|
Rails 3.0.6, released today, contains an important security fix. If you can't upgrade there is also a security patch to fix the issue.
Rails versions 3.0.x prior to 3.0.6 contain an XSS vulnerability which manifests itself via the auto_link method such that this method automatically marks input strings as "html safe" even if the input is from an unknown origin. Users are therefore being urged to update to Rails 3.0.6 which can be downloaded from github. This upgrade will ensure that content passed to auto_link will be automatically escaped for you.
In the event that upgrading Rails 3 isn't something you want to do there is also a security patch that has the same effect.
If you don't want either to upgrade Rails or apply the patch then the advice from the Rails blog is to change calls to auto_link as follows:
<%= sanitize(auto_link(params[:content])) %>
If you trust the input, then this is the change to make:
<%= raw(auto_link(params[:content])) %>
A list of other important changes is available on the Rails blog.
Further reading:
Rails 3.0 Released
Faster Rails with 3.0.3
Redis Changes License, Rival Fork Launched
03/04/2024
The developers of Redis have announced that they are changing the licensing model for the database. From now on, all future versions of Redis will be released with source-available licenses rather tha [ ... ]
|
Actionforge Releases GitHub Actions VSCode Extension
09/04/2024
Actionforge has released the beta of its GitHub Actions tool as a VS Code extension. The extension consists of a suite of tools making up a visual node system for building and managing GitHub Actions [ ... ]
| | More News |
|
