Permalink
Browse files

updating CHANGELOG for actionpack

  • Loading branch information...
tenderlove committed Apr 5, 2011
1 parent 61ee344 commit 6bb9efeb9388ea61027168b48351375e63bca8d8
Showing with 10 additions and 0 deletions.
  1. +10 −0 actionpack/CHANGELOG
View
@@ -1,5 +1,15 @@
*Rails 3.0.6 (unreleased)*
+* Fixed XSS vulnerability in `auto_link`. `auto_link` no longer marks input as
+ html safe. Please make sure that calls to auto_link() are wrapped in a
+ sanitize(), or a raw() depending on the type of input passed to auto_link().
+ For example:
+
+ <%= sanitize(auto_link(some_user_input)) %>
+
+ Thanks to Torben Schulz for reporting this. The fix can be found here:
+ 61ee3449674c591747db95f9b3472c5c3bd9e84d
+
* Fixes the output of `rake routes` to be correctly match to the behavior of the application, as the regular expression used to match the path is greedy and won't capture the format part by default [Prem Sichanugrist]
* Fixes an issue with number_to_human when converting values which are less than 1 but greater than -1 [Josh Kalderimis]

0 comments on commit 6bb9efe

Please sign in to comment.