## Rails 3.0.17 (Aug 9, 2012)
* There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the
helper doesn't correctly handle malformed html. As a result an attacker can
execute arbitrary javascript through the use of specially crafted malformed
html.
*Marek from Nethemba (www.nethemba.com) & Santiago Pastorino*
* When a "prompt" value is supplied to the `select_tag` helper, the "prompt"
value is not escaped. If untrusted data is not escaped, and is supplied as
the prompt value, there is a potential for XSS attacks.
Vulnerable code will look something like this:
select_tag("name", options, :prompt => UNTRUSTED_INPUT)
*Santiago Pastorino*
pkgsrc change: add RUBY_RAILS_STRICT_DEP which will be enabled later.
## Rails 3.0.14 (Jun 12, 2012)
* nil is removed from array parameter values
CVE-2012-2694
* Rails 3.0.13 (May 31, 2012)
* Strip null bytes from Location header
* load the encoding converter to work around [ruby-core:41556] when switching
encodings
* Avoid inspecting the whole route set, closes#1525
* whitelist protocols for auto_link
* Strip [nil] from parameters hash. Thanks to Ben Murphy for reporting this!
CVE-2012-2660
pkgsrc change:
* Tweak COMMENT.
*Rails 3.0.12 (unreleased)*
* Fix using `tranlate` helper with a html translation which uses the `:count`
option for pluralization.
*Jon Leighton*
*Rails 3.0.11 (unreleased)*
* Fix XSS security vulnerability in the `translate` helper method. When using
interpolation in combination with HTML-safe translations, the interpolated
input would not get HTML escaped. *GH 3664*
Before:
translate('foo_html', :something => '<script>') # => "...<script>..."
After:
translate('foo_html', :something => '<script>') # => "...<script>..."
*Sergey Nartimov*
* Implement a workaround for a bug in ruby-1.9.3p0 where an error would be
raised while attempting to convert a template from one encoding to another.
Please see http://redmine.ruby-lang.org/issues/5564 for details of the bug.
The workaround is to load all conversions into memory ahead of time, and will
only happen if the ruby version is exactly 1.9.3p0. The hope is obviously
that the underlying problem will be resolved in the next patchlevel release
of 1.9.3.
* Fix assert_select_email to work on multipart and non-multipart emails as the
method stopped working correctly in Rails 3.x due to changes in the new mail
gem.
* Fix url_for when passed a hash to prevent additional options (eg. :host,
:protocol) from being added to the hash after calling it.
Rails 3.0.10
* Fixes an issue where cache sweepers with only after filters would
have no controller object, it would raise undefined method
controller_name for nil [jeroenj]
* Ensure status codes are logged when exceptions are raised.
* Subclasses of OutputBuffer are respected.
* Fixed ActionView::FormOptionsHelper#select with :multiple => false
* Avoid extra call to Cache#read in case of a fragment cache hit
*Rails 3.0.9 (unreleased)*
* json_escape will now return a SafeBuffer string if it receives
SafeBuffer string [tenderlove]
* Make sure escape_js returns SafeBuffer string if it receives
SafeBuffer string [Prem Sichanugrist]
* Fix text helpers to work correctly with the new SafeBuffer
restriction [Paul Gallagher, Arun Agrawal, Prem Sichanugrist]
*Rails 3.0.6 (April 5, 2011)
* Fixed XSS vulnerability in `auto_link`. `auto_link` no longer marks input as
html safe. Please make sure that calls to auto_link() are wrapped in a
sanitize(), or a raw() depending on the type of input passed to auto_link().
For example:
<%= sanitize(auto_link(some_user_input)) %>
Thanks to Torben Schulz for reporting this. The fix can be found here:
61ee3449674c591747db95f9b3472c5c3bd9e84d
* Fixes the output of `rake routes` to be correctly match to the
behavior of the application, as the regular expression used to match
the path is greedy and won't capture the format part by default
[Prem Sichanugrist]
* Fixes an issue with number_to_human when converting values which are
less than 1 but greater than -1 [Josh Kalderimis]
* Sensitive query string parameters (specified in
config.filter_parameters) will now be filtered out from the request
paths in the log file. [Prem Sichanugrist, fxn]
* URL parameters which return nil for to_param are now removed from
the query string [Andrew White]
* Don't allow i18n to change the minor version, version now set to ~>
0.5.0 [Santiago Pastorino]
* Make TranslationHelper#translate use the :rescue_format option in
I18n 0.5.0 [Sven Fuchs]
* Fix regression: javascript_include_tag shouldn't raise if you
register an expansion key with nil or [] value [Santiago Pastorino]
* Fix Action caching bug where an action that has a non-cacheable
response always renders a nil response body. It now correctly
renders the response body. [Cheah Chu Yeow]
* More strict dependency reflect gemspec's description.
*Rails 3.0.3 (November 16, 2010)*
* When ActiveRecord::Base objects are sent to predicate methods, the id of
the object should be sent to ARel, not the ActiveRecord::Base object.
* :constraints routing should only do sanity checks against regular
expressions. String arguments are OK.
*Rails 3.0.2 (November 15, 2010)*
* The helper number_to_currency accepts a new :negative_format option to be
able to configure how to render negative amounts. [Don Wilson]
Action Pack is a framework for handling and responding to web requests. It
provides mechanisms for *routing* (mapping request URLs to actions), defining
*controllers* that implement actions, and generating responses by rendering
*views*, which are templates of various formats. In short, Action Pack
provides the view and controller layers in the MVC paradigm.
(This is part of Ruby on Rails 3.)
