Showing 31 changed files with 111 additions and 86 deletions.

  1. 2  RAILS_VERSION
  2. 4  actionmailer/CHANGELOG.md
  3. 2  actionmailer/lib/action_mailer/version.rb
  4. 16  actionpack/CHANGELOG.md
  5. 2  actionpack/lib/action_pack/version.rb
  6. 4  actionpack/lib/action_view/helpers/form_tag_helper.rb
  7. 2  actionpack/lib/action_view/helpers/sanitize_helper.rb
  8. 2  actionpack/test/controller/new_base/render_template_test.rb
  9. 4  actionpack/test/controller/render_test.rb
  10. 16  actionpack/test/template/asset_tag_helper_test.rb
  11. 10  actionpack/test/template/erb_util_test.rb
  12. 6  actionpack/test/template/form_options_helper_test.rb
  13. 8  actionpack/test/template/form_tag_helper_test.rb
  14. 10  actionpack/test/template/javascript_helper_test.rb
  15. 4  actionpack/test/template/sanitize_helper_test.rb
  16. 2  actionpack/test/template/template_test.rb
  17. 10  actionpack/test/template/url_helper_test.rb
  18. 4  activemodel/CHANGELOG.md
  19. 2  activemodel/lib/active_model/version.rb
  20. 4  activerecord/CHANGELOG.md
  21. 2  activerecord/lib/active_record/version.rb
  22. 4  activeresource/CHANGELOG.md
  23. 2  activeresource/lib/active_resource/version.rb
  24. 4  activesupport/CHANGELOG.md
  25. 53  activesupport/lib/active_support/core_ext/string/output_safety.rb
  26. 2  activesupport/lib/active_support/version.rb
  27. 4  activesupport/test/core_ext/string_ext_test.rb
  28. 4  railties/CHANGELOG.md
  29. 2  railties/lib/rails/version.rb
  30. 4  railties/test/application/assets_test.rb
  31. 2  version.rb
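--- a/RAILS_VERSION
+++ b/RAILS_VERSION
@@ -1 +1 @@
-3.1.7
+3.1.8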
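--- a/actionmailer/CHANGELOG.md
+++ b/actionmailer/CHANGELOG.md
@@ -1,3 +1,7 @@
+## Rails 3.1.8 (Aug 9, 2012)
+
+*   No changes.
+
 ## Rails 3.1.7 (Jul 26, 2012)
 
 *   No changes.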
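--- a/actionmailer/lib/action_mailer/version.rb
+++ b/actionmailer/lib/action_mailer/version.rb
@@ -2,7 +2,7 @@ module ActionMailer
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 1
-    TINY  = 7
+    TINY  = 8
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')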
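--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,19 @@
+## Rails 3.1.8 (Aug 9, 2012)
+
+* There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the
+  helper doesn't correctly handle malformed html.  As a result an attacker can
+  execute arbitrary javascript through the use of specially crafted malformed
+  html.
+
+  *Marek from Nethemba (www.nethemba.com) & Santiago Pastorino*
+
+* When a "prompt" value is supplied to the `select_tag` helper, the "prompt" value is not escaped.
+  If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks.
+  Vulnerable code will look something like this:
+    select_tag("name", options, :prompt => UNTRUSTED_INPUT)
+
+  *Santiago Pastorino*
+
 ## Rails 3.1.7 (Jul 26, 2012)
 
 * Do not convert digest auth strings to symbols. CVE-2012-3424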
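--- a/actionpack/lib/action_pack/version.rb
+++ b/actionpack/lib/action_pack/version.rb
@@ -2,7 +2,7 @@ module ActionPack
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 1
-    TINY  = 7
+    TINY  = 8
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')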
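--- a/actionpack/lib/action_view/helpers/form_tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_tag_helper.rb
@@ -114,11 +114,11 @@ def select_tag(name, option_tags = nil, options = {})
         html_name = (options[:multiple] == true && !name.to_s.ends_with?("[]")) ? "#{name}[]" : name
 
         if options.delete(:include_blank)
-          option_tags = "<option value=\"\"></option>".html_safe + option_tags
+          option_tags = content_tag(:option, '', :value => '').safe_concat(option_tags)
         end
 
         if prompt = options.delete(:prompt)
-          option_tags = "<option value=\"\">#{prompt}</option>".html_safe + option_tags
+          option_tags = content_tag(:option, prompt, :value => '').safe_concat(option_tags)
         end
 
         content_tag :select, option_tags, { "name" => html_name, "id" => sanitize_to_id(name) }.update(options.stringify_keys)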
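Review bot: `safe_concat(option_tags)` on the two new lines changes how `option_tags` itself is treated, not only the prompt: `safe_concat` appends without escaping, whereas the replaced `html_safe + option_tags` went through SafeBuffer's escaping concat, so — if I read SafeBuffer correctly — a non-html_safe `option_tags` string is now emitted raw when `:prompt` or `:include_blank` is given but still escaped by the final `content_tag :select` when neither is, and the `nil` default for `option_tags` in the signature shown in the hunk header would reach `String#concat` and raise. Keeping the escaping-concat semantics while still escaping the prompt only needs `+`: `option_tags = content_tag(:option, prompt, :value => '') + option_tags` and likewise `option_tags = content_tag(:option, '', :value => '') + option_tags` for the `:include_blank` branch. Either way a test with `select_tag "places", nil, :prompt => "x"` would settle the nil path. `select_tag` begins outside the hunk.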
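--- a/actionpack/lib/action_view/helpers/sanitize_helper.rb
+++ b/actionpack/lib/action_view/helpers/sanitize_helper.rb
@@ -81,7 +81,7 @@ def sanitize_css(style)
       #   strip_tags("<div id='top-bar'>Welcome to my website!</div>")
       #   # => Welcome to my website!
       def strip_tags(html)
-        self.class.full_sanitizer.sanitize(html).try(:html_safe)
+        self.class.full_sanitizer.sanitize(html)
       end
 
       # Strips all link tags from +text+ leaving just the link text.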
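Review bot: The rdoc above `strip_tags` (the `# => Welcome to my website!` example at the top of the hunk) still reads as if the result can be emitted as-is, but with `.try(:html_safe)` gone the helper returns a plain String that templates escape on output; that is the substance of the fix and should be stated where callers read it. Suggested line under the example: `# The result is not marked html_safe: whatever the full sanitizer leaves in place is escaped when rendered, so remnants of malformed markup cannot reach the browser as markup.` The actionpack CHANGELOG entry in this commit describes the vulnerability but not this change in the return value, which is what an application that relied on `strip_tags(...)` being html_safe will notice on upgrade. The rdoc block for `strip_tags` begins outside the hunk.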
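--- a/actionpack/test/controller/new_base/render_template_test.rb
+++ b/actionpack/test/controller/new_base/render_template_test.rb
@@ -120,7 +120,7 @@ class TestWithoutLayout < Rack::TestCase
     test "rendering a template with error properly exceprts the code" do
       get :with_error
       assert_status 500
-      assert_match "undefined local variable or method `idontexist'", response.body
+      assert_match "undefined local variable or method `idontexist", response.body
     end
   end
 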
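Review bot: The new `assert_match "undefined local variable or method `idontexist", response.body` drops the closing quote to sidestep the new `'` escaping rather than asserting it; the stronger expectation is the escaped form, `assert_match "undefined local variable or method `idontexist&#x27;", response.body`, assuming the error page renders the message through `html_escape` (which is what the need for this edit implies). The same workaround appears in render_test.rb (`", I am here!"`), template_test.rb (`"I am a local"`) and url_helper_test.rb's `test_link_tag_with_javascript_confirm` (`"You cant possibly…"`), while `test_link_tag_with_custom_onclick` in that same file keeps the apostrophe in the fixture and expects `&#x27;` in the output. Expecting `&#x27;` consistently keeps the apostrophe cases under test instead of removing them from the fixtures.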
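--- a/actionpack/test/controller/render_test.rb
+++ b/actionpack/test/controller/render_test.rb
@@ -152,7 +152,7 @@ def render_text_hello_world
 
   # :ported:
   def render_text_hello_world_with_layout
-    @variable_for_layout = ", I'm here!"
+    @variable_for_layout = ", I am here!"
     render :text => "hello world", :layout => true
   end
 
@@ -781,7 +781,7 @@ def test_render_text
   # :ported:
   def test_do_with_render_text_and_layout
     get :render_text_hello_world_with_layout
-    assert_equal "<html>hello world, I'm here!</html>", @response.body
+    assert_equal "<html>hello world, I am here!</html>", @response.body
   end
 
   # :ported: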
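--- a/actionpack/test/template/asset_tag_helper_test.rb
+++ b/actionpack/test/template/asset_tag_helper_test.rb
@@ -162,8 +162,8 @@ def teardown
     %(image_tag(".pdf.png")) => %(<img alt=".pdf" src="/images/.pdf.png" />),
     %(image_tag("http://www.rubyonrails.com/images/rails.png")) => %(<img alt="Rails" src="http://www.rubyonrails.com/images/rails.png" />),
     %(image_tag("//www.rubyonrails.com/images/rails.png")) => %(<img alt="Rails" src="//www.rubyonrails.com/images/rails.png" />),
-    %(image_tag("mouse.png", :mouseover => "/images/mouse_over.png")) => %(<img alt="Mouse" onmouseover="this.src='/images/mouse_over.png'" onmouseout="this.src='/images/mouse.png'" src="/images/mouse.png" />),
-    %(image_tag("mouse.png", :mouseover => image_path("mouse_over.png"))) => %(<img alt="Mouse" onmouseover="this.src='/images/mouse_over.png'" onmouseout="this.src='/images/mouse.png'" src="/images/mouse.png" />),
+    %(image_tag("mouse.png", :mouseover => "/images/mouse_over.png")) => %(<img alt="Mouse" onmouseover="this.src=&#x27;/images/mouse_over.png&#x27;" onmouseout="this.src=&#x27;/images/mouse.png&#x27;" src="/images/mouse.png" />),
+    %(image_tag("mouse.png", :mouseover => image_path("mouse_over.png"))) => %(<img alt="Mouse" onmouseover="this.src=&#x27;/images/mouse_over.png&#x27;" onmouseout="this.src=&#x27;/images/mouse.png&#x27;" src="/images/mouse.png" />),
     %(image_tag("mouse.png", :alt => nil)) => %(<img src="/images/mouse.png" />),
     %(image_tag("", :alt => nil)) => %(<img src="" />),
   }
@@ -1096,8 +1096,8 @@ def test_should_compute_proper_path
     assert_dom_equal(%(/collaboration/hieraki/javascripts/xmlhr.js), javascript_path("xmlhr"))
     assert_dom_equal(%(/collaboration/hieraki/stylesheets/style.css), stylesheet_path("style"))
     assert_dom_equal(%(/collaboration/hieraki/images/xml.png), image_path("xml.png"))
-    assert_dom_equal(%(<img alt="Mouse" onmouseover="this.src='/collaboration/hieraki/images/mouse_over.png'" onmouseout="this.src='/collaboration/hieraki/images/mouse.png'" src="/collaboration/hieraki/images/mouse.png" />), image_tag("mouse.png", :mouseover => "/images/mouse_over.png"))
-    assert_dom_equal(%(<img alt="Mouse2" onmouseover="this.src='/collaboration/hieraki/images/mouse_over2.png'" onmouseout="this.src='/collaboration/hieraki/images/mouse2.png'" src="/collaboration/hieraki/images/mouse2.png" />), image_tag("mouse2.png", :mouseover => image_path("mouse_over2.png")))
+    assert_dom_equal(%(<img alt="Mouse" onmouseover="this.src=&#x27;/collaboration/hieraki/images/mouse_over.png&#x27;" onmouseout="this.src=&#x27;/collaboration/hieraki/images/mouse.png&#x27;" src="/collaboration/hieraki/images/mouse.png" />), image_tag("mouse.png", :mouseover => "/images/mouse_over.png"))
+    assert_dom_equal(%(<img alt="Mouse2" onmouseover="this.src=&#x27;/collaboration/hieraki/images/mouse_over2.png&#x27;" onmouseout="this.src=&#x27;/collaboration/hieraki/images/mouse2.png&#x27;" src="/collaboration/hieraki/images/mouse2.png" />), image_tag("mouse2.png", :mouseover => image_path("mouse_over2.png")))
   end
 
   def test_should_ignore_relative_root_path_on_complete_url
@@ -1110,8 +1110,8 @@ def test_should_compute_proper_path_with_asset_host
     assert_dom_equal(%(gopher://assets.example.com/collaboration/hieraki/javascripts/xmlhr.js), javascript_path("xmlhr"))
     assert_dom_equal(%(gopher://assets.example.com/collaboration/hieraki/stylesheets/style.css), stylesheet_path("style"))
     assert_dom_equal(%(gopher://assets.example.com/collaboration/hieraki/images/xml.png), image_path("xml.png"))
-    assert_dom_equal(%(<img alt="Mouse" onmouseover="this.src='gopher://assets.example.com/collaboration/hieraki/images/mouse_over.png'" onmouseout="this.src='gopher://assets.example.com/collaboration/hieraki/images/mouse.png'" src="gopher://assets.example.com/collaboration/hieraki/images/mouse.png" />), image_tag("mouse.png", :mouseover => "/images/mouse_over.png"))
-    assert_dom_equal(%(<img alt="Mouse2" onmouseover="this.src='gopher://assets.example.com/collaboration/hieraki/images/mouse_over2.png'" onmouseout="this.src='gopher://assets.example.com/collaboration/hieraki/images/mouse2.png'" src="gopher://assets.example.com/collaboration/hieraki/images/mouse2.png" />), image_tag("mouse2.png", :mouseover => image_path("mouse_over2.png")))
+    assert_dom_equal(%(<img alt="Mouse" onmouseover="this.src=&#x27;gopher://assets.example.com/collaboration/hieraki/images/mouse_over.png&#x27;" onmouseout="this.src=&#x27;gopher://assets.example.com/collaboration/hieraki/images/mouse.png&#x27;" src="gopher://assets.example.com/collaboration/hieraki/images/mouse.png" />), image_tag("mouse.png", :mouseover => "/images/mouse_over.png"))
+    assert_dom_equal(%(<img alt="Mouse2" onmouseover="this.src=&#x27;gopher://assets.example.com/collaboration/hieraki/images/mouse_over2.png&#x27;" onmouseout="this.src=&#x27;gopher://assets.example.com/collaboration/hieraki/images/mouse2.png&#x27;" src="gopher://assets.example.com/collaboration/hieraki/images/mouse2.png" />), image_tag("mouse2.png", :mouseover => image_path("mouse_over2.png")))
   end
 
   def test_should_compute_proper_path_with_asset_host_and_default_protocol
@@ -1120,8 +1120,8 @@ def test_should_compute_proper_path_with_asset_host_and_default_protocol
     assert_dom_equal(%(gopher://assets.example.com/collaboration/hieraki/javascripts/xmlhr.js), javascript_path("xmlhr"))
     assert_dom_equal(%(gopher://assets.example.com/collaboration/hieraki/stylesheets/style.css), stylesheet_path("style"))
     assert_dom_equal(%(gopher://assets.example.com/collaboration/hieraki/images/xml.png), image_path("xml.png"))
-    assert_dom_equal(%(<img alt="Mouse" onmouseover="this.src='gopher://assets.example.com/collaboration/hieraki/images/mouse_over.png'" onmouseout="this.src='gopher://assets.example.com/collaboration/hieraki/images/mouse.png'" src="gopher://assets.example.com/collaboration/hieraki/images/mouse.png" />), image_tag("mouse.png", :mouseover => "/images/mouse_over.png"))
-    assert_dom_equal(%(<img alt="Mouse2" onmouseover="this.src='gopher://assets.example.com/collaboration/hieraki/images/mouse_over2.png'" onmouseout="this.src='gopher://assets.example.com/collaboration/hieraki/images/mouse2.png'" src="gopher://assets.example.com/collaboration/hieraki/images/mouse2.png" />), image_tag("mouse2.png", :mouseover => image_path("mouse_over2.png")))
+    assert_dom_equal(%(<img alt="Mouse" onmouseover="this.src=&#x27;gopher://assets.example.com/collaboration/hieraki/images/mouse_over.png&#x27;" onmouseout="this.src=&#x27;gopher://assets.example.com/collaboration/hieraki/images/mouse.png&#x27;" src="gopher://assets.example.com/collaboration/hieraki/images/mouse.png" />), image_tag("mouse.png", :mouseover => "/images/mouse_over.png"))
+    assert_dom_equal(%(<img alt="Mouse2" onmouseover="this.src=&#x27;gopher://assets.example.com/collaboration/hieraki/images/mouse_over2.png&#x27;" onmouseout="this.src=&#x27;gopher://assets.example.com/collaboration/hieraki/images/mouse2.png&#x27;" src="gopher://assets.example.com/collaboration/hieraki/images/mouse2.png" />), image_tag("mouse2.png", :mouseover => image_path("mouse_over2.png")))
   end
 
   def test_should_ignore_asset_host_on_complete_url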
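--- a/actionpack/test/template/erb_util_test.rb
+++ b/actionpack/test/template/erb_util_test.rb
@@ -8,11 +8,11 @@ class ErbUtilTest < Test::Unit::TestCase
     define_method "test_html_escape_#{expected.gsub(/\W/, '')}" do
       assert_equal expected, html_escape(given)
     end
+  end
 
-    unless given == '"'
-      define_method "test_json_escape_#{expected.gsub(/\W/, '')}" do
-        assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given)
-      end
+  ERB::Util::JSON_ESCAPE.each do |given, expected|
+    define_method "test_json_escape_#{expected.gsub(/\W/, '')}" do
+      assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given)
     end
   end
 
@@ -40,7 +40,7 @@ def test_html_escape_passes_html_escpe_unmodified
 
   def test_rest_in_ascii
     (0..127).to_a.map {|int| int.chr }.each do |chr|
-      next if chr.in?('&"<>')
+      next if chr.in?('&"<>\'')
       assert_equal chr, html_escape(chr)
     end
   end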
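Review bot: `test_rest_in_ascii` now hard-codes the escaped set as the string `'&"<>\''`, a second copy of `ERB::Util::HTML_ESCAPE`'s keys that this commit had to update by hand; `next if ERB::Util::HTML_ESCAPE.key?(chr)` reads the source of truth instead and cannot drift from it. In the new `ERB::Util::JSON_ESCAPE.each` loop the block already receives `expected`, yet the assertion looks the value up again with `ERB::Util::JSON_ESCAPE[given]`; `assert_equal expected, json_escape(given)` is what the name-generation line above it assumes. The `HTML_ESCAPE.each` block that the first hunk's added `end` closes begins outside the hunk.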
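--- a/actionpack/test/template/form_options_helper_test.rb
+++ b/actionpack/test/template/form_options_helper_test.rb
@@ -907,7 +907,7 @@ def test_time_zone_select_with_default_time_zone_and_value
 
   def test_options_for_select_with_element_attributes
     assert_dom_equal(
-      "<option value=\"&lt;Denmark&gt;\" class=\"bold\">&lt;Denmark&gt;</option>\n<option value=\"USA\" onclick=\"alert('Hello World');\">USA</option>\n<option value=\"Sweden\">Sweden</option>\n<option value=\"Germany\">Germany</option>",
+      "<option value=\"&lt;Denmark&gt;\" class=\"bold\">&lt;Denmark&gt;</option>\n<option value=\"USA\" onclick=\"alert(&#x27;Hello World&#x27;);\">USA</option>\n<option value=\"Sweden\">Sweden</option>\n<option value=\"Germany\">Germany</option>",
       options_for_select([ [ "<Denmark>", { :class => 'bold' } ], [ "USA", { :onclick => "alert('Hello World');" } ], [ "Sweden" ], "Germany" ])
     )
   end
@@ -943,13 +943,13 @@ def test_option_html_attributes_with_single_element_hash
   def test_option_html_attributes_with_multiple_element_hash
     output = option_html_attributes([ 'foo', 'bar', { :class => 'fancy', 'onclick' => "alert('Hello World');" } ])
     assert output.include?(" class=\"fancy\"")
-    assert output.include?(" onclick=\"alert('Hello World');\"")
+    assert output.include?(" onclick=\"alert(&#x27;Hello World&#x27;);\"")
   end
 
   def test_option_html_attributes_with_multiple_hashes
     output = option_html_attributes([ 'foo', 'bar', { :class => 'fancy' }, { 'onclick' => "alert('Hello World');" } ])
     assert output.include?(" class=\"fancy\"")
-    assert output.include?(" onclick=\"alert('Hello World');\"")
+    assert output.include?(" onclick=\"alert(&#x27;Hello World&#x27;);\"")
   end
 
   def test_option_html_attributes_with_special_characters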
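--- a/actionpack/test/template/form_tag_helper_test.rb
+++ b/actionpack/test/template/form_tag_helper_test.rb
@@ -206,6 +206,12 @@ def test_select_tag_with_prompt
     assert_dom_equal expected, actual
   end
 
+  def test_select_tag_escapes_prompt
+    actual = select_tag "places", "<option>Home</option><option>Work</option><option>Pub</option>".html_safe, :prompt => "<script>alert(1337)</script>"
+    expected = %(<select id="places" name="places"><option value="">&lt;script&gt;alert(1337)&lt;/script&gt;</option><option>Home</option><option>Work</option><option>Pub</option></select>)
+    assert_dom_equal expected, actual
+  end
+
   def test_select_tag_with_prompt_and_include_blank
     actual = select_tag "places", "<option>Home</option><option>Work</option><option>Pub</option>".html_safe, :prompt => "string", :include_blank => true
     expected = %(<select name="places" id="places"><option value="">string</option><option value=""></option><option>Home</option><option>Work</option><option>Pub</option></select>)
@@ -366,7 +372,7 @@ def test_stringify_symbol_keys
 
   def test_submit_tag
     assert_dom_equal(
-      %(<input name='commit' data-disable-with="Saving..." onclick="alert('hello!')" type="submit" value="Save" />),
+      %(<input name='commit' data-disable-with="Saving..." onclick="alert(&#x27;hello!&#x27;)" type="submit" value="Save" />),
       submit_tag("Save", :disable_with => "Saving...", :onclick => "alert('hello!')")
     )
   end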
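Review bot: `test_select_tag_escapes_prompt` pins only the plain-String prompt; the contract it relies on (`content_tag` escapes unless the value is `html_safe?`) has a second half that is untested — a prompt passed as `"<b>Pick</b>".html_safe` should come through unescaped — and the `option_tags = nil` default is never combined with `:prompt` or `:include_blank` in the visible tests. One assertion each would catch a regression in either path, e.g. `assert_dom_equal %(<select id="places" name="places"><option value="">x</option></select>), select_tag("places", nil, :prompt => "x")`. The new test's expected string spells `id` before `name`, while the neighbouring `test_select_tag_with_prompt_and_include_blank` spells them the other way; `assert_dom_equal` tolerates it, but matching the existing order reads cleaner.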
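--- a/actionpack/test/template/javascript_helper_test.rb
+++ b/actionpack/test/template/javascript_helper_test.rb
@@ -40,12 +40,12 @@ def test_escape_javascript_with_safebuffer
   end
 
   def test_button_to_function
-    assert_dom_equal %(<input type="button" onclick="alert('Hello world!');" value="Greeting" />),
+    assert_dom_equal %(<input type="button" onclick="alert(&#x27;Hello world!&#x27;);" value="Greeting" />),
       button_to_function("Greeting", "alert('Hello world!')")
   end
 
   def test_button_to_function_with_onclick
-    assert_dom_equal "<input onclick=\"alert('Goodbye World :('); alert('Hello world!');\" type=\"button\" value=\"Greeting\" />",
+    assert_dom_equal "<input onclick=\"alert(&#x27;Goodbye World :(&#x27;); alert(&#x27;Hello world!&#x27;);\" type=\"button\" value=\"Greeting\" />",
       button_to_function("Greeting", "alert('Hello world!')", :onclick => "alert('Goodbye World :(')")
   end
 
@@ -55,17 +55,17 @@ def test_button_to_function_without_function
   end
 
   def test_link_to_function
-    assert_dom_equal %(<a href="#" onclick="alert('Hello world!'); return false;">Greeting</a>),
+    assert_dom_equal %(<a href="#" onclick="alert(&#x27;Hello world!&#x27;); return false;">Greeting</a>),
       link_to_function("Greeting", "alert('Hello world!')")
   end
 
   def test_link_to_function_with_existing_onclick
-    assert_dom_equal %(<a href="#" onclick="confirm('Sanity!'); alert('Hello world!'); return false;">Greeting</a>),
+    assert_dom_equal %(<a href="#" onclick="confirm(&#x27;Sanity!&#x27;); alert(&#x27;Hello world!&#x27;); return false;">Greeting</a>),
       link_to_function("Greeting", "alert('Hello world!')", :onclick => "confirm('Sanity!')")
   end
 
   def test_function_with_href
-    assert_dom_equal %(<a href="http://example.com/" onclick="alert('Hello world!'); return false;">Greeting</a>),
+    assert_dom_equal %(<a href="http://example.com/" onclick="alert(&#x27;Hello world!&#x27;); return false;">Greeting</a>),
       link_to_function("Greeting", "alert('Hello world!')", :href => 'http://example.com/')
   end
 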
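--- a/actionpack/test/template/sanitize_helper_test.rb
+++ b/actionpack/test/template/sanitize_helper_test.rb
@@ -42,9 +42,9 @@ def test_strip_tags
     [nil, '', '   '].each do |blank|
       stripped = strip_tags(blank)
       assert_equal blank, stripped
-      assert stripped.html_safe? unless blank.nil?
     end
-    assert strip_tags("<script>").html_safe?
+    assert_equal "", strip_tags("<script>")
+    assert_equal "something &lt;img onerror=alert(1337)", ERB::Util.html_escape(strip_tags("something <img onerror=alert(1337)"))
   end
 
   def test_sanitize_is_marked_safe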
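Review bot: `assert_equal "", strip_tags("<script>")` passes whether or not the result is marked html_safe, because a SafeBuffer compares equal to a String with the same content, so the property this commit actually changes — that `strip_tags` no longer returns an html_safe buffer — is not asserted directly anywhere in the hunk; the second new line only checks that escaping the result yields escaped text. Add `assert !strip_tags("<script>").html_safe?` (the `test_sanitize_is_marked_safe` below is the mirror image) so that a reintroduced `.try(:html_safe)` fails the suite. The removed `assert stripped.html_safe? unless blank.nil?` was the old contract for the blank cases; its negation belongs in that same loop.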
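--- a/actionpack/test/template/template_test.rb
+++ b/actionpack/test/template/template_test.rb
@@ -77,7 +77,7 @@ def test_template_does_not_lose_its_source_after_rendering_if_it_does_not_have_a
   def test_locals
     @template = new_template("<%= my_local %>")
     @template.locals = [:my_local]
-    assert_equal "I'm a local", render(:my_local => "I'm a local")
+    assert_equal "I am a local", render(:my_local => "I am a local")
   end
 
   def test_restores_buffer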
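--- a/actionpack/test/template/url_helper_test.rb
+++ b/actionpack/test/template/url_helper_test.rb
@@ -193,7 +193,7 @@ def test_link_with_nil_html_options
 
   def test_link_tag_with_custom_onclick
     link = link_to("Hello", "http://www.example.com", :onclick => "alert('yay!')")
-    expected = %{<a href="http://www.example.com" onclick="alert('yay!')">Hello</a>}
+    expected = %{<a href="http://www.example.com" onclick="alert(&#x27;yay!&#x27;)">Hello</a>}
     assert_dom_equal expected, link
   end
 
@@ -203,12 +203,12 @@ def test_link_tag_with_javascript_confirm
       link_to("Hello", "http://www.example.com", :confirm => "Are you sure?")
     )
     assert_dom_equal(
-      "<a href=\"http://www.example.com\" data-confirm=\"You can't possibly be sure, can you?\">Hello</a>",
-      link_to("Hello", "http://www.example.com", :confirm => "You can't possibly be sure, can you?")
+      "<a href=\"http://www.example.com\" data-confirm=\"You cant possibly be sure, can you?\">Hello</a>",
+      link_to("Hello", "http://www.example.com", :confirm => "You cant possibly be sure, can you?")
     )
     assert_dom_equal(
-      "<a href=\"http://www.example.com\" data-confirm=\"You can't possibly be sure,\n can you?\">Hello</a>",
-      link_to("Hello", "http://www.example.com", :confirm => "You can't possibly be sure,\n can you?")
+      "<a href=\"http://www.example.com\" data-confirm=\"You cant possibly be sure,\n can you?\">Hello</a>",
+      link_to("Hello", "http://www.example.com", :confirm => "You cant possibly be sure,\n can you?")
     )
   end
 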
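--- a/activemodel/CHANGELOG.md
+++ b/activemodel/CHANGELOG.md
@@ -1,3 +1,7 @@
+## Rails 3.1.8 (Aug 9, 2012)
+
+*   No changes.
+
 ## Rails 3.1.7 (Jul 26, 2012)
 
 *   No changes.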
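--- a/activemodel/lib/active_model/version.rb
+++ b/activemodel/lib/active_model/version.rb
@@ -2,7 +2,7 @@ module ActiveModel
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 1
-    TINY  = 7
+    TINY  = 8
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')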
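--- a/activerecord/CHANGELOG.md
+++ b/activerecord/CHANGELOG.md
@@ -1,3 +1,7 @@
+## Rails 3.1.8 (Aug 9, 2012)
+
+*   No changes.
+
 ## Rails 3.1.7 (Jul 26, 2012)
 
 *   No changes.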
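--- a/activerecord/lib/active_record/version.rb
+++ b/activerecord/lib/active_record/version.rb
@@ -2,7 +2,7 @@ module ActiveRecord
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 1
-    TINY  = 7
+    TINY  = 8
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')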
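--- a/activeresource/CHANGELOG.md
+++ b/activeresource/CHANGELOG.md
@@ -1,3 +1,7 @@
+## Rails 3.1.8 (Aug 9, 2012)
+
+*   No changes.
+
 ## Rails 3.1.7 (Jul 26, 2012)
 
 *   No changes.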
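--- a/activeresource/lib/active_resource/version.rb
+++ b/activeresource/lib/active_resource/version.rb
@@ -2,7 +2,7 @@ module ActiveResource
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 1
-    TINY  = 7
+    TINY  = 8
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')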
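--- a/activesupport/CHANGELOG.md
+++ b/activesupport/CHANGELOG.md
@@ -1,3 +1,7 @@
+## Rails 3.1.8 (Aug 9, 2012)
+
+*   No changes.
+
 ## Rails 3.1.7 (Jul 26, 2012)
 
 *   No changes.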
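--- a/activesupport/lib/active_support/core_ext/string/output_safety.rb
+++ b/activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -3,45 +3,24 @@
 
 class ERB
   module Util
-    HTML_ESCAPE = { '&' => '&amp;',  '>' => '&gt;',   '<' => '&lt;', '"' => '&quot;' }
+    HTML_ESCAPE = { '&' => '&amp;',  '>' => '&gt;',   '<' => '&lt;', '"' => '&quot;', "'" => '&#x27;' }
     JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }
 
-    # Detect whether 1.9 can transcode with XML escaping.
-    if '"&gt;&lt;&amp;&quot;"' == ('><&"'.encode('utf-8', :xml => :attr) rescue false)
-      # A utility method for escaping HTML tag characters.
-      # This method is also aliased as <tt>h</tt>.
-      #
-      # In your ERB templates, use this method to escape any unsafe content. For example:
-      #   <%=h @person.name %>
-      #
-      # ==== Example:
-      #   puts html_escape("is a > 0 & a < 10?")
-      #   # => is a &gt; 0 &amp; a &lt; 10?
-      def html_escape(s)
-        s = s.to_s
-        if s.html_safe?
-          s
-        else
-          s.encode(s.encoding, :xml => :attr)[1...-1].html_safe
-        end
-      end
-    else
-      # A utility method for escaping HTML tag characters.
-      # This method is also aliased as <tt>h</tt>.
-      #
-      # In your ERB templates, use this method to escape any unsafe content. For example:
-      #   <%=h @person.name %>
-      #
-      # ==== Example:
-      #   puts html_escape("is a > 0 & a < 10?")
-      #   # => is a &gt; 0 &amp; a &lt; 10?
-      def html_escape(s)
-        s = s.to_s
-        if s.html_safe?
-          s
-        else
-          s.gsub(/[&"><]/n) { |special| HTML_ESCAPE[special] }.html_safe
-        end
+    # A utility method for escaping HTML tag characters.
+    # This method is also aliased as <tt>h</tt>.
+    #
+    # In your ERB templates, use this method to escape any unsafe content. For example:
+    #   <%=h @person.name %>
+    #
+    # ==== Example:
+    #   puts html_escape("is a > 0 & a < 10?")
+    #   # => is a &gt; 0 &amp; a &lt; 10?
+    def html_escape(s)
+      s = s.to_s
+      if s.html_safe?
+        s
+      else
+        s.gsub(/[&"'><]/n) { |special| HTML_ESCAPE[special] }.html_safe
       end
     end
 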
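Review bot: The character class `/[&"'><]/n` in the new `html_escape` repeats the keys of `HTML_ESCAPE` by hand — this commit had to edit both the hash and the regex to add `'`, and a key added to one but not the other is silently left unescaped. Deriving the pattern from the hash keeps the two in step, e.g. a constant `HTML_ESCAPE_REGEXP = /[#{Regexp.escape(HTML_ESCAPE.keys.join)}]/n` next to `HTML_ESCAPE` and `s.gsub(HTML_ESCAPE_REGEXP) { |special| HTML_ESCAPE[special] }.html_safe` in the method; I have not checked whether anything outside this file depends on the `/n` flag, so I would keep it. The rdoc example `puts html_escape("is a > 0 & a < 10?")` could include a quote so readers see `&quot;`/`&#x27;` in the output, since the apostrophe is the behaviour this release adds. `HTML_ESCAPE` is a public constant that erb_util_test.rb iterates, so the new entry changes what its consumers see; a CHANGELOG line for activesupport (currently "No changes.") would help anyone who reads the hash.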
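--- a/activesupport/lib/active_support/version.rb
+++ b/activesupport/lib/active_support/version.rb
@@ -2,7 +2,7 @@ module ActiveSupport
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 1
-    TINY  = 7
+    TINY  = 8
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')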
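--- a/activesupport/test/core_ext/string_ext_test.rb
+++ b/activesupport/test/core_ext/string_ext_test.rb
@@ -464,8 +464,8 @@ def to_s
   end
 
   test "ERB::Util.html_escape should escape unsafe characters" do
-    string = '<>&"'
-    expected = '&lt;&gt;&amp;&quot;'
+    string = '<>&"\''
+    expected = '&lt;&gt;&amp;&quot;&#x27;'
     assert_equal expected, ERB::Util.html_escape(string)
   end
 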
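--- a/railties/CHANGELOG.md
+++ b/railties/CHANGELOG.md
@@ -1,3 +1,7 @@
+## Rails 3.1.8 (Aug 9, 2012)
+
+*   No changes.
+
 ## Rails 3.1.7 (Jul 26, 2012)
 
 *   No changes.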
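--- a/railties/lib/rails/version.rb
+++ b/railties/lib/rails/version.rb
@@ -2,7 +2,7 @@ module Rails
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 1
-    TINY  = 7
+    TINY  = 8
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')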
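--- a/railties/test/application/assets_test.rb
+++ b/railties/test/application/assets_test.rb
@@ -232,7 +232,7 @@ class ::PostsController < ActionController::Base ; end
 
       get '/posts'
       assert_match(/AssetNotPrecompiledError/, last_response.body)
-      assert_match(/app.js isn't precompiled/, last_response.body)
+      assert_match(/app.js isn&#x27;t precompiled/, last_response.body)
     end
 
     test "assets raise AssetNotPrecompiledError when manifest file is present and requested file isn't precompiled if digest is disabled" do
@@ -256,7 +256,7 @@ class ::PostsController < ActionController::Base ; end
 
       get '/posts'
       assert_match(/AssetNotPrecompiledError/, last_response.body)
-      assert_match(/app.js isn't precompiled/, last_response.body)
+      assert_match(/app.js isn&#x27;t precompiled/, last_response.body)
     end
 
     test "precompile properly refers files referenced with asset_path and and run in the provided RAILS_ENV" do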
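--- a/version.rb
+++ b/version.rb
@@ -2,7 +2,7 @@ module Rails
   module VERSION #:nodoc:
     MAJOR = 3
     MINOR = 1
-    TINY  = 7
+    TINY  = 8
     PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')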