rails/actionview
Damien Burke ab5fb4f224 Don’t allow arbitrary data in back urls
`link_to :back` creates a link to whatever was
passed in via the referer header. If an attacker
can alter the referer header, that would create
a cross-site scripting vulnerability on every
page that uses `link_to :back`.

This commit restricts the back URL to valid
non-javascript URLs.

https://github.com/rails/rails/issues/14444
2015-11-03 17:20:48 -08:00
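The check described in the commit message above, as an added Ruby example that is not the Rails commit's own code. It assumes hypothetical helper names (`filtered_referrer`, `back_url`, `back_link_html`), a constructed set of Referer header values, and an allow-list of `http`/`https` schemes for absolute URLs, which is stricter than the message's "non-javascript" wording; the `javascript:history.back()` fallback mirrors what `link_to :back` renders when no usable referer is present.

```ruby
require 'uri'
require 'cgi'

# Constructed example: decide whether a Referer header value is safe to use
# as the target of a "back" link. The danger is not attribute escaping
# (a javascript: URL survives HTML-escaping untouched) but the URL scheme.
SAFE_SCHEMES = %w[http https].freeze           # assumption: stricter allow-list
FALLBACK_BACK_URL = 'javascript:history.back()'.freeze

# Returns the referer if it is a parseable relative reference or an absolute
# http(s) URL, otherwise nil. Anything that does not parse as a URI is
# treated as untrusted rather than passed through.
def filtered_referrer(referrer)
  return nil if referrer.nil? || referrer.strip.empty?

  candidate = referrer.strip
  uri = URI.parse(candidate)
  return candidate if uri.scheme.nil?                      # e.g. "/orders/42"
  return candidate if SAFE_SCHEMES.include?(uri.scheme.downcase)

  nil                                                      # javascript:, data:, ...
rescue URI::InvalidURIError
  nil
end

# What a back link should point at: the filtered referer, or the fallback.
def back_url(referrer)
  filtered_referrer(referrer) || FALLBACK_BACK_URL
end

# Renders the anchor. Note that CGI.escapeHTML alone would not have stopped a
# javascript: href; the scheme filter in back_url is what removes the XSS.
def back_link_html(referrer, text = 'Back')
  %(<a href="#{CGI.escapeHTML(back_url(referrer))}">#{CGI.escapeHTML(text)}</a>)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample Referer values, including a hostile one.
  ['https://example.com/orders/42', '/orders/42',
   'javascript:alert(1)', 'http://exa mple.com', nil].each do |ref|
    puts "#{ref.inspect} -> #{back_link_html(ref)}"
  end
end
```

Only the scheme decides the outcome here; a request whose Referer cannot be parsed at all falls back to the browser's own history navigation instead of being reflected into the page.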
bin select the AR adapter through `bin/test`. 2015-06-11 14:24:56 +02:00
lib Don’t allow arbitrary data in back urls 2015-11-03 17:20:48 -08:00
test Don’t allow arbitrary data in back urls 2015-11-03 17:20:48 -08:00
CHANGELOG.md Don’t allow arbitrary data in back urls 2015-11-03 17:20:48 -08:00
MIT-LICENSE Update copyright notices to 2015 [ci skip] 2014-12-31 08:34:14 +01:00
README.rdoc [ci skip] Don’t encourage `sudo gem install` 2015-05-12 14:51:19 -07:00
RUNNING_UNIT_TESTS.rdoc [ci skip] /sqlite/i --> SQLite 2014-07-06 15:23:12 +05:30
Rakefile Remove unused package tasks 2015-05-28 09:06:10 +02:00
actionview.gemspec Upgrade to Ruby 2.2.2 2015-04-14 08:41:56 +05:30

README.rdoc

= Action View

Action View is a framework for handling view template lookup and rendering, and provides
view helpers that assist when building HTML forms, Atom feeds and more.
Template formats that Action View handles are ERB (embedded Ruby, typically
used to inline short Ruby snippets inside HTML), and XML Builder.

== Download and installation

The latest version of Action View can be installed with RubyGems:

  % gem install actionview

Source code can be downloaded as part of the Rails project on GitHub:

* https://github.com/rails/rails/tree/master/actionview


== License

Action View is released under the MIT license:

* http://www.opensource.org/licenses/MIT


== Support

API documentation is at

* http://api.rubyonrails.org

Bug reports can be filed for the Ruby on Rails project here:

* https://github.com/rails/rails/issues

Feature requests should be discussed on the rails-core mailing list here:

* https://groups.google.com/forum/?fromgroups#!forum/rubyonrails-core