OVAL

RHSA-2016:1855-01 -- Redhat rh-ror42-rubygem-actionpack, rh-ror42-rubygem-actionview, rh-ror42-rubygem-activerecord

ID: oval:org.secpod.oval:def:504870
Date: (C) 2021-02-03 (M) 2022-10-10
Class: PATCH
Family: unix
Ruby on Rails is a model-view-controller framework for web application development. Action View implements the view component, and Active Record implements the model component.

Security Fix in rubygem-actionview:

* It was discovered that Action View tag helpers did not escape quotes when using strings declared as HTML safe as attribute values. A remote attacker could use this flaw to conduct a cross-site scripting attack.

Security Fix in rubygem-activerecord:

* A flaw was found in the way Active Record handled certain special values in dynamic finders and relations. If a Ruby on Rails application performed JSON parameter parsing, a remote attacker could possibly manipulate search conditions in SQL queries generated by the application.

Red Hat would like to thank the Ruby on Rails project for reporting these issues. Upstream acknowledges Andrew Carpenter as the original reporter of CVE-2016-6316, and joernchen as the original reporter of CVE-2016-6317.
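The Action View issue above comes down to attribute context: a string an application has marked as HTML safe may still contain a double quote, and a tag helper that skips escaping for such strings lets that quote terminate the attribute. The following is an added illustration in plain Ruby, not code from Rails or from the advisory; `SafeBuffer`, `tag_attr_unsafe`, `tag_attr_hardened` and `attribute_broken?` are constructed names, and the sample value is constructed. It places the unsafe pattern beside the hardened one, which always escapes quotes inside attribute values regardless of the safe marker.

```ruby
require 'cgi'

# Constructed stand-in for a string the application has declared trusted
# markup (the idea behind an html_safe string). Not the Rails class.
class SafeBuffer < String
  def html_safe?
    true
  end
end

def marked_safe?(value)
  value.respond_to?(:html_safe?) && value.html_safe?
end

# Unsafe pattern: trusts the safe marker and emits the value verbatim,
# so a double quote inside the value closes the attribute early.
def tag_attr_unsafe(name, value)
  escaped = marked_safe?(value) ? value.to_s : CGI.escapeHTML(value.to_s)
  %(#{name}="#{escaped}")
end

# Hardened pattern: a safe marker only says the value may contain markup;
# inside an attribute the quote character must still be escaped.
def tag_attr_hardened(name, value)
  escaped = if marked_safe?(value)
              value.to_s.gsub('"', '&quot;')
            else
              CGI.escapeHTML(value.to_s)
            end
  %(#{name}="#{escaped}")
end

# Defensive check: does the rendered attribute still contain a raw quote
# between its delimiters? If so, the value escaped the attribute context.
def attribute_broken?(attr_markup)
  inner = attr_markup[/="(.*)"\z/m, 1]
  !inner.nil? && inner.include?('"')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a "safe" string that happens to contain a quote.
  value = SafeBuffer.new('x" data-x="y')
  puts tag_attr_unsafe('title', value)    # attribute boundary is broken
  puts tag_attr_hardened('title', value)  # quote is rendered as &quot;
end
```

The check in `attribute_broken?` is the kind of assertion a template test suite can run over rendered output to catch helpers that honour a safe marker in attribute context.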

Platform:
Red Hat Enterprise Linux 7
Product:
rh-ror42-rubygem-actionpack
rh-ror42-rubygem-actionview
rh-ror42-rubygem-activerecord
Reference:
RHSA-2016:1855-01
CVE-2016-6316
CVE-2016-6317
CVE (2)
CVE-2016-6316
CVE-2016-6317
CPE (4)
cpe:/a:redhat:rh-ror42-rubygem-actionview
cpe:/o:redhat:enterprise_linux:7
cpe:/a:redhat:rh-ror42-rubygem-activerecord
cpe:/a:redhat:rh-ror42-rubygem-actionpack
...

© SecPod Technologies