@@ -18,7 +18,7 @@ module Mime # end class Type @@html_types = Set.new [:html, :all] - @@unverifiable_types = Set.new [:text, :json, :csv, :xml, :rss, :atom, :yaml] + @@unverifiable_types = Set.new [:json, :csv, :xml, :rss, :atom, :yaml] cattr_reader :html_types, :unverifiable_types # A simple helper class used in parsing the accept header actionpack/lib/action_controller/mime_type.rb 7ce3a597249d99b1b3247d5f0ea5490416bd8f38 Michael Koziarski NZKoz michael@koziarski.com http://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc5913bd1a 099a98e9b7108dae3e0f78b207e0a7dc5913bd1a 2008-11-18T09:53:48-08:00 2008-11-16T11:35:25-08:00 Verify form submissions for text/plain posts too. Some browsers can POST requests with text/plain encoding, allowing attackers to potentially subvert the request forgery prevention. http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/ 1a12dbfe5aff023b4a355098d6c1a5995071e323 Michael Koziarski NZKoz michael@koziarski.com