Commits on Jan 17, 2011
  1. @NZKoz

    Change the CSRF whitelisting to only apply to get requests

    NZKoz authored
    Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets.  To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header:
     X-CSRF-Token: ...
    This fixes CVE-2011-0447
Commits on Sep 1, 2009
  1. @NZKoz

    Clean tag attributes before passing through the escape_once logic.

    NZKoz authored
    Addresses CVE-2009-3009
Commits on Dec 15, 2008
  1. @fcheung @josh

    Fixed session related memory leak [#1558 state:resolved]

    fcheung authored josh committed
    Signed-off-by: Joshua Peek <>
Commits on Nov 18, 2008
  1. @NZKoz

    Verify form submissions for text/plain posts too.

    NZKoz authored
    Some browsers can POST requests with text/plain encoding, allowing attackers to potentially subvert the request forgery prevention.
Commits on Oct 24, 2008
  1. @packagethief @jeremy

    Fix incorrect closing CDATA delimiter. Add tests for CDATA nodes.

    packagethief authored jeremy committed
    Signed-off-by: Jeremy Kemper <>
  2. @packagethief @jeremy

    Fix that HTML::Node.parse would blow up on unclosed CDATA sections.

    packagethief authored jeremy committed
    If an unclosed CDATA section is encountered and parsing is strict, an
    exception will be raised. Otherwise, we consider the remainder of the line to
    be the section contents. This is consistent with HTML::Tokenizer#scan_tag.
    Signed-off-by: Jeremy Kemper <>
Commits on Oct 23, 2008
  1. @dhh
  2. @dhh

    Make ready for the 2.1.2 release

    dhh authored
Commits on Oct 19, 2008
  1. @NZKoz

    Sanitize the URLs passed to redirect_to to prevent a potential respon…

    NZKoz authored
    …se spli
    CGI.rb and mongrel don't do any sanitization of the contents of HTTP headers
Commits on Oct 5, 2008
  1. @NZKoz

    Reference more detailed documentation on the country_select issue rather than just recommending the country_select plugin.

    NZKoz authored
Commits on Sep 22, 2008
  1. @NZKoz

    Bump the Version constants to align with the *next* release rather than the previous release.

    NZKoz authored
    This allows people tracking non-release gems or git submodules to use the constants.
Commits on Sep 18, 2008
  1. @NZKoz

    Deprecate country_select for 2.1, it's gone in 2.2

    NZKoz authored
    You can install the country_select plugin to obtain the same, possibly controversial, list of countries.
Commits on Sep 10, 2008
  1. @dhh

    Remove merge clutter

    dhh authored
  2. @dhh

    Fixed FormTagHelper#submit_tag with :disable_with option wouldn't submit the button's value when it was clicked #633 [Jose Fernandez]

    dhh authored
Commits on Sep 7, 2008
  1. @al2o3cr @josh

    Ensure routing optimizations are cleared when new routes are added [#981

    al2o3cr authored josh committed
    Signed-off-by: Joshua Peek <>
Commits on Sep 4, 2008
  1. @dhh

    Prepare for release of 2.1.1

    dhh authored
  2. @dhh
  3. @technoweenie @NZKoz

    use mocha for TimeZone mocking in Form Options helper tests

    technoweenie authored NZKoz committed
    Signed-off-by: Tarmo Tänav <>
    Signed-off-by: Michael Koziarski <>
Commits on Aug 30, 2008
  1. @miloops @jeremy

    Allow prototype functions to receive position parameter as a symbol.

    miloops authored jeremy committed
    [#887 state:resolved]
    Signed-off-by: Jeremy Kemper <>
  2. @jeremy

    Fix bad merge from e21ed3e

    jeremy authored
Commits on Aug 28, 2008
  1. @michaelklishin @jeremy

    Request#remote_ip handles the uncommon case that REMOTE_ADDR is a comma-separated list.

    michaelklishin authored jeremy committed
    [#523 state:resolved]
    Signed-off-by: Jeremy Kemper <>
  2. @timhaines @jeremy

    Add TestUploadFile.content_type= to match Request.UploadedFile

    timhaines authored jeremy committed
    [#920 state:resolved]
    Signed-off-by: Jeremy Kemper <>
Commits on Aug 24, 2008
  1. @tarmo
  2. @miloops @tarmo

    In javascript helpers option[:type] = :synchronous should work as described in docs.

    miloops authored tarmo committed
    Signed-off-by: Michael Koziarski <>
  3. @DefV @tarmo

    Fix that label_tag doesn't take a symbol for a name. [#719 state:reso…

    DefV authored tarmo committed
    Signed-off-by: Pratik Naik <>
  4. @dhh @tarmo

    Fixed that AssetTagHelper#compute_public_path shouldn't cache the asset_host along with the source or per-request proc's won't run [DHH]

    dhh authored tarmo committed
  5. @js @tarmo

    Ensure mail_to label is obfuscated for javascript encoding. [#294 sta…

    js authored tarmo committed
    Signed-off-by: Pratik Naik <>
  6. @josh @tarmo

    All 2xx requests are considered successful [#217 state:resolved]

    josh authored tarmo committed
  7. @tarmo

    Use fully-qualified controller name when logging. [#600 state:resolved]

    Ripta Pasay authored tarmo committed
    Signed-off-by: Pratik Naik <>
  8. @chuyeow @tarmo

    Ensure url_for(nil) falls back to url_for({}). [#472 state:resolved]

    chuyeow authored tarmo committed
    Signed-off-by: Pratik Naik <>
  9. @jeremy @tarmo

    link_to_function and button_to_function shouldn't modify their options hashes

    jeremy authored tarmo committed
Commits on Jul 30, 2008
  1. @miloops @jeremy

    Prototype helpers should generate Element.insert instead of Insertion.new, which has been deprecated in Prototype 1.6.

    miloops authored jeremy committed
Commits on Jul 24, 2008
  1. @tarmo @NZKoz

    Use :namespace instead of :path_prefix for finding controller. [#544

    tarmo authored NZKoz committed
    :namespace is supposed to be the module where controller exists.
    :path_prefix can contain anything, including variables, which
    makes it unsuitable for determining the module for a controller.
    Signed-off-by: Pratik Naik <>
    Signed-off-by: Michael Koziarski <>
Commits on Jul 15, 2008
  1. @josh @jeremy

    Fixed teardown method typo (plus whitespace)

    josh authored jeremy committed
  2. @NZKoz @jeremy

    Tighten the rescue clause when dealing with invalid instance variable names in form_helper.

    NZKoz authored jeremy committed