diff -ur actionpack/lib/action_controller/base.rb /usr/lib/ruby/site_ruby/1.8/action_controller/base.rb
--- actionpack/lib/action_controller/base.rb	Mon Oct 25 11:13:24 2004
+++ /usr/lib/ruby/site_ruby/1.8/action_controller/base.rb	Sun Nov  7 06:49:22 2004
@@ -326,7 +326,7 @@
 
       # Returns the name of the action this controller is processing.
       def action_name
-        @params["action"] || "index"
+        @params["action"].untaint || "index"
       end
 
     protected
diff -ur actionpack/lib/action_controller/templates/rescues/diagnostics.rhtml /usr/lib/ruby/site_ruby/1.8/action_controller/templates/rescues/diagnostics.rhtml
--- actionpack/lib/action_controller/templates/rescues/diagnostics.rhtml	Mon Sep  6 01:21:16 2004
+++ /usr/lib/ruby/site_ruby/1.8/action_controller/templates/rescues/diagnostics.rhtml	Sun Nov  7 06:08:27 2004
@@ -8,7 +8,7 @@
 
 <h1>
   <%=h @exception.class.to_s %> in
-  <%=h @request.parameters["controller"].capitalize %>#<%=h @request.parameters["action"] %>
+  <%=h @controller.controller_name.capitalize %>#<%=h @request.parameters["action"] %>
 </h1>
 <p><%=h @exception.message %></p>
 
diff -ur actionpack/lib/action_controller/templates/rescues/template_error.rhtml /usr/lib/ruby/site_ruby/1.8/action_controller/templates/rescues/template_error.rhtml
--- actionpack/lib/action_controller/templates/rescues/template_error.rhtml	Sun Nov  7 03:13:26 2004
+++ /usr/lib/ruby/site_ruby/1.8/action_controller/templates/rescues/template_error.rhtml	Sun Nov  7 06:08:36 2004
@@ -8,7 +8,7 @@
 
 <h1>
   <%=h @exception.original_exception.class.to_s %> in
-  <%=h @request.parameters["controller"].capitalize %>#<%=h @request.parameters["action"] %>
+  <%=h @controller.controller_name.capitalize %>#<%=h @request.parameters["action"] %>
 </h1>
 
 <p>
diff -ur actionpack/lib/action_view/base.rb /usr/lib/ruby/site_ruby/1.8/action_view/base.rb
--- actionpack/lib/action_view/base.rb	Mon Oct 25 11:13:24 2004
+++ /usr/lib/ruby/site_ruby/1.8/action_view/base.rb	Sun Nov  7 06:09:56 2004
@@ -240,12 +240,12 @@
       end
 
       def rhtml_render(template, binding)
-        @@compiled_erb_templates[template] ||= ERB.new(template)
+        @@compiled_erb_templates[template] ||= ERB.new(template.untaint)
         @@compiled_erb_templates[template].result(binding)
       end
 
       def rxml_render(template, binding)
-        eval(template, binding)
+        eval(template.untaint, binding)
       end
   end
 end