oss-sec mailing list archives
Re: CVE for ruby on rails XSS fixes
From: Josh Bressers <bressers () redhat com>
Date: Wed, 6 Apr 2011 13:47:53 -0400 (EDT)
----- Original Message -----
> Hi,
>
> Can someone assign a CVE for the XSS issue described in
> https://github.com/rails/rails/blob/38df020c95beca7e12f0188cb7e18f3c37789e20/actionpack/CHANGELOG
>
> Here is the changelog text:
>
> *Rails 3.0.6 (April 5, 2011)
>
> * Fixed XSS vulnerability in `auto_link`. `auto_link` no longer marks input as
>   html safe. Please make sure that calls to auto_link() are wrapped in a
>   sanitize(), or a raw() depending on the type of input passed to auto_link().
>   For example:
>
>   <%= sanitize(auto_link(some_user_input)) %>
>
>   Thanks to Torben Schulz for reporting this. The fix can be found here:
>   61ee3449674c591747db95f9b3472c5c3bd9e84d

Use CVE-2011-1497

Thanks.

--
    JB
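A small Ruby model of the behaviour the changelog describes, added here as an illustration and not code from Rails or from either poster: `auto_link_old`, `auto_link_new`, `sanitize` and `render` are simplified stand-ins for the Rails helpers and for what `<%= %>` does with a string that is or is not marked html_safe.

```ruby
require "cgi"

# Stand-in for Rails' SafeBuffer: text plus an "already html_safe" flag.
Html = Struct.new(:text, :safe)

# Escape text for HTML, as <%= %> does to anything not marked html_safe.
def escape_html(s)
  CGI.escapeHTML(s)
end

URL_RE    = %r{https?://[^\s<"]+}
ANCHOR_RE = %r{<a href="(https?://[^\s<"]+)">([^<]*)</a>}

# Wrap bare http(s) URLs in anchors; everything else passes through untouched.
def linkify(s)
  s.gsub(URL_RE) { |url| %(<a href="#{url}">#{url}</a>) }
end

# Model of the pre-3.0.6 behaviour: the result is flagged html_safe, so the
# view emits it verbatim, including any markup the user typed.
def auto_link_old(input)
  Html.new(linkify(input), true)
end

# Model of the 3.0.6 behaviour: same transformation, no html_safe flag.
def auto_link_new(input)
  Html.new(linkify(input), false)
end

# Allow-list sanitizer standing in for Rails' sanitize(): keep only the
# <a href="http..."> anchors linkify produces, escape everything else.
def sanitize(value)
  out, rest = +"", value.text
  while (m = ANCHOR_RE.match(rest))
    out << escape_html(m.pre_match)
    out << %(<a href="#{escape_html(m[1])}">#{escape_html(m[2])}</a>)
    rest = m.post_match
  end
  Html.new(out << escape_html(rest), true)
end

# What <%= value %> writes into the page.
def render(value)
  value.safe ? value.text : escape_html(value.text)
end

# Constructed sample input: a link followed by injected markup.
SAMPLE = "see http://example.com/ <script>alert(1)</script>"
puts "old:       #{render(auto_link_old(SAMPLE))}"             # script tag survives
puts "new:       #{render(auto_link_new(SAMPLE))}"             # safe, but the link is escaped too
puts "sanitized: #{render(sanitize(auto_link_new(SAMPLE)))}"   # link kept, script escaped
```

The third line of output is the `<%= sanitize(auto_link(...)) %>` pattern the changelog recommends: the anchor survives while the injected markup is rendered inert.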