Rails upgrade fixes security issues, Ruby 1.9 compatibility

XSS protection is cited as major feature of the release, but Rails 3.0 release date "up in the air"

Ruby on Rails 2.3.5, featuring security boosts and compatibility improvements for version 1.9 of the Ruby language, was released over the weekend, according to a blog post on the Ruby on Rails Web site.

Rails is a popular open source Web framework. Rails 2.3.5 offers bug and security fixes and should be compatible with prior 2.3.x releases of Rails, said Greg Pollack, who is part of the Rails Activist Team. XSS (cross-site scripting) protection was cited as the major improvement in the release by Rails founder David Heinemeier Hansson in an e-mail.


"The big feature in Rails 2.3.5 is that it works with our new rails_xss plug-in, which makes XSS protection completely automatic for Rails applications," Hansson said. "Before that, you had to manually ensure that you weren't leaving windows open for XSS attacks. Now you can just get the plug-in and sit back and relax. This feature will also be standard equipment on Rails 3.0."

Bugs were fixed in version 2.3.5 to boost Ruby 1.9 compatibility.

"There were a few small bugs preventing full compatibility with Ruby 1.9. However, we wouldn't be surprised if you were already running Rails 2.3.x successfully before these bugs were fixed (they were small)," Pollack said.

A security fix in version 2.3.5 addresses a vulnerability in the Rails strip_tags helper: a bug in the parsing code of HTML::Tokenizer meant that applications relying on strip_tags as their XSS defense could be exposed to attacks against Internet Explorer users.
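The two points above, the "automatic" escaping model that Hansson describes and the fragility of relying on a tag stripper, are illustrated by the following added example. It is not code from Rails or from the rails_xss plug-in: SafeString, SafeBuffer, render_manual, render_auto and naive_strip_tags are hypothetical stand-ins written for this article, the stripper is a deliberately naive blacklist (not Rails' strip_tags, whose actual bug is not reproduced here), and the two inputs are constructed.

```ruby
# Added example, not Rails or rails_xss code. Models the difference between
# "remember to escape" and "escaped unless explicitly marked safe", and shows
# why stripping tags is not a substitute for escaping output.
require 'cgi'

def escape_html(str)
  CGI.escapeHTML(str.to_s)
end

# Hypothetical: a string that a developer has explicitly marked as trusted HTML.
class SafeString < String
  def html_safe?
    true
  end
end

class String
  # Every ordinary String is untrusted by default.
  def html_safe?
    false
  end

  def html_safe
    SafeString.new(self)
  end
end

# Hypothetical output buffer: anything appended that is not marked safe is
# escaped on the way in, so the template author cannot forget to do it.
class SafeBuffer
  def initialize
    @out = +""
  end

  def <<(fragment)
    safe = fragment.respond_to?(:html_safe?) && fragment.html_safe?
    @out << (safe ? fragment.to_s : escape_html(fragment))
    self
  end

  def to_s
    @out
  end
end

# Manual model: protection depends on the developer passing escape: true.
def render_manual(comment, escape: true)
  body = escape ? escape_html(comment) : comment
  "<p>#{body}</p>"
end

# Automatic model: only the literal markup is marked safe; user data is escaped.
def render_auto(comment)
  buf = SafeBuffer.new
  buf << "<p>".html_safe
  buf << comment
  buf << "</p>".html_safe
  buf.to_s
end

# Constructed naive blacklist stripper (NOT Rails' strip_tags): removes
# script tags in a single pass, which is exactly what a nested payload defeats.
def naive_strip_tags(html)
  html.gsub(%r{</?script[^>]*>}i, "")
end

# Constructed inputs for the demonstration.
CONSTRUCTED_INPUT = "<script>alert(1)</script>"
NESTED_INPUT = "<scr<script>ipt>alert(1)</scr</script>ipt>"

if __FILE__ == $PROGRAM_NAME
  puts render_manual(CONSTRUCTED_INPUT, escape: false) # developer forgot: script survives
  puts render_manual(CONSTRUCTED_INPUT)                # developer remembered
  puts render_auto(CONSTRUCTED_INPUT)                  # escaped without any decision
  puts naive_strip_tags(NESTED_INPUT)                  # one pass of stripping rebuilds <script>
  puts render_auto(NESTED_INPUT)                       # escaping neutralises the same payload
end
```

The point of the buffer is that the default is the safe path: a fragment only reaches the page unescaped if someone called html_safe on it, which is where review effort should concentrate. The stripper shows the opposite failure: a single-pass blacklist leaves `<script>alert(1)</script>` behind after removing the inner tags, so a sanitiser has to be correct about every parsing corner case, while escaping only has to be correct about five characters.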

The release also resolves issues with using the Nokogiri XML parser. Rails 2.3 added the ability to switch from the default REXML parser to faster parsers such as Nokogiri.

Meanwhile, a release date for Rails 3.0, which merges Rails with the Merb framework, is "still up in the air" at this point, said Hansson. The Rails team had hoped to release it this year.

"We're hoping to get something out, but we'll see," Hansson said.

This story, "Rails upgrade fixes security issues, Ruby 1.9 compatibility," was originally published at InfoWorld.com.
