actionpack 3.2.8.rc2 → 3.2.8

data/CHANGELOG.md

@@ -1,4 +1,18 @@
-## Rails 3.2.8 ##
+## Rails 3.2.8 (Aug 9, 2012) ##
+
+*   There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the
+    helper doesn't correctly handle malformed html.  As a result an attacker can
+    execute arbitrary javascript through the use of specially crafted malformed
+    html.
+
+    *Marek from Nethemba (www.nethemba.com) & Santiago Pastorino*
+
+*   When a "prompt" value is supplied to the `select_tag` helper, the "prompt" value is not escaped.
+    If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks.
+    Vulnerable code will look something like this:
+    select_tag("name", options, :prompt => UNTRUSTED_INPUT)
+
+    *Santiago Pastorino*
 
 *   Reverted the deprecation of `:confirm`. *Rafael Mendonça França*
 

data/lib/action_pack/version.rb

@@ -3,7 +3,7 @@ module ActionPack
     MAJOR = 3
     MINOR = 2
     TINY  = 8
-    PRE   = "rc2"
+    PRE   = nil
 
     STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
   end

data/lib/action_view/helpers/form_tag_helper.rb

@@ -122,11 +122,11 @@ module ActionView
         html_name = (options[:multiple] == true && !name.to_s.ends_with?("[]")) ? "#{name}[]" : name
 
         if options.delete(:include_blank)
-          option_tags = "<option value=\"\"></option>".html_safe + option_tags
+          option_tags = content_tag(:option, '', :value => '').safe_concat(option_tags)
         end
 
         if prompt = options.delete(:prompt)
-          option_tags = "<option value=\"\">#{prompt}</option>".html_safe + option_tags
+          option_tags = content_tag(:option, prompt, :value => '').safe_concat(option_tags)
         end
 
         content_tag :select, option_tags, { "name" => html_name, "id" => sanitize_to_id(name) }.update(options.stringify_keys)

data/lib/action_view/helpers/sanitize_helper.rb

@@ -80,7 +80,7 @@ module ActionView
       #   strip_tags("<div id='top-bar'>Welcome to my website!</div>")
       #   # => Welcome to my website!
       def strip_tags(html)
-        self.class.full_sanitizer.sanitize(html).try(:html_safe)
+        self.class.full_sanitizer.sanitize(html)
       end
 
       # Strips all link tags from +text+ leaving just the link text.

metadata

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: actionpack
 version: !ruby/object:Gem::Version
-  version: 3.2.8.rc2
-  prerelease: 6
+  version: 3.2.8
+  prerelease: 
 platform: ruby
 authors:
 - David Heinemeier Hansson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-08-03 00:00:00.000000000 Z
+date: 2012-08-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -18,7 +18,7 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 3.2.8.rc2
+        version: 3.2.8
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -26,7 +26,7 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 3.2.8.rc2
+        version: 3.2.8
 - !ruby/object:Gem::Dependency
   name: activemodel
   requirement: !ruby/object:Gem::Requirement
@@ -34,7 +34,7 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 3.2.8.rc2
+        version: 3.2.8
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -42,7 +42,7 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 3.2.8.rc2
+        version: 3.2.8
 - !ruby/object:Gem::Dependency
   name: rack-cache
   requirement: !ruby/object:Gem::Requirement
@@ -384,9 +384,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
-  - - ! '>'
+  - - ! '>='
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
+      segments:
+      - 0
+      hash: 4400436490322718554
 requirements:
 - none
 rubyforge_project: