0.6.1

• Fix XSS check for cookies as parameters in output
• Don't bother calling super in CheckSessionSettings
• Add escape_once as a safe method
• Accept '\Z' or '\z' in model validations

0.6.0

• Tests are in place and fully functional
• Hide errors by default in HTML output
• Warn if routes.rb cannot be found
• Narrow methods assumed to be file access
• Increase confidence for methods known to not escape output
• Fixes to output processing for Erubis
• Fixes for Rails 3 XSS checks
• Fixes to line numbers with Erubis
• Fixes to escaped output scanning
• Update CSRF CVE-2011-0447 message to be less assertive

0.5.2

• Output report file name when finished
• Add initial tests for Rails 2.x
• Fix ERB line numbers when using Ruby 1.9

0.5.1

Fix issue with 'has_one' => in routes

0.5.0

• Add support for routes like get 'x/y', :to => 'ctrlr#whatever'
• Allow empty blocks in Rails 3 routes
• Check initializer for session settings
• Add line numbers to session setting warnings
• Add --checks option to list checks

0.4.1

Fix reported line numbers when using new Erubis parser (mostly affects Rails 3 apps).

0.4.0

• Handle Rails XSS protection properly
• More detection options for rails_xss
• Add --escape-html option

0.3.2

• Autodetect Rails 3 applications
• Turn on auto-escaping for Rails 3 apps
• Check Model.create() for mass assignment

0.3.1

• Always output a line number in tabbed output format
• Restrict characters in category name in tabbed output format to word characters and spaces, for Hudson/Jenkins plugin

0.2.2

• Fix version_between? when no Rails version is specified