Branch: 2-3-stable
Commits on Apr 22, 2013
  1. @fxn
Commits on Apr 9, 2013
  1. @tenderlove

    Merge branch '2-3-later' into 2-3-stable

    tenderlove authored
    * 2-3-later:
      adding test for CVE
Commits on Apr 4, 2013
  1. @fxn

    typo

    fxn authored
  2. @fxn

    removes the obsolete task pdoc

    fxn authored
  3. @fxn
  4. @fxn

    Revert "Revert "Revert "Switched to newer rdoc and gem package tasks …

    fxn authored
    …(and their requires)."""
    
    We need an old RDoc to be able to generate the API.
    
    This reverts commit af7da4d.
Commits on Mar 18, 2013
  1. @tenderlove

    bumping to 2.3.18

    tenderlove authored
  2. @tenderlove

    Revert "Revert "Switched to newer rdoc and gem package tasks (and the…

    tenderlove authored
    …ir requires).""
    
    I can't build the gems without reverting this commit.
    
    This reverts commit dad3109.
Commits on Mar 16, 2013
  1. @tenderlove

    fix protocol checking in sanitization [CVE-2013-1857]

    tenderlove authored
    Conflicts:
    	actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
    	actionpack/test/controller/html-scanner/sanitizer_test.rb
  2. @charliesome @tenderlove

    fix incorrect ^$ usage leading to XSS in sanitize_css [CVE-2013-1855]

    charliesome authored tenderlove committed
    Conflicts:
    	actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
  3. @tenderlove
Commits on Feb 15, 2013
  1. @fxn

    Revert "Switched to newer rdoc and gem package tasks (and their requi…

    fxn authored
    …res)."
    
    This is a manual revert of commit 79aa54d, since the commit itself touches
    in addition some version numbers.
    
    API generation before Rails 3 uses the Jamis template, which requires an
    old version of RDoc. To generate the API you need Rake 0.8.x or 0.9.x,
    and the RDoc distributed with 1.8.7 (version 1.0.1).
Commits on Feb 11, 2013
  1. @tenderlove

    Merge branch '2-3-sec' into 2-3-stable

    tenderlove authored
    * 2-3-sec:
      bumping to 2.3.17
      fix serialization vulnerability
      fixing attr_protected CVE-2013-0276
  2. @carlosantoniodasilva

    Revert "Merge pull request #9251 from Davidslv/patch-1"

    carlosantoniodasilva authored
    This reverts commit d6adcb4, reversing
    changes made to 2e4aa39.
    
    Reason: merged to unmaintained branch.
  3. @carlosantoniodasilva

    Merge pull request #9251 from Davidslv/patch-1

    carlosantoniodasilva authored
    Add alias to maintain coherence with other methods, in end_of_day
  4. @Davidslv

    Update activesupport/lib/active_support/core_ext/time/calculations.rb

    Davidslv authored
    Just maintaining the coherence with other methods, since everything has "at_" as prefix.
  5. @tenderlove

    bumping to 2.3.17

    tenderlove authored
  6. @kratob @tenderlove

    fix serialization vulnerability

    kratob authored tenderlove committed
Commits on Feb 10, 2013
  1. @tenderlove

    adding test for CVE

    tenderlove authored
  2. @tenderlove
Commits on Feb 6, 2013
  1. @fxn

    Merge pull request #9194 from kwstannard/2-3-stable

    fxn authored
    Docs: Fixed bad exists? documentation.
Commits on Feb 5, 2013
  1. @kwstannard

    Docs: Fixed bad exists? documentation.

    kwstannard authored
    Base#exists? does not actually take options like finder methods. Trying
    to use what the documentation suggests will return a PG error because it
    will look for a column named 'conditions'.
    
    I changed the documentation to reflect how the exists? method actually
    works.
Commits on Feb 2, 2013
  1. @rafaelfranca
  2. @morgancurrie @rafaelfranca

    use the decimal HTML escape code for single quotes instead of the hex…

    morgancurrie authored rafaelfranca committed
    … one so webkit-based browsers properly translate the code in form fields
Commits on Jan 28, 2013
  1. @carlosantoniodasilva

    Merge pull request #9099 from pietro/2-3-gemspec-bump

    carlosantoniodasilva authored
    Bump version on 2.3 gemspecs too.
  2. @pietro

    Bump version on gemspecs too.

    pietro authored
  3. @tenderlove

    bumping version

    tenderlove authored
  4. @NZKoz @tenderlove

    Add an OkJson backend and remove the YAML backend

    NZKoz authored tenderlove committed
    Fixes CVE-2013-0333.  The ActiveSupport::JSON::Backends::Yaml class is present but the functionality has been removed entirely.
Commits on Jan 24, 2013
  1. @tenderlove
  2. @tenderlove

    backporting deep_munge

    tenderlove authored
  3. @tenderlove

    Squashed commit of the following:

    tenderlove authored
    commit 9ef905f
    Author: Rafael Mendonça França <rafaelmfranca@gmail.com>
    Date:   Tue Aug 7 22:38:40 2012 -0300
    
        Fix tests about single quote escaping
    
    commit 780a718
    Author: Santiago Pastorino <santiago@wyeworks.com>
    Date:   Tue Jul 31 22:25:54 2012 -0300
    
        html_escape should escape single quotes
    
        https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
        Closes #7215
    
        Conflicts:
        	actionpack/test/controller/new_base/render_template_test.rb
        	actionpack/test/template/asset_tag_helper_test.rb
        	actionpack/test/template/erb_util_test.rb
        	actionpack/test/template/javascript_helper_test.rb
        	actionpack/test/template/template_test.rb
        	activesupport/lib/active_support/core_ext/string/output_safety.rb
        	activesupport/test/core_ext/string_ext_test.rb
        	railties/test/application/assets_test.rb
  4. @spastorino @tenderlove

    Do not mark strip_tags result as html_safe

    spastorino authored tenderlove committed
    Thanks to Marek Labos & Nethemba
  5. @tenderlove

    fixing load error messages

    tenderlove authored
Commits on Jan 22, 2013
  1. @steveklabnik

    Merge pull request #9030 from johndouthat/2-3-stable

    steveklabnik authored
    Add .gemspec files to 2-3-stable to help Bundler
  2. @johndouthat

    Add gemspecs for bundler

    johndouthat authored