Update CHANGELOG to mention the new SafeBuffer change

1 parent 910b34d commit 4252a3560911fdd730c3c26af7073d63e742d3b2 @sikachu sikachu committed
Showing with 30 additions and 1 deletion.
  1. +30 −1 actionpack/CHANGELOG
31 actionpack/CHANGELOG
@@ -1,7 +1,36 @@
-*Rails 3.0.8 (unreleased)*
+*Rails 3.0.9 (unreleased)*
+* Fix text helpers to work correctly with the new SafeBuffer restriction [Paul Gallagher, Arun Agrawal, Prem Sichanugrist]
+*Rails 3.0.8 (June 7, 2011)*
+* It is prohibited to perform a in-place SafeBuffer mutation [tenderlove]
+ The old behavior of SafeBuffer allowed you to mutate string in place via
+ method like `sub!`. These methods can add unsafe strings to a safe buffer,
+ and the safe buffer will continue to be marked as safe.
+ An example problem would be something like this:
+ <%= link_to('hello world', @user).sub!(/hello/, params[:xss]) %>
+ In the above example, an untrusted string (`params[:xss]`) is added to the
+ safe buffer returned by `link_to`, and the untrusted content is successfully
+ sent to the client without being escaped. To prevent this from happening
+ `sub!` and other similar methods will now raise an exception when they are called on a safe buffer.
+ In addition to the in-place versions, some of the versions of these methods which return a copy of the string will incorrectly mark strings as safe. For example:
+ <%= link_to('hello world', @user).sub(/hello/, params[:xss]) %>
+ The new versions will now ensure that *all* strings returned by these methods on safe buffers are marked unsafe.
+ You can read more about this change in
* Fixed github issue #342 with asset paths and relative roots.
*Rails 3.0.7 (April 18, 2011)*
*No changes.
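Review bot: the closing sentence of the 3.0.8 SafeBuffer entry, `You can read more about this change in`, is cut off and never says where to read more; either append the intended reference (the announcement that describes this SafeBuffer change) or drop the sentence so the entry does not trail off into nothing. Two wording nits in the same entry: `It is prohibited to perform a in-place SafeBuffer mutation` should read `an in-place`, and `allowed you to mutate string in place via method like` should read `mutate strings in place via methods like`. Minor: the sentence `some of the versions of these methods which return a copy of the string will incorrectly mark strings as safe` describes the pre-fix behaviour, so past tense (`incorrectly marked`) reads more clearly next to the following sentence that states what the new versions do.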
