Work around AR that does not call serializable_hash on to_xml.

CHANGELOG.rdoc

@@ -6,6 +6,7 @@
   * Better localization for devise_error_messages! (by github.com/zedtux)
 
 * bug fix
+  * Ensure to_xml is properly white listened
   * Ensure handle_unverified_request clean up any cached signed-in user
 
 == 1.4.0

lib/devise/models/authenticatable.rb

@@ -76,13 +76,18 @@ module Devise
       def authenticatable_salt
       end
 
-      def serializable_hash(options={})
-        if self.class.respond_to?(:accessible_attributes)
-          options = { :only => self.class.accessible_attributes.to_a }.merge(options || {})
-          super(options)
-        else
-          super
-        end
+      # TODO: to_xml does not call serializable_hash. Hopefully someone will fix this in AR.
+      %w(to_xml serializable_hash).each do |method|
+        class_eval <<-RUBY, __FILE__, __LINE__
+          def #{method}(options={})
+            if self.class.respond_to?(:accessible_attributes)
+              options = { :only => self.class.accessible_attributes.to_a }.merge(options || {})
+              super(options)
+            else
+              super
+            end
+          end
+        RUBY
       end
 
       module ClassMethods

test/integration/registerable_test.rb

@@ -211,7 +211,7 @@ class RegistrationTest < ActionController::IntegrationTest
     get new_user_registration_path(:format => 'xml')
     assert_response :success
     assert_match %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>), response.body
-    assert_no_match(/<confirmation_token>/, response.body) if DEVISE_ORM == :active_record
+    assert_no_match(/<confirmation-token/, response.body) if DEVISE_ORM == :active_record
   end
 
   test 'a user with JSON sign up stub' do