actionpack 2.3.12 → 2.3.14

data/CHANGELOG

@@ -1935,7 +1935,7 @@ superclass' view_paths.  [Rick Olson]
 
 * Update documentation for erb trim syntax. #5651 [matt@mattmargolis.net]
 
-* Pass :id => nil or :class => nil to error_messages_for to supress that html attribute. #3586 [olivier_ansaldi@yahoo.com, sebastien@goetzilla.info]
+* Pass :id => nil or :class => nil to error_messages_for to supress that html attribute. #3586 [olivier_ansaldi@yahoo.com]
 
 * Reset @html_document between requests so assert_tag works. #4810 [Jarkko Laine, easleydp@gmail.com]
 
@@ -2532,7 +2532,7 @@ superclass' view_paths.  [Rick Olson]
 
 * Provide support for decimal columns to form helpers. Closes #5672. [Dave Thomas]
 
-* Pass :id => nil or :class => nil to error_messages_for to supress that html attribute. #3586 [olivier_ansaldi@yahoo.com, sebastien@goetzilla.info]
+* Pass :id => nil or :class => nil to error_messages_for to supress that html attribute. #3586 [olivier_ansaldi@yahoo.com]
 
 * Reset @html_document between requests so assert_tag works. #4810 [Jarkko Laine, easleydp@gmail.com]
 

data/Rakefile

@@ -78,7 +78,7 @@ spec = Gem::Specification.new do |s|
 
   s.requirements << 'none'
 
-  s.add_dependency('activesupport', '= 2.3.12' + PKG_BUILD)
+  s.add_dependency('activesupport', '= 2.3.14' + PKG_BUILD)
   s.add_dependency('rack', '~> 1.1.0')
 
   s.require_path = 'lib'

data/lib/action_controller/response.rb

@@ -64,12 +64,13 @@ module ActionController # :nodoc:
     # the character set information will also be included in the content type
     # information.
     def content_type=(mime_type)
-      self.headers["Content-Type"] =
+      new_content_type =
         if mime_type =~ /charset/ || (c = charset).nil?
           mime_type.to_s
         else
           "#{mime_type}; charset=#{c}"
         end
+      self.headers["Content-Type"] = URI.escape(new_content_type, "\r\n")
     end
 
     # Returns the response's content MIME type, or nil if content type has been set.

data/lib/action_controller/vendor/html-scanner/html/node.rb

@@ -162,7 +162,7 @@ module HTML #:nodoc:
           end
           
           closing = ( scanner.scan(/\//) ? :close : nil )
-          return Text.new(parent, line, pos, content) unless name = scanner.scan(/[-:\w\x00-\x09\x0b-\x0c\x0e-\x1f]+/)
+          return Text.new(parent, line, pos, content) unless name = scanner.scan(/[^\s!>\/]+/)
           name.downcase!
   
           unless closing

data/lib/action_pack/version.rb

@@ -2,7 +2,7 @@ module ActionPack #:nodoc:
   module VERSION #:nodoc:
     MAJOR = 2
     MINOR = 3
-    TINY  = 12
+    TINY  = 14
 
     STRING = [MAJOR, MINOR, TINY].join('.')
   end

data/test/controller/content_type_test.rb

@@ -46,6 +46,11 @@ class ContentTypeController < ActionController::Base
       format.rss  { render :text   => "hello world!", :content_type => Mime::XML }
     end
   end
+  
+  def render_content_type_from_user_input
+    response.content_type= params[:hello]
+    render :text=>"hello"
+  end
 
   def rescue_action(e) raise end
 end
@@ -129,6 +134,11 @@ class ContentTypeTest < ActionController::TestCase
     assert_equal Mime::HTML, @response.content_type
     assert_equal "utf-8", @response.charset
   end
+  
+  def test_user_supplied_value
+    get :render_content_type_from_user_input, :hello=>"hello/world\r\nAttack: true"
+    assert_equal "hello/world%0D%0AAttack: true", @response.content_type
+  end
 end
 
 class AcceptBasedContentTypeTest < ActionController::TestCase

data/test/controller/html-scanner/sanitizer_test.rb

@@ -5,6 +5,13 @@ class SanitizerTest < ActionController::TestCase
     @sanitizer = nil # used by assert_sanitizer
   end
 
+  def test_strip_tags_with_quote
+    sanitizer = HTML::FullSanitizer.new
+    string    = '<" <img src="trollface.gif" onload="alert(1)"> hi'
+
+    assert_equal ' hi', sanitizer.sanitize(string)
+  end
+
   def test_strip_tags
     sanitizer = HTML::FullSanitizer.new
     assert_equal("<<<bad html", sanitizer.sanitize("<<<bad html"))

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: actionpack
 version: !ruby/object:Gem::Version 
-  hash: 27
+  hash: 31
   prerelease: 
   segments: 
   - 2
   - 3
-  - 12
-  version: 2.3.12
+  - 14
+  version: 2.3.14
 platform: ruby
 authors: 
 - David Heinemeier Hansson
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-06-08 00:00:00 Z
+date: 2011-08-16 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: activesupport
@@ -25,12 +25,12 @@ dependencies:
     requirements: 
     - - "="
       - !ruby/object:Gem::Version 
-        hash: 27
+        hash: 31
         segments: 
         - 2
         - 3
-        - 12
-        version: 2.3.12
+        - 14
+        version: 2.3.14
   type: :runtime
   version_requirements: *id001
 - !ruby/object:Gem::Dependency 
@@ -527,7 +527,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: 
 - none
 rubyforge_project: actionpack
-rubygems_version: 1.8.2
+rubygems_version: 1.8.8
 signing_key: 
 specification_version: 3
 summary: Web-flow and rendering framework putting the VC in MVC.