Rails updates close XSS hole - Update
The Ruby on Rails open source web framework has been updated to close a security hole in the translate helper method. According to the developers, a cross-site scripting (XSS) vulnerability in the helper method for i18n translations could be exploited by an attacker to insert arbitrary code into a page. Rails 3.0.0 and later, as well as 2.3.x in combination with the rails_xss plug-in, are affected. Upgrading to 3.0.11 or 3.1.2 corrects the issue; the updates also address several non-security-related bugs.
Further information about the updates, including a full list of bug fixes, can be found in the 3.0.11 and 3.1.2 change logs. Users can install the new versions using gem install rails or update with gem update rails. Patches for existing versions are also available. Hosted on GitHub, Rails source code is released under the MIT licence.
Update – Rails 3.1.3 has been released by the developers after the discovery of a number of regressions in Rails 3.1.2.
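To check whether an application is still locked to an affected release, the version ranges given above can be applied to its Gemfile.lock. The following Ruby script is an added example, not code from the Rails project; the helper names and the sample lockfile are constructed, and it assumes that releases after 3.1.2 carry the fix and that the caller states whether the rails_xss plug-in is in use.

```ruby
require "rubygems"

# Version facts from the article: 3.0.0 and later are affected, 3.0.11 and
# 3.1.2 carry the fix, 2.3.x is affected only together with rails_xss.
FIXED_3_0 = Gem::Version.new("3.0.11")
FIXED_3_1 = Gem::Version.new("3.1.2")

# Classify one Rails version string (hypothetical helper, not a Rails API).
def translate_xss_status(version, rails_xss: false)
  v = Gem::Version.new(version)
  series = v.release.segments.first(2) # e.g. [3, 1]; pre-release tag dropped
  if v < Gem::Version.new("3.0.0")
    return (series == [2, 3] && rails_xss) ? :affected : :not_listed
  end
  # Assumption: anything newer than the 3.0 series needs at least 3.1.2.
  floor = series == [3, 0] ? FIXED_3_0 : FIXED_3_1
  v >= floor ? :fixed : :affected
end

# Pull the locked rails version out of Gemfile.lock text (nil if absent).
# Resolved gems sit under "specs:" with exactly four spaces of indentation.
def locked_rails_version(lockfile_text)
  lockfile_text[/^ {4}rails \(([^)]+)\)$/, 1]
end

# Returns [version, status] for the lockfile contents passed in.
def audit_lockfile(lockfile_text, rails_xss: false)
  version = locked_rails_version(lockfile_text)
  return [nil, :rails_not_found] unless version
  [version, translate_xss_status(version, rails_xss: rails_xss)]
end

# Constructed sample lockfile, trimmed to the lines that matter here.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: http://rubygems.org/
    specs:
      actionpack (3.1.1)
      rails (3.1.1)
        actionpack (= 3.1.1)

  DEPENDENCIES
    rails (= 3.1.1)
LOCK

if __FILE__ == $0
  text = File.exist?("Gemfile.lock") ? File.read("Gemfile.lock") : SAMPLE_LOCK
  version, status = audit_lockfile(text)
  puts "rails #{version || '(none)'}: #{status}"
end
```

Run from the application root, it reads the real Gemfile.lock; anywhere else it falls back to the constructed sample.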
See also:
- XSS vulnerability in the translate helper method in Ruby on Rails, Ruby on Rails security advisory.
- New features of Rails 3.1, a feature from The H.
(crve)