Diffstat (limited to 'actionpack/CHANGELOG.md')
-rw-r--r-- actionpack/CHANGELOG.md 58
1 files changed, 48 insertions, 10 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index 3d507392b1..3e3df19a84 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,8 +1,39 @@
-* Fix generating a path for engine inside a resources block (#8533)
+* `ActionController::Parameters#permit!` permits hashes in array values.
+
+ *Xavier Noria*
+
+* Converts hashes in arrays of unfiltered params to unpermitted params.
+
+ Fixes #13382
+
+ *Xavier Noria*
+
+* New config option to opt out of params "deep munging" that was used to
+ address security vulnerability CVE-2013-0155. In your app config:
+
+ config.action_dispatch.perform_deep_munge = false
+
+ Take care to understand the security risk involved before disabling this.
+ [Read more.](https://groups.google.com/forum/#!topic/rubyonrails-security/t1WFuuQyavI)
+
+ *Bernard Potocki*
+
+* `rake routes` shows routes defined under assets prefix.
+
+ *Ryunosuke SATO*
+
+* Extend cross-site request forgery (CSRF) protection to GET requests with
+ JavaScript responses, protecting apps from cross-origin `<script>` tags.
+
+ *Jeremy Kemper*
+
+* Fix generating a path for engine inside a resources block.
+
+ Fixes #8533.
*Piotr Sarnacki*
-* Add Mime::Type.register "text/vcard", :vcf to the default list of mime types
+* Add `Mime::Type.register "text/vcard", :vcf` to the default list of mime types.
*DHH*
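Review bot: the `perform_deep_munge` entry tells readers to "understand the security risk involved before disabling this" but never says what that risk is; since the option exists precisely to switch off the CVE-2013-0155 mitigation, the entry should state in one sentence what the munging protects against and what an application must do itself if it opts out, rather than relying solely on the external link, which may not outlive the changelog. The CSRF entry has a similar gap: extending protection to GET requests with JavaScript responses is a behavior change for any app that intentionally serves JavaScript to other origins, and upgraders would benefit from a line saying what those apps should expect and how to adapt.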
@@ -26,7 +57,7 @@
The request variant is a specialization of the request format, like `:tablet`,
`:phone`, or `:desktop`.
- You can set the variant in a before_action:
+ You can set the variant in a `before_action`:
request.variant = :tablet if request.user_agent =~ /iPad/
@@ -45,16 +76,25 @@
app/views/projects/show.html+tablet.erb
app/views/projects/show.html+phone.erb
+ You can also simplify the variants definition using the inline syntax:
+
+ respond_to do |format|
+ format.js { render "trash" }
+ format.html.phone { redirect_to progress_path }
+ format.html.none { render "trash" }
+ end
+
*Łukasz Strzałkowski*
-* Fix header `Content-Type: #<Mime::NullType:...>` in localized template.
+* Fix render of localized templates without an explicit format using wrong
+ content header and not passing correct formats to template due to the
+ introduction of the `NullType` for mimes.
- When localized template has no format in the template name,
- the response now has the default and correct `content-type`.
+ Templates like `hello.it.erb` were subject to this issue.
Fixes #13064.
- *Angelo Capilleri*
+ *Angelo Capilleri*, *Carlos Antonio da Silva*
* Try to escape each part of a url correctly when using a redirect route.
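Review bot: the rewritten localized-template entry is a single long sentence ("Fix render of localized templates without an explicit format using wrong content header and not passing correct formats to template due to the introduction of the `NullType` for mimes") that reads less clearly than the line it replaces; suggest splitting it, e.g. "Fix rendering of localized templates that have no explicit format (such as `hello.it.erb`): the response used the wrong `Content-Type` and the template did not receive the correct formats, a regression introduced with `NullType` for mimes." Also, the new inline-syntax example introduces `format.html.none` without saying what it matches, and that is the non-obvious part of the snippet; one clause on it would make the example self-explanatory.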
@@ -85,9 +125,7 @@
* Add `session#fetch` method
- fetch behaves similarly to [Hash#fetch](http://www.ruby-doc.org/core-1.9.3/Hash.html#method-i-fetch),
- with the exception that the returned value is always saved into the session.
-
+ fetch behaves like [Hash#fetch](http://www.ruby-doc.org/core-1.9.3/Hash.html#method-i-fetch).
It returns a value from the hash for the given key.
If the key can’t be found, there are several options:
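Review bot: the rewrite drops the qualification that `session#fetch` always saves the returned value into the session and now says it simply "behaves like Hash#fetch". If that store-on-fetch behavior was removed, the entry should say so explicitly, because it changes what callers can rely on after a miss; if the behavior is unchanged, the removed sentence was the one thing that distinguished it from `Hash#fetch` and should be kept.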