[ANN] Rails 3.2.8 has been released!

Good news everyone! Rails version 3.2.8 has been released.

IMPORTANT

This version contains three important security fixes, please upgrade
immediately.

• CVE-2012-3463 Ruby on Rails Potential XSS Vulnerability in
  select_tag
  prompt
• CVE-2012-3464 Potential XSS Vulnerability in Ruby on
  Rails
• CVE-2012-3465 XSS Vulnerability in
  strip_tags

One of security fixes impacts all users and is related to HTML
escaping code. The other two fixes impacts people using select_tag’s
prompt option and strip_tags helper from ActionPack.

We are also removing all the deprecation warnings that we introduced in
3.2.x.
We have decided to stop introducing API deprecations in all point
releases going forward. From now on, it’ll only happen in
majors/minors.

CHANGES since 3.2.7

ActionMailer

• No changes

ActionPack

• html_escape should escape single quotes. Santiago Pastorino

• Reverted the deprecation of :confirm. Rafael Mendona Frana

• Reverted the deprecation of :disable_with. Rafael Mendona Frana

• Reverted the deprecation of :mouseover option to image_tag.
  Rafael Mendona Frana

• Reverted the deprecation of button_to_function and
  link_to_function helpers. Rafael Mendona Frana

ActiveModel

• No changes

ActiveRecord

• Do not set RAILS_ENV to “development” when using db:test:prepare
  and related rake tasks.
  This was causing the truncation of the development database data
  when using RSpec.
  In RC2 was fixed again when using config.active_record.schema_format
  = :sql
  Rafael Mendona Frana

• Do not consider the numeric attribute as changed if the old value
  is zero and the new value is not a string. Fixes #7237. Rafael
  Mendona Frana

• Removes the deprecation of update_attribute. fxn

• Reverted the deprecation of composed_of. Rafael Mendona Frana

• Reverted the deprecation of *_sql association options. They will
  be deprecated in 4.0 instead. Jon L.

• Do not eager load AR session store. ActiveRecord::SessionStore
  depends on the abstract store
  in Action Pack. Eager loading this class would break client code
  that eager loads Active Record
  standalone.
  Fixes #7160

  Xavier N.

• Do not set RAILS_ENV to “development” when using db:test:prepare
  and related rake tasks.
  This was causing the truncation of the development database data
  when using RSpec.
  Fixes #7175.

  Rafael Mendona Frana

ActiveResource

• No changes

ActiveSupport

• Fix ActiveSupport integration with Mocha > 0.12.1. Mike G.

• Reverted the deprecation of ActiveSupport::JSON::Variable. Rafael
  Mendona Frana

Railties

• ERB scaffold generator use the :data => { :confirm => "Text" }
  syntax instead of :confirm. Rafael Mendona Frana

SHA-1

• 20525face84f3cdc8b0fc039e0f75ec4963e3677 actionmailer-3.2.8.gem
• ccc63cc2fcb3131b92d45cf5834aa629857d7258 actionpack-3.2.8.gem
• df7fb9febe248201fd1ad741a2044324f4c90cc9 activemodel-3.2.8.gem
• 96e876f625b98915d2b1994c06ea057bf7dd23b8 activerecord-3.2.8.gem
• 195e1e4653e6e06f469ea20e181727ef9d940ee7 activeresource-3.2.8.gem
• e5136f556b62343425cc147a8990bd043430354d activesupport-3.2.8.gem
• 35581ffc256d73d217537170b0e116cf4545752e rails-3.2.8.gem
• e44accc5d057866087856a521398250fe082b70b railties-3.2.8.gem

You can find an exhaustive list of changes on
github.

Thanks to everyone!

–

Santiago Pastorino
WyeWorks Co-founder

Twitter: http://twitter.com/spastorino
Github: spastorino (Santiago Pastorino) · GitHub

Hi!

In 3.2.7 this code was possible if ‘auto_models_for_select’ is nil :
<%= select_tag :model, auto_models_for_select, :include_blank => true,
:disabled => auto_models_for_select.nil? %>

In 3.2.8 this should be :
<%= select_tag :model, auto_models_for_select || ‘’, :include_blank =>
true, :disabled => auto_models_for_select.nil? %>

If second parameter is nil it raise an exception.

Please, return back that it was possible to transfer nil of second
parameter - options.