Jan 08, 2013

  1. Aaron Patterson

    bumping version

    authored January 07, 2013
  2. Jeremy Kemper

    CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml.

    authored January 05, 2013 tenderlove committed January 08, 2013
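The commit above states only the outcome: the parser no longer honours the symbol and yaml types. What follows is an added example, not ActiveSupport's code, showing the shape of such a fix. It is a minimal Hash.from_xml-style parser on REXML whose type table holds casters for plain scalar values only, so an element tagged type="yaml" or type="symbol" is kept as its literal text instead of being handed to a deserializer. The function names, the caster table and the sample documents are constructed for this example; real ActiveSupport also handles arrays, nil="true", dates and other types not modelled here, and whether an unknown type should raise rather than pass through as a string is a design choice this example makes one way.

```ruby
require "rexml/document"

# Added example, not ActiveSupport code: the "type" attribute table holds only
# casters that produce plain values. "symbol" and "yaml" are deliberately absent,
# so text carrying those types is never deserialized; it stays a String.
SAFE_XML_TYPE_CASTERS = {
  "string"  => ->(text) { text },
  "integer" => ->(text) { Integer(text.strip, 10) },
  "float"   => ->(text) { Float(text.strip) },
  "boolean" => ->(text) { %w[true 1].include?(text.strip) },
}.freeze

# Unknown (including disallowed) types fall through as the raw text.
def typecast_xml_text(text, type)
  caster = SAFE_XML_TYPE_CASTERS[type]
  caster ? caster.call(text) : text
end

# Hypothetical helper: an element with child elements becomes a Hash keyed by
# child name, a leaf element becomes its typecast text.
def xml_element_to_value(element)
  children = element.elements.to_a
  return typecast_xml_text(element.text.to_s, element.attributes["type"]) if children.empty?

  children.each_with_object({}) do |child, hash|
    hash[child.name] = xml_element_to_value(child)
  end
end

# Parses an XML request body into { root_name => value }.
def parse_xml_params(xml)
  doc = REXML::Document.new(xml)
  raise ArgumentError, "no root element" unless doc.root

  { doc.root.name => xml_element_to_value(doc.root) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample bodies: one benign, one using a type the table does not know.
  p parse_xml_params('<user><name>bob</name><age type="integer">42</age></user>')
  p parse_xml_params('<user><role type="yaml">--- :admin</role></user>')
end
```

If an application never accepts XML request bodies, not parsing them at all is the simpler mitigation; a table like the one above is for the case where XML params are needed but only plain scalar types should ever be constructed from them.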

Dec 23, 2012

  1. Aaron Patterson

    bumping to 3.0.18

    authored December 23, 2012

Aug 28, 2012

  1. Rafael Mendonça França

    Remove warning when using html_escape with Ruby 1.9.

    Closes #7430
    authored August 28, 2012

Aug 09, 2012

  1. Santiago Pastorino

    Bump to 3.0.17

    authored August 09, 2012

Aug 08, 2012

  1. Santiago Pastorino

    html_escape should escape single quotes

    https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
    Closes #7215
    
    Conflicts:
    	actionpack/test/controller/new_base/render_template_test.rb
    	actionpack/test/template/asset_tag_helper_test.rb
    	actionpack/test/template/erb_util_test.rb
    	actionpack/test/template/javascript_helper_test.rb
    	actionpack/test/template/template_test.rb
    	activesupport/lib/active_support/core_ext/string/output_safety.rb
    	activesupport/test/core_ext/string_ext_test.rb
    	railties/test/application/assets_test.rb
    authored July 31, 2012 tenderlove committed August 07, 2012
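The OWASP rule linked above requires the single quote to be escaped along with the other four characters because an attribute value may be single-quoted, in which case an unescaped quote ends the value and whatever follows is parsed as further attributes. The block below is an added example, not Rails code: an html_escape that follows the rule, a reconstruction of the pre-fix table without the single quote for contrast, and a REXML-based check that counts the attributes a template actually ends up with. The entity &#39; is an assumption about the escape (it is valid in every HTML version, unlike &apos;); the template, the check and the sample label are constructed for this example.

```ruby
require "rexml/document"

# Added example, not Rails code. OWASP XSS Prevention Rule #1: escape the five
# characters & < > " ' before placing untrusted text in HTML element content.
HTML_ESCAPE = {
  "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;", "'" => "&#39;",
}.freeze
HTML_ESCAPE_PATTERN = /[&<>"']/

def html_escape(value)
  value.to_s.gsub(HTML_ESCAPE_PATTERN, HTML_ESCAPE)
end

# Pre-fix behaviour as described by the commit, reconstructed for contrast:
# the same table, but the single quote is left alone.
def html_escape_without_single_quote(value)
  value.to_s.gsub(/[&<>"]/, HTML_ESCAPE)
end

# Hypothetical view fragment that single-quotes an attribute, as hand-written
# templates often do. The escaper is passed in so both variants can be compared.
def title_link(label, escaper)
  "<a href='/x' title='#{escaper.call(label)}'>#{escaper.call(label)}</a>"
end

# Parses the rendered tag and returns the attribute names it really carries.
# With an attribute breakout, extra names (e.g. an event handler) appear here.
def attribute_names(tag)
  REXML::Document.new(tag).root.attributes.keys.sort
end

# Constructed sample input: closes the single-quoted title and adds a handler.
UNTRUSTED_LABEL = "' onmouseover='alert(1)"

if __FILE__ == $PROGRAM_NAME
  puts title_link(UNTRUSTED_LABEL, method(:html_escape_without_single_quote))
  p attribute_names(title_link(UNTRUSTED_LABEL, method(:html_escape_without_single_quote)))
  puts title_link(UNTRUSTED_LABEL, method(:html_escape))
  p attribute_names(title_link(UNTRUSTED_LABEL, method(:html_escape)))
end
```

The check parses the markup rather than grepping it: a regex for attribute-looking tokens would also match the escaped text inside the (now intact) title value, which is exactly the confusion the escaping is meant to remove from the browser's parser.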

Jul 26, 2012

  1. Aaron Patterson

    bumping to 3.0.16

    authored July 26, 2012

Jun 13, 2012

  1. Aaron Patterson

    3.0.15

    authored June 12, 2012

Jun 11, 2012

  1. Aaron Patterson

    bumping to 3.0.14

    authored June 11, 2012

May 31, 2012

  1. Aaron Patterson

    bumping to 3.0.13

    authored May 31, 2012

May 28, 2012

  1. Aaron Patterson

    bumping to 3.0.13.rc1

    authored May 28, 2012

Mar 02, 2012

  1. Carlos Antonio da Silva

    Stop SafeBuffer#clone_empty from issuing warnings

    Logic in clone_empty method was dealing with old @dirty variable, which
    has changed by @html_safe in this commit:
    139963c
    
    This was issuing a "not initialized variable" warning - related to:
    #5237
    
    The logic applied by this method is already handled by the [] override,
    so there is no need to reset the variable here.
    authored March 02, 2012 drogus committed March 02, 2012

Mar 01, 2012

  1. Aaron Patterson

    bumping to 3.0.12

    authored March 01, 2012
  2. Aaron Patterson

    Merge branch '3-0-stable-security' into 3-0-12

    * 3-0-stable-security:
      Ensure [] respects the status of the buffer.
      use AS::SafeBuffer#clone_empty for flushing the output_buffer
      add AS::SafeBuffer#clone_empty
      fix output safety issue with select options
    authored March 01, 2012
  3. José Valim

    Ensure [] respects the status of the buffer.

    authored February 29, 2012 tenderlove committed February 29, 2012

Feb 22, 2012

  1. Aaron Patterson

    updating RAILS_VERSION

    authored February 22, 2012
  2. Jon Leighton

    Merge commit 'v3.0.11' into 3-0-stable

    authored February 22, 2012

Feb 21, 2012

  1. Akira Matsuda

    add AS::SafeBuffer#clone_empty

    authored February 13, 2012 tenderlove committed February 20, 2012

Jan 24, 2012

  1. Aaron Patterson

    Merge pull request #4514 from brainopia/update_timezone_offets

    Update time zone offset information
    authored January 24, 2012

Dec 03, 2011

  1. Aaron Patterson

    `load` should also return the value from `super`

    authored August 23, 2011 sumbach committed December 03, 2011
  2. Aaron Patterson

    require needs to return true or false. thank you Ryan "zenspider" Davis

    authored August 23, 2011 sumbach committed December 03, 2011

Nov 18, 2011

  1. Jon Leighton

    Preparing for 3.0.11 release

    authored November 18, 2011

Nov 01, 2011

  1. Josh Kalderimis

    Remove a circular require in AS deprecations. This is safe as AS deprecations is autoloaded as needed.

    authored May 12, 2011 tenderlove committed November 01, 2011

Oct 05, 2011

  1. Akira Matsuda

    ruby193: String#prepend is also unsafe

    authored October 02, 2011 spastorino committed October 05, 2011
  2. Akira Matsuda

    override unsafe methods only if defined on String

    authored October 02, 2011 spastorino committed October 05, 2011
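The two commits above, together with "add AS::SafeBuffer#clone_empty", "Ensure [] respects the status of the buffer." and "Stop SafeBuffer#clone_empty from issuing warnings" further down the page, all concern the same invariant: a buffer that claims to be html_safe? must only ever have contained escaped or explicitly trusted text, so every String method that can splice raw text in has to drop that claim, and every method that produces a new buffer from an old one has to carry the claim over. The class below is an added example, a reduced model written for this page and not ActiveSupport::SafeBuffer itself. Its method list, the placeholder method name used to show the "only if defined on String" guard, and the sample inputs are constructed; the real class wraps many more methods and distinguishes bang from non-bang variants.

```ruby
require "erb"

# Added example, not ActiveSupport's class: a reduced model of SafeBuffer.
class MiniSafeBuffer < String
  # In-place String mutators that can splice untrusted text into the buffer.
  # The last name is a placeholder String does not define; it is here only to
  # show the "define the override only if String has it" guard skipping it.
  UNSAFE_STRING_METHODS = %w[gsub! sub! insert prepend not_a_string_method].freeze

  def initialize(str = "")
    @html_safe = true
    super
  end

  def html_safe?
    @html_safe
  end

  # Appending: another safe buffer is copied verbatim, anything else is escaped.
  def concat(value)
    super(value.respond_to?(:html_safe?) && value.html_safe? ? value : ERB::Util.html_escape(value))
  end
  alias << concat

  # Slices inherit the status of the buffer they came from ("Ensure [] respects
  # the status of the buffer"); a plain String#[] would not carry it.
  def [](*args)
    sliced = super
    return sliced unless sliced

    buffer = self.class.new(sliced)
    buffer.html_safe = @html_safe
    buffer
  end

  # An empty buffer with the same status, built on the [] override so there is
  # no separate state to reset here.
  def clone_empty
    self[0, 0]
  end

  # Wrap each mutator this Ruby's String actually defines so that calling it
  # marks the buffer unsafe (String#prepend only exists from 1.9.3 on, hence
  # the guard); names String lacks are skipped, not defined.
  UNSAFE_STRING_METHODS.each do |name|
    next unless String.method_defined?(name)

    define_method(name) do |*args, &block|
      @html_safe = false
      super(*args, &block)
    end
  end

  protected

  attr_writer :html_safe
end

if __FILE__ == $PROGRAM_NAME
  buf = MiniSafeBuffer.new
  buf << "<script>"                       # constructed untrusted input, escaped
  buf << MiniSafeBuffer.new("<b>ok</b>")  # trusted markup, appended verbatim
  p [buf, buf.html_safe?, buf[0, 4].html_safe?]
  buf.prepend("<i>")                      # raw mutation: buffer is no longer safe
  p [buf, buf.html_safe?, buf.clone_empty.html_safe?]
end
```

The "only if defined on String" guard matters because a subclass that defines, say, prepend on a Ruby without String#prepend would create a method whose super call fails at runtime and would advertise a method the underlying String does not have.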

Oct 03, 2011

  1. Jeremy Kemper

    Merge pull request #2801 from jeremyevans/patch-1

    Fix obvious breakage of Time.=== for Time subclasses
    authored October 03, 2011

Aug 16, 2011

  1. Aaron Patterson

    Merge branch '3-0-10' into 3-0-stable

    * 3-0-10:
      bumping rails to 3.0.10
      properly substituting bad utf8 characters
      Tags with invalid names should also be stripped in order to prevent XSS attacks.  Thanks Sascha Depold for the report.
      prevent sql injection attacks by escaping quotes in column names
      Properly escape glob characters.
      bumping to 3.0.10.rc1
      more changelog updates
      updating CHANGELOGs
    authored August 16, 2011
  2. Aaron Patterson

    bumping rails to 3.0.10

    authored August 16, 2011
  3. Aaron Patterson

    properly substituting bad utf8 characters

    authored August 16, 2011

Aug 08, 2011

  1. Jason Weathered

    Fix marshal round-tripping of fractional seconds (Time#subsec).

    authored April 17, 2011 tenderlove committed August 07, 2011

Aug 06, 2011

  1. Santiago Pastorino

    Merge pull request #2450 from guilleiguaran/activesupport-gzip-1.8

    Fix ActiveSupport::Gzip under Ruby 1.8.7. Closes #2416
    authored August 06, 2011

Aug 05, 2011

  1. Aaron Patterson

    bumping to 3.0.10.rc1

    authored August 04, 2011

Aug 01, 2011

  1. Santiago Pastorino

    Merge pull request #2393 from bdurand/fix_cache_read_multi

    Fix ArgumentError in ActiveSupport::Cache::CacheStore.read_multi
    authored August 01, 2011

Jul 29, 2011

  1. Aaron Patterson

    delay backtrace scrubbing until we actually raise an exception. fixes #…

    authored July 29, 2011

Jun 28, 2011

  1. Fix JSON decoding of newline character with Yaml backend [#3479 state:resolved]

    Signed-off-by: Santiago Pastorino <santiago@wyeworks.com>
    authored June 14, 2010 tenderlove committed June 28, 2011