Security announcement about potential XSS problem with mail_to :encode => :javascript.

Full details here

Versions affected 2.x.x and 3.0.x