* 3-2-sec: bumping version CVE-2013-0156: Safe XML params parsing. Doesn't allow symbols or yaml. * Strip nils from collections on JSON and XML posts. [CVE-2013-0155] * dealing with empty hashes. Thanks Damien Mathieu Avoid Rack security warning no secret provided Conflicts: actionpack/CHANGELOG.md activerecord/CHANGELOG.md activesupport/CHANGELOG.md
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content Closes #7215 Conflicts: actionpack/test/template/erb_util_test.rb actionpack/test/template/form_tag_helper_test.rb actionpack/test/template/text_helper_test.rb actionpack/test/template/url_helper_test.rb activesupport/lib/active_support/core_ext/string/output_safety.rb
[ci skip] closes #5790
I also removed the other require as it's already present in `activesupport/core_ext/time/calculations`
Logic in clone_empty method was dealing with old @dirty variable, which has changed by @html_safe in this commit: 139963c This was issuing a "not initialized variable" warning - related to: #5237 The logic applied by this method is already handled by the  override, so there is no need to reset the variable here.
* 3-2-2: bumping to 3.2.2 Ensure  respects the status of the buffer. Merge pull request #4834 from sskirby/fix_usage_of_psql_in_db_test_prepare Merge pull request #5084 from johndouthat/patch-1 updating RAILS_VERSION delete vulnerable AS::SafeBuffer# use AS::SafeBuffer#clone_empty for flushing the output_buffer add AS::SafeBuffer#clone_empty fix output safety issue with select options
In asset_tag_helper_test.rb there is an assert on the number of bytes in a concatenated file. This test failed because Windows converts \n to \r\n as the default for "w". This is different than in *nix systems where there is no conversion done. The test that failed was test_caching_stylesheet_link_tag_when_caching_on. Using bin mode fixes this behavior on Windows and makes no change on the *nix systems.