Permalink
Switch branches/tags
Commits on Apr 22, 2013
  1. allow the branch to be managed with a modern rake

    fxn committed Apr 22, 2013
Commits on Apr 9, 2013
  1. Merge branch '2-3-later' into 2-3-stable

    tenderlove committed Apr 9, 2013
    * 2-3-later:
      adding test for CVE
Commits on Apr 4, 2013
  1. typo

    fxn committed Apr 4, 2013
  2. Revert "Revert "Revert "Switched to newer rdoc and gem package tasks …

    fxn committed Apr 4, 2013
    …(and their requires)."""
    
    We need an old RDoc to be able to generate the API.
    
    This reverts commit af7da4d.
Commits on Mar 18, 2013
  1. bumping to 2.3.18

    tenderlove committed Mar 18, 2013
  2. Revert "Revert "Switched to newer rdoc and gem package tasks (and the…

    tenderlove committed Mar 18, 2013
    …ir requires).""
    
    I can't build the gems without reverting this commit.
    
    This reverts commit dad3109.
Commits on Mar 16, 2013
  1. fix protocol checking in sanitization [CVE-2013-1857]

    tenderlove committed Mar 15, 2013
    Conflicts:
    	actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
    	actionpack/test/controller/html-scanner/sanitizer_test.rb
  2. fix incorrect ^$ usage leading to XSS in sanitize_css [CVE-2013-1855]

    charliesome authored and tenderlove committed Feb 12, 2013
    Conflicts:
    	actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
Commits on Feb 15, 2013
  1. Revert "Switched to newer rdoc and gem package tasks (and their requi…

    fxn committed Feb 15, 2013
    …res)."
    
    This is a manual revert of commit 79aa54d, since the commit itself touches
    in addition some version numbers.
    
    API generation before Rails 3 uses the Jamis template, which requires an
    old version of RDoc. To generate the API you need Rake 0.8.x or 0.9.x,
    and the RDoc distributed with 1.8.7 (version 1.0.1).
Commits on Feb 11, 2013
  1. Merge branch '2-3-sec' into 2-3-stable

    tenderlove committed Feb 11, 2013
    * 2-3-sec:
      bumping to 2.3.17
      fix serialization vulnerability
      fixing attr_protected CVE-2013-0276
  2. Revert "Merge pull request #9251 from Davidslv/patch-1"

    carlosantoniodasilva committed Feb 11, 2013
    This reverts commit d6adcb4, reversing
    changes made to 2e4aa39.
    
    Reason: merged to unmaintained branch.
  3. Merge pull request #9251 from Davidslv/patch-1

    carlosantoniodasilva committed Feb 11, 2013
    Add alias to maintain coherence with other methods, in end_of_day
  4. Update activesupport/lib/active_support/core_ext/time/calculations.rb

    Davidslv committed Feb 11, 2013
    Just maintaining the coherence with other methods, since everything has "at_" as prefix.
  5. bumping to 2.3.17

    tenderlove committed Feb 11, 2013
  6. fix serialization vulnerability

    kraatob authored and tenderlove committed Feb 8, 2013
Commits on Feb 10, 2013
  1. adding test for CVE

    tenderlove committed Feb 10, 2013
Commits on Feb 6, 2013
  1. Merge pull request #9194 from kwstannard/2-3-stable

    fxn committed Feb 6, 2013
    Docs: Fixed bad exists? documentation.
Commits on Feb 5, 2013
  1. Docs: Fixed bad exists? documentation.

    kwstannard committed Feb 5, 2013
    Base#exists? does not actually take options like finder methods. Trying
    to use what the documentation suggests will return a PG error because it
    will look for a column named 'conditions'.
    
    I changed the documentation to reflect how the exists? method actually
    works.
Commits on Feb 2, 2013
  1. use the decimal HTML escape code for single quotes instead of the hex…

    morgancurrie authored and rafaelfranca committed Feb 1, 2013
    … one so webkit-based browsers properly translate the code in form fields
Commits on Jan 28, 2013
  1. Merge pull request #9099 from pietro/2-3-gemspec-bump

    carlosantoniodasilva committed Jan 28, 2013
    Bump version on 2.3 gemspecs too.
  2. Bump version on gemspecs too.

    Pietro Monteiro
    Pietro Monteiro committed Jan 28, 2013
  3. bumping version

    tenderlove committed Jan 28, 2013
  4. Add an OkJson backend and remove the YAML backend

    NZKoz authored and tenderlove committed Jan 23, 2013
    Fixes CVE-2013-0333.  The ActiveSupport::JSON::Backends::Yaml class is present but the functionality has been removed entirely.
Commits on Jan 24, 2013
  1. backporting deep_munge

    tenderlove committed Jan 24, 2013
  2. Squashed commit of the following:

    tenderlove committed Aug 8, 2012
    commit 9ef905f
    Author: Rafael Mendonça França <rafaelmfranca@gmail.com>
    Date:   Tue Aug 7 22:38:40 2012 -0300
    
        Fix tests about single quote escaping
    
    commit 780a718
    Author: Santiago Pastorino <santiago@wyeworks.com>
    Date:   Tue Jul 31 22:25:54 2012 -0300
    
        html_escape should escape single quotes
    
        https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
        Closes #7215
    
        Conflicts:
        	actionpack/test/controller/new_base/render_template_test.rb
        	actionpack/test/template/asset_tag_helper_test.rb
        	actionpack/test/template/erb_util_test.rb
        	actionpack/test/template/javascript_helper_test.rb
        	actionpack/test/template/template_test.rb
        	activesupport/lib/active_support/core_ext/string/output_safety.rb
        	activesupport/test/core_ext/string_ext_test.rb
        	railties/test/application/assets_test.rb
  3. Do not mark strip_tags result as html_safe

    spastorino authored and tenderlove committed Aug 8, 2012
    Thanks to Marek Labos & Nethemba
Commits on Jan 22, 2013
  1. Merge pull request #9030 from johndouthat/2-3-stable

    steveklabnik committed Jan 22, 2013
    Add .gemspec files to 2-3-stable to help Bundler
  2. Add gemspecs for bundler

    johndouthat committed Jan 21, 2013