Rails versions 3.0.x prior to 3.0.6 contain an XSS vulnerability. The vulnerability manifests itself via the auto_link method. The auto_link method will automatically mark input strings as "html safe" even if the input is from an unknown origin.
<%= auto_link(params[:content]) %>
@ruby, please bump the unstable version to 3.0.6 and drop 3.0.3. Thanks!
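The following stand-alone Ruby script is an added illustration of the description above; it is not code from the bug report or from Rails itself. It models the pre-3.0.6 auto_link behaviour with a minimal `SafeString` stand-in for ActiveSupport::SafeBuffer and a simplified URL regex, then shows the hardened shape (escape the untrusted input before adding anchors, which is the approach the 3.0.6 fix took via sanitize). The `SafeString`, `auto_link_unsafe`, `auto_link_safe` and `render` names, the regex and the `ATTACK` input are all constructed for this example.

```ruby
require 'cgi'

# Stand-in for ActiveSupport::SafeBuffer (assumption for this example): a
# String that answers html_safe? with true. The template layer trusts such
# values and emits them without escaping.
class SafeString < String
  def html_safe?
    true
  end
end

# Simplified matcher for http(s) URLs (real auto_link is more elaborate).
URL_RE = %r{https?://[^\s<]+}

# Models auto_link before Rails 3.0.6: the caller's text is never escaped,
# yet the result is flagged html_safe, so any markup the user smuggled in
# is emitted verbatim by <%= %>.
def auto_link_unsafe(text)
  linked = text.gsub(URL_RE) { |url| %(<a href="#{url}">#{url}</a>) }
  SafeString.new(linked)
end

# Hardened form: HTML-escape the untrusted text first, then wrap the URLs.
# Escaping turns '"' into '&quot;', so a URL cannot break out of the href
# attribute either. (Rails 3.0.6 ran the input through sanitize; plain
# escaping is used here to keep the example self-contained.)
def auto_link_safe(text)
  escaped = CGI.escapeHTML(text)
  linked = escaped.gsub(URL_RE) { |url| %(<a href="#{url}">#{url}</a>) }
  SafeString.new(linked)
end

# What an ERB <%= %> tag does in Rails 3: escape unless the value is flagged safe.
def render(value)
  safe = value.respond_to?(:html_safe?) && value.html_safe?
  safe ? value : CGI.escapeHTML(value)
end

# Constructed attacker-controlled input, standing in for params[:content].
ATTACK = 'Hello <script>alert(1)</script> see http://example.com/?q=1'.freeze

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{render(auto_link_unsafe(ATTACK))}"
  puts "hardened:   #{render(auto_link_safe(ATTACK))}"
end
```

Running the script prints the script tag intact in the "vulnerable" line, while the "hardened" line keeps the link but emits the tag as `&lt;script&gt;`. The general lesson is the same one the report makes: marking a value html_safe is a promise that every byte in it was escaped or sanitized, and a helper that makes that promise on raw caller input is an XSS sink wherever it is used.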
Rails 3.0.7 is now in the tree.
(In reply to comment #1)
> Rails 3.0.7 is now in the tree.
Great, thank you. Closing noglsa.