Skip to content

Latest commit

 

History

History
242 lines (124 loc) · 5.85 KB

CHANGELOG.md

File metadata and controls

242 lines (124 loc) · 5.85 KB
Raw

Rails 5.2.8 (May 09, 2022)

  • No changes.

Rails 5.2.7.1 (April 26, 2022)

  • Fix and add protections for XSS in ActionView::Helpers and ERB::Util.

    Escape dangerous characters in names of tags and names of attributes in the tag helpers, following the XML specification. Rename the option :escape_attributes to :escape, to simplify by applying the option to the whole tag.

    Álvaro Martín Fraguas

Rails 5.2.7 (March 10, 2022)

  • No changes.

Rails 5.2.6.3 (March 08, 2022)

  • No changes.

Rails 5.2.6.2 (February 11, 2022)

  • No changes.

Rails 5.2.6.1 (February 11, 2022)

  • No changes.

Rails 5.2.6 (May 05, 2021)

  • No changes.

Rails 5.2.5 (March 26, 2021)

  • No changes.

Rails 5.2.4.6 (May 05, 2021)

  • No changes.

Rails 5.2.4.5 (February 10, 2021)

  • No changes.

Rails 5.2.4.4 (September 09, 2020)

  • [CVE-2020-15169] Fix potential XSS vulnerability in the translate/t helper

    Jonathan Hefner

Rails 5.2.4.3 (May 18, 2020)

  • [CVE-2020-8167] Check that request is same-origin prior to including CSRF token in XHRs

Rails 5.2.4.2 (March 19, 2020)

  • Fix possible XSS vector in escape_javascript helper

    CVE-2020-5267

    Aaron Patterson

Rails 5.2.4.1 (December 18, 2019)

  • No changes.

Rails 5.2.4 (November 27, 2019)

  • Allow programmatic click events to trigger Rails UJS click handlers. Programmatic click events (eg. ones generated by Rails.fire(link, "click")) don't specify a button. These events were being incorrectly stopped by code meant to ignore scroll wheel and right clicks introduced in #34573.

    Sudara Williams

Rails 5.2.3 (March 27, 2019)

  • Prevent non-primary mouse keys from triggering Rails UJS click handlers. Firefox fires click events even if the click was triggered by non-primary mouse keys such as right- or scroll-wheel-clicks. For example, right-clicking a link such as the one described below (with an underlying ajax request registered on click) should not cause that request to occur.

    <%= link_to 'Remote', remote_path, class: 'remote', remote: true, data: { type: :json } %>

    Fixes #34541

    Wolfgang Hobmaier

Rails 5.2.2.1 (March 11, 2019)

  • Only accept formats from registered mime types

    A lack of filtering on mime types could allow an attacker to read arbitrary files on the target server or to perform a denial of service attack.

    Fixes CVE-2019-5418 Fixes CVE-2019-5419

    John Hawthorn, Eileen M. Uchitelle, Aaron Patterson

Rails 5.2.2 (December 04, 2018)

  • No changes.

Rails 5.2.1.1 (November 27, 2018)

  • No changes.

Rails 5.2.1 (August 07, 2018)

  • Fix leak of skip_default_ids and allow_method_names_outside_object options to HTML attributes.

    Yurii Cherniavskyi

  • Fix issue with button_to's to_form_params

    button_to was throwing exception when invoked with params hash that contains symbol and string keys. The reason for the exception was that to_form_params was comparing the given symbol and string keys.

    The issue is fixed by turning all keys to strings inside to_form_params before comparing them.

    Georgi Georgiev

  • Fix JavaScript views rendering does not work with Firefox when using Content Security Policy.

    Fixes #32577.

    Yuji Yaginuma

  • Add the nonce: true option for javascript_include_tag helper to support automatic nonce generation for Content Security Policy. Works the same way as javascript_tag nonce: true does.

    Yaroslav Markin

Rails 5.2.0 (April 09, 2018)

  • Pass the :skip_pipeline option in image_submit_tag when calling path_to_image.

    Fixes #32248.

    Andrew White

  • Allow the use of callable objects as group methods for grouped selects.

    Until now, the option_groups_from_collection_for_select method was only able to handle method names as group_method and group_label_method parameters, it is now able to receive procs and other callable objects too.

    Jérémie Bonal

  • Add preload_link_tag helper.

    This helper that allows to the browser to initiate early fetch of resources (different to the specified in javascript_include_tag and stylesheet_link_tag). Additionally, this sends Early Hints if supported by browser.

    Guillermo Iguaran

  • Change form_with to generates ids by default.

    When form_with was introduced we disabled the automatic generation of ids that was enabled in form_for. This usually is not an good idea since labels don't work when the input doesn't have an id and it made harder to test with Capybara.

    You can still disable the automatic generation of ids setting config.action_view.form_with_generates_ids to false.

    Nick Pezza

  • Fix issues with field_error_proc wrapping optgroup and select divider option.

    Fixes #31088

    Matthias Neumayr

  • Remove deprecated Erubis ERB handler.

    Rafael Mendonça França

  • Remove default alt text generation.

    Fixes #30096

    Cameron Cundiff

  • Add srcset option to image_tag helper.

    Roberto Miranda

  • Fix issues with scopes and engine on current_page? method.

    Fixes #29401.

    Nikita Savrov

  • Generate field ids in collection_check_boxes and collection_radio_buttons.

    This makes sure that the labels are linked up with the fields.

    Fixes #29014.

    Yuji Yaginuma

  • Add :json type to auto_discovery_link_tag to support JSON Feeds.

    Mike Gunderloy

  • Update distance_of_time_in_words helper to display better error messages for bad input.

    Jay Hayes

Please check 5-1-stable for previous changes.