
Ruby on Rails update fixes security problems

Cross site scripting attacks foiled, Ruby 1.9 supported

Ruby on Rails 2.3.5, featuring security boosts and compatibility improvements for version 1.9 of the Ruby language, was released over the weekend, according to a blog post on the Ruby on Rails website.

Rails is a popular open source web framework. Rails 2.3.5 offers bug and security fixes and should be compatible with prior 2.3.x releases of Rails, said Greg Pollack, who is part of the Rails Activist Team. XSS (cross-site scripting) protection was cited as the major improvement in the release by Rails founder David Heinemeier Hansson in an email.

"The big feature in Rails 2.3.5 is that it works with our new rails_xss plugin, which makes XSS protection completely automatic for Rails applications," Hansson said. "Before that, you had to manually ensure that you weren't leaving windows open for XSS attacks. Now you can just get the plugin and sit back and relax. This feature will also be standard equipment on Rails 3.0."

Bugs were fixed in version 2.3.5 to boost Ruby 1.9 compatibility.

"There were a few small bugs preventing full compatibility with Ruby 1.9. However, we wouldn't be surprised if you were already running Rails 2.3.x successfully before these bugs were fixed (they were small)," Pollack said.

A security fix in version 2.3.5 addresses a vulnerability in the Rails strip_tags function: a bug in the parsing code inside HTML::Tokenizer could leave applications that rely on strip_tags for XSS protection exposed to attacks against Internet Explorer users.
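To make concrete what "automatic" XSS protection means in practice, and why it is safer than relying on a tag-stripping filter such as strip_tags, here is a small Ruby illustration. It is an added example, not code from the rails_xss plugin or from Rails itself: the SafeBuffer class and the html_safe / html_safe? helpers are a simplified model of an escape-by-default output buffer, and the sample comment is constructed input.

```ruby
require 'erb'

# Minimal model of an auto-escaping output buffer, in the spirit of the
# rails_xss plugin described in the article: everything appended to the
# buffer is HTML-escaped unless it has explicitly been marked as safe HTML.
# Illustrative reimplementation only, not the plugin's own code.
class SafeBuffer < String
  def html_safe?
    true
  end

  # Escape untrusted strings on the way in; pass marked-safe strings through.
  def <<(other)
    if other.respond_to?(:html_safe?) && other.html_safe?
      super(other.to_s)
    else
      super(ERB::Util.html_escape(other.to_s))
    end
  end
  alias concat <<
end

class String
  # Plain strings are untrusted by default (hypothetical helper names,
  # modelled on the html_safe convention).
  def html_safe?
    false
  end

  # Mark a string as trusted markup so the buffer will not escape it.
  def html_safe
    SafeBuffer.new(self)
  end
end

# Constructed sample of untrusted user input (e.g. a comment body).
UNTRUSTED_COMMENT = "Nice post! <script>alert(1)</script>"

# "Before": the developer must remember to escape every interpolation.
# One forgotten call (escaped = false) sends the markup to the browser as-is.
def render_manual(comment, escaped)
  body = escaped ? ERB::Util.html_escape(comment) : comment
  "<p>#{body}</p>"
end

# "After": the buffer escapes by default, so forgetting is no longer possible;
# only template literals explicitly marked html_safe reach the page unescaped.
def render_auto(comment)
  out = SafeBuffer.new
  out << "<p>".html_safe
  out << comment
  out << "</p>".html_safe
  out.to_s
end

# Defender-side check: does the rendered output still carry a live script tag?
def leaks_script_tag?(html)
  html.downcase.include?("<script")
end

if __FILE__ == $0
  puts render_manual(UNTRUSTED_COMMENT, false)  # markup reaches the page verbatim
  puts render_manual(UNTRUSTED_COMMENT, true)   # escaped, but only because we remembered
  puts render_auto(UNTRUSTED_COMMENT)            # escaped by default
end
```

The contrast with strip_tags is the point of the second half of the article: a filter that removes tags is only as good as its parser's agreement with every browser's parser, which is exactly where the HTML::Tokenizer bug left Internet Explorer users exposed. Escaping untrusted output at render time does not depend on that agreement, which is why escape-by-default is the stronger baseline and a sanitizer is best reserved for the few fields that genuinely must carry markup.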

The release also resolves issues with the Nokogiri XML parser. Rails 2.3 introduced the ability to switch from the default REXML parser to faster parsers such as Nokogiri.

Meanwhile, a release date for Rails 3.0, which merges Rails with the Merb framework, is "still up in the air" at this point, said Hansson. The Rails team had hoped to release it this year.

"We're hoping to get something out, but we'll see," Hansson said.
