From $URL: Rails versions 3.0.x prior to 3.0.6 contain an XSS vulnerability. The vulnerability manifests itself via the auto_link method. The auto_link method will automatically mark input strings as "html safe" even if the input is from an unknown origin. For example:

<%= auto_link(params[:content]) %>

If the "content" parameter contains malicious JavaScript, that script will be rendered without being escaped.

@ruby, please bump the unstable version to 3.0.6 and drop 3.0.3. Thanks!
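The report above describes auto_link passing untrusted markup through unescaped. The following is an added illustration, not Rails code and not part of the bug report: a constructed, much-simplified stand-in for a linkifier in its unsafe form (linkify raw input) beside the hardened pattern (escape the untrusted input first, then linkify), plus a small check that flags any raw tag surviving in the output. The primary remedy remains upgrading to a fixed Rails version, as the comments here do.

```ruby
require "cgi"

# Constructed, simplified stand-in for a linkifier: wraps bare http(s) URLs in
# <a> tags. This is NOT the ActionView auto_link implementation.
URL_RE = %r{https?://[^\s<"']+}

# Mirrors the pre-3.0.6 behaviour described in the report: the input is
# linkified and returned as-is, so any markup the caller passes in is emitted
# unescaped (the real method additionally flagged the result html_safe).
def auto_link_unsafe(text)
  text.gsub(URL_RE) { |url| %(<a href="#{url}">#{url}</a>) }
end

# Hardened pattern: HTML-escape the untrusted input first, then linkify.
# The escaping runs before the <a> tags are generated, so our own markup is
# kept while anything supplied by the user is rendered as literal text.
def auto_link_safe(text)
  escaped = CGI.escapeHTML(text)
  escaped.gsub(URL_RE) { |url| %(<a href="#{url}">#{url}</a>) }
end

# Review/test helper: after stripping the <a> tags the linkifier itself
# produced, does any other raw tag remain in the rendered HTML?
def contains_raw_tag?(html)
  html.gsub(%r{</?a\b[^>]*>}, "").match?(%r{<[a-zA-Z!/]})
end

# Constructed sample of untrusted input, standing in for params[:content].
SAMPLE = %(Check http://example.com <script>alert(1)</script>)

if __FILE__ == $0
  puts auto_link_unsafe(SAMPLE) # script tag survives: the reported bug
  puts auto_link_safe(SAMPLE)   # script tag is escaped, URL is still linked
end
```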
Rails 3.0.7 is now in the tree.
(In reply to comment #1)
> Rails 3.0.7 is now in the tree.

Great, thank you. Closing noglsa.