XSS and CSRF Vulnerabilities in the in_place_editing plugin


Michael Koziarski

Feb 27, 2009, 10:01:02 PM2/27/09
to rubyonrail...@googlegroups.com
We have been advised of several vulnerabilities in the
in_place_editing plugin which was created prior to the 2.0.0 release
of Ruby on Rails.

* The actions generated by in_place_edit_for perform no verification
of the request method, allowing a hostile website to bypass the built-in
CSRF protection.
* The input controls generated by in_place_editor_field perform no
output sanitization, leaving the application vulnerable to XSS
attacks.
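The two defects above, shown side by side with their fixes, as an added example that is not the plugin's own code or the patch linked below. It uses plain Ruby and a constructed stand-in for a Rails request; the helper and action names (set_attribute_unverified, editor_span_escaped and so on) are hypothetical. The point of the first half is the mechanism behind the CSRF bypass: Rails only checks the authenticity token on non-GET requests, so an update action that accepts GET never has its token checked, and requiring POST first closes that path. The second half shows the raw interpolation versus escaping with CGI.escapeHTML.

```ruby
require "cgi"

# Constructed stand-in for the parts of a Rails request the checks look at
# (hypothetical; not the plugin's or Rails' own classes).
Request = Struct.new(:http_method, :params, :token_valid) do
  def get?
    http_method == "GET"
  end

  def post?
    http_method == "POST"
  end
end

# Rails' CSRF protection only verifies the authenticity token on non-GET
# requests, on the assumption that GET is read-only.
def forgery_check_passes?(request)
  request.get? || request.token_valid
end

# Issue 1, before the fix: the generated update action writes the record for
# any verb. A GET from a hostile page carries no token, the token check is
# skipped for GET, and the write still happens.
def set_attribute_unverified(record, request)
  return :forbidden unless forgery_check_passes?(request)
  record[:value] = request.params["value"]
  :updated
end

# Issue 1, after the fix: require POST before anything else, so the only
# route to the write is one on which the token is actually checked.
def set_attribute_verified(record, request)
  return :method_not_allowed unless request.post?
  return :forbidden unless forgery_check_passes?(request)
  record[:value] = request.params["value"]
  :updated
end

# Issue 2, before the fix: the attribute's current value is interpolated
# into the editable span raw, so markup stored in the record reaches the
# browser as markup.
def editor_span_unescaped(value)
  %(<span class="editable">#{value}</span>)
end

# Issue 2, after the fix: escape before interpolating (what ERB's h() helper
# does for ordinary templates).
def editor_span_escaped(value)
  %(<span class="editable">#{CGI.escapeHTML(value)}</span>)
end

if __FILE__ == $0
  record = { value: "original" }
  # Constructed cross-site request: GET, no token.
  cross_site_get = Request.new("GET", { "value" => "tampered" }, false)
  puts set_attribute_unverified(record.dup, cross_site_get)  # updated
  puts set_attribute_verified(record.dup, cross_site_get)    # method_not_allowed
  puts editor_span_escaped(%(Tom & "Jerry" <b>))
end
```

The method check has to come before the token check: with the order reversed, a GET still passes forgery_check_passes? and the verb is the only thing standing between the request and the write.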

Users of all versions of the plugin are advised to update to the
latest version contained in our git repository at:

* git://github.com/rails/in_place_editing.git

For users who are unable to use git, we have provided a zip file
containing the patched code:

* http://weblog.rubyonrails.org/assets/2009/2/28/in_place_editing.zip

Finally, the patch containing the fix is available also:

* http://weblog.rubyonrails.org/assets/2009/2/28/0001-Security-fixes-for-XSS-and-CSRF-issues.patch

Users of all versions of Rails prior to 2.0 are advised to stop using
the in_place_editing functionality, or to manually apply those changes to
their version of Rails. If these changes are backported, this post
will be updated to include a patch for the relevant versions of Rails.

Thanks to Pawel Stradomski of Code Sprinters for reporting this bug to
us and working so patiently with us to get it

--
Cheers

Koz
