[ANN] Rails 3.0.9.rc1 has been released!


Aaron Patterson

Jun 8, 2011, 5:56:34 PM
to ruby...@ruby-lang.org, rubyonra...@googlegroups.com, rubyonra...@googlegroups.com
Hey folks. Sorry for the multiple releases in such a short time span, but the security fixes released yesterday seem to have broken people's applications. I am not happy about that.

I've pushed a 3.0.9.rc1. Please test your application against this release candidate and report any regressions to the [rails core mailing list](http://groups.google.com/group/rubyonrails-core). I would like to hear your feedback, good or bad.

I will release the final in 72 hours if there are no reported regressions. If there are reported regressions, I will release another RC and the clock will start over.

## How to test

Update your Gemfile to point at Rails version 3.0.9.rc1, then do a `bundle update` and test out your application.

## CHANGES

Here are some of the major changes:

* MemCacheStore works with Ruby 1.9 and -Ku
* `mailto` SafeBuffer fixes
* `escape_javascript` SafeBuffer fixes

For an exhaustive list, please check out the commits on [github](https://github.com/rails/rails/compare/v3.0.8...v3.0.9.rc1).

Thanks for your patience everyone!

<3 <3 <3

--
Aaron Patterson
http://tenderlovemaking.com/

Jesse Cooke

Jun 8, 2011, 8:15:12 PM
to rubyonra...@googlegroups.com, ruby...@ruby-lang.org, rubyonra...@googlegroups.com
escape_javascript still doesn't work like it has in previous versions.
You can see how it's expected to work & what it outputs here: http://twitpic.com/58vm5j
The code is here: http://bit.ly/leww2A

An upgrade to Haml 3.1.2 was also necessary for the new SafeBuffer changes.

Jesse

--------------------------------------------
Jesse Cooke :: N-tier Engineer
jc00ke.com / @jc00ke

Prem Sichanugrist

Jun 8, 2011, 8:18:54 PM
to rubyonra...@googlegroups.com
Let me check. There wasn't really anybody tainted to the function or making it not html_safe, except just changing regular expression term.

Mind opening an issue?


Jesse Cooke

Jun 8, 2011, 8:53:09 PM
to rubyonra...@googlegroups.com

Aaron Patterson

Jun 8, 2011, 9:18:04 PM
to rubyonra...@googlegroups.com
On Wed, Jun 08, 2011 at 05:53:09PM -0700, Jesse Cooke wrote:
> Issue has been created: https://github.com/rails/rails/issues/1589

Awesome. Thank you very much!

Tony Perrie

Jun 8, 2011, 8:25:08 PM
to Ruby on Rails: Core
If you’re using js views and partial html replacements, Rails 3.0.8
was totally broken. Right after the 3.0.8 release, 3.0.9rc1 was
released which partially addresses the problem. But, after upgrading,
you have to wrap every escape_javascript call with raw() if you want
your javascript to replace HTML. This was absolutely _not_ the case
with 3.0.7.

So, escape_javascript('<img src="lolcat.jpg" />') becomes
raw(escape_javascript('<img src="lolcat.jpg" />')).


Greg

Jun 8, 2011, 10:06:16 PM
to Ruby on Rails: Core
Howdy,

I posted a patch @ https://github.com/rails/rails/issues/1576

HTH,
Greg

Aaron Patterson

Jun 9, 2011, 12:39:07 PM
to rubyonra...@googlegroups.com
On Wed, Jun 08, 2011 at 05:25:08PM -0700, Tony Perrie wrote:
> If you’re using js views and partial html replacements, Rails 3.0.8
> was totally broken. Right after the 3.0.8 release, 3.0.9rc1 was
> released which partially addresses the problem. But, after upgrading,
> you have to wrap every escape_javascript call with raw() if you want
> your javascript to replace HTML. This was absolutely _not_ the case
> with 3.0.7.
>
> So, escape_javascript('<img src="lolcat.jpg" />') becomes
> raw(escape_javascript('<img src="lolcat.jpg" />')).

Sorry about the breakage. We'll fix the problem and release another
release candidate.
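
The double-escaping reported in the quoted message, modelled in plain Ruby as an added example (not Rails code and not posted by anyone in this thread). `SafeString`, `escape_javascript_model`, `raw_model`, `erb_output` and `js_view` are hypothetical stand-ins for SafeBuffer, `escape_javascript`, `raw()` and ERB's `<%= %>` output step; the fragment is the one from the message.

```ruby
require "cgi"

# Toy stand-in for ActiveSupport::SafeBuffer (assumption: only the
# "already safe for HTML" flag is modelled, nothing else).
class SafeString < String; end

# Characters that would terminate or corrupt a JavaScript string literal.
JS_ESCAPES = {
  "\\" => "\\\\", "</" => "<\\/", "\r\n" => "\\n", "\n" => "\\n",
  "\r" => "\\n", '"' => '\\"', "'" => "\\'"
}.freeze

# Simplified model of escape_javascript that returns a plain String,
# i.e. a value NOT flagged as HTML-safe (the behaviour reported for 3.0.9.rc1).
def escape_javascript_model(text)
  text.gsub(/(\\|<\/|\r\n|[\n\r"'])/) { |match| JS_ESCAPES[match] }
end

# Model of raw(): flag the string as safe without touching its content.
def raw_model(text)
  SafeString.new(text)
end

# Model of <%= value %>: HTML-escape anything not flagged as safe.
def erb_output(value)
  value.is_a?(SafeString) ? value.to_s : CGI.escapeHTML(value)
end

# Model of a .js.erb line: $("#cat").html("<%= ... %>");
def js_view(value)
  %($("#cat").html("#{erb_output(value)}");)
end

# Fragment taken from the message above.
FRAGMENT = '<img src="lolcat.jpg" />'

if __FILE__ == $PROGRAM_NAME
  escaped = escape_javascript_model(FRAGMENT)
  puts js_view(escaped)            # entities end up inside the JS string
  puts js_view(raw_model(escaped)) # markup survives, JS quoting intact
end
```

`raw()` disables the HTML-escaping pass for whatever it is given, so it is only appropriate when any user-supplied values in the fragment were already HTML-escaped when the fragment was rendered.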

Ted Milker

Jun 9, 2011, 3:34:15 PM
to Ruby on Rails: Core
Rails 3.0.8 and 3.0.9.rc1 break render :inline too

render :inline => raw @content

No longer functions anymore with either version.

Full trace:
activesupport (3.0.9.rc1) lib/active_support/core_ext/string/
output_safety.rb:122:in `sub!'
actionpack (3.0.9.rc1) lib/action_view/template.rb:198:in `compile'
actionpack (3.0.9.rc1) lib/action_view/template.rb:134:in `block in
render'
activesupport (3.0.9.rc1) lib/active_support/notifications.rb:54:in
`instrument'
actionpack (3.0.9.rc1) lib/action_view/template.rb:127:in `render'
actionpack (3.0.9.rc1) lib/action_view/render/rendering.rb:59:in
`block in _render_template'
activesupport (3.0.9.rc1) lib/active_support/notifications.rb:52:in
`block in instrument'
activesupport (3.0.9.rc1) lib/active_support/notifications/
instrumenter.rb:21:in `instrument'
activesupport (3.0.9.rc1) lib/active_support/notifications.rb:52:in
`instrument'
actionpack (3.0.9.rc1) lib/action_view/render/rendering.rb:56:in
`_render_template'
actionpack (3.0.9.rc1) lib/action_view/render/rendering.rb:26:in
`render'
app/views/pages/show.html.erb:1:in
`_app_views_pages_show_html_erb__2904213535306082214_17246046540__3583876390624022854'
actionpack (3.0.9.rc1) lib/action_view/template.rb:135:in `block in
render'
activesupport (3.0.9.rc1) lib/active_support/notifications.rb:54:in
`instrument'
actionpack (3.0.9.rc1) lib/action_view/template.rb:127:in `render'
actionpack (3.0.9.rc1) lib/action_view/render/rendering.rb:59:in
`block in _render_template'
activesupport (3.0.9.rc1) lib/active_support/notifications.rb:52:in
`block in instrument'
activesupport (3.0.9.rc1) lib/active_support/notifications/
instrumenter.rb:21:in `instrument'
activesupport (3.0.9.rc1) lib/active_support/notifications.rb:52:in
`instrument'
actionpack (3.0.9.rc1) lib/action_view/render/rendering.rb:56:in
`_render_template'
actionpack (3.0.9.rc1) lib/action_view/render/rendering.rb:26:in
`render'
actionpack (3.0.9.rc1) lib/abstract_controller/rendering.rb:115:in
`_render_template'
actionpack (3.0.9.rc1) lib/abstract_controller/rendering.rb:109:in
`render_to_body'
actionpack (3.0.9.rc1) lib/action_controller/metal/renderers.rb:47:in
`render_to_body'
actionpack (3.0.9.rc1) lib/action_controller/metal/compatibility.rb:
55:in `render_to_body'
actionpack (3.0.9.rc1) lib/abstract_controller/rendering.rb:102:in
`render_to_string'
actionpack (3.0.9.rc1) lib/abstract_controller/rendering.rb:93:in
`render'
actionpack (3.0.9.rc1) lib/action_controller/metal/rendering.rb:17:in
`render'
actionpack (3.0.9.rc1) lib/action_controller/metal/instrumentation.rb:
40:in `block (2 levels) in render'
activesupport (3.0.9.rc1) lib/active_support/core_ext/benchmark.rb:
5:in `block in ms'
/home/ted/.rvm/rubies/ruby-1.9.2-p180/lib/ruby/1.9.1/benchmark.rb:
309:in `realtime'
activesupport (3.0.9.rc1) lib/active_support/core_ext/benchmark.rb:
5:in `ms'
actionpack (3.0.9.rc1) lib/action_controller/metal/instrumentation.rb:
40:in `block in render'
actionpack (3.0.9.rc1) lib/action_controller/metal/instrumentation.rb:
78:in `cleanup_view_runtime'
dm-rails (1.1.0) lib/dm-rails/railties/controller_runtime.rb:19:in
`cleanup_view_runtime'
actionpack (3.0.9.rc1) lib/action_controller/metal/instrumentation.rb:
39:in `render'
app/controllers/pages_controller.rb:30:in `show_url'
actionpack (3.0.9.rc1) lib/action_controller/metal/implicit_render.rb:
4:in `send_action'
actionpack (3.0.9.rc1) lib/abstract_controller/base.rb:150:in
`process_action'
actionpack (3.0.9.rc1) lib/action_controller/metal/rendering.rb:11:in
`process_action'
actionpack (3.0.9.rc1) lib/abstract_controller/callbacks.rb:18:in
`block in process_action'
activesupport (3.0.9.rc1) lib/active_support/callbacks.rb:451:in
`_run__1595386109040248870__process_action__3313148932168942018__callbacks'
activesupport (3.0.9.rc1) lib/active_support/callbacks.rb:410:in
`_run_process_action_callbacks'
activesupport (3.0.9.rc1) lib/active_support/callbacks.rb:94:in
`run_callbacks'
actionpack (3.0.9.rc1) lib/abstract_controller/callbacks.rb:17:in
`process_action'
actionpack (3.0.9.rc1) lib/action_controller/metal/instrumentation.rb:
30:in `block in process_action'
activesupport (3.0.9.rc1) lib/active_support/notifications.rb:52:in
`block in instrument'
activesupport (3.0.9.rc1) lib/active_support/notifications/
instrumenter.rb:21:in `instrument'
activesupport (3.0.9.rc1) lib/active_support/notifications.rb:52:in
`instrument'
actionpack (3.0.9.rc1) lib/action_controller/metal/instrumentation.rb:
29:in `process_action'
actionpack (3.0.9.rc1) lib/action_controller/metal/rescue.rb:17:in
`process_action'
actionpack (3.0.9.rc1) lib/abstract_controller/base.rb:119:in
`process'
actionpack (3.0.9.rc1) lib/abstract_controller/rendering.rb:41:in
`process'
actionpack (3.0.9.rc1) lib/action_controller/metal.rb:138:in
`dispatch'
actionpack (3.0.9.rc1) lib/action_controller/metal/rack_delegation.rb:
14:in `dispatch'
actionpack (3.0.9.rc1) lib/action_controller/metal.rb:178:in `block in
action'
actionpack (3.0.9.rc1) lib/action_dispatch/routing/route_set.rb:62:in
`call'
actionpack (3.0.9.rc1) lib/action_dispatch/routing/route_set.rb:62:in
`dispatch'
actionpack (3.0.9.rc1) lib/action_dispatch/routing/route_set.rb:27:in
`call'
rack-mount (0.6.14) lib/rack/mount/route_set.rb:148:in `block in call'
rack-mount (0.6.14) lib/rack/mount/code_generation.rb:93:in `block in
recognize'
rack-mount (0.6.14) lib/rack/mount/code_generation.rb:68:in
`optimized_each'
rack-mount (0.6.14) lib/rack/mount/code_generation.rb:92:in
`recognize'
rack-mount (0.6.14) lib/rack/mount/route_set.rb:139:in `call'
actionpack (3.0.9.rc1) lib/action_dispatch/routing/route_set.rb:493:in
`call'
actionpack (3.0.9.rc1) lib/action_dispatch/middleware/
best_standards_support.rb:17:in `call'
actionpack (3.0.9.rc1) lib/action_dispatch/middleware/head.rb:14:in
`call'
rack (1.2.3) lib/rack/methodoverride.rb:24:in `call'
actionpack (3.0.9.rc1) lib/action_dispatch/middleware/params_parser.rb:
21:in `call'
actionpack (3.0.9.rc1) lib/action_dispatch/middleware/flash.rb:182:in
`call'
actionpack (3.0.9.rc1) lib/action_dispatch/middleware/session/
abstract_store.rb:149:in `call'
actionpack (3.0.9.rc1) lib/action_dispatch/middleware/cookies.rb:
302:in `call'
actionpack (3.0.9.rc1) lib/action_dispatch/middleware/callbacks.rb:
46:in `block in call'
activesupport (3.0.9.rc1) lib/active_support/callbacks.rb:416:in
`_run_call_callbacks'
actionpack (3.0.9.rc1) lib/action_dispatch/middleware/callbacks.rb:
44:in `call'
rack (1.2.3) lib/rack/sendfile.rb:107:in `call'
actionpack (3.0.9.rc1) lib/action_dispatch/middleware/remote_ip.rb:
48:in `call'
actionpack (3.0.9.rc1) lib/action_dispatch/middleware/
show_exceptions.rb:47:in `call'
railties (3.0.9.rc1) lib/rails/rack/logger.rb:13:in `call'
rack (1.2.3) lib/rack/runtime.rb:17:in `call'
activesupport (3.0.9.rc1) lib/active_support/cache/strategy/
local_cache.rb:72:in `call'
rack (1.2.3) lib/rack/lock.rb:11:in `block in call'
<internal:prelude>:10:in `synchronize'
rack (1.2.3) lib/rack/lock.rb:11:in `call'
actionpack (3.0.9.rc1) lib/action_dispatch/middleware/static.rb:30:in
`call'
railties (3.0.9.rc1) lib/rails/application.rb:168:in `call'
railties (3.0.9.rc1) lib/rails/application.rb:77:in `method_missing'
railties (3.0.9.rc1) lib/rails/rack/log_tailer.rb:14:in `call'
rack (1.2.3) lib/rack/content_length.rb:13:in `call'
rack (1.2.3) lib/rack/handler/webrick.rb:52:in `service'
/home/ted/.rvm/rubies/ruby-1.9.2-p180/lib/ruby/1.9.1/webrick/
httpserver.rb:111:in `service'
/home/ted/.rvm/rubies/ruby-1.9.2-p180/lib/ruby/1.9.1/webrick/
httpserver.rb:70:in `run'
/home/ted/.rvm/rubies/ruby-1.9.2-p180/lib/ruby/1.9.1/webrick/server.rb:
183:in `block in start_thread'

Prem Sichanugrist

Jun 9, 2011, 8:42:05 PM
to rubyonra...@googlegroups.com
Challenge accepted!

https://github.com/rails/rails/blob/3-0-stable/actionpack/lib/action_view/template.rb#L198

ZOMG we can't find enough gsub!

---

Can you please open an issue in GitHub?

Ted Milker

Jun 10, 2011, 10:25:18 AM
to rubyonra...@googlegroups.com
Still broken in rails 3.0.9.rc3

https://github.com/rails/rails/issues/1633 - I hope I did this well enough.