Hi everybody! Rails 3.0.6 has been released!
Let's get the serious business out of the way first:
Rails 3.0.6 contains an important security fix! Please upgrade!
Rails versions 3.0.x prior to 3.0.6 contain an XSS vulnerability. The vulnerability manifests itself via the auto_link method. The auto_link method will automatically mark input strings as "html safe" even if the input is from an unknown origin. For example:
 <%= auto_link(params[:content]) %>

How can I protect myself?
- Upgrade to Rails 3.0.6; then content passed to auto_link will be automatically escaped for you.
- If you cannot upgrade Rails, then apply the patch found here. Then auto_link content will be escaped for you.
- If you cannot upgrade Rails, or apply the patch, then change your calls to auto_link to call sanitize like so:
 <%= sanitize(auto_link(params[:content])) %>
 If you trust the input, then change it to this:
 <%= raw(auto_link(params[:content])) %>
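To show the difference between those options in working code, here is an added example (not Rails' own code): SafeString, auto_link_unfixed, auto_link_fixed, sanitize and render are simplified stand-ins for ActiveSupport::SafeBuffer, the auto_link helper before and after the fix, the sanitize helper, and what <%= %> writes into the page.

```ruby
require 'erb'

# Stand-in for ActiveSupport::SafeBuffer: a String flagged "html safe"
# (assumed model for this example, not Rails code).
class SafeString < String
  def html_safe?
    true
  end
end

URL_RE = %r{https?://[^\s<]+}

# Models auto_link before 3.0.6: wraps URLs in anchors and marks the result
# html safe WITHOUT escaping the untrusted input, so markup passes through.
def auto_link_unfixed(text)
  SafeString.new(text.gsub(URL_RE) { |u| %(<a href="#{u}">#{u}</a>) })
end

# Models auto_link from 3.0.6 on: escape the input first, then add anchors.
def auto_link_fixed(text)
  escaped = ERB::Util.html_escape(text)
  SafeString.new(escaped.gsub(URL_RE) { |u| %(<a href="#{u}">#{u}</a>) })
end

# Simplified allowlist sanitizer standing in for the sanitize helper:
# keeps <a ...> anchors and drops every other tag (text content remains).
def sanitize(html)
  cleaned = html.gsub(%r{</?([A-Za-z][^\s>]*)[^>]*>}) do |tag|
    Regexp.last_match(1).downcase == 'a' ? tag : ''
  end
  SafeString.new(cleaned)
end

# Models what <%= value %> emits in a Rails 3 view: html-safe values are
# written verbatim, anything else is escaped.
def render(value)
  safe = value.respond_to?(:html_safe?) && value.html_safe?
  safe ? value.to_s : ERB::Util.html_escape(value.to_s)
end

# Constructed untrusted input standing in for params[:content].
INPUT = 'See http://example.com <script>alert(1)</script>'

if __FILE__ == $PROGRAM_NAME
  puts render(auto_link_unfixed(INPUT))           # raw <script> reaches the page
  puts render(auto_link_fixed(INPUT))             # script escaped, link kept
  puts render(sanitize(auto_link_unfixed(INPUT))) # workaround: script tag stripped
end
```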
Credits
Thanks go to Torben Schulz for reporting this issue!
 
1 comment:
I agreed with the ideas and version that can be provided in this post, and it's really wonderful for the use.
----------
Ruby on Rails Development | ROR Development