From 0697d17d121fcf9f46b5dd2dd1034dffa19ebdf2 Mon Sep 17 00:00:00 2001 From: rick Date: Tue, 6 May 2008 00:42:24 -0700 Subject: Change the request forgery protection to go by Content-Type instead of request.format so that you can't bypass it by POSTing to "#{request.uri}.xml" [#73 state:resolved] --- actionpack/CHANGELOG | 2 ++ 1 file changed, 2 insertions(+) (limited to 'actionpack/CHANGELOG') diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG index 54030047ba..87f570d55c 100644 --- a/actionpack/CHANGELOG +++ b/actionpack/CHANGELOG @@ -1,5 +1,7 @@ *SVN* +* Change the request forgery protection to go by Content-Type instead of request.format so that you can't bypass it by POSTing to "#{request.uri}.xml" [rick] + * Fixed that TextHelper#text_field would corrypt when raw HTML was used as the value (mchenryc, Kevin Glowacz) [#80] * Added ActionController::TestCase#rescue_action_in_public! to control whether the action under test should use the regular rescue_action path instead of simply raising the exception inline (great for error testing) [DHH] -- cgit v1.2.3