---
- branch: MAIN
  date: Sun Aug 12 10:34:38 UTC 2012
  files:
  - new: '1.7'
    old: '1.6'
    path: pkgsrc/www/ruby-actionpack31/distinfo
    pathrev: pkgsrc/www/ruby-actionpack31/distinfo@1.7
    type: modified
  id: 20120812T103438Z.255821fd66362d4e96e18f006ee14733947f4e59
  log: |
    Update ruby-actionpack31 to 3.1.8.

    ## Rails 3.1.8 (Aug 9, 2012)

    * There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the
      helper doesn't correctly handle malformed html.  As a result an attacker can
      execute arbitrary javascript through the use of specially crafted malformed
      html.

      *Marek from Nethemba (www.nethemba.com) & Santiago Pastorino*

    * When a "prompt" value is supplied to the `select_tag` helper, the
      "prompt" value is not escaped.
      If untrusted data is not escaped, and is supplied as the prompt value,
      there is a potential for XSS attacks.
      Vulnerable code will look something like this:
        select_tag("name", options, :prompt => UNTRUSTED_INPUT)

      *Santiago Pastorino*
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/www/ruby-actionpack31'
  unixtime: '1344767678'
  user: taca