Rails 3 and 4 are now supported. Simple Captcha is the simplest and most robust captcha plugin. Implementing it requires adding a single line in views and in controllers/models.
In middleware.rb, a request parameter is passed directly to the response body without being escaped.
id = request.params['id']
The parameter should be wrapped in html_escape to prevent possible XSS:
id = html_escape(request.params['id'])
Please see this example URI as proof:
simple_captcha/?id=%22)%3B%20%3Cscript%20type=%27text/javascript%27%3Ealert(%27xss%27](url))%3B%3C/script%3E%20%23(%22
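As an added illustration, not code from simple_captcha itself: a constructed Rack-style handler that embeds the `id` query parameter in the response body, first unescaped as the issue describes and then with the proposed `ERB::Util.html_escape` fix, plus a check that compares the two responses. The body shape (a script calling a `refreshCaptcha` function) and the query strings are assumptions made for this example.

```ruby
require 'erb'
require 'uri'

# Constructed stand-in for the middleware's response: the "id" value is
# interpolated into a small inline script. This is NOT simple_captcha's real
# code; the shape is an assumption made for illustration only.
def captcha_body(id)
  "<script>refreshCaptcha(\"#{id}\");</script>"
end

# Parse the query string with the standard library only (no rack dependency).
def query_params(env)
  URI.decode_www_form(env['QUERY_STRING'].to_s).to_h
end

# Vulnerable handling: the raw parameter reaches the response body, so any
# quote or angle bracket in it breaks out of the intended string context.
def handle_unescaped(env)
  body = captcha_body(query_params(env)['id'].to_s)
  [200, { 'Content-Type' => 'text/html' }, [body]]
end

# Hardened handling, as proposed in the issue: html_escape turns & < > " '
# into entities before the value is embedded, so no new tag can be opened.
def handle_escaped(env)
  id = ERB::Util.html_escape(query_params(env)['id'].to_s)
  [200, { 'Content-Type' => 'text/html' }, [captcha_body(id)]]
end

# Detection helper: true when the body carries more <script> openings than the
# single one the page itself emits, i.e. the request injected markup.
def injected_script?(response)
  response[2].join.scan(/<script/i).size > 1
end
```

For a benign value such as `id=42` both handlers return the same body; the difference only appears when the parameter carries HTML-significant characters.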