Hello everyone and happy Monday!

Rails 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, and 3.2.22.1 have been released! These contain the following important security fixes, and it is recommended that users upgrade as soon as possible:

For ease of upgrading, these Rails releases only contain patches pertaining to the security fixes. The released versions can be found in the usual locations, and you can find a list of changes on GitHub:

rails-html-sanitizer version 1.0.3 has been released, and it contains the following important security fixes:

In Rails 4.2, the HTML sanitizer was inadvertently made much more permissive than in 4.1.

In order to maintain our “secure by default” policy, rectifying this has forced us to make a backwards-incompatible change to the sanitizer.

If you use the sanitizer in 4.2, you will need to verify that the more restrictive filter still permits all the tags you need to allow. If it doesn’t, you can add additional tags to the whitelist.
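One way to run that check before upgrading is to inventory the tags your stored content actually uses and compare them with the allowlist. The script below is an added example, not code from Rails or rails-html-sanitizer; the allowlist and sample fragments are constructed, and the regex scan is a rough inventory rather than a full HTML parser.

```ruby
require "set"

# Constructed allowlist for the demo. In a real app, pass the sanitizer's
# own list instead, e.g. Rails::Html::WhiteListSanitizer.allowed_tags.
DEMO_ALLOWED_TAGS = Set.new(%w[a b br em i li ol p strong ul])

# Constructed sample of stored user content (hypothetical rows).
SAMPLE_FRAGMENTS = [
  "<p>Hello <strong>world</strong></p>",
  "<TABLE><tr><td>1</td></tr></TABLE>",
  "<p>Chart: <svg width='10'><circle r='4'/></svg></p>",
  "<!-- <video> inside a comment is not a tag --><ul><li>x</li></ul>"
].freeze

# Returns the lowercase names of every element opened in +html+.
# Comments are dropped first so commented-out markup is not counted.
def tag_names(html)
  html.gsub(/<!--.*?-->/m, "").scan(/<([a-zA-Z][a-zA-Z0-9]*)/).flatten.map(&:downcase)
end

# Counts how often each tag outside +allowed+ appears across +fragments+.
# Returns a Hash of tag => count, sorted by tag name.
def tags_outside_allowlist(fragments, allowed)
  allowed = allowed.map { |t| t.to_s.downcase }.to_set
  counts = Hash.new(0)
  fragments.each do |html|
    tag_names(html).each { |tag| counts[tag] += 1 unless allowed.include?(tag) }
  end
  counts.sort.to_h
end

if __FILE__ == $PROGRAM_NAME
  tags_outside_allowlist(SAMPLE_FRAGMENTS, DEMO_ALLOWED_TAGS).each do |tag, n|
    puts "#{tag}: #{n} occurrence(s) not on the allowlist"
  end
end
```

Tags it reports that you do need can then be allowed per call with `sanitize(html, tags: [...])` or application-wide through `config.action_view.sanitized_allowed_tags`.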

We’ve done our best to minimize any impact to your applications, but if you run into any issues, please file a ticket and we’ll do our best to help!

Again, as always, if you run into any bugs, please file them on the Rails issue tracker, which is located here. If you run into security issues, please follow the reporting process, which can be found here.

Please have a happy Monday! <3<3<3

P.S.

Here are checksums for the released gems: