Commits on Aug 9, 2012
  1. @spastorino

    Bump to 3.0.17

    spastorino committed
  2. @spastorino

    Do not mark strip_tags result as html_safe

    spastorino committed
    Thanks to Marek Labos & Nethemba
    
    CVE-2012-3465
  3. @spastorino

    escape select_tag :prompt values

    spastorino committed
    CVE-2012-3463
Commits on Aug 8, 2012
  1. @rafaelfranca
  2. @spastorino @tenderlove

    html_escape should escape single quotes

    spastorino committed with tenderlove
    https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
    Closes #7215
    
    Conflicts:
    	actionpack/test/controller/new_base/render_template_test.rb
    	actionpack/test/template/asset_tag_helper_test.rb
    	actionpack/test/template/erb_util_test.rb
    	actionpack/test/template/javascript_helper_test.rb
    	actionpack/test/template/template_test.rb
    	activesupport/lib/active_support/core_ext/string/output_safety.rb
    	activesupport/test/core_ext/string_ext_test.rb
    	railties/test/application/assets_test.rb
Commits on Jul 26, 2012
  1. @tenderlove

    bumping to 3.0.16

    tenderlove committed
  2. @tenderlove

    updating release date

    tenderlove committed
  3. @tenderlove

    updating changelog with CVE

    tenderlove committed
  4. @tenderlove
Commits on Jul 23, 2012
  1. @tenderlove

    updating changelogs

    tenderlove committed
Commits on Jun 13, 2012
  1. @tenderlove

    3.0.15

    tenderlove committed
Commits on Jun 12, 2012
  1. @tenderlove

    updating changelogs

    tenderlove committed
Commits on Jun 11, 2012
  1. @tenderlove

    bumping to 3.0.14

    tenderlove committed
  2. @tenderlove
  3. @tenderlove
  4. @tenderlove
Commits on May 31, 2012
  1. @tenderlove

    bumping to 3.0.13

    tenderlove committed
  2. @tenderlove

    updating CHANGELOGs

    tenderlove committed
  3. @tenderlove

    Merge branch '3-0-stable-sec' into 3-0-rel

    tenderlove committed
    * 3-0-stable-sec:
      Strip [nil] from parameters hash. Thanks to Ben Murphy for reporting this!
      predicate builder should not recurse for determining where columns. Thanks to Ben Murphy for reporting this
Commits on May 30, 2012
  1. @tenderlove

    Strip [nil] from parameters hash.

    tenderlove committed
    Thanks to Ben Murphy for reporting this!
    
    CVE-2012-2660
    
    Conflicts:
    
    	actionpack/lib/action_dispatch/http/request.rb
Commits on May 28, 2012
  1. @tenderlove

    bumping to 3.0.13.rc1

    tenderlove committed
Commits on May 27, 2012
  1. @rafaelfranca
Commits on May 26, 2012
  1. @homakov

    do not force sanitize and whitelist protocols for auto_link

    homakov committed
    sanitize is not always required so we cannot make it. let's just
    whitelist protocols
Commits on May 25, 2012
  1. @homakov

    auto_link final sanitize

    homakov committed
Commits on Mar 27, 2012
  1. @tenderlove

    Merge pull request #5613 from carlosantoniodasilva/fix-build-3-0-193

    tenderlove committed
    Fix build for branch 3-0-stable - Ruby 1.9.3
  2. @josevalim @drogus
  3. @arunagw @carlosantoniodasilva
  4. @tenderlove @carlosantoniodasilva
  5. @miloops @carlosantoniodasilva
  6. @miloops @carlosantoniodasilva
Commits on Mar 26, 2012
  1. @carlosantoniodasilva

    Fix AV::FixtureResolver and rjs tests with random order errors

    carlosantoniodasilva committed
    Due to the hash ordering changes on Ruby 1.8.7-p358.
Commits on Mar 24, 2012
  1. @arunagw @carlosantoniodasilva
Commits on Mar 15, 2012
  1. @tenderlove

    Merge pull request #5457 from brianmario/typo-fix

    tenderlove committed
    Fix typo in redirect test
  2. @tenderlove

    Merge pull request #5456 from brianmario/redirect-sanitization

    tenderlove committed
    Strip null bytes from Location header
    Conflicts:
    
    	actionpack/test/controller/redirect_test.rb
Commits on Mar 7, 2012
  1. @arunagw