Commits on Aug 9, 2012
  1. @spastorino

    Bump to 3.0.17

    spastorino committed Aug 9, 2012
  2. @spastorino

    Add CHANGELOG entries

    spastorino committed Aug 9, 2012
  3. @spastorino

    Do not mark strip_tags result as html_safe

    Thanks to Marek Labos & Nethemba
    
    CVE-2012-3465
    spastorino committed Aug 8, 2012
  4. @spastorino

    escape select_tag :prompt values

    CVE-2012-3463
    spastorino committed Aug 8, 2012
Commits on Aug 8, 2012
  1. @rafaelfranca
  2. @spastorino @tenderlove

    html_escape should escape single quotes

    https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
    Closes #7215
    
    Conflicts:
    	actionpack/test/controller/new_base/render_template_test.rb
    	actionpack/test/template/asset_tag_helper_test.rb
    	actionpack/test/template/erb_util_test.rb
    	actionpack/test/template/javascript_helper_test.rb
    	actionpack/test/template/template_test.rb
    	activesupport/lib/active_support/core_ext/string/output_safety.rb
    	activesupport/test/core_ext/string_ext_test.rb
    	railties/test/application/assets_test.rb
    spastorino committed with tenderlove Jul 31, 2012
Commits on Aug 4, 2012
  1. @pixeltrix

    Backport of fix from #5173 - fixes #7252

    Rather than use the MySQL specific TINYTEXT, MEDIUMTEXT and LONGTEXT
    datatypes, Active Record migrations use TEXT(n) where n is the limit
    specified by the developer. Unfortunately how MySQL interprets n
    depends on the column's encoding so any limit above 5592405 will be
    interpreted as a LONGTEXT when the encoding is UTF-8.
    
    This commit fixes this by interpreting the limit within the adapter
    and using the specific MySQL datatype as appropriate.
    pixeltrix committed Aug 4, 2012
Commits on Jul 26, 2012
  1. @tenderlove

    bumping to 3.0.16

    tenderlove committed Jul 26, 2012
  2. @tenderlove

    updating release date

    tenderlove committed Jul 26, 2012
  3. @tenderlove

    updating changelog with CVE

    tenderlove committed Jul 26, 2012
  4. @tenderlove
Commits on Jul 23, 2012
  1. @tenderlove

    updating changelogs

    tenderlove committed Jul 23, 2012
Commits on Jun 13, 2012
  1. @tenderlove

    3.0.15

    tenderlove committed Jun 12, 2012
  2. @tenderlove
Commits on Jun 12, 2012
  1. @tenderlove

    updating changelogs

    tenderlove committed Jun 12, 2012
Commits on Jun 11, 2012
  1. @tenderlove

    bumping to 3.0.14

    tenderlove committed Jun 11, 2012
  2. @tenderlove
  3. @tenderlove
  4. @tenderlove

    Merge branch '3-0-stable-sec' into 3-0-stable-rel

    * 3-0-stable-sec:
      Array parameters should not contain nil values.
      Additional fix for CVE-2012-2661
    tenderlove committed Jun 11, 2012
  5. @kennyj @tenderlove

    Fix GH #3163. Should quote database on mysql/mysql2.

    Conflicts:
    
    	activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb
    
    Conflicts:
    
    	activerecord/lib/active_record/connection_adapters/abstract_mysql_adapter.rb
    	activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb
    
    Conflicts:
    
    	activerecord/lib/active_record/connection_adapters/mysql2_adapter.rb
    	activerecord/lib/active_record/connection_adapters/mysql_adapter.rb
    	activerecord/test/cases/adapters/mysql/mysql_adapter_test.rb
    	activerecord/test/cases/adapters/mysql2/schema_test.rb
    kennyj committed with tenderlove Mar 3, 2012
  6. @tenderlove
Commits on Jun 8, 2012
  1. @ernie @tenderlove

    Additional fix for CVE-2012-2661

    While the patched PredicateBuilder in 3.0.13 prevents a user
    from specifying a table name using the `table.column` format,
    it doesn't protect against the nesting of hashes changing the
    table context in the next call to build_from_hash. This fix
    covers this case as well.
    ernie committed with tenderlove Jun 8, 2012
Commits on May 31, 2012
  1. @tenderlove

    Merge branch '3-0-rel' into 3-0-stable

    * 3-0-rel:
      bumping to 3.0.13
      updating CHANGELOGs
      bumping to 3.0.13.rc1
    tenderlove committed May 31, 2012
  2. @tenderlove

    Merge branch '3-0-stable-sec' into 3-0-stable

    * 3-0-stable-sec:
      Strip [nil] from parameters hash. Thanks to Ben Murphy for reporting this!
      predicate builder should not recurse for determining where columns. Thanks to Ben Murphy for reporting this.
    tenderlove committed May 31, 2012
  3. @tenderlove

    bumping to 3.0.13

    tenderlove committed May 31, 2012
  4. @tenderlove

    updating CHANGELOGs

    tenderlove committed May 31, 2012
  5. @tenderlove

    Merge branch '3-0-stable-sec' into 3-0-rel

    * 3-0-stable-sec:
      Strip [nil] from parameters hash. Thanks to Ben Murphy for reporting this!
      predicate builder should not recurse for determining where columns. Thanks to Ben Murphy for reporting this.
    tenderlove committed May 31, 2012
Commits on May 30, 2012
  1. @tenderlove

    Strip [nil] from parameters hash.

    Thanks to Ben Murphy for reporting this!
    
    CVE-2012-2660
    
    Conflicts:
    
    	actionpack/lib/action_dispatch/http/request.rb
    tenderlove committed May 30, 2012
  2. @tenderlove

    predicate builder should not recurse for determining where columns.

    Thanks to Ben Murphy for reporting this.
    
    CVE-2012-2661
    tenderlove committed May 30, 2012
Commits on May 28, 2012
  1. @tenderlove

    bumping to 3.0.13.rc1

    tenderlove committed May 28, 2012
Commits on May 27, 2012
  1. @rafaelfranca
Commits on May 26, 2012
  1. @rafaelfranca

    Merge pull request #6495 from homakov/3-0-stable

    auto_link shouldn't always sanitize
    rafaelfranca committed May 26, 2012
  2. @homakov

    do not force sanitize and whitelist protocols for auto_link

    Sanitize is not always required, so we cannot force it. Let's just
    whitelist protocols.
    homakov committed May 26, 2012
Commits on May 25, 2012
  1. @tenderlove

    Merge pull request #6485 from homakov/3-0-stable

    auto_link sanitize output
    tenderlove committed May 25, 2012
  2. @homakov

    auto_link final sanitize

    homakov committed May 25, 2012