A cross-site scripting vulnerability in Rails was publicly reported yesterday that affects everyone running Rails 2.x on versions of Ruby before 1.9. The vulnerability occurs in the escaping code for form helpers in Ruby on Rails. Attackers who can inject deliberately malformed Unicode strings into the form helpers can defeat the escaping checks and inject arbitrary HTML.
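To show the defensive principle behind the fix, here is an added example (not Rails code and not the upstream patch) of a form-helper-style escaper that validates the string's UTF-8 encoding before escaping, so a malformed byte sequence is neutralised rather than passed through the escaping regex intact. It assumes Ruby 1.9+ String encoding APIs (`valid_encoding?`, `scrub`); the sample inputs are constructed.

```ruby
# Added example, not Rails code: fail-closed HTML escaping for attribute
# values. Ruby 1.8 escaped raw bytes with no notion of a well-formed string;
# here malformed UTF-8 is detected and replaced before any escaping happens.

HTML_ESCAPE = { "&" => "&amp;", "<" => "&lt;", ">" => "&gt;",
                '"' => "&quot;", "'" => "&#39;" }.freeze

# True when the bytes form valid UTF-8 (assumes Ruby 1.9+ encoding API).
def well_formed_utf8?(str)
  str.dup.force_encoding(Encoding::UTF_8).valid_encoding?
end

# Escape HTML metacharacters. Invalid byte sequences are replaced with
# U+FFFD first; gsub on an invalid-encoding string would otherwise raise,
# and emitting the raw bytes would hand the browser undefined input.
def safe_html_escape(str)
  s = str.to_s.dup.force_encoding(Encoding::UTF_8)
  s = s.scrub("\uFFFD") unless s.valid_encoding?
  s.gsub(/[&<>"']/, HTML_ESCAPE)
end

# Hypothetical form-helper attribute builder using the escaper above.
def tag_option(name, value)
  %(#{name}="#{safe_html_escape(value)}")
end

# Defender-side post-check: escaped output must contain no raw quote or
# angle bracket, and every ampersand must start one of our entities.
def escaping_intact?(escaped)
  escaped.valid_encoding? &&
    escaped !~ /[<>"']/ &&
    escaped !~ /&(?!amp;|lt;|gt;|quot;|#39;)/
end
```

Logging the cases where `well_formed_utf8?` returns false for a form parameter is a cheap detection signal, since legitimate browsers rarely submit malformed UTF-8.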
A fix for this problem has been incorporated in a new release (Rails 2.3.4), and patches are now available for all minor versions of Rails 2.x (2.0, 2.1, 2.2 and 2.3).
(Engine Yard customers are being contacted via email about this vulnerability with instructions on how to obtain the upgrade.)