Two new Rails vulnerabilities were reported today:

* Manual options are not escaped in select(): http://groups.google.com/group/rubyonrails-security/browse_thread/thread/9da0c515a6c4664
* Some operations on SafeBuffer mistakenly return strings marked as html_safe: http://groups.google.com/group/rubyonrails-security/browse_thread/thread/edd28f1e3d04e913

This release checks for these issues, amongst other changes.

Changes since 1.4.0:

* Add version check for SafeBuffer vulnerability
* Add check for select vulnerability in Rails 3
* select() is no longer considered safe in Rails 2
* Add check for skipping CSRF protection with a blacklist
* Add JSON report format
* Model#id should not be considered XSS
* Standardize methods to check for SQL injection
* Fix Rails 2 route parsing issue with nested routes

It is VERY likely some of these changes will introduce new warnings or disregard previous warnings (hopefully only false positives).

For more information: http://brakemanscanner.org/blog/2012/03/01/brakeman-1-dot-5-0-released/
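As an added example (not part of this announcement and not Brakeman's own code), here is a small Ruby scan for the CSRF-blacklist pattern named in the change list. With `skip_before_filter :verify_authenticity_token, :except => [...]`, the list names the actions that keep CSRF protection, so every action added to the controller later is unprotected by default; the `:only => [...]` form names the actions that lose protection and is the safer shape. The function names and the two sample controllers are constructed for this example.

```ruby
# Added example, not Brakeman's own code: a minimal line-based scan for the
# CSRF-blacklist pattern that Brakeman 1.5.0 added a check for.
#
# `skip_before_filter :verify_authenticity_token, :except => [...]` turns CSRF
# protection off for every action NOT in the list, so any action added to the
# controller later is unprotected by default. The `:only => [...]` form turns
# it off just for the actions named, which is the safer shape.

CSRF_SKIP = /\bskip_before_filter\s+:verify_authenticity_token\b(?<opts>.*)$/

# Classify a single line of controller source. Returns nil when the line does
# not skip the CSRF filter, otherwise a symbol naming how it does so.
def classify_csrf_skip(line)
  m = CSRF_SKIP.match(line)
  return nil unless m
  opts = m[:opts]
  if opts =~ /:except\s*=>|\bexcept:/
    :blacklist    # off for all actions except those listed
  elsif opts =~ /:only\s*=>|\bonly:/
    :whitelist    # off only for the listed actions
  else
    :all_actions  # off for the whole controller
  end
end

# Scan a controller's source text and return { line_number => kind } for the
# lines worth a warning. The whitelist form is not reported; reporting the
# unconditional form as well is a choice made in this example.
def scan_controller(source)
  warnings = {}
  source.each_line.with_index(1) do |line, lineno|
    kind = classify_csrf_skip(line)
    next if kind.nil? || kind == :whitelist
    warnings[lineno] = kind
  end
  warnings
end

# Constructed sample controllers (hypothetical; not from any real application).
BLACKLIST_CONTROLLER = <<~RUBY
  class PaymentsController < ApplicationController
    skip_before_filter :verify_authenticity_token, :except => [:index, :show]

    def webhook; end   # unprotected, as intended
    def refund; end    # also unprotected: added later and not in the list
  end
RUBY

WHITELIST_CONTROLLER = <<~RUBY
  class PaymentsController < ApplicationController
    skip_before_filter :verify_authenticity_token, :only => [:webhook]

    def webhook; end   # unprotected, as intended
    def refund; end    # still protected
  end
RUBY

if __FILE__ == $0
  { "blacklist" => BLACKLIST_CONTROLLER, "whitelist" => WHITELIST_CONTROLLER }.each do |name, src|
    puts "#{name}: #{scan_controller(src).inspect}"
  end
end
```

Running the file reports line 2 of the blacklist controller and nothing for the whitelist one. A regex over source lines is enough to show the idea; Brakeman itself works on a parsed AST, which is what lets it handle the same call split across lines or built from variables.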