Ruby on Rails 1.2.5

Michael Koziarski

Oct 12, 2007, 6:30:23 PM
to rubyonrail...@googlegroups.com
The Rails core team has released Ruby on Rails 1.2.5 to address a
potential XSS exploit with our JSON serialization. The CVE identifier
for this problem is CVE-2007-3227.

You are only at risk if you embed the result of a .to_json call in a
page you generate. For example:

<script type="text/javascript">
var customers = <%= @customers.to_json %>;
</script>

However, as this release addresses some backwards compatibility bugs in
1.2.4, all users are advised to upgrade.

--
Cheers

Koz
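The script-block breakout described above and the escaping that neutralises it, as an added Ruby example that is not part of Koz's post or of the Rails 1.2.5 patch: CUSTOMER is a constructed record, and the \uXXXX escaping of <, >, & is the mitigation approach assumed here, shown with the plain json gem rather than ActiveSupport.

```ruby
require 'json'

# Constructed sample record: the "name" field carries a closing script tag,
# the kind of attacker-influenced string the advisory is concerned with.
CUSTOMER = { 'id' => 42, 'name' => 'Acme </script> Ltd' }.freeze

# Naive serialization: valid JSON, but when pasted between <script> tags the
# browser's HTML parser sees the literal "</script>" and ends the block early,
# so whatever follows in the data is parsed as fresh HTML.
def naive_json(obj)
  JSON.generate(obj)
end

# Hardened serialization (assumed approach): replace the HTML-significant
# characters <, >, & with JSON \uXXXX escapes. The result is still valid JSON
# that decodes to the same values, but can no longer contain "</script>".
HTML_ESCAPES = { '<' => '\u003c', '>' => '\u003e', '&' => '\u0026' }.freeze

def html_safe_json(obj)
  JSON.generate(obj).gsub(/[<>&]/) { |c| HTML_ESCAPES[c] }
end

# Defender's check: could this text close the surrounding script element?
# Case-insensitive, because the HTML tokenizer matches the end tag that way.
def breaks_out_of_script?(json_text)
  json_text.match?(%r{</script}i)
end

# Embed exactly the way the advisory's example does.
def script_block(json_text)
  "<script type=\"text/javascript\">\nvar customers = #{json_text};\n</script>"
end

if __FILE__ == $0
  puts script_block(naive_json(CUSTOMER))      # contains a premature </script>
  puts script_block(html_safe_json(CUSTOMER))  # safe to embed in HTML
end
```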
