-    end
-    def process_node(node, result, options)
-      result << case node
-        when HTML::Tag
-          if node.closing == :close
-            options[:parent].shift
-          else
-            options[:parent].unshift node.name
-          end
-          process_attributes_for node, options
-          options[:tags].include?(node.name) ? node : nil
-        else
-          bad_tags.include?(options[:parent].first) ? nil : node.to_s.gsub(/</, "&lt;")
-      end
-    end
-    def process_attributes_for(node, options)
-      return unless node.attributes
-      node.attributes.keys.each do |attr_name|
-        value = node.attributes[attr_name].to_s
-        if !options[:attributes].include?(attr_name) || contains_bad_protocols?(attr_name, value)
-          node.attributes.delete(attr_name)
-        else
-          node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(CGI::unescapeHTML(value))
-        end
-      end
-    end
-    def contains_bad_protocols?(attr_name, value)
-      uri_attributes.include?(attr_name) &&
-      (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i && !allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip))
-    end
-  end
-end