diff options
Diffstat (limited to 'actionpack/CHANGELOG')
| -rw-r--r-- | actionpack/CHANGELOG | 49 |
1 files changed, 47 insertions, 2 deletions
diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG index 6172fa4e07..b0f7d0bc11 100644 --- a/actionpack/CHANGELOG +++ b/actionpack/CHANGELOG @@ -1,4 +1,13 @@ -*Rails 3.1.0 (unreleased)* +*Rails 3.2.0 (unreleased)* + +* send_file now guess the mime type [Esad Hajdarevic] + +* Mime type entries for PDF, ZIP and other formats were added [Esad Hajdarevic] + +* Generate hidden input before select with :multiple option set to true. + This is useful when you rely on the fact that when no options is set, + the state of select will be sent to rails application. Without hidden field + nothing is sent according to HTML spec [Bogdan Gusiev] * Refactor ActionController::TestCase cookies [Andrew White] @@ -18,7 +27,43 @@ persistent between requests so if you need to manipulate the environment for your test you need to do it before the cookie jar is created. -* Added 'ActionView::Helpers::FormHelper.fields_for_with_index', similar to fields_for but allows to have access to the current iteration index [Jorge Bejar] + +*Rails 3.1.0 (unreleased)* + +* Make sure respond_with with :js tries to render a template in all cases [José Valim] + +* json_escape will now return a SafeBuffer string if it receives SafeBuffer string [tenderlove] + +* Make sure escape_js returns SafeBuffer string if it receives SafeBuffer string [Prem Sichanugrist] + +* Fix escape_js to work correctly with the new SafeBuffer restriction [Paul Gallagher] + +* Brought back alternative convention for namespaced models in i18n [thoefer] + + Now the key can be either "namespace.model" or "namespace/model" until further deprecation. + +* It is prohibited to perform a in-place SafeBuffer mutation [tenderlove] + + The old behavior of SafeBuffer allowed you to mutate string in place via + method like `sub!`. These methods can add unsafe strings to a safe buffer, + and the safe buffer will continue to be marked as safe. + + An example problem would be something like this: + + <%= link_to('hello world', @user).sub!(/hello/, params[:xss]) %> + + In the above example, an untrusted string (`params[:xss]`) is added to the + safe buffer returned by `link_to`, and the untrusted content is successfully + sent to the client without being escaped. To prevent this from happening + `sub!` and other similar methods will now raise an exception when they are called on a safe buffer. + + In addition to the in-place versions, some of the versions of these methods which return a copy of the string will incorrectly mark strings as safe. For example: + + <%= link_to('hello world', @user).sub(/hello/, params[:xss]) %> + + The new versions will now ensure that *all* strings returned by these methods on safe buffers are marked unsafe. + + You can read more about this change in http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2e516e7acc96c4fb * Warn if we cannot verify CSRF token authenticity [José Valim] |