Rails 3 to add security enhancement

The preview release of Web framework upgrade, which features protection against cross-site scripting attacks, will not arrive this week as originally intended

Although developers of the Ruby on Rails Web framework will miss this week's target date for offering a preview release of Rails 3, the framework's founder will be touting planned capabilities, such as a major security enhancement, during a conference on Tuesday.

Rails 3, which is to feature a merger of Rails with the Merb framework, will be fitted with protection against cross-site scripting attacks, said Rails creator David Heinemeier Hansson, in an interview on Monday afternoon. He will be presenting at the RailsConf 2009 event in Las Vegas. Cross-site scripting enables intruders to gain unauthorized access to an application by injecting pieces of JavaScript, but version 3 will protect against this.

[ Related: Ruby on Rails on track for major upgrades. ]

Default settings in Rails 3 will only permit allowable JavaScript to execute, Hansson said. "You do not want a user to be able to execute JavaScript on your page" without proper authorization to do so, he explained.

"We'll have a function that allows you to insert this code if [you] actually do mean that this code should be executed," Hansson explained.

But a preview release of Rails 3, which several months ago had been eyed for availability at the conference, will not arrive. Hansson stressed that target date was more along the lines of wishful thinking.

"Our release dates aren't as much planning as, 'That would be nice.' What matters more is [that] what we're releasing is worthwhile and it's done," said Hansson.

Still, preview code releases for Rails 3 have been ongoing, he said. "It's just not being bundled up in an official release," said Hansson. Rails 3 code has been developed in a publicly available repository, he said. A general release for Rails 3 is hoped for later this year.

Rails 3 will add Merb capabilities in such areas as the Rails router. The router is used to process application requests. The new router will offer a simplified domain-specific language for defining a route.

REST capabilities will be added to the router also, to make it more useful for declaring REST applications.

REST Web services was perhaps the key feature in Rails 2. "That's worked out fantastic," Hansson said.

By merging Rails and Merb, the Rails community adds an impressive roster of Merb developers, according to Hansson. Needless duplication of efforts is avoided as well. "Merb and Rails were doing a lot of the same things," he said. The Rails-Merb merger was revealed late last year.

Elsewhere, Rails 3 cleans up code. "We have a fair amount of code that's just been around for a long time and could stand a good cleanup, and that's what we're doing right now," said Hansson.

Also at RailsConf, Agilebuddy announced release of its Connector for Git and Github version control systems. Rails developers and developers using Git can manage a software development lifecycle from one interface, the company said. Agilebuddy features Scrum project management.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies