CHANGES

## 1.0

 * Better handling of assignments inside ifs
 * Check more expressions for SQL injection
 * Use latest ruby_parser for better 1.9 syntax support
 * Better behavior for Brakeman as a library

## 1.0.0rc1

 * Brakeman can now be used as a library
 * Faster call search
 * Add option to return error code if warnings are found (tw-ngreen)
 * Allow truncated messages to be expanded in HTML
 * Fix summary when using warning thresholds
 * Better support for Rails 3 routes
 * Reduce SQL injection duplicate warnings
 * Lower confidence on mass assignment with no user input
 * Ignore mass assignment using all literal arguments
 * Keep expanded context in view with HTML output
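Illustration of the mass-assignment heuristics in the entries above (user input in the arguments raises confidence, no visible user input lowers it, all-literal arguments are ignored) together with the related 0.9.0, 0.8.0 and 0.3.2 entries below (always warn on `without_protection => true`, check `Model.create()`): a toy scanner built on Ruby's standard-library Ripper. This is added example code, not Brakeman's own, which is built on ruby_parser and does real dataflow tracking. The sample controller, the lists of mass-assignment methods and user-input identifiers, and the confidence labels are assumptions made for the example.

```ruby
require "ripper"

# Toy re-implementation of the mass-assignment heuristics from this changelog.
# Added example code, not Brakeman's implementation: it only inspects the
# Ripper S-expression shape and has none of Brakeman's dataflow tracking.
module ToyMassAssignment
  # Methods that accept an attribute hash (assumed list for the example).
  MASS_ASSIGN_METHODS = %w[new create create! update update! update_attributes update_attributes!].freeze
  # Identifiers treated as user input (assumed list for the example).
  USER_INPUT = %w[params cookies].freeze
  # Node types whose presence means an argument is computed at runtime.
  DYNAMIC_NODES = %i[vcall fcall call command command_call method_add_arg aref string_embexpr dyna_symbol].freeze

  Finding = Struct.new(:line, :method_name, :message, :confidence)

  # Constructed sample controller, not taken from any real application.
  SAMPLE = <<~RUBY
    class UsersController < ApplicationController
      def create
        @user = User.create(params[:user])
        @admin = Admin.new(params[:admin], :without_protection => true)
        @log = AuditLog.create(:action => "signup", :ok => true)
        @pref = Preference.new(current_user.defaults)
      end
    end
  RUBY

  # Parse +source+ and return the findings in source order.
  def self.scan(source)
    sexp = Ripper.sexp(source) or raise ArgumentError, "source does not parse"
    findings = []
    walk(sexp) do |node|
      name, args = call_parts(node)
      next unless name
      line = first_line(node)
      if MASS_ASSIGN_METHODS.include?(name)
        if user_input?(args)
          findings << Finding.new(line, name, "mass assignment with user input", :high)
        elsif !literal_only?(args)
          findings << Finding.new(line, name, "mass assignment without visible user input", :weak)
        end
        # All-literal arguments (AuditLog.create in the sample) produce nothing.
      end
      if without_protection_true?(args)
        findings << Finding.new(line, name, "without_protection => true disables attribute protection", :medium)
      end
    end
    findings
  end

  # Depth-first traversal calling +blk+ with every Array node of the S-expression.
  def self.walk(node, &blk)
    return unless node.is_a?(Array)
    blk.call(node)
    node.each { |child| walk(child, &blk) }
  end

  # [method_name, args_node] for the three call shapes Ripper produces, else nil.
  def self.call_parts(node)
    case node[0]
    when :method_add_arg then [ident_name(node[1].last), node[2]] # recv.meth(args), meth(args)
    when :command_call   then [ident_name(node[3]), node[4]]      # recv.meth args
    when :command        then [ident_name(node[1]), node[2]]      # meth args
    end
  end

  def self.ident_name(tok)
    tok[1] if tok.is_a?(Array) && %i[@ident @const].include?(tok[0])
  end

  # Scanner tokens ([:@ident, "params", [line, col]] and friends) under a node.
  def self.tokens(node)
    out = []
    walk(node) { |n| out << n if n[0].is_a?(Symbol) && n[0].to_s.start_with?("@") }
    out
  end

  def self.first_line(node)
    tok = tokens(node).first
    tok && tok[2][0]
  end

  def self.user_input?(args)
    tokens(args).any? { |t| t[0] == :@ident && USER_INPUT.include?(t[1]) }
  end

  # True when nothing in the arguments is evaluated at runtime.
  def self.literal_only?(args)
    dynamic = false
    walk(args) do |n|
      next unless n[0].is_a?(Symbol)
      dynamic ||= DYNAMIC_NODES.include?(n[0])
      dynamic ||= n[0] == :var_ref && n[1][0] != :@kw # local, ivar or constant reference
    end
    !dynamic
  end

  # Matches both `:without_protection => true` and `without_protection: true`.
  def self.without_protection_true?(args)
    found = false
    walk(args) do |n|
      next unless n[0] == :assoc_new
      key, value = n[1], n[2]
      key_name = case key[0]
                 when :@label then key[1].delete_suffix(":")
                 when :symbol_literal then key[1][1][1]
                 end
      next unless key_name == "without_protection"
      found = true if value[0] == :var_ref && value[1][0] == :@kw && value[1][1] == "true"
    end
    found
  end

  def self.report(source)
    scan(source).map { |f| format("[%s] line %d: %s - %s", f.confidence, f.line, f.method_name, f.message) }
  end
end

puts ToyMassAssignment.report(ToyMassAssignment::SAMPLE) if __FILE__ == $PROGRAM_NAME
```

Run against the constructed sample it reports four findings: the two `params`-fed calls at high confidence, the `without_protection => true` call once more at medium, the `current_user.defaults` call at weak, and nothing for the all-literal `AuditLog.create`.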

## 0.9.2

 * Fix Rails 3 configuration parsing
 * Add t() helper to check for translate XSS bug

## 0.9.1

 * Add warning for translator helper XSS vulnerability

## 0.9.0

 * Process Rails 3 configuration files
 * Fix CSV output
 * Check for config.active_record.whitelist_attributes = true
 * Always produce a warning for without_protection => true

## 0.8.4

 * Option for separate attr_accessible warnings
 * Option to set CSS file for HTML output
 * Add file names for version-specific warnings
 * Add line number for default routes in a controller
 * Fix hash_insert()
 * Remove use of Queue from threaded checks

## 0.8.3

 * Respect -w flag in .tabs format (tw-ngreen)
 * Escape HTML output of error messages
 * Add --skip-libs option

## 0.8.2

 * Run checks in parallel threads by default
 * Fix compatibility with ruby_parser 2.3.1

## 0.8.1

 * Add option to assume all controller methods are actions
 * Recover from errors when parsing routes

## 0.8.0

 * Add check for mass assignment using without_protection
 * Add check for password in http_basic_authenticate_with
 * Warn on user input in hash argument with mass assignment
 * auto_link is now considered safe for Rails >= 3.0.6
 * Output detected Rails version in report
 * Keep track of methods called in class definition
 * Add ruby_parser hack for Ruby 1.9 hash syntax
 * Add a few Rails 3.1 tests

## 0.7.2

 * Fix handling of params and cookies with nested access
 * Add CVEs for checks added in 0.7.0

## 0.7.1

 * Require BaseProcessor for GemProcessor

## 0.7.0

 * Allow local variable as a class name
 * Add checks for vulnerabilities fixed in Rails 2.3.14 and 3.0.10
 * Check for default routes in Rails 3 apps
 * Look in Gemfile or Gemfile.lock for Rails version

## 0.6.1

 * Fix XSS check for cookies as parameters in output
 * Don't bother calling super in CheckSessionSettings
 * Add escape_once as a safe method
 * Accept '\Z' or '\z' in model validations

## 0.6.0

 * Tests are in place and fully functional
 * Hide errors by default in HTML output
 * Warn if routes.rb cannot be found
 * Narrow methods assumed to be file access
 * Increase confidence for methods known to not escape output
 * Fixes to output processing for Erubis
 * Fixes for Rails 3 XSS checks
 * Fixes to line numbers with Erubis
 * Fixes to escaped output scanning
 * Update CSRF CVE-2011-0447 message to be less assertive

## 0.5.2

 * Output report file name when finished
 * Add initial tests for Rails 2.x
 * Fix ERB line numbers when using Ruby 1.9

## 0.5.1

 * Fix issue with 'has_one' => in routes

## 0.5.0

  * Add support for routes like get 'x/y', :to => 'ctrlr#whatever'
  * Allow empty blocks in Rails 3 routes
  * Check initializer for session settings
  * Add line numbers to session setting warnings
  * Add --checks option to list checks

## 0.4.1

  * Fix reported line numbers when using new Erubis parser
    (Mostly affects Rails 3 apps)

## 0.4.0

  * Handle Rails XSS protection properly
  * More detection options for rails_xss
  * Add --escape-html option

## 0.3.2

  * Autodetect Rails 3 applications
  * Turn on auto-escaping for Rails 3 apps
  * Check Model.create() for mass assignment

## 0.3.1

  * Always output a line number in tabbed output format
  * Restrict characters in category name in tabbed output format to
    word characters and spaces, for Hudson/Jenkins plugin

## 0.3.0

  * Check for SQL injection in calls using constantize()
  * Check for SQL injection in calls to count_by_sql()

## 0.2.2

  * Fix version_between? when no Rails version is specified

## 0.2.1

  * Add code snippet to tab output messages

## 0.2.0

  * Add check for mail_to vulnerability - CVE-2011-0446
  * Add check for CSRF weakness - CVE-2011-0447

## 0.1.1

  * Be more permissive with ActiveSupport version

## 0.1.0

  * Check link_to for XSS (because arguments are not escaped)
  * Process layouts better (although not perfectly yet)
  * Load custom Haml filters if they are in lib/
  * Tab separated output via .tabs output extension
  * Switch to normal versioning scheme