The XSS prevention support in recent versions of Ruby on Rails allows some string operations which, when combined with user supplied data, may leave an 'unsafe string' incorrectly considered safe. It is unlikely that applications call these methods; however, we are shipping new versions today which prevent their use to ensure they're not called unintentionally.
This problem affects all versions of rails: 3.1.0.rc1, 3.0.7, and 2.3.11.
This problem is fixed in Rails 3.1.0.rc2, 3.0.8, and 2.3.12 (with rails_xss).
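The bug class described above, as an added example: a simplified stand-in for a "safe buffer" (not Rails' own ActiveSupport::SafeBuffer and not the advisory's code), in which the inherited in-place String mutators splice raw user data into a buffer that keeps claiming to be HTML-safe, beside a hardened variant that refuses those mutators and drops the flag on non-destructive copies. All class, method and input names below are assumptions.

```ruby
require 'cgi'

# Model of the vulnerable behaviour: a String subclass carrying an html_safe
# flag.  Appending a plain String escapes it, but gsub!/sub!/insert etc. are
# inherited from String unchanged and keep the flag while mutating the text.
class LeakySafeBuffer < String
  def html_safe?
    true
  end

  # Escape non-safe operands; append safe ones verbatim.
  def concat(other)
    safe = other.respond_to?(:html_safe?) && other.html_safe?
    super(safe ? other : CGI.escapeHTML(other.to_s))
  end
  alias_method :<<, :concat
end

# Hardened model: destructive mutators raise, and the non-destructive forms
# return a plain String (flag dropped) so the caller must re-escape.
class StrictSafeBuffer < LeakySafeBuffer
  %w[gsub sub tr delete].each do |m|
    define_method("#{m}!") { |*| raise NotImplementedError, "#{m}! not allowed on a safe buffer" }
    define_method(m) { |*args, &blk| to_str.send(m, *args, &blk) }
  end
end

CONSTRUCTED_INPUT = '<script>alert(1)</script>' # constructed sample value

# Vulnerable pattern: in-place substitution of user data into a safe template.
def render_leaky(name)
  buf = LeakySafeBuffer.new('<p>Hello, NAME</p>')
  buf.gsub!('NAME', name) # raw data spliced in, html_safe? still true
  [buf.to_str, buf.html_safe?]
end

# Hardened pattern: the substitution is refused, so the view is built by
# appending, which escapes the plain-String operand.
def render_strict(name)
  buf = StrictSafeBuffer.new('<p>Hello, NAME</p>')
  begin
    buf.gsub!('NAME', name)
  rescue NotImplementedError
    buf = StrictSafeBuffer.new('<p>Hello, ') << name << StrictSafeBuffer.new('</p>')
  end
  [buf.to_str, buf.html_safe?]
end
```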
Status update: rails 2.3.12 has been in the tree for a while. 3.0.8 still pending.
Thank you, Hans. Can we stabilize 2.3.12?
(In reply to comment #2)
> Thank you, Hans. Can we stabilize 2.3.12?
I think so. I've filed a separate bug for it since it requires some explanation and that bug can also serve as a focus point for any discussion on the stabilization.
Rails 3.0.9 is now also in the tree (note that all 3.0.x versions are still marked ~).
Stabilization completed via bug 372391. Closing noglsa for xss.