In association with heise online

18 November 2011, 10:29

Rails updates close XSS hole - Update

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Ruby on Rails logo The Ruby on Rails open source web framework has been updated to close a security hole in the translate helper method. According to the developers, a cross-site scripting (XSS) vulnerability in the helper method for i18n translations could be exploited by an attacker to insert arbitrary code into a page. Rails 3.0.0 and later, as well as 2.3.x in combination with the rails_xss plug-in, are affected. Upgrading to 3.0.11 or 3.1.2 corrects the issue; the updates also address several non-security-related bugs.

Further information about the updates, including a full list of bug fixes, can be found in the 3.0.11 and 3.1.2 change logs. Users can install the new versions using gem install rails or update with gem update rails. Patches for existing versions are also available. Hosted on GitHub, Rails source code is released under the MIT licence.

Update – Rails 3.1.3 has been released by the developers after the discovery of a number of regressions in Rails 3.1.2.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit