October 1, 2016

Ruby on Rails Updated to Fix XSS Vulnerability

(LiveHacking.Com) – The open source web framework Ruby on Rails has been updated to fix a cross-site scripting vulnerability in the translate helper method.

The vulnerability, which could allow an attacker to insert arbitrary code into a page, affects versions 3.0.0 and later as well as version 2.3.X in combination with the rails_xss plugin. It has been fixed in version 3.0.11 and version 3.1.2.

The bug in the translate helper method meant that when using interpolation in combination with HTML-safe translations, the interpolated input would not get HTML escaped.

The release notes give the following example. Before the fix:

translate('foo_html', :something => '<script>') # => "...<script>..."

After:

translate('foo_html', :something => '<script>') # => "...&lt;script&gt;..."

Shortly after the release of 3.1.2, the Ruby on Rails team released 3.1.3 to fix a number of regressions that found their way into 3.1.2, including a fix to the translate helper for an HTML translation which uses the :count option for pluralization.
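The following added example (not Rails code) models the behaviour described above with a minimal stand-in for the translate helper: a constructed translation table, the pre-fix version that interpolates values into an HTML-safe template verbatim, and the fixed version that escapes each interpolated value first, including the :count pluralization case. The table keys, the html_key? rule and the lookup/interpolate helpers are simplified assumptions, not the framework's own implementation.

```ruby
require 'cgi'

# Constructed translation table standing in for a Rails locale file (not Rails code).
# A Hash value models pluralization selected by the :count option.
TRANSLATIONS = {
  'foo_html'   => 'Hello, <b>%{something}</b>!',
  'greeting'   => 'Hello, %{something}!',
  'items_html' => { :one   => 'You have <b>%{count}</b> item: %{name}',
                    :other => 'You have <b>%{count}</b> items: %{name}' },
}

# Rails treats keys ending in "_html" (or ".html") as HTML-safe: the template
# itself is trusted markup and is not escaped again when rendered.
def html_key?(key)
  key.end_with?('_html', '.html')
end

# Resolve the key, choosing the plural form when the entry is a Hash.
def lookup(key, values)
  entry = TRANSLATIONS.fetch(key)
  return entry unless entry.is_a?(Hash)
  entry.fetch(values[:count] == 1 ? :one : :other)
end

# Replace %{name} placeholders with the matching values.
def interpolate(template, values)
  template.gsub(/%\{(\w+)\}/) { values.fetch(Regexp.last_match(1).to_sym).to_s }
end

# Behaviour the advisory describes before the fix: the interpolated value is
# dropped into the HTML-safe template verbatim, so '<script>' survives.
def translate_vulnerable(key, values = {})
  interpolate(lookup(key, values), values)
end

# Fixed behaviour: for HTML-safe keys every interpolated value is escaped before
# insertion, so only the template's own markup reaches the page; for plain keys
# the whole string is escaped, as the view layer does for a non-safe string.
def translate_fixed(key, values = {})
  template = lookup(key, values)
  if html_key?(key)
    interpolate(template, values.transform_values { |v| CGI.escapeHTML(v.to_s) })
  else
    CGI.escapeHTML(interpolate(template, values))
  end
end
```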
