Closed gavinheavyside closed 13 years ago
Rails 3.0.8 contains a fix for an XSS vulnerability, and raises exceptions when in-place string modifications are performed on HTML safe strings.
See http://weblog.rubyonrails.org/2011/6/8/ann-rails-3-0-8-has-been-released and http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications
Thanks a lot!
I wonder why we need the html_safe on the class attribute anyway?
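The two behaviours the PR description refers to, as an added illustration that is not part of this pull request or of Rails itself: a small stand-in for ActiveSupport::SafeBuffer (`MiniSafeBuffer`, a hypothetical name) that escapes any unsafe string appended to it, returns a plain, unsafe `String` from the non-bang string methods, and refuses in-place mutation of a buffer already marked HTML-safe (the exception class is modelled here as `TypeError`; the page only says that 3.0.8 raises). The `render_div` helper and the constructed attribute value are likewise assumptions made for this example.

```ruby
require "cgi"

# Plain strings are never trusted as HTML (assumption for this model).
class String
  def html_safe?
    false
  end
end

# Simplified stand-in for ActiveSupport::SafeBuffer. Illustration only; the
# real class lives in ActiveSupport and differs in detail.
class MiniSafeBuffer < String
  # Methods whose result can no longer be guaranteed escaped.
  UNSAFE_STRING_METHODS = %w[capitalize chomp chop delete downcase gsub lstrip
                             next reverse rstrip slice squeeze strip sub succ
                             swapcase tr tr_s upcase].freeze

  def initialize(str = "")
    super(str.to_s)
  end

  # A buffer is only ever built from escaped or explicitly trusted pieces.
  def html_safe?
    true
  end

  # Appending: anything not already marked safe is HTML-escaped first.
  def <<(value)
    value.html_safe? ? super(value) : super(CGI.escapeHTML(value.to_s))
  end
  alias_method :concat, :<<

  UNSAFE_STRING_METHODS.each do |m|
    # Non-bang version: the result is a plain String, i.e. no longer "safe".
    define_method(m) { |*args, &blk| String.new(super(*args, &blk)) }
    # Bang version: mutating the buffer in place would keep the "safe" flag on
    # content that may now contain unescaped markup, so it is refused.
    define_method("#{m}!") { |*_args, &_blk| raise TypeError, "Cannot modify SafeBuffer in place" }
  end

  def to_s
    self
  end
end

class String
  # Mark a string as trusted markup (the caller vouches for it).
  def html_safe
    MiniSafeBuffer.new(self)
  end
end

# Hypothetical tag helper: only the literal markup is marked safe; the class
# attribute value and the body are escaped unless the caller marked them safe.
def render_div(css_class, body)
  buf = MiniSafeBuffer.new
  buf << '<div class="'.html_safe
  buf << css_class
  buf << '">'.html_safe
  buf << body
  buf << "</div>".html_safe
  buf
end

# Returns :refused when the buffer blocks in-place modification, :mutated otherwise.
def mutate_in_place(str)
  str.gsub!(/</, "&lt;")
  :mutated
rescue TypeError
  :refused
end

if __FILE__ == $PROGRAM_NAME
  # Constructed hostile attribute value: it ends up escaped, not injected.
  puts render_div('hero" onmouseover="alert(1)', "<b>hi</b>")
  puts mutate_in_place("<b>".html_safe)   # :refused
end
```

Running the file prints the escaped `<div>` and `refused`. The point for the reply above is visible in `render_div`: the class attribute value is escaped on its way into the buffer, so a caller only needs `html_safe` on it when it genuinely vouches for the value as markup.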