path: root/actionpack/CHANGELOG.md
author: lest <just.lest@gmail.com> 2011-11-17 18:29:55 +0300
committer: Jon Leighton <j@jonathanleighton.com> 2011-11-17 23:07:39 +0000
commit: e8d57f361a9982382f75449ec0d65d6c798b9ce2
tree: 1d170b34597a5abdc55c650a3306935081f6b524 /actionpack/CHANGELOG.md
parent: 1079724fe643fe63e6d58a37274c2cf0ff172a8b
_html translation should escape interpolated arguments
Diffstat (limited to 'actionpack/CHANGELOG.md')
-rw-r--r-- actionpack/CHANGELOG.md | 14
1 files changed, 14 insertions, 0 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 4c265c41d8..9d847c763b 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -64,6 +64,20 @@
## Rails 3.1.2 (unreleased) ##
+* Fix XSS security vulnerability in the `translate` helper method. When using interpolation
+ in combination with HTML-safe translations, the interpolated input would not get HTML
+ escaped. *GH 3664*
+
+ Before:
+
+ translate('foo_html', :something => '<script>') # => "...<script>..."
+
+ After:
+
+ translate('foo_html', :something => '<script>') # => "...&lt;script&gt;..."
+
+ *Sergey Nartimov*
+
* Upgrade sprockets dependency to ~> 2.1.0
* Ensure that the format isn't applied twice to the cache key, else it becomes impossible
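Review bot: the Before/After examples elide the translation text with `...`, so a reader cannot tell what the `foo_html` key contains or where the `%{something}` placeholder sits; showing the full translation string next to the call (for instance a `foo_html` entry that reads `'Hello %{something}'`) would make the escaped output self-explanatory. The entry should also say whether interpolated arguments that are already marked `html_safe` are passed through unescaped, since callers relying on either behaviour need to know which one the fix implements.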