0
@@ -1,5 +1,7 @@
0
 *SVN*
0
 
0
+* Demote Hash#to_xml to use XmlSimple#xml_in_string so it can't read files or stdin.  #8453 [candlerb, Jeremy Kemper]
0
+
0
 * Document Object#blank?.  #6491 [Chris Mear]
0
 
0
 * Update Dependencies to ignore constants inherited from ancestors. Closes #6951. [Nicholas Seckar]

0
@@ -1,6 +1,27 @@
0
 require 'date'
0
 require 'xml_simple'
0
 
0
+# Locked down XmlSimple#xml_in_string
0
+class XmlSimple
0
+  # Same as xml_in but doesn't try to smartly shoot itself in the foot.
0
+  def xml_in_string(string, options = nil)
0
+    handle_options('in', options)
0
+
0
+    @doc = parse(string)
0
+    result = collapse(@doc.root)
0
+
0
+    if @options['keeproot']
0
+      merge({}, @doc.root.name, result)
0
+    else
0
+      result
0
+    end
0
+  end
0
+
0
+  def self.xml_in_string(string, options = nil)
0
+    new.xml_in_string(string, options)
0
+  end
0
+end
0
+
0
 module ActiveSupport #:nodoc:
0
   module CoreExtensions #:nodoc:
0
     module Hash #:nodoc:
0
@@ -81,14 +102,14 @@ module ActiveSupport #:nodoc:
0
         module ClassMethods
0
           def from_xml(xml)
0
             # TODO: Refactor this into something much cleaner that doesn't rely on XmlSimple
0
-            undasherize_keys(typecast_xml_value(XmlSimple.xml_in(xml,
0
+            undasherize_keys(typecast_xml_value(XmlSimple.xml_in_string(xml,
0
               'forcearray'   => false,
0
               'forcecontent' => true,
0
               'keeproot'     => true,
0
               'contentkey'   => '__content__')
0
-            ))            
0
+            ))
0
           end
0
-          
0
+
0
           def create_from_xml(xml)
0
             ActiveSupport::Deprecation.warn("Hash.create_from_xml has been renamed to Hash.from_xml", caller)
0
             from_xml(xml)