diff --git a/actionmailer/CHANGELOG.md b/actionmailer/CHANGELOG.md index 96cfb43e0b..d2b8c35124 100644 --- a/actionmailer/CHANGELOG.md +++ b/actionmailer/CHANGELOG.md @@ -6,6 +6,22 @@ * Asynchronously send messages via the Rails Queue *Brian Cardarella* + +## Rails 3.2.8 (Aug 9, 2012) ## + +* No changes. + + +## Rails 3.2.7 (Jul 26, 2012) ## + +* No changes. + + +## Rails 3.2.6 (Jun 12, 2012) ## + +* No changes. + + ## Rails 3.2.5 (Jun 1, 2012) ## * No changes. diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md index e1937e14a2..8f845ce7e1 100644 --- a/actionpack/CHANGELOG.md +++ b/actionpack/CHANGELOG.md @@ -17,19 +17,19 @@ We recommend the use of Unobtrusive JavaScript instead. For example: - link_to "Greeting", "#", :class => "nav_link" + link_to "Greeting", "#", :class => "nav_link" - $(function() { - $('.nav_link').click(function() { - // Some complex code + $(function() { + $('.nav_link').click(function() { + // Some complex code - return false; + return false; + }); }); - }); or - link_to "Greeting", '#', onclick: "alert('Hello world!'); return false", class: "nav_link" + link_to "Greeting", '#', onclick: "alert('Hello world!'); return false", class: "nav_link" for simple cases. @@ -46,18 +46,18 @@ * Added ActionController::Live. Mix it in to your controller and you can stream data to the client live. For example: - class FooController < ActionController::Base - include ActionController::Live + class FooController < ActionController::Base + include ActionController::Live - def index - 100.times { - # Client will see this as it's written - response.stream.write "hello world\n" - sleep 1 - } - response.stream.close + def index + 100.times { + # Client will see this as it's written + response.stream.write "hello world\n" + sleep 1 + } + response.stream.close + end end - end * Remove ActionDispatch::Head middleware in favor of Rack::Head. *Santiago Pastorino* 
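Review bot: In the `ActionController::Live` example (hunk `@@ -46,18 +46,18 @@` of actionpack/CHANGELOG.md) `response.stream.close` is only reached if the `100.times` loop finishes; an exception raised from `response.stream.write` (a client that disconnects mid-stream, for instance) leaves the stream open. Since this hunk is already touching every line of the example, wrap the body so the close always runs:

    def index
      100.times { response.stream.write "hello world\n"; sleep 1 }
    ensure
      response.stream.close
    end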
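Review bot: The "for simple cases" alternative in hunk `@@ -17,19 +17,19 @@` of actionpack/CHANGELOG.md (`link_to "Greeting", '#', onclick: "alert('Hello world!'); return false", class: "nav_link"`) contradicts the sentence two lines above that recommends Unobtrusive JavaScript; an inline `onclick` handler is exactly what UJS avoids, and it will not execute under a Content-Security-Policy that lacks `'unsafe-inline'`. Either drop the inline-handler alternative or add a sentence saying it is shown only for comparison and is not the recommended form.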
@@ -266,13 +266,13 @@ * Add `collection_check_boxes` form helper, similar to `collection_select`: Example: - collection_check_boxes :post, :author_ids, Author.all, :id, :name - # Outputs something like: - - - - - + collection_check_boxes :post, :author_ids, Author.all, :id, :name + # Outputs something like: + + + + + The label/check_box pairs can be customized with a block. @@ -281,12 +281,12 @@ * Add `collection_radio_buttons` form helper, similar to `collection_select`: Example: - collection_radio_buttons :post, :author_id, Author.all, :id, :name - # Outputs something like: - - - - + collection_radio_buttons :post, :author_id, Author.all, :id, :name + # Outputs something like: + + + + The label/radio_button pairs can be customized with a block. 
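Review bot: The "Outputs something like:" sample in both the `collection_check_boxes` hunk (`@@ -266,13 +266,13 @@`) and the `collection_radio_buttons` hunk (`@@ -281,12 +281,12 @@`) comes through as a run of blank `+` lines, so the reader is promised example output and gets none. Check that the sample `<input>`/`<label>` markup is actually present in the new lines and indented four spaces like the helper call above it; un-indented `<input ...>` lines in a Markdown changelog are rendered as live HTML rather than shown as code, which is the most likely reason they vanished here.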
@@ -330,6 +330,67 @@ HTML5 `mark` element. *Brian Cardarella* +## Rails 3.2.8 (Aug 9, 2012) ## + +* There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the + helper doesn't correctly handle malformed html. As a result an attacker can + execute arbitrary javascript through the use of specially crafted malformed + html. + + *Marek from Nethemba (www.nethemba.com) & Santiago Pastorino* + +* When a "prompt" value is supplied to the `select_tag` helper, the "prompt" value is not escaped. + If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks. + Vulnerable code will look something like this: + select_tag("name", options, :prompt => UNTRUSTED_INPUT) + + *Santiago Pastorino* + +* Reverted the deprecation of `:confirm`. *Rafael Mendonça França* + +* Reverted the deprecation of `:disable_with`. *Rafael Mendonça França* + +* Reverted the deprecation of `:mouseover` option to `image_tag`. *Rafael Mendonça França* + +* Reverted the deprecation of `button_to_function` and `link_to_function` helpers. + + *Rafael Mendonça França* + + +## Rails 3.2.7 (Jul 26, 2012) ## + +* Do not convert digest auth strings to symbols. CVE-2012-3424 + +* Bump Journey requirements to 1.0.4 + +* Add support for optional root segments containing slashes + +* Fixed bug creating invalid HTML in select options + +* Show in log correct wrapped keys + +* Fix NumberHelper options wrapping to prevent verbatim blocks being rendered instead of line continuations. + +* ActionController::Metal doesn't have logger method, check it and then delegate + +* ActionController::Caching depends on RackDelegation and AbstractController::Callbacks + + +## Rails 3.2.6 (Jun 12, 2012) ## + +* nil is removed from array parameter values + + CVE-2012-2694 + +* Deprecate `:confirm` in favor of `':data => { :confirm => "Text" }'` option for `button_to`, `button_tag`, `image_submit_tag`, `link_to` and `submit_tag` helpers. 
+ + *Carlos Galdino* + +* Allow to use mounted_helpers (helpers for accessing mounted engines) in ActionView::TestCase. *Piotr Sarnacki* + +* Include mounted_helpers (helpers for accessing mounted engines) in ActionDispatch::IntegrationTest by default. *Piotr Sarnacki* + + ## Rails 3.2.5 (Jun 1, 2012) ## * No changes. diff --git a/activemodel/CHANGELOG.md b/activemodel/CHANGELOG.md index 847ae7f237..9188719b78 100644 --- a/activemodel/CHANGELOG.md +++ b/activemodel/CHANGELOG.md @@ -39,10 +39,24 @@ * When `^` or `$` are used in the regular expression provided to `validates_format_of` and the :multiline option is not set to true, an exception will be raised. This is to prevent security vulnerabilities when using `validates_format_of`. The problem is described in detail in the Rails security guide. + +## Rails 3.2.8 (Aug 9, 2012) ## + +* No changes. + + +## Rails 3.2.7 (Jul 26, 2012) ## + +* `validates_inclusion_of` and `validates_exclusion_of` now accept `:within` option as alias of `:in` as documented. + +* Fix the the backport of the object dup with the ruby 1.9.3p194. + + ## Rails 3.2.6 (Jun 12, 2012) ## * No changes. + ## Rails 3.2.5 (Jun 1, 2012) ## * No changes. diff --git a/activerecord/CHANGELOG.md b/activerecord/CHANGELOG.md index 66e4335e30..fc3f754b9f 100644 --- a/activerecord/CHANGELOG.md +++ b/activerecord/CHANGELOG.md @@ -468,11 +468,11 @@ The `add_index` method now supports a `where` option that receives a string with the partial index criteria. - add_index(:accounts, :code, :where => "active") + add_index(:accounts, :code, :where => "active") - Generates + Generates - CREATE INDEX index_accounts_on_code ON accounts(code) WHERE active + CREATE INDEX index_accounts_on_code ON accounts(code) WHERE active *Marcelo Silveira* 
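Review bot: The two XSS entries at the top of the new "Rails 3.2.8" section in actionpack/CHANGELOG.md (hunk `@@ -330,6 +330,67 @@`) carry no CVE identifier, while the 3.2.7 and 3.2.6 entries in the same hunk do (`CVE-2012-3424`, `CVE-2012-2694`); add the identifiers so the security fixes can be matched against advisories the same way. Both entries also describe only the vulnerability and not the change: say that `strip_tags` now handles the malformed HTML and that `select_tag` now escapes the `:prompt` value, since a changelog reader needs to know what behaviour changed, not just that something was wrong. Finally, the line `select_tag("name", options, :prompt => UNTRUSTED_INPUT)` should be indented four spaces so Markdown renders it as code, matching every other example in this file.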
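Review bot: Typo in the activemodel/CHANGELOG.md hunk (`@@ -39,10 +39,24 @@`): "Fix the the backport of the object dup with the ruby 1.9.3p194" has a doubled "the"; suggest "Fix the backport of object `dup` on Ruby 1.9.3p194". That entry also does not say what was broken by the backport, which is what a reader deciding whether to upgrade needs.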
@@ -582,6 +582,86 @@ * PostgreSQL hstore types are automatically deserialized from the database. +## Rails 3.2.8 (Aug 9, 2012) ## + +* Do not consider the numeric attribute as changed if the old value is zero and the new value + is not a string. + Fixes #7237. + + *Rafael Mendonça França* + +* Do not consider the numeric attribute as changed if the old value is zero and the new value + is not a string. + Fixes #7237. + + *Rafael Mendonça França* + +* Removes the deprecation of `update_attribute`. *fxn* + +* Reverted the deprecation of `composed_of`. *Rafael Mendonça França* + +* Reverted the deprecation of `*_sql` association options. They will + be deprecated in 4.0 instead. *Jon Leighton* + +* Do not eager load AR session store. ActiveRecord::SessionStore depends on the abstract store + in Action Pack. Eager loading this class would break client code that eager loads Active Record + standalone. + Fixes #7160 + + *Xavier Noria* + +* Do not set RAILS_ENV to "development" when using `db:test:prepare` and related rake tasks. + This was causing the truncation of the development database data when using RSpec. + Fixes #7175. + + *Rafael Mendonça França* + + +## Rails 3.2.7 (Jul 26, 2012) ## + +* `:finder_sql` and `:counter_sql` options on collection associations + are deprecated. Please transition to using scopes. + + *Jon Leighton* + +* `:insert_sql` and `:delete_sql` options on `has_and_belongs_to_many` + associations are deprecated. Please transition to using `has_many + :through` + + *Jon Leighton* + +* `composed_of` has been deprecated. You'll have to write your own accessor + and mutator methods if you'd like to use value objects to represent some + portion of your models. + + *Steve Klabnik* + +* `update_attribute` has been deprecated. Use `update_column` if + you want to bypass mass-assignment protection, validations, callbacks, + and touching of updated_at. Otherwise please use `update_attributes`. 
+ + *Steve Klabnik* + + +## Rails 3.2.6 (Jun 12, 2012) ## + +* protect against the nesting of hashes changing the + table context in the next call to build_from_hash. This fix + covers this case as well. + + CVE-2012-2695 + +* Revert earlier 'perf fix' (see 3.2.4 changelog / GH #6289). This + change introduced a regression (GH #6609). assoc.clear and + assoc.delete_all have loaded the association before doing the delete + since at least Rails 2.3. Doing the delete without loading the + records means that the `before_remove` and `after_remove` callbacks do + not get invoked. Therefore, this change was less a fix a more an + optimisation, which should only have gone into master. + + *Jon Leighton* + + ## Rails 3.2.5 (Jun 1, 2012) ## * Restore behavior of Active Record 3.2.3 scopes. diff --git a/activesupport/CHANGELOG.md b/activesupport/CHANGELOG.md index ddd6a8b568..b0b21a1563 100644 --- a/activesupport/CHANGELOG.md +++ b/activesupport/CHANGELOG.md @@ -105,6 +105,33 @@ * Remove deprecated ActiveSupport::JSON::Variable. *Erich Menge* +## Rails 3.2.8 (Aug 9, 2012) ## + +* Fix ActiveSupport integration with Mocha > 0.12.1. *Mike Gunderloy* + +* Reverted the deprecation of ActiveSupport::JSON::Variable. *Rafael Mendonça França* + +* ERB::Util.html_escape now escapes single quotes. *Santiago Pastorino* + + +## Rails 3.2.7 (Jul 26, 2012) ## + +* Hash#fetch(fetch) is not the same as doing hash[key] + +* adds a missing require [fixes #6896] + +* make sure the inflection rules are loaded when cherry-picking active_support/core_ext/string/inflections.rb [fixes #6884] + +* Merge pull request #6857 from rsutphin/as_core_ext_time_missing_require + +* bump AS deprecation_horizon to 4.0 + + +## Rails 3.2.6 (Jun 12, 2012) ## + +* No changes. + + ## Rails 3.2.5 (Jun 1, 2012) ## * ActiveSupport::JSON::Variable is deprecated. Define your own #as_json and #encode_json methods
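Review bot: The activerecord/CHANGELOG.md hunk (`@@ -582,6 +582,86 @@`) adds the entry "Do not consider the numeric attribute as changed if the old value is zero and the new value is not a string. Fixes #7237." twice in a row under "Rails 3.2.8"; drop the second copy. In the 3.2.6 entry for CVE-2012-2695, "This fix covers this case as well" has no referent within the entry (no earlier case is named), so either spell out which hash-nesting case the previous fix missed or cut the sentence; as written it reads as a fragment of a commit message.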
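Review bot: The "Rails 3.2.7" entries in the activesupport/CHANGELOG.md hunk (`@@ -105,6 +105,33 @@`) are raw commit subjects rather than changelog text: "Merge pull request #6857 from rsutphin/as_core_ext_time_missing_require" tells the reader nothing about what changed, and "Hash#fetch(fetch) is not the same as doing hash[key]" looks like a typo for `Hash#fetch(key)`. Rewrite each as a one-line description of the user-visible change (what require was added, what `Hash#fetch` usage was corrected and where). The 3.2.8 entry "ERB::Util.html_escape now escapes single quotes" is a behaviour change with security impact and deserves a sentence on why: output interpolated into a single-quoted HTML attribute was previously not protected, and code that compares escaped strings against fixed expectations may now see `&#39;` where it did not before.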