diff options
author | lest <just.lest@gmail.com> | 2011-11-17 18:29:55 +0300 |
---|---|---|
committer | Jon Leighton <j@jonathanleighton.com> | 2011-11-17 23:07:39 +0000 |
commit | e8d57f361a9982382f75449ec0d65d6c798b9ce2 (patch) | |
tree | 1d170b34597a5abdc55c650a3306935081f6b524 /actionpack/CHANGELOG.md | |
parent | 1079724fe643fe63e6d58a37274c2cf0ff172a8b (diff) | |
download | rails-e8d57f361a9982382f75449ec0d65d6c798b9ce2.tar.gz rails-e8d57f361a9982382f75449ec0d65d6c798b9ce2.tar.bz2 rails-e8d57f361a9982382f75449ec0d65d6c798b9ce2.zip |
_html translation should escape interpolated arguments
Diffstat (limited to 'actionpack/CHANGELOG.md')
-rw-r--r-- | actionpack/CHANGELOG.md | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index 4c265c41d8..9d847c763b 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -64,6 +64,20 @@ ## Rails 3.1.2 (unreleased) ## +* Fix XSS security vulnerability in the `translate` helper method. When using interpolation + in combination with HTML-safe translations, the interpolated input would not get HTML + escaped. *GH 3664* + + Before: + + translate('foo_html', :something => '<script>') # => "...<script>..." + + After: + + translate('foo_html', :something => '<script>') # => "...<script>..." + + *Sergey Nartimov* + * Upgrade sprockets dependency to ~> 2.1.0 * Ensure that the format isn't applied twice to the cache key, else it becomes impossible |