diff --git a/CVE-2011-0446.patch b/CVE-2011-0446.patch
new file mode 100644
index 0000000..486c359
--- /dev/null
+++ b/CVE-2011-0446.patch
@@ -0,0 +1,57 @@
+From 349725b1759b110256b54b45080b6986b471080a Mon Sep 17 00:00:00 2001
+From: Michael Koziarski
+Date: Wed, 8 Dec 2010 13:46:37 +1300
+Subject: [PATCH 1/2] Be sure to javascript_escape the email address to prevent apostrophes inadvertently causing javascript errors.
+
+This fixes CVE-2011-0446
+---
+ actionpack/lib/action_view/helpers/url_helper.rb | 3 ++-
+ actionpack/test/template/url_helper_test.rb | 8 ++++----
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/actionpack/lib/action_view/helpers/url_helper.rb b/actionpack/lib/action_view/helpers/url_helper.rb
+index 74cb448..8654adb 100644
+--- a/actionpack/lib/action_view/helpers/url_helper.rb
++++ b/actionpack/lib/action_view/helpers/url_helper.rb
+@@ -473,7 +473,8 @@ module ActionView
+ email_address_obfuscated.gsub!(/\./, html_options.delete("replace_dot")) if html_options.has_key?("replace_dot")
+ 
+ if encode == "javascript"
+- "document.write('#{content_tag("a", name || email_address_obfuscated, html_options.merge({ "href" => "mailto:"+email_address+extras }))}');".each_byte do |c|
++ html = content_tag("a", name || email_address_obfuscated, html_options.merge({ "href" => "mailto:"+html_escape(email_address)+extras }))
++ "document.write('#{escape_javascript(html)}');".each_byte do |c|
+ string << sprintf("%%%x", c)
+ end
+ ""
+diff --git a/actionpack/test/template/url_helper_test.rb b/actionpack/test/template/url_helper_test.rb
+index 9d541fc..480624f 100644
+--- a/actionpack/test/template/url_helper_test.rb
++++ b/actionpack/test/template/url_helper_test.rb
+@@ -329,11 +329,11 @@ class UrlHelperTest < ActionView::TestCase
+ end
+ 
+ def test_mail_to_with_javascript
+- assert_dom_equal "", mail_to("me@domain.com", "My email", :encode => "javascript")
++ assert_dom_equal "", mail_to("me@domain.com", "My email", :encode => "javascript")
+ end
+ 
+ def test_mail_to_with_javascript_unicode
+- assert_dom_equal "", mail_to("unicode@example.com", "únicode", :encode => "javascript")
++ assert_dom_equal "", mail_to("unicode@example.com", "únicode", :encode => "javascript")
+ end
+ 
+ def test_mail_with_options
+@@ -357,8 +357,8 @@ class UrlHelperTest < ActionView::TestCase
+ assert_dom_equal "me(at)domain.com", mail_to("me@domain.com", nil, :encode => "hex", :replace_at => "(at)")
+ assert_dom_equal "My email", mail_to("me@domain.com", "My email", :encode => "hex", :replace_at => "(at)")
+ assert_dom_equal "me(at)domain(dot)com", mail_to("me@domain.com", nil, :encode => "hex", :replace_at => "(at)", :replace_dot => "(dot)")
+- assert_dom_equal "", mail_to("me@domain.com", "My email", :encode => "javascript", :replace_at => "(at)", :replace_dot => "(dot)")
+- assert_dom_equal "", mail_to("me@domain.com", nil, :encode => "javascript", :replace_at => "(at)", :replace_dot => "(dot)")
++ assert_dom_equal "", mail_to("me@domain.com", "My email", :encode => "javascript", :replace_at => "(at)", :replace_dot => "(dot)")
++ assert_dom_equal "", mail_to("me@domain.com", nil, :encode => "javascript", :replace_at => "(at)", :replace_dot => "(dot)")
+ end
+ 
+ def protect_against_forgery?
+--
+1.7.2
+
diff --git a/rubygem-actionpack.spec b/rubygem-actionpack.spec
index a5167da..25198ad 100644
--- a/rubygem-actionpack.spec
+++ b/rubygem-actionpack.spec
@@ -10,7 +10,7 @@ Summary: Web-flow and rendering framework putting the VC in MVC
 Name: rubygem-%{gemname}
 Epoch: 1
 Version: 2.3.5
-Release: 3%{?dist}
+Release: 4%{?dist}
 Group: Development/Languages
 License: MIT
 URL: http://www.rubyonrails.org
@@ -20,6 +20,8 @@ Patch0: rubygem-actionpack-2.3.4-enable-test.patch
 # Please someone fix the following Patch2!! (mtasaka)
 # Patch2: rubygem-actionpack-2.3.5-rack-compat.patch
+# http://groups.google.com/group/rubyonrails-security/browse_thread/thread/f02a48ede8315f81
+Patch3: CVE-2011-0446.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: rubygems
 Requires: rubygem(activesupport) = %{version}
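Review bot: In the inner `url_helper.rb` hunk, `html_escape(email_address)` covers only the address part of the new `href`, while `extras` (the cc/bcc/subject/body query string) is concatenated into the same attribute unescaped at this point; it is assembled above the hunk, so whether it is already attribute-safe cannot be confirmed from this view and should be checked against the 2.3.5 source before relying on the backport. The subject line reads `[PATCH 1/2]`, so a companion upstream patch exists that this commit does not carry; the spec comment would benefit from stating whether 2/2 is intentionally omitted for 2.3.5. The expected markup in every touched `assert_dom_equal` renders as an empty string `""` on this page, presumably lost to extraction, so the test side of the backport cannot be reviewed here. The enclosing `mail_to` method and the three test methods all start and end outside the inner hunks.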
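Review bot: The comment added above `Patch3:` cites only the mailing-list thread; the patch file itself carries the upstream commit id, and recording it in the spec makes the backport traceable without opening the patch: `# CVE-2011-0446 - upstream commit 349725b1759b110256b54b45080b6986b471080a (rubyonrails-security thread f02a48ede8315f81)`. The later `%patch3 -p2` strips `a/actionpack/` from the patch's paths relative to `pushd .%{geminstdir}`, which appears to be why it differs from the `-p0` used for `%patch0` and `%patch2`; a short trailing comment such as `# upstream paths are prefixed with actionpack/` would keep the next maintainer from "normalising" it.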
@@ -54,6 +56,7 @@ sed -i -e '/rack/s|~>|>=|' \
 pushd .%{geminstdir}
 %patch0 -p0
 %patch2 -p0
+%patch3 -p2
 # create missing symlink
 pushd test/fixtures/layout_tests/layouts/
@@ -124,6 +127,9 @@ rake test --trace
 %changelog
+* Thu Feb 24 2011 Vít Ondruch - 1:2.3.5-4
+- Fixed CVE-2011-0446
+
 * Wed Sep 15 2010 Mohammed Morsi - 1:2.3.5-3
 - additional rack compat fix (in patch2)
 - https://bugzilla.redhat.com/show_bug.cgi?id=617803