Try Engine Yard for your Rails app
START A FREE TRIALFree Download
"Top 10 Advantages of Platform-as-a-Service"
Should you DIY your app deployment & maintenance or hand it off?
Subscribe to the Engine Yard blog for expert Rails tips!
Cross Site Scripting (XSS) Vulnerability In Rails 2.x on Ruby 1.8.x
A cross site scripting vulnerability in Rails was publicly reported yesterday that affects everyone running Rails 2.x on versions of Ruby before 1.9. The vulnerability occurs in the escaping code for form helpers in Ruby on Rails. Attackers who can inject deliberately malformed Unicode strings into the form helpers can defeat the escaping checks and inject arbitrary HTML.
A fix for this problem has been incorporated in a new release (Rails 2.3.4), and patches are now available for all minor versions of Rails 2.x (2.0, 2.1, 2.2 and 2.3).
Please read the full posting on the Rails Security Group for more details. For more information on the process for how Rails vulnerabilities are handled, read the Rails security process document.
(Engine Yard customers are being contacted via email about this vulnerability with instructions on how to obtain the upgrade.)
Share your thoughts with @engineyard on Twitter