Cross Site Scripting (XSS) Vulnerability In Rails 2.x on Ruby 1.8.x

A cross site scripting vulnerability in Rails was publicly reported yesterday that affects everyone running Rails 2.x on versions of Ruby before 1.9. The vulnerability occurs in the escaping code for form helpers in Ruby on Rails. Attackers who can inject deliberately malformed Unicode strings into the form helpers can defeat the escaping checks and inject arbitrary HTML.
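The defensive pattern that closes this class of bug is to make escaping operate on well-formed input, either by normalizing the string to valid UTF-8 first or by matching on raw bytes so a stray lead byte cannot swallow a following `<`. The block below is an added illustration written for this post, not the Rails patch or Rails' own `html_escape`; the function names and the constructed malformed input are assumptions.

```ruby
# Added example (not Rails' own code). Two ways to escape HTML so that a
# malformed multibyte sequence cannot hide the metacharacter after it.
HTML_ESCAPE = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;' }.freeze

# Approach 1: normalize first. Invalid byte sequences are replaced with
# U+FFFD, so every '&', '<', '>' and '"' is seen as its own character.
def safe_html_escape(str)
  s = str.dup.force_encoding(Encoding::UTF_8)
  s = s.scrub("\uFFFD") unless s.valid_encoding?
  s.gsub(/[&<>"]/) { |c| HTML_ESCAPE[c] }
end

# Approach 2: match on bytes. The regexp runs in binary mode, so no
# multibyte interpretation can absorb an ASCII metacharacter; the original
# (possibly invalid) bytes are otherwise passed through unchanged.
def byte_level_html_escape(str)
  raw = str.dup.force_encoding(Encoding::BINARY)
  raw.gsub(/[&<>"]/n) { |c| HTML_ESCAPE[c] }.force_encoding(str.encoding)
end

# Defender-side check: after escaping, no raw HTML metacharacter survives.
def escaped_output_is_clean?(escaped)
  escaped.b !~ /[<>"]/n
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a lone UTF-8 lead byte (0xE2) directly before '<'.
  malformed = "\xE2<script>alert(1)</script>"
  puts safe_html_escape(malformed)
  puts byte_level_html_escape(malformed).b.inspect
end
```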

A fix for this problem has been incorporated in a new release (Rails 2.3.4), and patches are now available for all minor versions of Rails 2.x (2.0, 2.1, 2.2 and 2.3).

Please read the full posting on the Rails Security Group for more details. For more information on the process for how Rails vulnerabilities are handled, read the Rails security process document.

(Engine Yard customers are being contacted via email about this vulnerability with instructions on how to obtain the upgrade.)