actionpack 3.2.8.rc2 → 3.2.8

@@ -1,4 +1,18 @@
1
- ## Rails 3.2.8 ##
1
+ ## Rails 3.2.8 (Aug 9, 2012) ##
2
+
3
+ * There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the
4
+ helper doesn't correctly handle malformed html. As a result an attacker can
5
+ execute arbitrary javascript through the use of specially crafted malformed
6
+ html.
7
+
8
+ *Marek from Nethemba (www.nethemba.com) & Santiago Pastorino*
9
+
10
+ * When a "prompt" value is supplied to the `select_tag` helper, the "prompt" value is not escaped.
11
+ If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks.
12
+ Vulnerable code will look something like this:
13
+ select_tag("name", options, :prompt => UNTRUSTED_INPUT)
14
+
15
+ *Santiago Pastorino*
2
16
 
3
17
  * Reverted the deprecation of `:confirm`. *Rafael Mendonça França*
4
18
 
@@ -3,7 +3,7 @@ module ActionPack
3
3
  MAJOR = 3
4
4
  MINOR = 2
5
5
  TINY = 8
6
- PRE = "rc2"
6
+ PRE = nil
7
7
 
8
8
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
9
9
  end
@@ -122,11 +122,11 @@ module ActionView
122
122
  html_name = (options[:multiple] == true && !name.to_s.ends_with?("[]")) ? "#{name}[]" : name
123
123
 
124
124
  if options.delete(:include_blank)
125
- option_tags = "<option value=\"\"></option>".html_safe + option_tags
125
+ option_tags = content_tag(:option, '', :value => '').safe_concat(option_tags)
126
126
  end
127
127
 
128
128
  if prompt = options.delete(:prompt)
129
- option_tags = "<option value=\"\">#{prompt}</option>".html_safe + option_tags
129
+ option_tags = content_tag(:option, prompt, :value => '').safe_concat(option_tags)
130
130
  end
131
131
 
132
132
  content_tag :select, option_tags, { "name" => html_name, "id" => sanitize_to_id(name) }.update(options.stringify_keys)
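Review bot: The `safe_concat(option_tags)` on the two added lines appends the caller-supplied `option_tags` without escaping and without regard to its `html_safe?` state, while the `content_tag :select, option_tags` path below for the no-prompt/no-blank case still escapes a non-safe string; the removed `html_safe + option_tags` form escaped an unsafe `option_tags` through SafeBuffer#+ (if I read ActiveSupport::SafeBuffer correctly), so a raw, interpolated `option_tags` string now behaves differently once `:prompt` or `:include_blank` is given. `content_tag(:option, prompt, :value => '') + option_tags` keeps the escaping of `prompt` that this fix is about and still escapes an unsafe `option_tags`. If `option_tags` is meant to be trusted markup, at minimum a comment such as `# option_tags is trusted markup: safe_concat appends it without escaping` above the `:include_blank` branch would make that contract explicit. `select_tag` starts and ends outside this hunk.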
@@ -80,7 +80,7 @@ module ActionView
80
80
  # strip_tags("<div id='top-bar'>Welcome to my website!</div>")
81
81
  # # => Welcome to my website!
82
82
  def strip_tags(html)
83
- self.class.full_sanitizer.sanitize(html).try(:html_safe)
83
+ self.class.full_sanitizer.sanitize(html)
84
84
  end
85
85
 
86
86
  # Strips all link tags from +text+ leaving just the link text.
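Review bot: The doc comment above `strip_tags` does not record that the return value is now deliberately a plain, non-`html_safe` String, so a template that renders it will HTML-escape whatever the sanitizer leaves behind, and any caller that wraps the result in `raw`/`html_safe` re-opens the malformed-markup XSS this release's changelog describes. I would add above `def strip_tags(html)`: `# The result is intentionally NOT marked html_safe: the full sanitizer does not reliably strip scripts from malformed markup, so it must be escaped on output. Do not call +html_safe+ or +raw+ on it.` The removed `try(:html_safe)` also tolerated a nil return from the sanitizer; whether `full_sanitizer.sanitize(nil)` returns nil or raises is not visible here and is worth a test.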
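--- a/metadata
+++ b/metadata
@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-version: 3.2.8.rc2
-prerelease: 6
+version: 3.2.8
+prerelease:
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-08-03 00:00:00.000000000 Z
+date: 2012-08-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: activesupport
@@ -18,7 +18,7 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 3.2.8.rc2
+version: 3.2.8
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
@@ -26,7 +26,7 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 3.2.8.rc2
+version: 3.2.8
 - !ruby/object:Gem::Dependency
 name: activemodel
 requirement: !ruby/object:Gem::Requirement
@@ -34,7 +34,7 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 3.2.8.rc2
+version: 3.2.8
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
@@ -42,7 +42,7 @@ dependencies:
 requirements:
 - - '='
 - !ruby/object:Gem::Version
-version: 3.2.8.rc2
+version: 3.2.8
 - !ruby/object:Gem::Dependency
 name: rack-cache
 requirement: !ruby/object:Gem::Requirement
@@ -384,9 +384,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
 required_rubygems_version: !ruby/object:Gem::Requirement
 none: false
 requirements:
-- - ! '>'
+- - ! '>='
 - !ruby/object:Gem::Version
-version: 1.3.1
+version: '0'
+segments:
+- 0
+hash: 4400436490322718554
 requirements:
 - none
 rubyforge_project: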