- Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.

  Escape dangerous characters in names of tags and names of attributes in the tag helpers, following the XML specification. Rename the option `:escape_attributes` to `:escape`, to simplify by applying the option to the whole tag.

  Álvaro Martín Fraguas

- Ensure models passed to `form_for` attempt to call `to_model`.

  Sean Doyle

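The tag and attribute name escaping described in the first entry above, as an added standalone sketch (not Rails source code). The helper names `sanitize_xml_name` and `render_tag`, and the choice of `_` as the replacement character, are assumptions of this example; the code point ranges are the `NameStartChar` and `NameChar` productions of XML 1.0.

```ruby
# Added example, not Rails source. Helper names are hypothetical.
require "erb"

# XML 1.0 (section 2.3) NameStartChar code point ranges.
NAME_START_RANGES = [
  0x3A..0x3A, 0x41..0x5A, 0x5F..0x5F, 0x61..0x7A, 0xC0..0xD6, 0xD8..0xF6,
  0xF8..0x2FF, 0x370..0x37D, 0x37F..0x1FFF, 0x200C..0x200D, 0x2070..0x218F,
  0x2C00..0x2FEF, 0x3001..0xD7FF, 0xF900..0xFDCF, 0xFDF0..0xFFFD,
  0x10000..0xEFFFF
].freeze

# NameChar adds "-", ".", digits, U+00B7 and two further ranges.
NAME_CHAR_RANGES = (NAME_START_RANGES + [
  0x2D..0x2E, 0x30..0x39, 0xB7..0xB7, 0x300..0x36F, 0x203F..0x2040
]).freeze

def in_ranges?(char, ranges)
  ranges.any? { |r| r.cover?(char.ord) }
end

# Replace every character that may not appear in an XML Name with "_"
# (replacement character is an assumption of this sketch).
def sanitize_xml_name(name)
  name.to_s.scrub("_").each_char.with_index.map do |ch, i|
    in_ranges?(ch, i.zero? ? NAME_START_RANGES : NAME_CHAR_RANGES) ? ch : "_"
  end.join
end

# Build an opening tag: names are sanitized, values are HTML-escaped.
def render_tag(name, attrs = {})
  pairs = attrs.map do |k, v|
    %( #{sanitize_xml_name(k)}="#{ERB::Util.html_escape(v.to_s)}")
  end
  "<#{sanitize_xml_name(name)}#{pairs.join}>"
end

if __FILE__ == $0
  # Constructed input: an attribute name taken from untrusted data.
  puts render_tag("div", { 'title" onmouseover="x' => "a<b" })
end
```

Escaping only attribute values leaves the name position open: a quote, space or `=` in a name ends the attribute and starts a new one, which is why the names need the stricter XML `Name` check rather than entity encoding.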
Please check 7-0-stable for previous changes.